CompTIA PenTest+ Certification PT0-001: Practice Test #4 (Total Seminars) Flashcards

1
Q
Post-engagement cleanup involves completing which of the following activities?
A.All of the answer choices are correct
B.Removing tools
C.Removing shells
D.Removing tester-created credentials
A

A.All of the answer choices are correct

Explanation
Correct Answer: All of the answers are correct. Removing shells, tools, and tester-created credentials is part of cleaning up the customer environment. It is important to ensure the environment is left the way you found it. However, some of these activities may require coordination with the customer to ensure they are properly taken care of (for example, cleaning up tester-created users/passwords).

Incorrect Answers: The other answers are incorrect when selected individually because all of these answers are correct.

2
Q
What defines the requirements and objectives for a penetration test?
A.Executive summary
B.Scope
C.Rules of engagement
D.Nondisclosure agreement
A

B.Scope

Explanation
Correct Answer: Scope is correct. The scope outlines the objectives and requirements for the assessment. During the scoping phase, you attempt to address the testing requirements, target selection, scheduling and timelines, and strategy for testing.

Incorrect Answers: Executive summary is incorrect because the executive summary is a section in the pentest report that includes nontechnical or high-level findings and observations of a pentest.

Rules of engagement is incorrect because the rules of engagement (RoE) document puts into writing the guidelines and constraints regarding the execution of a pentest.

Nondisclosure agreement is incorrect because a nondisclosure agreement (NDA) is a confidentiality agreement that protects a business’s competitive advantage by protecting its proprietary information and intellectual property.

3
Q

In which of the following situations is it appropriate to immediately halt testing and initiate communication with the client?
A.Discovery of software version number disclosure in an internally facing, business critical web application
B.Discovery of a file named “rs.pl” in the CGI directory of a web application that contains a one-line reverse shell to a system not under your control
C.A system in scope being unresponsive to pings or port scanning attempts
D.Port scanning taking a little longer than expected

A

B.Discovery of a file named “rs.pl” in the CGI directory of a web application that contains a one-line reverse shell to a system not under your control

Explanation
Correct Answer: Discovery of a file named “rs.pl” in the CGI directory of a web application that contains a one-line reverse shell to a system not under your control is correct. The scenario described here seems to indicate that there has been a prior breach of the client’s systems. As such, the appropriate action to take is to immediately halt all testing and notify the client. Remember that penetration testing and forensic analysis are different tasks that require different approaches, training, and tools.

Incorrect Answers: Discovery of software version number disclosure in an internally facing, business-critical web application is incorrect because noncritical findings do not merit immediate communication with the client; their time is valuable, as is yours as the penetration tester. The correct decision in this case would be to note the finding and continue testing.

Port scanning taking a little longer than expected is incorrect because port scanning can vary wildly in its duration, depending on numerous network factors and the flags used when executing the port scan. As such, the best course of action would be to simply exercise patience.

A system in scope being unresponsive to pings or port scanning attempts is incorrect because although the unavailability of a system in scope does merit communication with the listed point of contact, it does not necessitate a cessation of all testing.

4
Q
In Microsoft Windows, the _____________ is used to store credentials in memory after a user successfully logs in to a system.
A.SAM
B.Wdigest
C.Kerberos
D.LSASS
A

D.LSASS

Explanation
Correct Answer: LSASS is correct. The Local Security Authority Subsystem Service (LSASS) is used to store credentials in memory after a user successfully logs in to a system. The credentials may be an NT LAN Manager (NTLM) password hash, LM password hash, or even a cleartext password. This helps make credential sharing between trusted applications efficient and not require the user to enter a username and password every time authentication is required.

Incorrect Answers: Wdigest is incorrect because Wdigest is a protocol designed to share credentials with applications that use HTTP and the Simple Authentication Security Layer (SASL).

Kerberos is incorrect because Kerberos is a network authentication protocol that leverages a ticketing system to allow hosts and users operating over the network to prove their identity to one another in a secure fashion.

SAM is incorrect because the Security Accounts Manager (SAM) database is a file that contains local account settings and password hashes for the host.

5
Q
Which attack occurs when an attacker is able to trick a victim into performing unexpected actions on a web application to which they are presently authenticated?
A.Local file inclusion
B.Cross-site request forgery
C.Code injection
D.DOM-based XSS
A

B.Cross-site request forgery

Explanation
Correct Answer: Cross-site request forgery is correct. The attack described is a cross-site request forgery, wherein an application’s trust of a given client (based on their session ID) is exploited to execute changes that are not intended by the user in question. Although the target of a CSRF attack is the server, the attack is necessarily initiated by the abuse of the authenticated victim’s session (perhaps via a well-crafted link in a phishing e-mail), making this a client-side attack.

Incorrect Answers: Code injection is incorrect because code injection would involve an attacker abusing an application system call that relies on unsanitized user input, rather than tricking a user into performing an action they otherwise would not have taken, as described in the question. In other words, since the attack described is not executed against the web server by the attacker directly, and instead relies on abuse of the user’s authenticated session, this answer is incorrect.

DOM-based XSS is incorrect because DOM-based XSS is a client-side attack that targets the victim’s browser rather than the remote server. Since the attack described is targeting a function found on the remote server rather than data or code execution in the user’s browser, this answer is incorrect. Recall that DOM-based XSS attacks are contained in the Document Object Model (DOM), which is a part of the environment of a victim’s browser. This attack method frequently abuses URIs (uniform resource indicators), which are not transferred to the web server but can contain snippets of code; this allows attackers to perform various actions, such as stealing a user’s session cookies.

Local file inclusion is incorrect because local file inclusion would show through the disclosure of a file on the web server, which would ordinarily not be accessible. The attack described instead tricks a user into performing an action they would otherwise be unlikely to perform. Since no disclosure of a local file is described, this answer is incorrect.

6
Q

Which class of vulnerability occurs when an attacker is able to exploit an improperly configured file inclusion mechanism in a target application in such a way that a web application handles an otherwise inaccessible file, such as the system hosts file or /etc/passwd file in *nix systems?

A.HTML Injection
B.Local file inclusion
C.Remote file inclusion
D.Reflected XSS

A

B.Local file inclusion

Explanation
Correct Answer: Local file inclusion is correct. The attack described is local file inclusion (LFI). LFI vulnerabilities are best mitigated through the use of “jail directories” that prevent a running web service or application from traversing the entirety of a host’s operating system, and by properly sanitizing user input and/or by whitelisting files or file types acceptable for inclusion.

Incorrect Answers: Remote file inclusion is incorrect because remote file inclusion would require that the web server load a resource hosted on an external system, rather than a file stored on the local system, as described in the scenario.

HTML injection is incorrect because HTML injection would show through the addition of malicious HTML to a web server that would then be executed in a visiting victim’s web browser. The attack described instead attacks the server directly in order to achieve disclosure of information or files on the target server that would otherwise be inaccessible, making this answer incorrect.

Reflected XSS is incorrect because reflected XSS attacks would require that a user be tricked into clicking a malicious link that sends the payload (typically a snippet of JavaScript that steals the user’s session token or gets them to download a malicious file) to the web server; the web server then does nothing with this payload but feed it back to the victim without storing it locally. The attack described in the question does not target a visiting user’s browser but rather information stored on the web server itself. Moreover, it does not require that a legitimate user click a malicious link, making this answer incorrect.

7
Q

Which of the following items would be expected to be found in the RoE for a penetration test report?
A.A detailed explanation of the period of time the penetration test report should be stored
B.A high-level overview of findings discovered during the engagement
C.Detailed artifacts and evidence that support the findings of the penetration test but are not critical to understanding its findings
D.An account of variables and difficulties encountered during a penetration test, such as systems being unavailable for extended periods of times

A

A.A detailed explanation of the period of time the penetration test report should be stored

Explanation
Correct Answer: A detailed explanation of the period of time the penetration test report should be stored is correct. The storage time for a penetration test report would be expected to be found in the RoE for a penetration test. This should also include the conditions under which the report is stored, such as encryption and access requirements.

Incorrect Answers: The other answers are incorrect. These answers are all descriptions of components of a penetration test report, rather than information that should be found in the RoE of an engagement.

In the case of an account of variables and difficulties encountered during a penetration test, such as systems in scope being unavailable for extended periods of time, variables and difficulties encountered during the penetration test that may have altered the testing timeline would be expected to be found in the methodology section of a penetration test report.

A high-level overview of findings discovered during the engagement is incorrect because the executive summary exists to provide a high-level overview of the findings of the penetration test.

Finally, detailed artifacts and evidence that support the findings of the penetration test but are not critical to understanding its findings is incorrect because detailed artifacts supporting the findings of a penetration test that are not critical to the understanding of the report would be expected in the conclusion of a penetration test report, specifically in the appendixes.

8
Q

Which of the following would not be expected in the findings and remediation section of a penetration test report?
A.A breakdown of steps taken to exploit, where applicable
B.Details on vulnerabilities discovered, the general threat they introduce, the service or feature they affect, and the impacted host(s)
C.Recommendations for mitigation of each finding
D.A high-level overview of the general results of the penetration test

A

D.A high-level overview of the general results of the penetration test

Explanation
Correct Answer: A high-level overview of the general results of the penetration test is correct. A high-level overview of the general results of a penetration test would be expected in the executive summary of a penetration test report, rather than in the findings and remediation section.

Incorrect Answers: The other answers are incorrect. All of the other answer choices are expected components of the findings and remediation section of a penetration test report. Because the question asked which of the answer choices was not expected to be found in the findings and remediation section of a penetration test report, these are incorrect answers.

9
Q

Which of the following would be examples of communication during a penetration test that serve to raise the client’s situational awareness of the engagement in process? (Choose two.)
A.A weekly call detailing current progress, actions taken, or thought processes that guided a particular component of testing
B.An e-mail indicating that testing will begin shortly on a system the client has identified as particularly sensitive
C.A call to notify the client that a server is no longer responding after actions conducted during the course of the engagement with the goal of making the system available for testing again
D.A call intended to identify the root cause of unexpected behavior encountered during the course of a penetration test

A

A.A weekly call detailing current progress, actions taken, or thought processes that guided a particular component of testing
B.An e-mail indicating that testing will begin shortly on a system the client has identified as particularly sensitive

Explanation
Correct Answers: A weekly call detailing current progress, actions taken, or the thought processes that guided a particular component of testing and an e-mail indicating that testing will begin shortly on a system the client has identified as particularly sensitive are correct. Weekly status calls and notifications that testing will begin on new areas in the engagement scope are all valid reasons to extend the courtesy of an e-mail or a phone call, so as to keep the client apprised of the ongoing status of the penetration test.

Incorrect Answers: A call intended to identify the root cause of unexpected behavior encountered during the course of a penetration test is incorrect because a call seeking to identify the cause of an unexpected behavior would be an example of communication for the sake of deconfliction, rather than to simply maintain situational awareness.

A call to notify the client that a server is no longer responding after actions conducted during the course of the engagement, with the goal of making the system available for testing again is incorrect because a call seeking to remedy an issue that has arisen as a result of penetration testing activities would be an example of communication for the sake of de-escalation.

10
Q
UDP is a connectionless protocol. Which of the following options use this protocol for communication? (Choose three.)
A.DNS
B.TFTP
C.SSH
D.NetBIOS
A

A.DNS
B.TFTP
D.NetBIOS

Explanation

Correct Answers: DNS, NetBIOS, and TFTP are correct. DNS (53/udp), NetBIOS (137/udp, 139/udp), and TFTP (69/udp) all rely on the connectionless protocol.

Incorrect Answer: SSH is incorrect. SSH (22/tcp) is a connection-oriented protocol and relies on TCP for establishing communication with a remote host.

11
Q
Which vulnerability research and analysis resource consists of thousands of known attack patterns and methodologies, categorized by both the domain of attack and the mechanism of attack? It is focused on application security and describes common techniques used by adversaries in exploiting known weaknesses.
A.Full Disclosure
B.CAPEC
C.CVE
D.CWE
A

B.CAPEC

Explanation

Correct Answer: CAPEC is correct. CAPEC (Common Attack Pattern Enumeration and Classification) is a publicly available vulnerability research resource that serves as a dictionary of common attack patterns and classifies various types of attacks so that they can be better understood by analysts, developers, penetration testers, and educators. Note that it can be particularly easy to confuse CAPEC with ATT&CK; the latter emphasizes general network defense rather than specific attack tactics, and may be broadly understood to be a tool better suited for use by network defenders rather than penetration testers. Refer to MITRE for further information on the differences between the two: https://capec.mitre.org/about/attack_comparison.html.

Incorrect Answers: CVE is incorrect because CVE (Common Vulnerabilities and Exposures) is a list of entries for publicly known cybersecurity vulnerabilities provided by MITRE. Each entry contains an identification number, a description, and at least one public reference for further information. Because this is a dictionary of known vulnerabilities rather than one of attack tactics used by adversaries targeting applications, it is incorrect.

CWE is incorrect because CWE (Common Weakness Enumeration) is a community-developed list of common software security weaknesses managed by MITRE, providing a baseline for weakness identification, mitigation, and prevention efforts. While a list of potential software weaknesses is valuable for penetration testers, software developers, and educators, it does not focus on attack tactics used by adversaries in attacking applications, making it incorrect.

Full Disclosure is incorrect because Full Disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, in addition to providing tools, papers, news, and events of interest to the cybersecurity community. While some discussion of attack tactics can be expected on Full Disclosure (indeed, proof-of-concept code is commonly found in posts there), it is not the sole focus of the site, making it an incorrect answer.

12
Q
Which attack tactic as detailed by MITRE's ATT&CK matrix details actions that may be used to obtain an additional level of permissions within a system?
A.Privilege Escalation
B.Command and control
C.Persistence
D.Credentialed access
A

A.Privilege Escalation

Explanation

Correct Answer: Privilege escalation is correct. Privilege escalation methods as described by ATT&CK are attack techniques that allow an attacker or penetration tester to gain additional permissions on a target system, such as popping a shell for a non-root-user-owned service running on a Linux host, or gaining a SYSTEM-level command shell on a Windows host.

Incorrect Answers: Persistence is incorrect because attacks categorized as persistence methods are techniques by attackers to ensure retention of a presence on a target system. An example of this would be a malicious cronjob snuck into the root crontab that sets up a bound shell on an unused port.

Credentialed access is incorrect because attacks categorized as credentialed access methods are identified by their use of legitimate, authorized credentials to access a system.

Command and control is incorrect because attacks categorized as command and control methods are used to maintain communication within a target network; an example of this would be the use of specially crafted packets that send communications through commonly used ports and protocols such as HTTP on port 80 or DNS on port 53.

13
Q
Post-engagement cleanup involves completing which of the following activities?
A.All of the answer choices are correct
B.Removing tools
C.Removing shells
D.Removing tester-created credentials
A

A.All of the answer choices are correct

Explanation

Correct Answer: Airodump-ng is correct. Airodump-ng is used to capture packets sent across a wireless network and save them to a .cap file for later use in analysis or key cracking.

Incorrect Answers: Airdecap-ng is incorrect because airdecap-ng is used to decrypt .cap files created from dumps of WEP and WPA-PSK wireless networks, rather than to create the initial capture file.

Airolib-ng is incorrect because airolib-ng is used to create and manage a pre-computed hash table for WPA and WPA2 network cracking efforts, and has no role to play in the creation of packet capture files.

Wash is incorrect because wash is a tool used to identify wireless networks that have WPS enabled.

14
Q

In which scenario(s) can DLL hijacking occur? (Choose two.)
A.The attacker has read access to the DLL search path for the Windows target
B.The attacker has write access to a location or path of missing DLL that is called during program execution
C.The attacker removes DLLs used by the operating system in C:/Windows/system32
D.The attacker can create a DLL that is missing during program execution and successfully escalate privileges to SYSTEM

A

B.The attacker has write access to a location or path of missing DLL that is called during program execution

D.The attacker can create a DLL that is missing during program execution and successfully escalate privileges to SYSTEM

Explanation

Correct Answers: The attacker has write access to a location or path of a missing DLL that is called during program execution is correct because write access is required for the location where a DLL should be located; otherwise, the attacker will not be able to copy over the malicious DLL to be used in the DLL hijacking attack.

The attacker can create a DLL that is missing during program execution and successfully escalate privileges to SYSTEM is correct because the attacker has write access to the location of where the DLL should reside, and can replace the “missing” DLL with a malicious one to escalate privileges on the system.

Incorrect Answers: The attacker removes DLLs used by the operating system in C:/Windows/system32 is incorrect because removing the DLL from the System32 directory can cause a denial of service (DoS) and prevent applications from functioning, which would be the opposite of exploiting a privilege escalation vulnerability using a running program.

The attacker has read access to the DLL search path for the Windows target is incorrect because write access is required so the malicious DLL used to escalate privileges can be copied to the appropriate DLL path.

15
Q
Which attack tactic as detailed by MITRE's ATT&CK matrix covers methods for the transfer of sensitive information from a system?
A.Lateral movement
B.Exfiltration
C.Defense evasion
D.Execution
A

B.Exfiltration

Explanation

Correct Answer: Exfiltration is correct. Exfiltration methods as described by ATT&CK are attack techniques that seek to discover and remove sensitive information from within a system. An example of this would be to send harvested data in a netcat connection to a commonly used port and protocol (such as HTTP on port 80 or DNS on port 53) on an external system to avoid scrutiny by an otherwise alert defense team.

Incorrect Answers: Lateral movement is incorrect because attacks categorized as lateral movement methods are techniques by which an attacker or penetration tester transitions from one system over the network to another; passing the hash, or sending a hashed password to obtain access without needing the cleartext password, is an example of this.

Defense evasion is incorrect because attacks categorized as defense evasion methods are meant to escape detection or system security defenses; this could be as simple as deleting temporary files created in the process of attacking a target system.

Execution is incorrect because attacks categorized as execution methods are techniques that result in the execution of malicious code on a local or remote system; an example of this would be the use of a native command-line interface, such as cmd.exe in a Windows environment or the terminal on a Linux host.

16
Q
Which attack method exploits AD legacy support for older Windows clients, resulting in an attacker obtaining a weakly encrypted ticket-granting service that uses the NTLM hash of the service owner's account as the encryption key? By obtaining such a ticket, the attacker can identify the hash and crack it offline, allowing for privilege escalation, lateral movement, or persistence in a given system or environment.
A.Scheduled task abuse
B.Plaintext LDAP credential transmission
C.Kerberoasting
D.Insecure sudo access
A

C.Kerberoasting

Explanation

Correct Answer: Kerberoasting is correct. The attack described is Kerberoasting. Modules to simplify this attack are found in both PowerSploit and Empire.

Incorrect Answers: Plaintext LDAP credential transmission is incorrect because plaintext LDAP credential transmission interception does not rely on Active Directory support for older, legacy Windows clients to obtain NTLM hashes. Rather, it allows credential harvesting to occur if the application making the LDAP request is not doing so via LDAPS (LDAP over SSL, or Secure LDAP). This is because the application transfers the username and password in plaintext in the very first packet it sends, leaving it vulnerable to sniffing via a network protocol analyzer like Wireshark.

Scheduled task abuse is incorrect because scheduled task abuse occurs most often when a script or .bat file run as part of a scheduled task is world-writable, creating openings for privilege escalation, lateral movement, or persistence. Since there is no abuse of Active Directory support for legacy Windows clients, this answer is also incorrect.

Insecure sudo access is incorrect because insecure sudo access is a privilege escalation vector found in *nix environments; since the attack vector described targets NTLM hashes, as used in a Windows environment, this answer is incorrect.

17
Q

When used as part of a search through theHarvester, what will be the effect of the -c flag?
A.A DNS brute-force search will be conducted for the domain name provided
B.A reverse DNS query will be run for all discovered ranges
C.A simple declaration of the domain or company name for which to search
D.Identified hosts will be cross-referenced with the Shodan database

A

A.A DNS brute-force search will be conducted for the domain name provided

Explanation

Correct Answer: A DNS brute-force search will be conducted for the domain name provided is correct. The -c flag in theHarvester will result in a DNS brute-force search being conducted for the domain name provided.

Incorrect Answers: A simple declaration of the domain or company name for which to search is incorrect because a simple declaration of the domain or company name for which to conduct the search describes the -d flag.

A reverse DNS query will be run for all discovered ranges is incorrect because a reverse DNS query will be run for all discovered ranges when the -n flag is used.

Identified hosts will be cross-referenced with the Shodan database is incorrect because the -h flag will result in identified hosts being cross-referenced with the Shodan database.

18
Q
Which technique is marked by overwriting a program's execution stack with "no operation" instructions, with an end goal of shifting a program's instruction pointer to a specific command sequence? It is used extensively in the development of buffer overflow attacks.
A.Return-oriented programming
B.NOP sled
C.Ret2libc
D.Stack smashing
A

B.NOP sled

Explanation

Correct Answer: NOP sled is correct. The technique described is a NOP sled (also called a NOP slide or NOP ramp). A NOP instruction indicates that no action should be taken by a processor during the execution of a program, effectively sliding the instruction pointer further down the stack until it reaches an instruction that can be acted upon.

Incorrect Answers: Return-oriented programming is incorrect because return-oriented programming is a category of attack used to achieve arbitrary code execution in spite of existing defenses such as code signing and executable space protection. Briefly, return-oriented programming seeks to gain control of a program’s execution flow and then employ instruction sequences already present in memory. Since return-oriented programming is an attack type rather than a specific technique used to slide the instruction pointer along, this answer is incorrect.

Ret2libc is incorrect because ret2libc attacks are a specific type of return-oriented programming that attempts to leverage an existing library function in memory to obtain code execution rather than deploying a custom-written payload. As with the broader category of return-oriented programming, this is a category of attack rather than a specific technique used in the attack, making this answer incorrect as well.

Stack smashing is incorrect because stack smashing is a specific type of buffer overflow attack that occurs when data is written to memory addresses on a program’s call stack, taking up more storage space than the intended data buffer is meant to contain. Since stack smashing is a type of buffer overflow attack rather than a technique used in the development of buffer overflow attacks, this answer is incorrect.

19
Q
Which freely available, open-source web application scanning tool provides automated vulnerability scanning, traffic interception, and HTTP parameter tampering in addition to a robust RESTful API?
A.OWASP ZAP
B.Qualys WAS
C.Nexpose
D.nikto
A

A.OWASP ZAP

Explanation

Correct Answer: OWASP ZAP is correct. OWASP ZAP is a free, open-source web application and web server scanning tool. It boasts numerous features similar to those found in Burp Suite, including automated scanning, site fuzzing, and a marketplace for add-ons and plugins.

Incorrect Answers: Nikto is incorrect because nikto is an open-source, command-line-based web server scanner that checks for potentially dangerous files, outdated software versions, and server configuration items. It can perform neither traffic interception nor HTTP parameter tampering, nor does it provide an API, making this answer incorrect.

Nexpose is incorrect because Rapid7’s Nexpose is a broad-scale, commercial vulnerability scanner. Since Nexpose is a commercial, proprietary product that is not limited to web server scanning and is incapable of traffic interception, this answer is incorrect.

Qualys WAS is incorrect because Qualys WAS (Web Application Scanner) is a commercial, cloud-based web application scanning and vulnerability discovery service. As Qualys WAS is also a commercial, proprietary product, this answer is also incorrect.

20
Q
The role of an organization's __________ in a penetration test is to provide written authorization for the assessment.
A.IT department
B.Executive management
C.Security personnel
D.HR department
A

B.Executive management

Explanation

Correct Answer: Executive management is correct. Executive management is composed of the senior management personnel in an organization, and as such is empowered to provide written authorization for a penetration test. It is difficult to overstate the importance of written authorization; in the United States, for instance, conducting a penetration test without written authorization is a nearly guaranteed way to pick up federal charges under the Computer Fraud and Abuse Act.

Incorrect Answers: HR department is incorrect because the human resources department serves to protect the organization’s interests in regard to personnel decisions, but would be highly unlikely to have any influence in the provisioning or authorization of a penetration test.

Similarly, IT department and security personnel are incorrect because although both the IT department and security personnel have a vested interest in the outcome of a penetration test as stakeholders, providing written authorization is generally a responsibility for executive management, along with heavy legal department input.

21
Q

U.S. export laws prohibit which of the following?
A.Importing lock picking hardware
B.Importing certain types of encryption into the US
C.Exporting certain encryption technology
D.Use of encryption with certain parts of the US

A

C.Exporting certain encryption technology

Explanation

Correct Answer: Exporting certain encryption technology is correct. Encryption technology is subject to U.S. export laws.

Incorrect Answers: Importing lock picking hardware and use of encryption within certain parts of the U.S. are incorrect because the question is asking about U.S. export laws, not import restrictions.

Importing certain types of encryption into the U.S. is incorrect both because it doesn’t refer to exporting anything and because no U.S. laws regarding encryption apply only to certain parts of the country.

22
Q
Which family of attack is used to obtain control of the operation of Bluetooth-enabled devices?
A.Pixie dust
B.Jamming
C.Bluesnarfing
D.Bluebugging
A

D.Bluebugging

Explanation

Correct Answer: Bluebugging is correct. Bluebugging attacks exploit a flaw in Bluetooth data transfers to keep the attacking system as a trusted device, allowing the attacker to pair with the victim device and assume control of its operation. Modern Bluetooth implementations have numerous security checks in place to prevent this type of attack, such as enhancements in Bluetooth device firmware and the requirement of a PIN to complete pairing. As in WPA-PSK, these security measures can still be defeated if an attacker is able to capture an authentication handshake, allowing recovery of the PIN used.

Incorrect Answers: Bluesnarfing is incorrect because bluesnarfing is the use of vulnerabilities in a device or in Bluetooth to steal information, such as phone numbers, SMS message contents, or calendar information, but does not imply or require control over the target, as stated in the question.

Jamming is incorrect because jamming attacks are those that attempt to render a wireless protocol unusable, usually by flooding the wireless spectrum used by the target protocol with additional transmissions and degrading the signal-to-noise ratio. Thus, jamming attacks are a form of denial of service attack, which cannot be used to seize control of a device, making this an incorrect answer.

Pixie dust is incorrect because a pixie dust attack is one aimed at cracking the PIN used in WPS-enabled Wi-Fi routers, with the ultimate goal of enabling an attacker to connect to and authenticate with a wireless AP; since this attack targets 802.11 Wi-Fi networks rather than Bluetooth connections, it is incorrect.

23
Q
What is the process of collecting information about target systems, software, networks, or people in a manner that requires direct engagement with the target or its assets?
A.Passive information gathering
B.Active information gathering
C.Reconnaissance
D.Web searching
A

B.Active information gathering

Explanation

Correct Answer: Active information gathering is correct. Active information gathering is the process of collecting information about target systems, software, networks, or people in a manner that requires direct engagement with the target or its assets.

Incorrect Answers: Passive information gathering is incorrect because passive information gathering is the process of assessing a target to collect preliminary knowledge about systems, software, networks, or people without directly engaging the target or its assets.

Web searching is incorrect because web searching is a specific activity that falls under the umbrella of passive information gathering.

Reconnaissance is incorrect because reconnaissance is a broader term that can describe both passive and active information-gathering efforts.

24
Q
Which document details the communication path for findings and other critical information, such as system unavailability or the discovery of evidence of a previous compromise?
A.RoE
B.MSA
C.NDA
D.Executive summary
A

A.RoE

Explanation

Correct Answer: RoE is correct. The communication escalation path should be detailed in the rules of engagement (RoE), with at least a primary and alternate point of contact listed.

Incorrect Answers: The other answers are incorrect. The communication escalation path exists to lay out the specific chain of command regarding the details of a penetration test. Because this is a fine detail associated with the technical specifics of a penetration test, one would not expect to find it in a nondisclosure agreement (which codifies an agreement that the client’s proprietary information will not be divulged by the penetration tester), a master service agreement (which details broader, less technical details about the penetration testing agreement such as payment terms and processes for dispute resolution), or an executive summary (a component of a penetration test report, which is delivered after the completion of the penetration test).

25
Q
Which method of jailbreaking an iOS device requires a computer to turn on the device each time?
A.Semi-untethered
B.Tethered
C.Untethered
D.Semi-tethered
A

B.Tethered

Explanation

Correct Answer: Tethered is correct. Tethered jailbreaks require a computer to turn the device on every time.

Incorrect Answers: Semi-untethered is incorrect because a semi-untethered jailbreak method requires the device to be jailbroken on every reboot; this method can be accomplished using a jailbreak app already installed on the device in question.

Untethered is incorrect because devices jailbroken with an untethered mechanism can be turned on and off without the need for a computer.

Semi-tethered is incorrect because devices jailbroken with a semi-tethered method may be rebooted at will, but they will need to be jailbroken again on boot with the assistance of a computer.

26
Q
Which nmap flag is used to denote a simple ping scan?
A.'-Pn'
B.'-sn'
C.'-sL'
D.'-v'
A

B.'-sn'

Explanation

Correct Answer: '-sn' is correct. The -sn nmap flag denotes a simple ping scan.

Incorrect Answers: '-Pn' is incorrect because the -Pn flag disables ping and skips host discovery.

'-v' is incorrect because the -v flag increases output verbosity.

'-sL' is incorrect because the -sL flag is used when listing multiple targets to be scanned.

27
Q
Which cryptographic side-channel attack exploits the delay in volatility in system RAM after a hard reboot, and is frequently used to target encryption keys that were sitting in memory on the target system?
A.Serial connections
B.Cold boot attack
C.Timing attack
D.JTAG debugging
A

B.Cold boot attack

Explanation

Correct Answer: Cold boot attack is correct. A cold boot attack exploits the delay in volatility in system RAM after a hard reboot, and is frequently used to target encryption keys that were sitting in memory on a target system.

Incorrect Answers: JTAG debugging is incorrect because JTAG debugging leverages the IEEE standard used to test printed circuit boards to obtain elevated access to a device; since this is not a side-channel attack and does not exploit RAM volatility delay, this answer is incorrect.

Serial connections is incorrect because serial connections are communication interfaces used to transfer information to and from various devices, such as a modem or terminal; since this is not a side-channel attack, but rather abuse of a known standard connection mechanism, this answer is incorrect.

Timing attack is incorrect because a timing attack is a cryptographic side-channel attack that is based on measuring the time required for computations to complete; since all computations take time, and the time required varies directly based on input, an attacker is able to observe the time to completion for information they would like to harvest and then compare the time expended to values based on known inputs. While this is a side-channel attack, it does not exploit the delay in the volatility of system memory, making this answer incorrect as well.

28
Q

What is the significance of the [R] flag based on the following tcpdump output?
A.The kali host is sending a RST to the target host
B.The target host is sending a RST to the kali host
C.The kali host is sending a SYN to the target host
D.The target host is sending a SYN to the kali host

A

B.The target host is sending a RST to the kali host

Explanation

Correct Answer: The target host is sending a RST to the kali host is correct. In the results of the tcpdump output in this scenario, the [R] flag is a RST (reset) flag, informing the kali host to close the connection, as there is either nothing listening on that port or the service on the other end has requested that the connection be terminated.

Incorrect Answers: The target host is sending a SYN to the kali host is incorrect because the SYN flag is represented in the tcpdump output as [S], not as [R].

The kali host is sending a RST to the target host and The kali host is sending a SYN to the target host are incorrect because the kali host is attempting to connect to the host over multiple ports using a [S] (SYN) flag, and based on the direction (>) of the communication, the [R] (RST) is originating from the target host, not the kali host.

29
Q

The Center for Internet Security (CIS) can provide which of the following?
A.Pentest reports formats
B.Risk and remediation
C.Common vulnerabilities and exposures (CVEs)
D.System hardening guidance

A

D.System hardening guidance

Explanation

Correct Answer: System-hardening guidance is correct. The Center for Internet Security (CIS) provides security benchmarks that offer system-hardening guidance for various operating systems, applications, and technologies.

Incorrect Answers: Risk and remediation is incorrect because risk and remediation are determined after a security evaluation of a customer’s network that takes into account different environmental behaviors and various influences that are not available through the CIS benchmarks.

Pentest report formats is incorrect because pentest report formats are not provided through the CIS benchmarks; however, PCI, FedRAMP, and PTES offer guidance for pentesters on how to lay out the pentest report.

Common vulnerabilities and exposures (CVEs) is incorrect because the common vulnerabilities and exposures (CVEs) are maintained by MITRE, not the CIS benchmarks.

30
Q
You have conducted a penetration test wherein elements of your contract require payment in full no longer than 20 days after the delivery of the final penetration test report. Eighteen days after delivery of the report, two days prior to payment being due in full, the client's executive management raises questions regarding the contents of the report and wants to have those questions addressed before tendering payment. To which contractual document should both parties look for information on how to resolve a dispute over this matter?
A.Statement of work
B.Written authorization letter
C.Rules of engagement
D.Nondisclosure agreement
A

A.Statement of work

Explanation

Correct Answer: Statement of work is correct. Of the choices present, the specific terms for acceptance of a penetration test report and payment for services rendered for a specific assessment would be detailed in a statement of work, or SOW.

Incorrect Answers: Rules of engagement is incorrect because the rules of engagement (ROE) are the concrete guidelines and limitations to be observed during the execution of a penetration test. Some of the most critical components of a properly defined ROE are the explicit declarations of what is or is not authorized for testing.

Written authorization letter is incorrect because a written authorization letter is a document typically (but not always) provided as part of the ROE for a penetration test, explicitly stating the client organization’s authorization of the assessment to be conducted. This document is a mission-critical piece of legal protection for a penetration tester; without it, one could theoretically be exposed to laws that criminalize the unauthorized access of computer systems, for example the Computer Fraud and Abuse Act (CFAA) in the United States.

Nondisclosure agreement is incorrect because a nondisclosure agreement (NDA) is a confidentiality agreement that serves to protect the competitive advantage of a business by ensuring the security of its proprietary information and intellectual property.

31
Q

The PCI DSS regulatory framework applies for what type of organization?
A.US government agencies, organizations that do business with the US government
B.Organizations that store patients' personal health information (PHI)
C.Stores, retailers and any other organizations that accept credit or debit cards as a means of payment for goods and services
D.Schools and other institutions of learning

A

C.Stores, retailers and any other organizations that accept credit or debit cards as a means of payment for goods and services

Explanation

Correct Answer: Stores, retailers, and any other organizations that accept credit or debit cards as a means of payment for goods and services is correct. PCI DSS applies to stores and retailers that accept credit or debit cards as a means of payment.

Incorrect Answers: Organizations that store patients’ personal health information (PHI) is incorrect because organizations that must store patients’ personal health information are bound by HIPAA regulatory guidelines.

U.S. government agencies, or organizations that do business with the U.S. government is incorrect because U.S. government agencies or organizations that do business with the U.S. government are going to be bound by FISMA regulations.

Schools and other institutions of learning is incorrect because schools and other institutions of learning do not have their own dedicated regulatory framework, although they may be subject to FISMA regulations (if the university receives government funding, for instance) or HIPAA regulations (if the school has an on-campus health clinic).

32
Q
Which contractual document can be used to address product warranties, intellectual property ownership, and dispute resolution between mutually consenting parties?
A.MSA
B.SOW
C.RoE
D.NDA
A

A.MSA

Explanation

Correct Answer: MSA is correct. The master service agreement (MSA) is a type of overarching contract between two or more parties where each party agrees to most terms that will govern all other future transactions and agreements.

Incorrect Answers: SOW is incorrect because a statement of work (SOW) is a formal document, routinely employed in the field of project management, that outlines project-specific work to be executed by a service vendor for an organization. The SOW can be a provision found in the MSA or a separate document by itself.

NDA is incorrect because a nondisclosure agreement (NDA) is a confidentiality agreement that protects a business’s competitive advantage by protecting its proprietary information and intellectual property.

RoE is incorrect because the rules of engagement (RoE) document puts into writing the guidelines and constraints regarding the execution of a pentest.

33
Q
In certain situations, a pentester may need to download, modify, and compile an exploit for the target architecture. Which command can a pentester use to accomplish this task in a Unix-like environment?
A.'gdb'
B.'adb'
C.'apk'
D.'gcc'
A

D.'gcc'

Explanation

Correct Answer: 'gcc' is correct. The GNU compiler (gcc) is a utility that will compile source code written in the C programming language for the architecture the program will run on.

Incorrect Answers: 'adb' is incorrect because the Android debug bridge (adb) is a command utility that will allow you to connect to an Android device from a computer, using a USB cable.

'apk' is incorrect because an Android application package (APK) is a file format for the packages installed on Android devices, not a compiler.

'gdb' is incorrect because the GNU debugger (gdb) is the command utility to debug programs, not compile them.

34
Q
What options should you consider when using nmap to conduct network information gathering activities against a customer's network? (Select all that apply.)
A.Service identification
B.Port selection
C.OS fingerprinting
D.All of the answer choices are correct
E.Target selection
A

D.All of the answer choices are correct
Explanation

Correct Answer: All of the answers are correct.

Service identification and OS fingerprinting will help determine the version of a given service and the operating system of a target host, and assist with vulnerability mapping and executing the appropriate Nmap Scripting Engine (NSE) scripts.

Port selection is important because you don’t want to scan unnecessary ports that may not be applicable to the scan, or you may want to include all ports to ensure you maximize your ability to identify the entire attack surface.

Target selection is important because you want to make sure you scan only the targets that are in scope for the engagement.

Incorrect Answers: All of the other choices are incorrect as individual responses, so the correct answer for the question is “All of the answer choices are correct.”

35
Q

The severity rating paradigm used in a penetration test report is used to provide which of the following?
A.A nontechnical, high-level overview of the findings of the penetration test
B.A collection of supplemental material that supports the findings of a penetration test, such as screenshots, automated vulnerability scan output and exploit code used
C.An accounting of the techniques, processes and decision making that drove the penetration test
D.A normalized and standardized representation of discovered vulnerabilities and the overall threat they present to affected systems or networks

A

D.A normalized and standardized representation of discovered vulnerabilities and the overall threat they present to affected systems or networks

Explanation

Correct Answer: A normalized and standardized representation of discovered vulnerabilities and the overall threat they present to affected systems or networks is correct. The vulnerability severity rating paradigm used in a penetration test report aims to provide a standardized accounting of the vulnerabilities discovered and a good sense of the threat they present to an impacted system, server, or network.

Incorrect Answers: An accounting of the techniques, processes, and decision-making that drove the penetration test is incorrect because the description listed refers to the methodology section of a penetration test report. A collection of supplemental material that supports the findings of a penetration test, such as screenshots, automated vulnerability scan output, and exploit code used is incorrect because it refers to the appendixes of a penetration test report, which are found in the conclusion of that report. A nontechnical, high-level overview of the findings of the penetration test is incorrect because the item described is the executive summary of the penetration test report. All of these choices are incorrect because they are sections of a written penetration test report rather than a tool used in the creation of that report.

36
Q

Which technique records text entries made by a user (or users) and is most often exploited to obtain usernames, passwords, and other sensitive information?
A.DLL injection
B.Unattended installation artifact collection
C.Keylogging
D.SAM database cracking

A

C.Keylogging

Explanation

Correct Answer: Keylogging is correct. Keylogging is the practice of logging text entries made by a user in the hopes of finding plaintext authorization credentials, as detailed by MITRE in the ATT&CK matrix under T1056. A relatively easy-to-use module for keylogging is found in Mimikatz.

Incorrect Answers: DLL injection is incorrect because DLL injection does not involve recording of keystrokes made by users. Rather, DLL injection is a technique wherein a running service is manipulated into loading an arbitrary library file through methods such as the SetWindowsHookExA function in the Windows API.

Unattended installation artifact collection is incorrect because while unattended installation artifacts frequently contain plaintext or base64-encoded passwords and can often be leveraged for privilege escalation or lateral movement, the process does not record text or keystrokes entered by a user.

SAM database cracking is incorrect because SAM database cracking is a technique for obtaining NTLM user password hashes requiring an attacker to obtain copies of the system SAM and SYSTEM files, which are typically stored at C:\Windows\System32\config. It does not provide any mechanism for the capture of user keystrokes, making this answer incorrect.

37
Q
The customer contacts you midway through the pentest to ask if your team tested the production database server this afternoon. You consult with your team and find that no testing was going on with that segment of the network during that timeframe. The customer notifies you the next day that an administrator had shut down the server by accident before he went home that day. This conflict resolution process is known as what?
A.Deconfliction
B.De-escalation
C.Situational awareness
D.Reprioritization
A

A.Deconfliction

Explanation

Correct Answer: Deconfliction is correct. Deconfliction is the process of helping a customer differentiate between your activities and other activities occurring, such as real attacks, systems maintenance, or operational error.

Incorrect Answers: De-escalation is incorrect because de-escalation would be a case where you know you are at fault and need to address it.

Reprioritization is incorrect because reprioritization is the process of reestablishing priorities, such as dropping what you were doing and making it an immediate priority to track down members of your pentest team to find out if they were testing on the LAN segment during the same time the server went offline.

Situational awareness is incorrect because situational awareness is a perception of one’s surroundings and can aid in helping with understanding the appropriate communication paths. However, it is not a process.

38
Q
Which vulnerability analysis and research discussion forum tends to provide a greater level of detailed analysis and researcher discussion for a vulnerability than searching MITRE's CVE website, up to and including a proof-of-concept code sample?
A.OWASP
B.CERT Vulnerability Reporting Form
C.Full Disclosure
D.CAPEC
A

C.Full Disclosure

Explanation

Correct Answer: Full Disclosure is correct. Full Disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques. It also provides tools, papers, news, and events of interest to the cybersecurity community.

Incorrect Answers: CERT Vulnerability Reporting Form is incorrect because the CERT Vulnerability Reporting Form is a means of vulnerability disclosure that is managed by a team of security researchers based out of Carnegie Mellon University.

OWASP is incorrect because OWASP, or the Open Web Application Security Project, is an open community designed to enable organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

CAPEC is incorrect because CAPEC is a dictionary that serves to help classify various types of attacks so that they can be better understood by analysts, developers, testers, and educators.

39
Q
The conclusion of the pentest report may include an appendix of which of the following? (Choose two.)
A.Scan data
B.Findings
C.RoE
D.SOW
E.Notes
A

A.Scan data
E.Notes

Explanation

Correct Answer: Scan data and notes are correct. The scan data and notes can help the organization duplicate the test results and execute the same testing activities the pentest did. This way, the organization can verify the remediation efforts are effective.

Incorrect Answers: Findings is incorrect because the findings are documented in the findings section of the pentest report. However, in some cases, a “table of findings” may be inserted as an appendix, in the event of a large assessment with lots of findings that may be cumbersome to list and report individually in a word processing document and may be better suited for documenting in a spreadsheet, such as a Microsoft Excel spreadsheet.

SOW and RoE are incorrect because the statement of work (SOW) and rules of engagement (RoE) are separate from the pentesting report and are shared prior to starting the pentest engagement.

40
Q
Which type of attack occurs when user input is not properly sanitized or validated before being passed to a system call, and can result in an attacker executing arbitrary operating system commands within the context of the user account running a web application or other service?
A.HTML Injection
B.DOM-based XSS
C.Command injection
D.SQL injection
A

C.Command injection

Explanation

Correct Answer: Command injection is correct. Command injection occurs chiefly in cases where user-provided input is not properly sanitized before being fed into a system() call (or its equivalent in higher-level programming languages, such as os.system() in Python), and can result in alteration of data (including destruction and even theft) or shell-level access to the computer system in question in the context of the user who owns the vulnerable application.

Incorrect Answers: DOM-based XSS is incorrect because DOM-based XSS attacks do not rely on the abuse of unsanitized user input being fed to system calls. Rather, DOM-based XSS attacks are contained in the Document Object Model (DOM), which is a part of the environment of a victim’s browser. This attack method frequently abuses URIs (uniform resource identifiers), which are not transferred to the web server but can contain snippets of code; this allows attackers to perform various client-side attacks, such as stealing a user’s session cookies.

HTML injection is incorrect because HTML injection adds snippets of malicious HTML to web pages that execute in the victim’s browser, rather than attempting to pass commands to a lower-level system call. HTML injection relies on improper user input sanitization to allow an attacker to add arbitrary HTML code to a web page.

SQL injection is incorrect because SQL injection relies on malformed SQL queries being sent to a database, rather than abusing system calls made by an application. Note that while both SQL injection and command injection can result in shell access to a target system, this would necessarily be within the context of the database in the case of SQL injection, rather than that of the application making the system call, as with command injection.

41
Q
You have been contracted for a penetration test, and the client has requested that you focus on attempting to gain system-level access to their domain controllers. What type of penetration test has been requested?
A.Red box
B.Goals-based
C.Compliance-based
D.Red Team
A

B.Goals-based

Explanation

Correct Answer: Goals-based is correct. The client in this scenario has requested a goals-based penetration test; this is known from the specific request that you, the penetration tester, work to obtain system-level access to the environment’s domain controllers.

Incorrect Answers: Compliance-based is incorrect because a compliance-based test is marked by a requirement for adherence to a specific regulatory framework. Because no such framework has been addressed or hinted at in this scenario, this option may be ruled out.

Red team is incorrect because a red team assessment is generally conducted in a manner consistent with the real-world operation of an advanced persistent threat, or APT. Additionally, it is marked by a longer duration than other types of assessment, and potentially imposes much greater risk and expense to an organization.

Red box is incorrect because red box testing is a nonsense term designed to intentionally mislead; this incorrect answer plays on the black/gray/white box terms used to define methodology. Close reading of the questions will assist you in weeding out incorrect answers such as this one.

42
Q
What are the following commonly used for? (Choose two.) `= < > <= >= <>`
A.Compare values
B.Test for true or false conditions
C.Used only in larger computer programs
D.Add and subtract based on conditions
A

A.Compare values
B.Test for true or false conditions

Explanation

Correct Answers: Compare values and test for true or false conditions are correct. Those symbols are comparison operators that are used to compare values. The values of two conditions are compared to evaluate if either one is true or false. Based on the condition of the comparison, the program will carry out a specific action.

Incorrect Answers: Add and subtract based on conditions is incorrect because a comparison operator is not used to add and subtract based on conditions; it is used for comparing two values.

Used only in larger computer programs is incorrect because the comparison operator can be used in a computer program of any size.

43
Q
This document plainly states the guidelines and constraints to be observed during the execution of a penetration test, and it clearly lays out what systems are and are not authorized for testing. It may be delivered as part of the SOW or as its own separate document.
A.Rule of engagement (ROE)
B.Master Service Agreement (MSA)
C.Nondisclosure agreement (NDA)
D.Statement of Work
A

A.Rule of engagement (ROE)

Explanation

Correct Answer: Rules of engagement (ROE) is correct. The rules of engagement are the concrete guidelines and limitations to be observed during the execution of a penetration test. One of the most critical components of a properly defined ROE is the explicit declaration of what is or is not authorized for testing; these declarations may be by explicit hostname, network or subnet range, or could possibly change during the period of an engagement, depending on the level of access gained by the penetration testing team.

Incorrect Answers: Master service agreement (MSA) is incorrect because a master service agreement is a contract between two or more parties that lays out the granular details of future transactions and agreements. This typically addresses conditions such as (but not limited to) payment terms and scheduling, intellectual property ownership, and allocation of risk.

Nondisclosure agreement (NDA) is incorrect because a nondisclosure agreement is a confidentiality agreement that serves to protect the competitive advantage of a business by ensuring the security of its proprietary information and intellectual property.

Statement of work (SOW) is incorrect because the statement of work is a provision found in an MSA that outlines the project-specific work to be executed by a service vendor for an organization. It typically addresses details such as (but not limited to) the purpose of the project, its scope of work, and the period of performance.

44
Q
Which term is defined as a methodical approach used to validate the presence of a vulnerability on a target system?
A.Vulnerability analysis
B.Scan validation
C.Configuration validation
D.Vulnerability scanning
A

A.Vulnerability analysis

Explanation

Correct Answer: Vulnerability analysis is correct. Vulnerability analysis is a methodical process by which the presence of a vulnerability on a system is confirmed.

Incorrect Answers: Vulnerability scanning is incorrect because vulnerability scanning is the process of inspecting an information system for known security weaknesses.

Scan validation is incorrect because scan validation is a decoy term for this question, in that it bears a similar meaning to the correct answer but is intended to mislead certification candidates.

Configuration validation is incorrect because while configuration validation may be a part of a penetration test or security assessment, it refers to the verification of implementation of security best practices in a given environment or for a given service.

45
Q

What is the function of an organization’s legal department in relation to a penetration test?
A.Conducting the penetration test within confinements of the ROE and other contractual documents
B.Identifying weaknesses within the security support structure of an organization and simulating attacks applicable to the organization's threat profile
C.Providing accounts and access to the organizational systems as required for the assessment
D.Ensuring that legal and contractual commitments are upheld by all parties involved in the penetration test

A

D.Ensuring that legal and contractual commitments are upheld by all parties involved in the penetration test

Explanation

Correct Answer: Ensuring that legal and contractual commitments are upheld by all parties involved in the penetration test is correct. Of the options listed, an organization’s legal department would be expected to ensure adherence to legal and contractual obligations by all parties involved in the engagement. The legal team may also have a role to play in providing written authorization for the penetration test, depending on the organization.

Incorrect Answers: Identifying weaknesses within the security support structure of an organization and simulating attacks applicable to the organization’s threat profile is incorrect because identifying security weaknesses would be the responsibility of both organizational security personnel and the IT department.

Conducting the penetration test within confinements of the ROE and other contractual documents is incorrect because executing a penetration test is the purview of the penetration tester(s).

Providing accounts and access to the organizational systems as required for the assessment is incorrect because the provisioning of accounts and access required for the execution of the penetration test would be managed by the organization’s IT department.

46
Q
Mechanical locks such as a pin tumbler lock can be defeated using which of the following techniques?
A.Jiggling
B.SPP
C.All of the answer choices are correct
D.Raking
A

C.All of the answer choices are correct

Explanation

Correct Answer: All of the answer choices are correct. Single pin picking (SPP), raking, and jiggling are all lock-picking skills that can be used to defeat the security mechanism in mechanical locks such as a pin tumbler lock. All of the other choices are incorrect as individual responses. Mechanical locks can be defeated using all these techniques, making all answers the correct choice.

47
Q
You have been contracted for a penetration test of a medium-sized organization. As a part of this assessment, the client has requested that phishing attempts be leveraged against key personnel in their IT department who have administrative access to technical assets such as servers and their domain controllers. The targeting of IT personnel with administrative access is an example of what?
A.Interrogation
B.Authority
C.Baiting
D.Whaling
A

D.Whaling

Explanation

Correct Answer: Whaling is correct. Given the damage potential of compromising the workstations and personal accounts of company systems administrators, this would be an example of whaling.

Incorrect Answers: Baiting is incorrect because baiting is a motivating factor defined by its use of means that tempt or entice a target into performing a given action.

Interrogation is incorrect because interrogation is the use of carefully asked questions to elicit information from a target.

Authority is incorrect because authority is a motivational technique that relies on the abuse of people’s trust for legal, organizational, and social leadership figures in order to gain access to secured locations or controlled information.

48
Q
Which attack tactic category as detailed by MITRE's ATT&CK matrix details methods used to gain a foothold within a target network?
A.Collection
B.Discovery
C.Execution
D.Initial access
A

D.Initial access

Explanation

Correct Answer: Initial access is correct. Attack patterns categorized as initial access methods by ATT&CK are attack techniques used to gain an initial foothold within a target system or network.

Incorrect Answers: Discovery is incorrect because attacks categorized as discovery methods are post-exploit or post-compromise techniques that enhance an attacker’s knowledge of a system or network, usually with the goal of supporting another category of attack such as collection or lateral movement; this could be as simple as using the find command in Linux or the findstr command in Windows with the appropriate flags and options to search for passwords stored in plaintext.

Collection is incorrect because attacks categorized as collection methods serve to harvest information and data from a system (such as static files or database dumps) prior to exfiltration; a simple example of this would be using the Linux ls command with recursion enabled to search for interesting or specifically targeted filenames.

Execution is incorrect because attacks categorized as execution methods are techniques that result in the execution of malicious code on a local or remote system; an example of this would be the use of a native command-line interface, such as cmd.exe in a Windows environment, or the terminal on a Linux host.

49
Q
The following lines of code will echo a `random_msg` every second until `var` equals 10. However, the same message is echoed each time through the loop. What could you do to help randomize the messages that are echoed to the terminal?
A.Move line 5 within the while loop
B.Move line 3 below line 8
C.Move line 4 below line 11
D.Move line 9 outside of the while loop
A

A.Move line 5 within the while loop

Explanation

Correct Answer: Move line 5 within the while loop is correct. A seed value is a number used to initialize a pseudorandom number generator. The Bash script requires a condition that generates a random seed value (line 5) to be placed within the while loop to help randomize the message that is echoed to the terminal when the script is executed. When the condition is not in the loop, the script will echo the same message until the value of $var equals 10.

Incorrect Answers: Move line 9 outside of the while loop is incorrect because moving line 9 outside of the loop will cause line 10 to fail, as there would be no $random_msg defined within the loop.

Move line 4 below line 11 is incorrect because moving line 4 below line 11 would cause line 9 to fail, and Move line 3 below line 8 is incorrect because line 7, which starts the loop, would fail because $var would no longer be declared.

50
Q
Which view of the weaknesses as defined by CWE organizes them in a way that addresses issues that are frequently used or encountered during the programming of applications and tools? As such, this categorization method will likely be in line with the perspectives of programmers, educators, and assessment vendors.
A.Research concepts
B.Development concepts
C.Architectural concepts
D.Programming concepts
A

B.Development concepts

Explanation

Correct Answer: Development concepts is correct because when viewed by development concepts, weaknesses are presented in a way that addresses issues frequently encountered during the programming of applications and tools.

Incorrect Answers: Programming concepts is incorrect because “programming concepts” is not a view used to sort entries in the CWE dictionary.

Architectural concepts is incorrect because when the CWE list is viewed by architectural concepts, weaknesses are presented according to common software design security tactics, with the intent being to assist software developers in identifying potential weaknesses while designing software.

Research concepts is incorrect because when the CWE list is viewed by research concepts, weaknesses are presented to best support their academic study, largely ignoring means of detection, their location in a given code sample, and when they tend to be introduced in the software development cycle.

51
Q
You have been contracted for a penetration test by a private aerospace corporation. The client has requested that you begin your assessment of their environment with no information that cannot be obtained via open source methods beyond a list of in-scope networks and subnets. What testing methodology is most likely desired by this client?
A.Gray box
B.White box
C.Black box
D.Red team
A

C.Black box

Explanation

Correct Answer: Black box is correct. The client desires black box testing in this case, as they have requested that you, the penetration tester, begin with little to no knowledge about the environment in question, beyond that which is obtainable through open source intelligence sources and a list of in-scope networks and subnets.

Incorrect Answers: White box is incorrect because white box testing is marked by the tester beginning with a significantly high volume of information about the environment.

Gray box is incorrect because gray box testing occupies a middle ground between black box and white box testing; because the client has requested that you have no information that cannot be publicly obtained, gray box testing may be ruled out as well.

Red team is incorrect because red team testing is a type of test, rather than a testing methodology. Close reading of the question will greatly aid you in your efforts to weed out incorrect answers such as this one.

52
Q
Which component of an Android application is used to start intents, send notifications, and process data?
A.Fragments
B.Content providers
C.Activities
D.Services
A

D.Services

Explanation

Correct Answer: Services is correct. The Services component of an Android application starts intents, sends notifications, and processes data.

Incorrect Answers: Fragments is incorrect because fragments are Android application components that define behavior placed in an activity.

Activities is incorrect because activities in an Android application are the parts that are visible to the user.

Content providers is incorrect because the content provider component of an Android application is a SQLite database that stores data in the form of a flat file.

53
Q
The Android operating system relies on which type of database to store data in the form of a flat file on the end user's mobile device?
A.MongoDB
B.PostgreSQL
C.SQLite
D.MySQL
A

C.SQLite

Explanation

Correct Answer: SQLite is correct. The SQLite database is used by Android to store data on the end user’s mobile device.

Incorrect Answers: MongoDB, MySQL, and PostgreSQL are incorrect. These types of databases are typically found in non-mobile, Unix-like and Windows environments.

54
Q

Mobile operating systems and mobile applications could be tested to evaluate the integrity and confidentiality of data both in transit and in how it is stored and protected on the mobile device. During a mobile application pentest, what testing technique(s) could you use to investigate the integrity and confidentiality weaknesses of a mobile application? (Choose three.)
A.Evaluate encryption protocol usage and configuration
B.Analyze application files and permissions
C.Brute-force the PIN lock of the device
D.Evaluate application data storage

A

A.Evaluate encryption protocol usage and configuration
B.Analyze application files and permissions
D.Evaluate application data storage

Explanation

Correct Answers: Evaluate encryption protocol usage and configuration is correct because evaluating the encryption protocol usage and configuration checks whether the encryption protocol or configured cipher has any known weakness that would jeopardize the confidentiality of the mobile data.

Analyze application files and permissions is correct because analyzing the application files and permissions is a way to look for weak access controls to sensitive resources that, if tampered with, could negatively impact the application, such as causing it to crash unexpectedly.

Evaluate application data storage is correct because in the case of Android-based applications, sensitive user data could be stored on an SD card, where it could be accessible to other applications outside of the sandboxed environment controlled by Android. If an application running on the mobile device is exploited, data contained on the SD card could be compromised.

Incorrect Answer: Brute-force the PIN lock of the device is incorrect. Brute-forcing the PIN lock on the device is a method to defeat the access control mechanism of the operating system, not the mobile application. In some cases, the mobile device itself is not in scope for a mobile application pentest, as the device is considered compromised if lost or stolen.

55
Q
You have been contracted for a penetration test of a medium-sized organization. You have successfully phished two system administrators and have pivoted to a box hosting a web application used by several company employees. Upon review of the web application code, however, you find that the code has been modified to enlist end-user CPUs to mine cryptocurrency. Evidence of a previous breach of a client network is a universal justification to halt a penetration test and immediately contact the client. To which document should a penetration tester look to determine whom they should contact?
A.Master service agreement (MSA)
B.Nondisclosure agreement (NDA)
C.Rules of engagement (ROE)
D.Written authorization letter
A

C.Rules of engagement (ROE)

Explanation

Correct Answer: Rules of engagement (ROE) is correct. The immediate point of contact (POC) for any issues that arise in a penetration test would be detailed in the ROE for the assessment.

Incorrect Answers: Master service agreement (MSA) is incorrect because the master service agreement (MSA) is the overarching document that provides general guidelines for future transactions and agreements between two or more parties.

Nondisclosure agreement (NDA) is incorrect because a nondisclosure agreement (NDA) is a confidentiality agreement that protects the proprietary information and intellectual property of a business.

Written authorization letter is incorrect because a written authorization letter is a document, provided as part of the rules of engagement (ROE) for a penetration test, that explicitly details the client organization’s authorization of the assessment to be conducted.

56
Q
The WHOIS directory service was developed in the 1980s to query what type of information?
A.IP Information
B.Host Information
C.User information
D.Domain registration information
A

D.Domain registration information

Explanation

Correct Answer: Domain registration information is correct. The WHOIS directory service was developed to look up domain registration information from registry databases administered by multiple registries and registrars around the world.

Incorrect Answers: IP information and host information are incorrect because that information is typically searched and obtained during Domain Name System (DNS) queries.

User information is incorrect because user information is not obtained from a WHOIS lookup; however, registrar contact information might be searchable if the registration of the domain is not private.

57
Q

You have been contracted for a penetration test of a medium-sized organization. As a part of this assessment, the client has requested that phishing attempts be leveraged against key personnel in their IT department who have administrative access to technical assets such as servers and their domain controllers. Your phishing campaign nets you two users who open the payload, giving you access to the targets’ personal workstations. One of these users happens to have saved administrative credentials to an internal company web application in their browser, which you harvest with the intent of planting a hidden payload in the web application’s code and expanding your footprint in the client network. Upon review of the web application code, however, you find that the code has been modified to enlist end-user CPUs to mine cryptocurrency. In this scenario, which of the key elements is most likely to be evidence of a previous security breach in the client’s network?
A.The use of saved credentials in an end user's browser
B.The request that you target personnel with highly privileged access to the client network
C.The code in the web application that turns end-user workstations into cryptocurrency miners
D.Two users opened the phishing payload

A

C.The code in the web application that turns end-user workstations into cryptocurrency miners

Explanation

Correct Answer: The code in the web application that turns end-user workstations into cryptocurrency miners is correct. The presence of code that turns an end user’s workstation into a cryptocurrency miner is blatant evidence of a previous breach of a target network or host in nearly any corporate network.

Incorrect Answers: Two users opened the phishing payload is incorrect because users opening a phishing payload would simply be findings in a penetration test report; it is not in and of itself proof that they would have opened malicious e-mails in the past.

The request that you target personnel with highly privileged access to the client network is incorrect because a request that you target personnel with highly privileged access to systems in the client network indicates the need for a series of whaling e-mails to go out to assess the security posture of those targeted individuals, rather than indicating that a previous breach occurred.

The use of saved credentials in an end user’s browser is incorrect because nearly all web browsers feature credential saving as a convenience for end users; its use may be dictated by corporate policy, but it is not evidence of a prior breach in and of itself, particularly in the context of this question.

58
Q

Which of the following items would be expected to be detailed in terms and guidance found in the SOW?
A.An agreement from the penetration tester to hold secret proprietary information belonging to the client organization
B.A detailed description of findings and recommendations for remediation
C.Terms for client acceptance of findings
D.A breakdown of scheduling for payment for services rendered by the penetration tester

A

C.Terms for client acceptance of findings

Explanation

Correct Answer: Terms for client acceptance of findings is correct. The terms under which a client will accept a penetration test report are expected to be detailed in the SOW of an engagement. These terms may dictate delivery methods, encryption protocols, due dates, or other fine details.

Incorrect Answers: A breakdown of scheduling for payment for services rendered by the penetration tester is incorrect because payment schedules are typically laid out in the master service agreement between the penetration tester and the client organization.

A detailed description of findings and recommendations for remediation is incorrect because findings and remediation recommendations would be found in the penetration test report delivered after the conclusion of a penetration test, rather than in the SOW, which is written and agreed to by all necessary parties prior to the beginning of testing.

An agreement from the penetration tester to hold secret proprietary information belonging to the client organization is incorrect because the item described is a nondisclosure agreement, which is its own document separate from the SOW. Since none of these items are present in the SOW, they are incorrect answers.

59
Q
You have been contracted for a penetration test of a medium-sized organization. Your phishing campaign nets you two users who open the payload, giving you access to the targets' personal workstations. One of these users happens to have saved administrative credentials to an internal company web application in their browser, which you harvest with the intent of planting a hidden payload in the web application's code and expanding your footprint in the client network. The injection of a malicious payload into a trusted company web application is an example of what?
A.Spear phishing
B.Baiting
C.Shoulder surfing
D.Waterholing
A

D.Waterholing

Explanation

Correct Answer: Waterholing is correct. The use of a trusted site to house a malicious payload is referred to as waterholing.

Incorrect Answers: Baiting is incorrect because baiting is a motivating factor defined by its use of means that tempt or entice a target into performing a given action.

Spear phishing is incorrect because spear phishing is a tightly targeted phishing attack that focuses on specific individuals who may have information or access to systems or resources desired by a penetration tester in the context of a security assessment.

Shoulder surfing is incorrect because shoulder surfing is the covert observance of individuals geared toward the collection of sensitive information.

60
Q
The following command will do what to the wireless network interface? `airmon-ng start wlan1`
A.Put WLAN1 into monitor mode
B.None of the answer choices are correct
C.Enable the wireless interface card
D.Inject packets on the wireless network
A

A.Put WLAN1 into monitor mode

Explanation

Correct Answer: Put WLAN1 into monitor mode is correct. The airmon-ng command utility is used to put the wireless interface into monitoring mode.

Incorrect Answers: Inject packets on the wireless network is incorrect because aireplay-ng is the Aircrack-ng utility that is capable of injecting packets on the wireless network.

Enable the wireless interface card is incorrect because the interface card should already be enabled prior to using airmon-ng.

“None of the answers…” is incorrect because at least one answer is correct.

61
Q
Which view of the weaknesses defined by CWE focuses on supporting their academic study, largely ignoring means of detection, their location in a given code sample, and when they tend to be introduced in the software development cycle?
A.Programming concepts
B.Architectural concepts
C.Research concepts
D.Development concepts
A

C.Research concepts

Explanation

Correct Answer: Research concepts is correct. When viewing the CWE organized by research concepts, you can see that the emphasis is on academic study of vulnerabilities rather than the means of detection or identifying hot spots in code where they may exist.

Incorrect Answers: Architectural concepts is incorrect because when the CWE list is organized by architectural concepts, weaknesses are presented according to common software design security tactics, with the intent being to assist software developers in identifying potential weaknesses while designing software.

Programming concepts is incorrect because “programming concepts” is not a view used to sort entries in the CWE dictionary.

Development concepts is incorrect because when the CWE is viewed by development concepts, weaknesses are presented in a way that addresses issues frequently encountered during the programming of applications and tools; this categorization method will likely be in line with the perspectives of programmers, educators, and assessment vendors.

62
Q

What are advantages of running a credentialed scan over running a noncredentialed scan? (Choose three.)
A.Configuration auditing
B.Provides a best guess at active services using null session scanning techniques
C.Eliminates false positives
D.Policy and compliance auditing

A

A.Configuration auditing
C.Eliminates false positives
D.Policy and compliance auditing

Explanation

Correct Answers: Eliminates false positives is correct because eliminating false positives is an important feature of credentialed scanning that saves you from having to spend time tracking irrelevant vulnerabilities.

Configuration auditing and Policy and compliance auditing are correct because credentialed scans can locate configuration weaknesses in the operating system and ensure that the proper operating benchmark is applied to meet a specific compliance or policy requirement, such as a group policy, registry setting, or local password configuration to enforce the use of password complexity.

Incorrect Answer: Provides a best guess at active services using null session scanning techniques is incorrect. Null session scanning provides best-guess scan results, which might not find all of the vulnerabilities that need to be evaluated, or might identify false positives that require unnecessary investigation of a vulnerability.

63
Q
Which attack against Bluetooth-enabled devices effectively denies use of Bluetooth functionality?
A.SYN flooding
B.Bluejacking
C.Bluesmacking
D.Ping flooding
A

C.Bluesmacking

Explanation

Correct Answer: Bluesmacking is correct. Bluesmacking may be most easily understood as the Bluetooth equivalent of an ICMP flood against a TCP/IP target: the attack is implemented through the use of echo requests over the L2CAP layer via an L2CAP ping. By using oversized packets, an attacker can crash the Bluetooth service.

Incorrect Answers: SYN flooding and ping flooding are incorrect because SYN flooding and ping flooding are DoS attacks that target TCP/IP network devices, ultimately attempting to consume server resources and bandwidth until the target system is no longer available. Since Bluetooth does not rely on TCP/IP networking, these are incorrect.

Bluejacking is incorrect because bluejacking is a technique used to send unsolicited mobile messages and information to victims via Bluetooth connections. Since the question asked about an attack that is used to deny service, this answer is incorrect.

64
Q

Milestone communication provides which of the following to the client organization?
A.Notification of noncritical findings
B.Information regarding recommended mitigation strategies for findings discovered during an engagement
C.Notification of critical findings
D.Notification of the beginning or conclusion of certain phases of testing

A

D.Notification of the beginning or conclusion of certain phases of testing

Explanation

Correct Answer: Notification of the beginning or conclusion of certain phases of testing is correct. Milestone (or stage-based) communication occurs when the client is notified at the start or completion of various stages of testing such as the beginning of a phishing campaign or when testing a specific subnet.

Incorrect Answers: Notification of critical findings is incorrect because critical findings are their own class of communication trigger and are not necessarily related to any particular milestone in the course of a penetration test.

Notification of noncritical findings is incorrect because communication of noncritical findings is reserved for the penetration test report, in order to prevent the client from being inundated with constant communication for issues that do not require their immediate attention.

Similarly, Information regarding recommended mitigation strategies for findings discovered during an engagement is incorrect because mitigation strategies should be reserved for the penetration test report in the findings and mitigation section, rather than shared immediately.

65
Q

What is the best reason an organization might ask to receive a goals-based/objectives-based assessment?
A.To evaluate the security within the organization through a simulated cyberattack
B.To evaluate the security effectiveness of the organization to protect against insider threats
C.To evaluate the effectiveness of the organization's safeguards to identify deficiencies in the network
D.To evaluate how well the organization follows industry best practices

A

A.To evaluate the security within the organization through a simulated cyberattack

Explanation

Correct Answer: To evaluate the security within the organization through a simulated cyber-attack is correct. A goals-based/objectives-based assessment evaluates the security of the network through a simulated cyber-attack. Each goal or objective provides general instruction for a given test scenario.

Incorrect Answers: To evaluate how well the organization follows industry best practices is incorrect because that type of assessment would be used to conduct a compliance or configuration audit of the organization’s information technology.

To evaluate the security effectiveness of the organization to protect against insider threats is incorrect because an insider threat is only an attack vector, whereas a simulated cyber-attack could cover many different scenarios, including an insider threat perspective.

To evaluate the effectiveness of the organization’s safeguards to identify deficiencies in the network is incorrect because evaluating security defense mechanisms is only one type of objective, whereas a simulated cyber-attack could cover many different scenarios. The byproduct or outcome of a goals-based/objectives-based assessment could provide insight into how the organization’s defenses held up against the assessment.

66
Q
Which Wi-Fi attack may be thought of as an advanced approach to the evil twin method, as it relies on wireless devices sending probe requests for a given wireless network before creating an AP with the same name?
A.KARMA
B.Wardriving
C.ChopChop
D.Bluesnarfing
A

A.KARMA

Explanation

Correct Answer: KARMA is correct. A KARMA attack occurs when an attacker listens for probe requests from a Wi-Fi-enabled device, then conveniently establishes an AP with a name matching that sought in the probe. The target device has no check in place to ensure that it is connecting to the actual AP it is requesting, and it will begin to send data to the attacker’s device, which can now effectively perform man-in-the-middle attacks against any network activity. Compare the KARMA attack to the less advanced evil twin, wherein an attacker creates a wireless AP within the vicinity of a known, legitimate AP in the hopes of having authorized users connect to the twin under their control.

Incorrect Answers: Wardriving is incorrect because wardriving is the practice of searching for wireless networks from a moving vehicle, using either a laptop or a smartphone. The term derives from wardialing, a practice from the days of phone-line-based network connections that consisted of dialing possible phone numbers in search of other modems.

ChopChop is incorrect because ChopChop is an attack method targeting WEP networks to obtain an XOR file, which may then be used to generate traffic and capture initialization vectors (IVs), ultimately enabling an attacker to decrypt the WEP key.

Bluesnarfing is incorrect because Bluesnarfing is a catchall term for the theft of data from devices via Bluetooth connections.

67
Q
Which tool is used to craft packets for injection into a wireless network, for instance after obtaining an XOR file from a fragmentation or ChopChop attack against a WEP network?
A.iwconfig
B.aircrack-ng
C.airbase-ng
D.packetforge-ng
A

D.packetforge-ng

Explanation

Correct Answer: Packetforge-ng is correct. Packetforge-ng is used to craft ARP, UDP, ICMP, or other custom packets for injection into wireless networks. This is often used in conjunction with an XOR file obtained from a fragmentation or ChopChop attack to ultimately obtain a WEP key.

Incorrect Answers: Aircrack-ng is incorrect because aircrack-ng is a tool used to crack WEP and WPA-PSK keys; aircrack-ng also lends its name to a suite of tools used in penetration testing of wireless networks.

Airbase-ng is incorrect because airbase-ng is a tool used to attack wireless clients rather than the APs to which they connect, for instance by creating an evil twin AP to which a potential victim can connect.

iwconfig is incorrect because iwconfig is a Linux utility used for configuration of wireless network interfaces.

68
Q
Which view of the weaknesses as defined by CWE organizes them according to common software design security tactics, and is intended to assist software developers in identifying potential weaknesses while designing software?
A.Research concepts
B.Programming concepts
C.Development concepts
D.Architectural concepts
A

D.Architectural concepts

Explanation

Correct Answer: Architectural concepts is correct because when the CWE list is viewed by architectural concepts, weaknesses are presented according to common software design security tactics, with the intent being to assist software developers in identifying potential weaknesses while designing software.

Incorrect Answers: Development concepts is incorrect because when the CWE list is viewed by development concepts, weaknesses are presented in a way that addresses issues frequently encountered during the programming of applications and tools.

Research concepts is incorrect because when the CWE list is viewed by research concepts, weaknesses are presented to best support their academic study, largely ignoring means of detection, their location in a given code sample, and when they tend to be introduced in the software development cycle.

Programming concepts is incorrect because “programming concepts” is not a system of categorization in use by the CWE dictionary.

69
Q
You have been contracted for a penetration test by a major online retailer. The client requires a third-party security assessment to provide confirmation that they are adhering to PCI DSS guidelines. What type of penetration test has been requested by this client?
A.Goals-based
B.Red team
C.Red box
D.Compliance based
A

D.Compliance based

Explanation

Correct Answer: Compliance-based is correct. An online retailer requiring confirmation of adherence to PCI DSS guidelines requires a compliance-based penetration test.

Incorrect Answers: Red box is incorrect because red box is a term intentionally designed to mislead; this answer is a nonsense term, derived from the black/white/gray box terms used to define penetration test methodologies. Be careful with answers such as this one.

Goals-based is incorrect because a goals-based assessment is more strategic in nature and focuses on the penetration tester(s) working to achieve a specific desired outcome.

Red team is incorrect because a red team assessment is one in which the penetration tester(s) attempt to emulate a real-world attack on a target environment. This is typically accomplished through the use of tactics, techniques, and procedures known to be employed by advanced persistent threats, or APTs.

70
Q
Ret2libc is what type of attack technique?
A.Buffer overflow
B.Pivoting
C.Command injection
D.Subrouting
A

A.Buffer overflow

Explanation

Correct Answer: Buffer overflow is correct. The return-to-libc (Ret2libc) attack is a technique used to hijack program control flow by exploiting a buffer overflow vulnerability and returning into subroutines within libc (the C standard library) that perform functionality useful to an attacker, such as making system calls.

Incorrect Answers: Subroutine is incorrect because a subroutine is not an attack technique but rather part of a larger computer program and includes a set of instructions that execute a task.

Command injection is incorrect because a command injection is a type of web exploit that takes advantage of a lack of input validation in web parameters.

Pivoting is incorrect because pivoting is an attack technique used to move from target to target, leveraging existing remote login services (e.g., SSH, VNC, RSH, FTP, etc.) within an organization’s network.

71
Q
The robots.txt file at the top-level directory of a website serves what purpose?
A.Contains hard-coded credentials for automated maintenance on a host or website
B.Provides an administrative portal through which commands can be sent to processes running on the host system
C.Restricts web indexing capabilities for web-crawling utilities such as Google
D.Provides additional backend data on the website, such as the hosting OS and local network information
A

C.Restricts web indexing capabilities for web-crawling utilities such as Google

Explanation

Correct Answer: Restricts web indexing capabilities for web-crawling utilities such as Google is correct. The robots.txt file found at the top-level directory of a website restricts web indexers such as Google and Bing from traversing certain locations within a domain.

Incorrect Answers: The other choices are incorrect. All of those answers would in fact be glaring vulnerabilities on any given system. While a robots.txt file can by itself be beneficial to a penetration tester (if an organization wants something hidden from web indexers, it stands to reason that there may be something interesting there from the perspective of an attacker), it is not likely to be a ticket to a free system shell, as the other answers would be.

72
Q
The process of listening to a private conversation without the other party knowing you are doing so is referred to as?
A.Enumeration
B.Consent to monitoring
C.Eavesdropping
D.Scanning
A

C.Eavesdropping

Explanation

Correct Answer: Eavesdropping is correct. Eavesdropping is the process of listening to a private conversation without the other party knowing you are doing so.

Incorrect Answers: Scanning is incorrect because scanning is the process of examining or studying the surface of an object. In regard to scanning a network, this option is more obtrusive than eavesdropping.

Consent to monitoring is incorrect because consent to monitoring is the acknowledgment by a user that they are subject to monitoring activities, similar to eavesdropping but with the individual consent of the user.

Enumeration is incorrect because enumeration is the process of extracting information from a target or service and is an active form of testing, whereas eavesdropping is passive.

73
Q
Which tool is used heavily in web server and web application testing, providing numerous features such as automated vulnerability detection, native traffic proxying and interception, automated site content discovery, on-the-fly parameter tampering, and robust plugin support for additional modules to expand functionality or target-specific classes of vulnerability?
A.Burp Suite
B.Nessus
C.Hydra
D.gobuster
A

A.Burp Suite

Explanation

Correct Answer: Burp Suite is correct. The tool described is PortSwigger’s Burp Suite. The key indicator here is the ability to intercept HTTP and HTTPS traffic on the fly and modify it for the purposes of testing.

Incorrect Answers: Gobuster is incorrect because gobuster is a Go-based, command-line-only tool designed to brute-force uniform resource identifiers (URIs) and DNS subdomains. It is incapable of any of the other features listed in the question, making this answer incorrect.

Nessus is incorrect because Nessus is a web-based vulnerability scanner that detects and alerts on potential vulnerabilities on target systems; it does not exclusively target web servers and web applications, nor is it capable of traffic interception or modification, making this answer incorrect.

Hydra is incorrect because Hydra is a parallelized login brute-force tool that can attack numerous protocols, including HTTP and HTTPS, LDAP, MySQL, and SSH, among many others. It does not provide any automated vulnerability scanning features, nor is it capable of content discovery, traffic interception, or parameter tampering, making this answer incorrect as well.

74
Q
You have been contracted for a penetration test of a medium-sized organization. For your phishing attempt, you elect to use a tool that can generate payloads, create malicious files, and send e-mails as needed. Given the description in the scenario, which of the following tools is most likely to be used for the phishing campaign?
A.Maltego
B.GoPhish
C.BeEF
D.SET
A

D.SET

Explanation

Correct Answer: SET is correct. The tool best described in the scenario is SET, the Social Engineering Toolkit. SET is a robust framework capable of handling payload generation, malicious website creation and hosting, and mass e-mailing.

Incorrect Answers: Maltego is incorrect because Maltego is an OSINT collection framework that is known for its ability to build and illustrate connections between various data points.

BeEF is incorrect because BeEF is a Ruby-based framework developed by The BeEF Project, designed to assist penetration testers by focusing on client-side attack vectors.

GoPhish is incorrect because GoPhish is an open-source phishing framework written by Jordan Wright that leverages a powerful, full HTML editor to design e-mail templates and landing pages and uses any SMTP mailing service, enabling users to rapidly design and deploy phishing campaigns against a target.