CompTIA PenTest+ Practice Test Chapter 2 Information Gathering and Vulnerability Identification (Sybex: Panek, Crystal, Tracy) Flashcards

1
Q

You have been asked to perform a black box penetration test for a medium-sized organization that sells imported motorcycles and ATVs online. In which phase of this assessment will you likely spend most of your time?

A.Planning and scoping
B.Information gathering and vulnerability identification
C.Attacking and exploiting
D.Reporting and communicating results

A

B.Information gathering and vulnerability identification

Explanation:
A black box penetration test is called for in this scenario, so you will likely spend most of your time in the information gathering and vulnerability identification phase of the assessment. This is because, by definition, you should have little or no knowledge of the organization or its network prior to running the test.

2
Q

You are performing a black box penetration test for a medium-sized organization that sells imported motorcycles and ATVs through its online storefront. You need to discover who owns the organization’s domain.
Which tool in your penetration testing toolkit should you use?

A.nslookup
B.whois
C.Shodan
D.Maltego

A

B.whois

Explanation:
The whois command can be used to gather information from public records about who owns a particular domain.

3
Q

You are performing a black box penetration test for a medium-sized organization that sells imported clothing through its online storefront. You need to discover which IP addresses are associated with the organization’s domain.
Which tool in your penetration testing toolkit should you use?

A.nslookup
B.whois
C.theHarvester
D.Fingerprinting Organizations with Collected Archives (FOCA)

A

A.nslookup

Explanation:
The nslookup command is included with most operating systems, including Windows and Linux, and can be used to resolve an organization’s domain name into its associated IP addresses.

4
Q

You are performing a black box penetration test for a medium-sized organization that sells imported clothing through its online storefront. You want to query search engines and other resources to discover email addresses, employee names, and other details about the target. Which tool in your penetration testing toolkit should you use?

A.nmap
B.Shodan
C.theHarvester
D.Fingerprinting Organizations with Collected Archives (FOCA)

A

C.theHarvester

Explanation:
theHarvester is a tool available on some Linux distributions, such as Kali Linux, that can be used to query search engines to discover email addresses, employee names, and other details about the target organization.

5
Q

You are performing a black box penetration test for a large organization that wholesales imported electronic devices in the United States. You need to uncover any information you can find about the organization using open source intelligence (OSINT). Which tool in your penetration testing toolkit could you use to do this?

A.Censys
B.whois
C.recon-ng
D.Shodan
E.All of the above

A

E.All of the above

Explanation:
The recon-ng utility provides a web reconnaissance framework that allows you to conduct open source reconnaissance about an organization on the Web. Censys is a web-based tool that probes a given IP address. The whois command can be used to gather information from public records about who owns a particular domain. Shodan is a specialized tool that a penetration tester can use to search public sources for evidence of an Internet of Things (IoT) device that a target organization may have deployed in their network.

6
Q

You are performing a black box penetration test for a large organization that wholesales imported electronic devices in the United States. You need to probe the organization’s web server IP address to see what information is associated with it, such as the version of SSL or TLS and the cipher suite that it uses.

Which tool in your penetration testing toolkit could you use to do this?

A.Censys
B.nslookup
C.Maltego
D.Shodan

A

A.Censys

Explanation:
Censys is a web-based tool that probes a given IP address. It presents whatever information it can discover about the host assigned that IP address, such as the version of SSL/TLS it uses, the cipher suite it uses, and its certificate chain. Note that some organizations put their IP addresses on a blacklist, which severely limits the amount of information that Censys can discover about them.

7
Q

You are performing a black box penetration test for a large financial organization. You want to search the Internet for any documents associated with the organization (such as Microsoft Word or PowerPoint documents) and analyze each file’s metadata for useful information. Which tool in your penetration testing toolkit could you use to do this?

A.Censys
B.Shodan
C.nmap
D.Fingerprinting Organizations with Collected Archives (FOCA)

A

D.Fingerprinting Organizations with Collected Archives (FOCA)

Explanation:
Fingerprinting Organizations with Collected Archives (FOCA) is a utility that you can use to gather metadata from an organization’s documents, such as Word, PowerPoint, OpenOffice, and Adobe Reader files. FOCA searches popular search engines, such as Google and Bing, for these files and extracts any metadata they may contain.

8
Q

A consultant has been hired by an organization to perform a black box penetration test. She knows that Internet of Things (IoT) devices frequently employ weak security mechanisms that a penetration tester can exploit. She wants to discover whether the target organization has any of these devices deployed. Which utility could she use to do this?

A.Censys
B.Shodan
C.theHarvester
D.Maltego

A

B.Shodan

Explanation:
Shodan is a specialized tool that a penetration tester can use to search public sources for evidence of an Internet of Things (IoT) device that a target organization may have deployed in their network. This can be useful because IoT devices frequently employ weaker security mechanisms that a penetration tester can exploit.

9
Q

A consultant has been hired by an organization to perform a black box penetration test. She has used a variety of tools to gather OSINT about the target organization. Her efforts have been very successful. In fact, she has gathered so much information that she is having a hard time organizing it into a format that she can use efficiently. Which tool could she use to organize the information that she has gathered?

A.Censys
B.Shodan
C.theHarvester
D.Maltego

A

D.Maltego

Explanation:
Maltego is a utility that penetration testers frequently use to organize the information they have gathered from OSINT sources. One of its key benefits is its ability to graphically display the information discovered and visually link it together.

10
Q

A consultant has been hired by an organization to perform a black box penetration test. She wants to perform a detailed scan of the target organization’s public-facing web server to see what she can learn. Which utility should she use to accomplish this?

A.nmap
B.Shodan
C.whois
D.Maltego

A

A.nmap

Explanation:
The nmap utility is a widely used scanner. You can use it to scan a single host, such as the web server mentioned in this scenario, or even an entire network. To be a successful penetration tester, you should be familiar with the various ways in which nmap can be employed to discover information.

11
Q

You have been hired to conduct a black box penetration test for a client. You want to use a spear phishing attack to expose the authentication credentials used by key employees of the organization. Which tools or techniques could you use to gather the information needed to conduct this attack? (Choose two.)

A.Dumpster diving
B.theHarvester
C.nmap scan
D.Nessus scan
E.Shodan

A

A.Dumpster diving
B.theHarvester

Explanation:
Dumpster diving is a technique used to gather information about a target organization by reviewing documents found in its trash. Likewise, theHarvester can be used to search the Internet to find email addresses and employee names. This information can be used to craft an effective spear phishing campaign.

12
Q

You have been hired to conduct a black box penetration test for a client. You want to use a whaling attack to expose the authentication credentials used by the organization’s leadership.

What information could you use to do this? (Choose two.)

A.Nessus scan
B.Press releases
C.Censys probe
D.OpenVAS scan
E.Executive bios

A

B.Press releases
E.Executive bios

Explanation:
The key to a successful whaling exploit is having detailed information about the leaders in the target organization. Useful information can often be gleaned from the organization’s website in the form of press releases and executive bios. This information can provide you with names, positions, and possibly even contact information.

13
Q

Which of the following can be considered OSINT related to the target of a penetration test? (Choose two.)

A.Social media posts
B.Results from an nmap scan
C.Employees’ Social Security numbers
D.Corporate tax filings
E.Personal tax filings of executive leadership

A

A.Social media posts
D.Corporate tax filings

Explanation:
Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, while reading social media posts and viewing corporate tax filings are passive methods. Social Security numbers and personal tax filings are both examples of protected information that is not publicly available.

14
Q

Which of the following can be considered OSINT related to the target of a penetration test? (Choose two.)

A.Results from a Nessus scan
B.Information from a penetration tester who tailgated her way into the organization’s facility
C.Information from the organization’s DNS registrar
D.Job postings on the organization’s website
E.Information gathered from a disgruntled employee

A

C.Information from the organization’s DNS registrar
D.Job postings on the organization’s website

Explanation:
Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, as is penetrating the organization’s facility or wheedling information out of a disgruntled employee. On the other hand, gathering information from the organization’s DNS registrar or reading job postings on the organization’s website are examples of passively gathering public information.

15
Q

You are in the information gathering stage of a black box penetration test. You need to footprint the target organization by determining what type of network infrastructure they use. Which OSINT sources could potentially reveal this information? (Choose two.)

A.Job postings on the organization’s website
B.An nmap scan of the internal network
C.A Nessus scan of the internal network
D.Information from a penetration tester who tailgated her way into the organization’s facility
E.Résumés of current employees on LinkedIn

A

A.Job postings on the organization’s website
E.Résumés of current employees on LinkedIn

Explanation:
Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, as is penetrating the organization’s facility. On the other hand, job postings on the organization’s website as well as résumés of current employees on LinkedIn are both examples of public information. By reviewing these two sources, you may determine what types of systems the organization has deployed.

16
Q

You are in the information gathering stage of a black box penetration test. Which tools could you use to footprint the target organization using OSINT? (Choose two.)

A.aircrack-ng
B.whois
C.recon-ng
D.Kismet
E.WiFight

A

B.whois
C.recon-ng

Explanation:
The whois tool can be used to gather information about domain ownership from public records. The recon-ng utility is a modular web reconnaissance framework that organizes and manages OSINT information.

17
Q

Consider the output from the command shown here: Which OSINT utility was used to gather this information?

A.whois
B.nslookup
C.nmap
D.ifconfig host

A

A.whois

Explanation:
The whois tool can be used to gather information about domain ownership from public records. In the example shown in this question, you can learn who the registrar is for the domain, the name of the organization that owns it, the address of the organization, the phone number of the organization, the name of the employee that manages the domain, and that employee’s email address.

18
Q

Consider the output from a command shown here: Which OSINT utility was used to gather this information?

A.whois
B.nslookup
C.Nessus
D.recon-ng host

A

B.nslookup

Explanation:
The nslookup utility can be used to resolve a domain name into its associated IP address.

19
Q

Consider the output from a command shown here:
Which OSINT utility was used to gather this information?

A.whois
B.nslookup
C.nmap
D.recon-ng
E.host

A

D.recon-ng

Explanation:
The recon-ng utility provides a web reconnaissance framework that allows you to conduct open source reconnaissance about an organization on the Web. In this example, all the public-facing servers associated with the domain name specified along with their IP addresses have been displayed.

20
Q

You are performing reconnaissance as part of a black box penetration test. You run a vulnerability scan on one of the target organization’s public-facing servers and discover that port 25 is open. What does this indicate?

A.It is a DNS server.
B.It is an SMTP server.
C.It is an FTP server.
D.It is an SMB file server.

A

B.It is an SMTP server.

Explanation:
The default port for an SMTP email relay service is port 25. Most Linux distributions use an email daemon such as sendmail for internal messaging. However, it can also be used to send messages over the network via SMTP on port 25. Normally, this port is firewalled on a public-facing server to prevent the daemon from being used for unauthorized email relay by spammers. Occasionally, you may find servers where someone opened port 25 and forgot to close it, making the host vulnerable.

21
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s internal servers and discover that port 445 is open. What does this indicate?

A.It is a DNS server.
B.It is an HTTPS server.
C.It is an SSH server.
D.It is an SMB file server.

A

D.It is an SMB file server.

Explanation:
The default port for the SMB/CIFS service using direct TCP connections is port 445. The SMB/CIFS protocol is used for file sharing, so the host in question must be a file server.

22
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that port 23 is open. What does this indicate?

A.It is a DNS server.
B.It is an SSH server.
C.It is a Telnet server.
D.It is an FTP server.

A

C.It is a Telnet server.

Explanation:
The default port for the Telnet service is 23. Telnet is used to remotely manage a system using a command-line interface. Telnet is a very old and insecure protocol. All information transmitted between the Telnet server and client is sent unencrypted, including authentication information. By sniffing traffic going in and out of this host on port 23, you may be able to capture usernames and passwords.

23
Q

You are performing reconnaissance as part of a black box penetration test. You run a vulnerability scan on one of the target organization’s public-facing servers and discover that port 20 is open. What does this indicate?

A.It is a DNS server.
B.It is an FTP server.
C.It is an SSH server.
D.It is a TFTP server.

A

B.It is an FTP server.

Explanation:
The default ports used by the FTP service are 20 and 21. FTP is used to transfer files between hosts over a network connection. FTP is a very old and insecure protocol. All information transmitted between the FTP server and client is sent unencrypted, including authentication information. By sniffing traffic going in and out of this host on ports 20 and 21, you may be able to capture usernames and passwords.

24
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that port 69 is open. What does this indicate?

A.It is a DNS server.
B.It is a domain controller.
C.It is an SSH server.
D.It is a TFTP server.

A

D.It is a TFTP server.

Explanation:
The default port used by the TFTP service is 69. TFTP provides a quick and easy way to transfer files between hosts over a network connection. Unlike FTP, TFTP uses the connectionless UDP Transport Layer protocol instead of TCP. The lack of acknowledgments allows a TFTP server to transfer files faster than an FTP server. However, TFTP is an insecure protocol. All information transmitted between the TFTP server and client is sent unencrypted. In addition, TFTP doesn’t provide a means for authenticating connections. Therefore, anyone can connect to the service and transfer files without providing authentication credentials.

25
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that several ports are open, including 88, 135, 139, 389, and 464. What does this indicate?

A.It is a domain controller.
B.It is a POP3 email server.
C.It is an SSH server.
D.It is an IMAP email server.

A

A.It is a domain controller.

Explanation:
A Windows domain controller hosts many domain-related services. Therefore, most domain controllers will have many ports open. Most will include the following:
Port 88: Used for Kerberos authentication.
Port 135: Used for communications between domain controllers and clients as well as between domain controllers.
Ports 138 and 139: Used for file replication between domain controllers.
Port 389: Used for LDAP queries.
Port 445: Used for SMB/CIFS file sharing.
Port 464: Used for Kerberos password change.
Port 636: Used for secure LDAP queries.
Ports 3268 and 3269: Used for Global Catalog communications.
Port 53: Used for DNS name resolution.

26
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that port 143 is open. What does this indicate?

A.It is an LDAP server.
B.It is a POP3 email server.
C.It is an SSH server.
D.It is an IMAP email server.

A

D.It is an IMAP email server.

Explanation:
The default port used by the IMAP service is 143. The IMAP protocol is used by email servers to transfer messages between the mail server and mail clients.

27
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that port 22 is open. What does this indicate?

A.It is an LDAP server.
B.It is a POP3 email server.
C.It is an SSH server.
D.It is an HTTP server.

A

C.It is an SSH server.

Explanation:
The default port used by the SSH service is 22. The SSH protocol is used to remotely manage systems using a command line interface. Unlike Telnet, SSH uses encryption to protect authentication credentials as well as the data being transmitted between the client and the server.

28
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that ports 80 and 443 are open. What does this indicate?

A.It is an LDAP server.
B.It is a Kerberos authentication server.
C.It is a POP3 email server.
D.It is an HTTP server.

A

D.It is an HTTP server.

Explanation:
The default ports used by a web server are 80 (HTTP) and 443 (HTTPS). Data transmitted on port 80 is usually sent in the clear, while data sent on port 443 is encrypted using SSL/TLS.

29
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that ports 389 and 636 are open. What does this indicate?

A.It is an LDAP server.
B.It is a Kerberos authentication server.
C.It is a Global Catalog server.
D.It is a DNS server.

A

A.It is an LDAP server.

Explanation:
The default ports used by an LDAP server are 389 (insecure) and 636 (secure). The LDAP protocol is used to query an LDAP-compliant directory server, such as Active Directory or eDirectory. Because directory information sent on port 389 is not encrypted, sniffing the traffic on this port could reveal user account information.

30
Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that port 53 is open. What does this indicate?

A.It is an NTP server.
B.It is a Kerberos authentication server.
C.It is a Global Catalog server.
D.It is a DNS server.

A

D.It is a DNS server.

Explanation:
The default port used by a DNS server is 53. The DNS service is used to resolve hostnames into IP addresses (and vice versa). If the DNS server has been poorly secured, you may be able to compromise it and poison the lookup tables, enabling you to redirect legitimate name resolution requests to a fake destination host where a variety of exploits could be implemented on client systems.

31
Q

During the discovery phase of a black box penetration test, you run the traceroute command to discover the route over the Internet to the target organization’s web server. The results are shown here: What do the *** characters indicate on lines 12, 13, and 14?

A.The associated devices have been configured to not respond to pings.
B.The hostnames of the associated devices could not be resolved by the DNS server.
C.The associated devices are down.
D.Your computer has been blacklisted by these devices in the route.

A

A.The associated devices have been configured to not respond to pings.

Explanation:
The *** characters in the output of the traceroute command indicate that the router for that particular hop of the route is up and forwarding traffic, but it isn’t allowed to respond to the pings used by the traceroute command.

32
Q

During the discovery phase of a black box penetration test, you use the centralops.net website to perform reconnaissance on the target organization’s domain name. Partial results are shown here: What public-facing services are available for this domain name? (Choose two.)

A.FTP
B.Secure email
C.Insecure web server
D.Secure web server
E.Insecure email
F.Secure shell

A

C.Insecure web server
D.Secure web server

Explanation:
A web server is associated with this domain name. It is configured to use the HTTP protocol (insecure) on port 80 and the HTTPS protocol (secure).

33
Q

During the discovery phase of a black box penetration test, you use the centralops.net website to perform reconnaissance on the target organization’s domain name. Partial results are shown here:
Which of the following are true? (Choose two.)

A.The organization’s certificate expired in 2017.
B.SHA1 was used to sign the organization’s certificate.
C.The organization uses the Apache web server.
D.SHA256 was used to sign the organization’s certificate.
E.The organization’s web server runs on Windows.

A

D.SHA256 was used to sign the organization’s certificate.
E.The organization’s web server runs on Windows.

Explanation:
In this example, the organization’s SSL/TLS certificate was signed using the SHA256 cryptographic hash function. In addition, it can be seen that the organization uses the IIS web server, which runs on top of Windows Server.

34
Q

During the discovery phase of a black box penetration test, you have identified an email address that you suspect belongs to an executive within the target organization. You use the centralops.net website to analyze that email address. The results are shown here: What can you learn from the output?

A.This is a valid email address.
B.This is an invalid email address.
C.This email address belongs to the executive in question.
D.This email address belongs to a help-desk employee.

A

A.This is a valid email address.

Explanation:
In this example, the line that reads “250 2.1.5 Recipient OK” indicates that this is a valid email address within the target organization’s domain. However, it does not reveal who the address belongs to. All you know is that it is a legitimate email. To use it in the penetration test, you would first need to triangulate it against a list of company executives, such as is sometimes found on an organization’s website.

35
Q

During the discovery phase of a black box penetration test, you have identified an email address that you suspect belongs to an executive within the target organization. You use the centralops.net website to analyze that email address. The results are shown here:
What can you learn from the output?

A.The organization’s email server has an IP address of 208.101.20.81.
B.The organization’s email naming convention is first_initial+lastname@company_name.com.
C.The organization’s email naming convention is first_initial.lastname@company_name.com.
D.The organization’s email server does not respond to HELO commands.

A

B.The organization’s email naming convention is first_initial+lastname@company_name.com.

Explanation:
In this example, the line that reads “250 2.1.5 Recipient OK” indicates that this is a valid email address within the target organization’s domain. Because this is a valid email address, you now know that the organization most likely uses an email naming convention of first_initial+lastname@company_name.com. Using this information, you could reference the organization’s executive bio web page and construct email addresses for all of its management team members.

36
Q

During the discovery phase of a black box penetration test, you have identified an email address that you suspect belongs to an executive within the target organization. You use the centralops.net website to analyze that email address. The results are shown here:

What can you learn from the output?

A.The organization’s email server has an IP address of 208.101.20.106.
B.The organization’s email server sits behind an email filter device.
C.The organization’s email server runs on Windows and has ports 80 and 443 open in its firewall.
D.The organization’s email server responds to HELO commands.

A

D.The organization’s email server responds to HELO commands.

Explanation:
In this example, the output tells us that the email server responds to SMTP HELO commands. Useful information can sometimes be gleaned from an email server using HELO commands.

37
Q

During a white box penetration test, you use the nmap utility to scan an entire subnet for hosts. Once the scan is complete, you need to enumerate the systems found. What information do you need to identify for each device discovered? (Choose two.)

A.Services installed
B.The version of nmap used to perform the scan
C.The number of unique users on the subnet
D.The version of the operating system installed
E.The grade of Ethernet cable used to create the physical network

A

A.Services installed
D.The version of the operating system installed

Explanation:
The process of enumeration involves connecting to each host discovered on the network segment and identifying key information, including the services each host is running as well as the version number of the installed operating system.

38
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:
What can you learn about the device from this information?

A.It is a Windows server.
B.It is a virtual machine.
C.It is a router.
D.It is an access point for a wireless network

A

D.It is an access point for a wireless network

Explanation:
The process of enumeration involves connecting to each host discovered on the network segment and identifying key information. In this example, notice that the OS class of the device is as follows:
Type: WAP
Vendor: Belkin
OS Family: Embedded
From this information, you can reasonably infer that this device is a wireless access point.

39
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device using this information?

A.The device is in maintenance mode.
B.It is running an HTTP service.
C.It has been joined to a Windows domain.
D.It is managed by a wireless controller.

A

B.It is running an HTTP service.

Explanation:
Under Ports Used, notice that port 80 TCP is open on the device. This indicates that it most likely is running an HTTP web server.

40
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device using this information?

A.The device’s default administrative password
B.The number of wireless clients connected
C.The IP address of the device’s controller
D.The make and model of the device’s controller

A

A.The device’s default administrative password

Explanation:
By searching the Internet for the operating system version number displayed under Operating System, you can likely discover the default administrative username and password used by the device. Several high-profile exploits over the last few years have been facilitated by the fact that the system implementer failed to change the default username and password used by network infrastructure devices.

41
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device from this information?

A.It is a Linux workstation.
B.It is a Linux server.
C.It is a mobile device.
D.It is a router running an embedded version of Linux.

A

C.It is a mobile device.

Explanation:
Notice that the hostname of the device under Hostnames > Name begins with android. From this, you can reasonably infer that the device is most likely a mobile phone or tablet running the Android operating system.

42
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device from this information?

A.It uses the NTLM protocol for file sharing.
B.It is missing the latest updates from Microsoft.
C.It is a domain controller.
D.It is a file server.

A

C.It is a domain controller.

Explanation:
Notice that this device is running Windows Server 2012 and that it has port 53 open, which is the default port for a DNS server. It is reasonable to infer, therefore, that this server is a domain controller. The Active Directory role on a Windows server requires the DNS role. While the DNS role could be located on a different member server, Active Directory is almost always installed on the same server as the DNS role.

43
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device from this information?

A.It has shares defined on one of its hard disks.
B.It is a global catalog server.
C.It has the Hyper-V hypervisor role installed.
D.It has been federated with another domain.
E.None of the above.

A

E.None of the above.

Explanation:
None of the responses listed in this question can be reasonably inferred from the information displayed in Zenmap. You know that it is a Windows server and that it is most likely a domain controller, but you can’t infer much else from the information given.

44
Q

You are using a Telnet client to connect to a web server in an attempt to fingerprint what type and version of web server software is running on it. What is this process called?

A.Banner grabbing
B.Scanning
C.Exploiting
D.Cracking

A

A.Banner grabbing

Explanation:
Banner grabbing is the process of manually connecting to a device, such as a web server, using a utility such as a Telnet client or Ncat and using the information displayed to fingerprint the device.

45
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and then fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device from this information? (Choose two.)

A.It is a router. 
B.It is a network printer. 
C.It is a DNS server. 
D.It is running a web server. 
E.It has been joined to an Active Directory domain.
A

B.It is a network printer.
D.It is running a web server.

Explanation:
In this example, the device is running a web server on ports 80 and 443. Ports 515, 631, and 9100 are all used to provide network printing.

46
Q

You are performing a gray box penetration test. You want to use the Telnet client on your Linux laptop to grab the banner of a web server on the target’s network. The target web server has an IP address of 10.0.0.1. Which command would you use at the shell prompt to do this?

A.telnet 10.0.0.1:80
B.telnet 10.0.0.1:403
C.telnet 10.0.0.1 80
D.telnet 10.0.0.1 403

A

C.telnet 10.0.0.1 80

Explanation:
In this example, you would enter telnet 10.0.0.1 80 at the shell prompt of your Linux system to grab the banner of the target web server.

47
Q

You are performing a gray box penetration test. You use the Telnet client on your Linux laptop to grab the banner of a web server on the target’s network.
The results are shown here:

A.The web server is running on top of Linux.
B.The web server is running on top of the Windows Server operating system.
C.It is running Apache.
D.It is running IIS.
E.The device is likely a security device.

A

C.It is running Apache.
E.The device is likely a security device.

Explanation:
In this example, you know that the device is running the Apache web server. Also notice that the name of the device is “Untangle Server.” By searching the Internet, you can learn that Untangle sells security devices used to manage traffic coming in and out of a network. Therefore, you can reasonably assume that the device is a security device from this company.

48
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and then fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device from this information?

A.It is most likely a Windows Server machine.
B.It is most likely a Windows workstation.
C.It is most likely a Windows domain controller.
D.It is most likely an iPhone mobile device.

A

B.It is most likely a Windows workstation.

Explanation:
The device in this example is most likely a Windows workstation. This is evidenced by the fact that the default SMB/CIFS file sharing ports are open on the system.

49
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and then fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device from this information?

A.It is most likely a Cisco router.
B.It is most likely a Linux workstation.
C.It is most likely a Windows domain controller.
D.It is most likely an Android mobile device.

A

C.It is most likely a Windows domain controller.

Explanation:
The device in this example is most likely a domain controller running on Windows Server. This is evidenced by the fact that the default DNS server, LDAP, and Kerberos ports are open on the system.

50
Q

During the discovery phase of a gray box penetration test, you use the Zenmap utility to enumerate and then fingerprint the devices on one of the target organization’s subnets. One device in particular caught your attention. The output is shown here:

What can you learn about the device from this information? (Choose two.)

A.It is most likely a Cisco router. 
B.It is most likely a Linux workstation.
C.It is running a DNS server. 
D.It is running a web server. 
E.It is most likely a Windows Server machine.
A

C.It is running a DNS server.
D.It is running a web server.

Explanation:
The device in this example is a little harder to analyze. You can clearly see that it is running a DNS server and a web server. However, not enough information is displayed here to infer much else. One possibility is that it is a wireless router that includes a caching-only DNS server and an embedded web server that is used to configure and manage the device. However, more information would be required to make this determination.

51
Q

As part of the information gathering process during a gray box penetration test, you need to perform a certificate inspection on the target organization’s internal web server. Which utility could you use on your Kali Linux laptop to do this?

A.sslyze
B.Zenmap
C.nmap
D.hping

A

A.sslyze

Explanation:
The sslyze tool is a penetration testing tool that is commonly used to perform certificate inspection.

52
Q

During a gray box penetration test, you have used a utility on your Kali Linux laptop to inspect the certificate used by the target organization’s internal web server. The output is shown here:

What can you learn from this output? (Choose two.)
A.SSLv2 is supported by the web server.
B.TLSv1_1 is supported by the web server.
C.TLSv1_2 is supported by the web server.
D.TLSv1 is supported by the web server.
E.SSLv3 is supported by the web server.

A

B.TLSv1_1 is supported by the web server.
C.TLSv1_2 is supported by the web server.

Explanation:
The output of the sslyze command in this example shows that the web server responded to TLSv1_1 and TLSv1_2 queries but did not respond to SSLv2, SSLv3, or TLSv1 queries.

53
Q
You need to capture packets on a wired network during the information gathering phase of a gray box penetration test. Which utilities could you use on your laptop to accomplish this? (Choose two.) 
A.tcpdump 
B.nmap 
C.Wireshark 
D.Zenmap 
E.aircrack-ng
A

A.tcpdump
C.Wireshark

Explanation:
You can use either tcpdump or Wireshark to capture packets on a wired network. Of the two, Wireshark is usually considered to have the most user-friendly interface.

54
Q

During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target’s facility and attempt to capture data from their wireless network. Before you can do this, you must break the encryption used on the Wi-Fi network. You are parked in the organization’s parking lot. Which utility could you use on your Linux laptop to do this?

A.aircrack-ng
B.tcpdump
C.Wireshark
D.nmap

A

A.aircrack-ng

Explanation:
The Aircrack-ng utility can be used to discover wireless networks in range and then crack their encryption. This process is very fast for old WEP networks, harder but doable for WPA networks, and quite challenging for WPA2 networks.

55
Q

During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target’s facility and attempt to capture data from its wireless network. You are parked in the organization’s parking lot. How must the wireless network interface in your laptop be configured to do this?

A.Set to monitor mode.
B.Set to promiscuous mode.
C.Set to capture mode.
D.Set to IEEE 802.1x mode.

A

A.Set to monitor mode.

Explanation:
Before a wireless network interface can be used to capture wireless network traffic, it must be configured to run in monitor mode on the specific channel used by the transmitting access point.

56
Q

During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target’s facility and attempt to capture data from its wireless network. You are parked in the organization’s parking lot. You want to use aircrack-ng to crack the encryption used by the Wi-Fi network. To accomplish this, you first need to capture the authentication handshake. Which utility should you run on your laptop to do this?

A.airodump-ng
B.aireplay-ng
C.aircrack-ng
D.nmap

A

A.airodump-ng

Explanation:
Before Aircrack-ng can be used to crack the encryption on a wireless network, you must first run the airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake.

57
Q

During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target’s facility and attempt to capture data from their wireless network. You have already captured the authentication handshake. You next need to deauthenticate the wireless client so you can begin capturing data. Which utility should you run on your laptop to do this?

A.airodump-ng
B.aireplay-ng
C.aircrack-ng
D.nmap

A

B.aireplay-ng

Explanation:
Before Aircrack-ng can be used to crack the encryption on a wireless network, you must first run the airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake. Then, you need to de-authenticate the wireless client by running the aireplay-ng utility.

58
Q

As part of a gray box penetration test, you need to capture packets on a wired network. How must the wired network interface in your laptop be configured to accomplish this?

A.Set to monitor mode.
B.Set to promiscuous mode.
C.Set to capture mode.
D.Set to IEEE 802.1x mode.

A

B.Set to promiscuous mode.

Explanation:
Before you can capture packets on a wired network, your network interface must be configured to run in promiscuous mode. Otherwise, it will discard all frames it receives that are not addressed specifically to its address.

59
Q

As part of a gray box penetration test, you need to capture packets on a wired network. You’ve configured the network interface in your laptop to accept all frames transmitted on the network medium, and you have installed Wireshark. However, when you run Wireshark, you only see frames that are addressed specifically to your laptop. Why did this happen?

A.A host-based firewall on your laptop is blocking all other frames.
B.MAC address filtering has been enabled on the switch.
C.The network uses a hub.
D.The network uses a switch.

A

D.The network uses a switch.

Explanation:
The issue here is that the network uses a switch instead of a hub. The switch learns the MAC addresses of each network interface connected to each switch port. It only transmits frames to the specific port to which the destination network interface is attached. Because of this, your laptop never sees frames transmitted to any other host on the network.

60
Q

As part of a gray box penetration test, you need to capture packets on a wired network. You’ve configured the network interface in your laptop to accept all frames transmitted on the network medium, and you have installed Wireshark. However, when you run Wireshark, you only see frames that are addressed specifically to your laptop. How can you fix this?

A.Disable the host-based firewall on your laptop.
B.Disable MAC address filtering on the switch.
C.Replace the network switch with a hub.
D.Connect your laptop to a mirror port on the switch.

A

D.Connect your laptop to a mirror port on the switch.

Explanation:
The issue here is that the network uses a switch instead of a hub. The switch learns the MAC addresses of each network interface connected to each switch port. It only transmits frames to the specific port to which the destination network interface is attached. Because of this, your laptop never sees frames transmitted to other hosts on the network. While you could theoretically swap out the network switch for a hub, your client would probably not allow you to do this. The best option would be to connect the laptop to a mirror port on the switch. The mirror port contains copies of frames transmitted to all other switch ports. This allows your laptop to see frames addressed to other hosts. Before you do this, however, you need to make sure it is allowed under the rules of engagement for the test.

61
Q

You are performing a gray box penetration test for a client. The employees in the target organization use an application that was developed in-house to complete their day-to-day work. It crashes frequently, and you suspect that it is based on poorly written or outdated code. You want to analyze the application’s source code to see whether it contains weaknesses that can be exploited. However, the rules of engagement for the test do not allow access to the code. What should you do?

A.Decompile the application’s executable.
B.Debug the application’s executable.
C.Capture and analyze network traffic generated by the application while employees are using it.
D.Prioritize network traffic generated by the application using quality of service (QoS) settings on the switch.

A

A.Decompile the application’s executable.

Explanation:
One option you could try in this scenario is to decompile the application’s executable. This process will reveal the application’s assembly-level code, which you can then analyze for weaknesses.

62
Q

You are performing a gray box penetration test for a client. You want to target an in-house application that the organization’s employees use daily. To identify weaknesses in the code, you decide to decompile the application’s executable. You have some experience programming in C++, so you feel comfortable reviewing the source code revealed by the decompile process. However, after decompiling, you find that you don’t understand the contents of the source code file produced. Why did this happen?

A.You need to convert the output to C++.
B.Decompilers usually produce assembly-level code.
C.You forgot to use the –C option when you ran the decompiler.
D.The application is so poorly written that the decompiler can’t reproduce the source code.

A

B.Decompilers usually produce assembly-level code.

Explanation:
Most decompilers produce assembly-level source code, not C++ code. For this information to be useful, you need extensive experience working with assembly language code. Typically, this will require you to hire a consultant with an extensive understanding of assembly programming.

63
Q

You are performing a gray box penetration test for a client. The employees in the target organization use an application that was developed in-house to complete their day-to-day work. It crashes frequently, and you suspect that it is based on poorly written or outdated code. You want to analyze the application’s execution when run by a typical end user to see whether it contains weaknesses that can be exploited. What should you do?

A.Decompile the application’s executable.
B.Debug the application’s executable.
C.Capture and analyze network traffic generated by the application while employees are using it.
D.Prioritize network traffic generated by the application using quality of service (QoS) settings on the switch.

A

B.Debug the application’s executable.

Explanation:
Debuggers allow you to analyze an application as it executes. Typically, you can pause the execution of the application step by step or you can allow it to run until it reaches a certain point in the code. Doing this may allow you to identify a vulnerability that can be exploited as a part of a penetration test. However, you must have a strong background in programming or application testing to do this effectively.

64
Q

Which open source research source is maintained by the U.S. government and provides a dynamic summary of the most frequent, high-impact types of security incidents currently being reported?

A.CERT
B.JPCERT
C.CVE
D.CAPEC

A

A.CERT

Explanation:
The U.S. government’s Computer Emergency Response Team (CERT) maintains a website at http://www.us-cert.gov that contains a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to CERT.

65
Q

Which open source research source is maintained by the Japanese government and provides a dynamic summary of current security alerts and advisories?

A.CERT
B.JPCERT
C.CWE
D.CAPEC

A

B.JPCERT

Explanation:
JPCERT is the Japanese government’s version of the U.S. government’s Computer Emergency Response Team (CERT). JPCERT maintains a website at https://www.jpcert.or.jp/english/ that provides a dynamic summary of current security alerts and advisories.

66
Q

Which open source research source is maintained by the U.S. government’s National Institute of Standards and Technology and provides a summary of current security vulnerabilities?

A.CERT
B.Full Disclosure
C.CVE
D.NVD

A

D.NVD

Explanation:
The National Vulnerability Database (NVD) is maintained by the U.S. government’s National Institute of Standards and Technology (NIST). The NVD can be accessed at https://nvd.nist.gov. This website provides a summary of current security vulnerabilities ranked by their severity.

67
Q

Which open source research source is a community-developed common database used by industry vendors worldwide to submit vulnerabilities and exposures associated with their products?

A.CERT
B.JPCERT
C.CVE
D.CAPEC

A

C.CVE

Explanation:
The Common Vulnerabilities and Exposures (CVE) database is a community-developed resource that can be accessed at http://cve.mitre.org. The CVE database contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the CVE database. The goal is to make a common resource that everyone can use, instead of each individual vendor maintaining their own database containing just vulnerabilities associated with their products.

68
Q

Which open source research source is a community-developed common database that contains vulnerabilities and exposures associated with software in general instead of a specific vendor’s product?

A.CERT
B.Full Disclosure
C.CWE
D.CAPEC

A

C.CWE

Explanation:
The Common Weakness Enumeration (CWE) database is a community-developed resource that can be accessed at http://cwe.mitre.org. The CWE database contains a list of publicly known cybersecurity weaknesses associated with software in general instead of a specific product.

69
Q

Which open source research source is a community-developed common database that contains descriptions of commonly used cyberattack patterns?

A.CERT
B.CWE
C.CVE
D.CAPEC

A

D.CAPEC

Explanation:
The Common Attack Pattern Enumeration and Classification (CAPEC) database is a community-developed resource that can be accessed at http://capec.mitre.org. The CAPEC database contains a catalog of commonly used cyber attack patterns.

70
Q

Which open source research source is published by the organization that produces the nmap utility?

A.CERT
B.Full Disclosure
C.CVE
D.NVD

A

B.Full Disclosure

Explanation:
Full Disclosure is an open source research source that is published by the same organization that produces the nmap utility. It can be accessed at www.seclists.org/fulldisclosure.

71
Q

You are performing a gray box penetration test. During the enumeration and fingerprinting process, you discovered that an internal website on the target organization’s network runs on a very old version of IIS. You need to see whether there are any vulnerabilities associated with this older web server that you may be able to exploit.
Which open source research source could you use?

A.CVE
B.Full Disclosure
C.NVD
D.All of the above

A

D.All of the above

Explanation:
Each of the open source research sources listed in this question may contain information that you could use to find

72
Q

You’ve heard that Adobe has just released a security update that addresses vulnerabilities recently discovered in Photoshop.
Which open source research source could you use to learn more about the update and which vulnerabilities it is intended to fix?

A.CERT
B.Full Disclosure
C.CAPEC
D.NVD

A

A.CERT

Explanation:
The CERT database contains information about recent security updates released by software and hardware vendors and a description of the vulnerabilities they are intended to address.

73
Q

You’ve heard that a new physical security exploit is going around where the attacker uses a special type of key called a bump key. Which open source research source would most likely contain information about how this exploit works?

A.CAPEC
B.Full Disclosure
C.NVD
D.CVE

A

A.CAPEC

Explanation:
The CAPEC database contains information about known attack patterns used to exploit weaknesses, including physical security vulnerabilities.

74
Q

Which open source research source ranks security vulnerabilities by their severity?

A.CERT
B.Full Disclosure
C.CVE
D.NVD

A

D.NVD

Explanation:
The National Vulnerability Database (NVD) website provides a summary of current security vulnerabilities ranked by their severity.

75
Q

While performing enumeration and fingerprinting during a gray box penetration test, you discover that the documentation and training department in the target organization stores its files on a Windows Server 2003 system that is still at the SP2 patch level because nobody bothers to update it. You want to investigate ways that this older server can be exploited. Which open source research source could you use?

A.CVE
B.CAPEC
C.CWE
D.None of the above

A

A.CVE

Explanation:
The Common Vulnerabilities and Exposures (CVE) database is a community-developed resource that contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the CVE database. You could search the CVE site for information about Server 2003 SP2.

76
Q

Which type of vulnerability scan most closely approximates the perspective that an internal system administrator would have of the network?

A.Credentialed
B.Noncredentialed
C.Discovery
D.Stealth

A

A.Credentialed

Explanation:
A credentialed vulnerability scan requires you to first authenticate to the network, preferably with an administrative-level account. Because administrative credentials are used, this type of scan most closely approximates the perspective of an internal administrator.

77
Q

Which type of vulnerability scan most closely approximates the perspective that an external hacker would have of the network?

A.Credentialed
B.Noncredentialed
C.Full
D.Compliance

A

B.Noncredentialed

Explanation:
A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan most closely approximates the perspective of an external hacker.

78
Q

Which type of vulnerability scan can usually identify the most vulnerabilities?

A.Credentialed
B.Noncredentialed
C.Discovery
D.Stealth

A

A.Credentialed

Explanation:
A credentialed vulnerability scan requires you to first authenticate to the network, preferably with an administrative-level account. Because administrative credentials are used, this type of scan usually identifies the most vulnerabilities.

79
Q

Which type of vulnerability scan usually identifies the fewest vulnerabilities?

A.Credentialed
B.Noncredentialed
C.Full
D.Compliance

A

B.Noncredentialed

Explanation:
A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan usually identifies the fewest vulnerabilities.

80
Q

A ping sweep is an example of which type of vulnerability scan?

A.Discovery
B.Full
C.Stealth
D.Compliance

A

A.Discovery

Explanation:
A ping sweep is an example of a discovery scan. The goal of a ping sweep is not to interrogate every system. Instead, it simply seeks to identify the presence of every reachable system on the network.

81
Q

Which type of vulnerability scan is the least intrusive on the target network?

A.Discovery
B.Full
C.Stealth
D.Compliance

A

A.Discovery

Explanation:
A discovery scan is designed to simply map out every system on the target network. As such, it uses very nonintrusive mechanisms (such as ping) to enumerate the network.

82
Q

Which type of vulnerability scan is most likely to be detected by an intrusion prevention system (IPS) or intrusion detection system (IDS)?

A.Discovery
B.Full
C.Stealth
D.Compliance

A

B.Full

Explanation:
A full scan interrogates each host discovered on the target network. Because it uses intrusive methods to do this, a full scan is usually detected (and possibly blocked) quickly by IDS or IPS devices.

83
Q

Which type of vulnerability scan is least likely to be detected by an intrusion prevention system (IPS) or intrusion detection system (IDS)?

A.Discovery
B.Full
C.Stealth
D.Compliance

A

A.Discovery

Explanation:
A discovery scan is designed to simply map out every system on the target network using very nonintrusive mechanisms (such as ping) to enumerate the network. Because of this, this type of scan is the least likely to be detected by an IDS or IPS device.

84
Q

Which type of vulnerability scan is more likely to be used by a defender rather than a penetration tester?

A.Discovery
B.Full
C.Stealth
D.Compliance

A

B.Full

Explanation:
A full scan interrogates each host discovered on the target network using intrusive methods. A full scan is usually detected (and possibly blocked) quickly by IDS or IPS devices. Because of this, full scans are more likely to be used by a defender to thoroughly test his or her network. A penetration tester is less likely to use a full scan because it can be detected so quickly. The exception would be a white box test where everyone is already expecting the penetration tester to be running vulnerability scans.

85
Q

Which type of vulnerability scan sends SYN packets to network hosts to enumerate them?

A.Discovery
B.Full
C.Stealth
D.Compliance

A

C.Stealth

Explanation:
A stealth scan enumerates hosts on the target network by sending them a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.

86
Q

You are performing a vulnerability scan during a gray box penetration test. The scanner manipulates the TCP three-way handshake to enumerate network hosts. Which type of scan are you performing?

A.Discovery
B.Full
C.Stealth
D.Compliance

A

C.Stealth

Explanation:
A stealth scan enumerates hosts on the target network by manipulating the TCP three-way handshake. First, it sends the target a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.

87
Q

You are performing a vulnerability scan during a gray box penetration test. The scanner manipulates the TCP three-way handshake to enumerate network hosts. First, the scanner sends a SYN packet to the target host. The host responds with a SYN-ACK packet to the scanning host. What happens next?

A.The scanning host responds to the target host with an ACK packet.
B.The target host sends the scanning host an ACK packet.
C.The scanning host sends an ICMP Echo Request packet to the target host.
D.The scanning host responds to the target host with an RST packet.

A

D.The scanning host responds to the target host with an RST packet.

Explanation:
A stealth scan enumerates hosts on the target network by manipulating the TCP three-way handshake. First, it sends the target a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. Rather than complete the connection by sending the target an ACK packet, the scanning host resets the connection by sending a RST packet.

88
Q

You are performing a gray box penetration test. You are performing a vulnerability scan on the internal network using a stealth scan. The target network has an IDS device installed. What is likely to happen?

A.The IDS will detect the stealth scan.
B.The stealth scan will remain undetected by the IDS.
C.The IDS will block traffic from your scanning system.
D.The stealth scan will establish full TCP connections with each host on the target network.

A

A.The IDS will detect the stealth scan.

Explanation:
Stealth scans currently aren’t considered as stealthy as they used to be. Most modern IDS/IPS devices can detect the unusually high frequency of RST packets on the network created during a stealth scan and take the appropriate action. For example, an IDS can generate an alert. An IPS can generate an alert and also block traffic from the scanning host.

89
Q

Which type of vulnerability scan produces the most accurate results?

A.Discovery
B.Full
C.Stealth
D.Uncredentialed

A

B.Full

Explanation:
Because full connections are established with each host during a full vulnerability scan, each host can be thoroughly interrogated and fingerprinted. As a result, a full scan usually produces the most accurate information. However, full scans are also the easiest for defenders to detect.

90
Q

A client has hired you to perform a PCI-DSS penetration test. What kind of vulnerability scan would you likely perform during this test?

A.Discovery
B.Full
C.Stealth
D.Compliance

A

D.Compliance

Explanation:
A compliance vulnerability scan is used to verify that the target organization is in compliance with the requirements of a given law or policy. In this example, a PCI-DSS penetration test usually requires a PCI-DSS compliance vulnerability scan.

91
Q

You are scanning your client’s internal network as part of a white box penetration test. Your goal is to enumerate the network. What kind of information are you likely to include in the enumeration process?

A.Hosts
B.Networks
C.Domains
D.All of the above

A

D.All of the above

Explanation:
When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate all subnets, hosts, and domains on the network.

92
Q

You are scanning your client’s internal network as part of a white box penetration test. Your goal is to enumerate the network.
What kind of information are you likely to include in the enumeration process?

A.User accounts
B.Groups
C.Shared network folders
D.All of the above

A

D.All of the above

Explanation:
When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate any user and group accounts that can be discovered. You will also want to enumerate any network shares that can be identified.

93
Q

You are scanning your client’s internal network as part of a white box penetration test. Your goal is to enumerate the network. What kind of information are you likely to include in the enumeration process?

A.Web pages 
B.Applications 
C.Services 
D.Tokens 
E.All of the above

A

E.All of the above

Explanation:
When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate any web pages, applications, services, and tokens used on the network.

94
Q

You need to perform a vulnerability scan as part of a gray box penetration test. The rules of engagement specify that the internal system administrators are not to receive any warning of when your scan will occur, that you are to avoid detection, and that your scan should gather as much information as possible. What should you do?

A.Run a full vulnerability scan.
B.Run a stealth scan.
C.Throttle the scan to use minimal bandwidth.
D.None of the above.

A

C.Throttle the scan to use minimal bandwidth.

Explanation:
Throttling the scan to use minimal bandwidth will slow down the scanning process considerably. However, it will also make the scans less visible to the IDS/IPS devices and also allow them time to more thoroughly fingerprint network devices.

95
Q

You need to perform a vulnerability scan as part of a gray box penetration test. The rules of engagement specify that the internal system administrators are not to receive any warning of when your scan will occur, that you are to avoid detection, and that your scan should gather as much information as possible. What should you do?

A.Run a compliance scan.
B.Schedule the scan to run in the early hours of the morning.
C.Run a noncredentialed scan.
D.None of the above.

A

B.Schedule the scan to run in the early hours of the morning.

Explanation:
By scheduling the scan to run during a time of day when few people are at work, you can minimize the impact on available network bandwidth for production traffic, and you can also avoid being seen by internal network administrators.

96
Q

You are performing a black box penetration test for a client. The rules of engagement call for you to perform a credentialed vulnerability scan, but you haven’t been given administrative logon information. What could you do?

A.Call off the test. The rules of engagement don’t match the type of test.
B.Ask the client to send you administrative credentials to run the scan.
C.Conduct a spear phishing exploit to trick an internal user into revealing his or her credentials.
D.Skip the enumeration and fingerprinting processes.

A

C.Conduct a spear phishing exploit to trick an internal user into revealing his or her credentials.

Explanation:
The fact that you don’t have administrative credentials doesn’t mean you have to forgo enumeration and fingerprinting, nor does it mean you have to cancel the test. Instead, you could try to craft a spear phishing exploit to trick an internal user into revealing his or her logon credentials.

97
Q

You are performing a black box penetration test for a client. The rules of engagement call for you to perform a vulnerability scan on the organization’s many public-facing web servers. You have been allotted only a few hours in the test scope to perform the scans. What should you do?

A.Skip the scan of the web servers.
B.Perform a full scan of each and every web server.
C.Restrict the vulnerability scan to just those protocols commonly used on web servers.
D.Perform a credentialed scan of the web servers.

A

C.Restrict the vulnerability scan to just those protocols commonly used on web servers.

Explanation:
Because you are scanning only web servers, you can probably constrain the vulnerability scan to just those ports and protocols commonly used by web servers. Performing a thorough scan of all ports and protocols would take considerably longer.

98
Q

You are performing a PCI-DSS compliance penetration test for a client. With respect to network topology, how should you run your vulnerability scans during this test? (Choose two.)

A.From within the internal network
B.Using a full vulnerability scan
C.From a location outside the organization’s firewall
D.Using a stealth vulnerability scan
E.Looking at only the top 20 ports and protocols

A

A.From within the internal network
C.From a location outside the organization’s firewall

Explanation:
From a network topology perspective, the PCI-DSS standard requires you to run vulnerability scans from both internal and external network locations. The results of both scans should be compared to identify vulnerabilities.

99
Q

Which option is used with the nmap command to throttle vulnerability scan queries?

A.-Tn
B.-p
C.-F
D.-p-

A

A.-Tn

Explanation:
The nmap -Tn option is used to specify a timing template, where n is a number between 0 and 5. The higher the number, the faster the vulnerability scan. The lower the number, the slower the scan.

100
Q

You are performing a black box penetration test. You need to run a vulnerability scan using nmap from an external network location outside the organization’s firewall. The organization uses a low-bandwidth T1 line to connect to the Internet. How should you configure the scan?

A.Use the -T5 option with the nmap command.
B.Use the -T4 option with the nmap command.
C.Use the -T2 option with the nmap command.
D.Use the -T0 option with the nmap command.

A

C.Use the -T2 option with the nmap command.

Explanation:
Because a T1 line is limited to 1.54 Mbps, you must throttle the bandwidth used by the vulnerability scan. If you don’t, you could easily use up all the available bandwidth and not leave any for critical business operations. You can use the -Tn option with the nmap command to throttle down the scans. Because of the low bandwidth of the connection, you should consider using either the -T2 or possibly even the -T1 option with the nmap command. The -T0 option would probably throttle the scan too much, making it take an inordinate amount of time to complete.

101
Q

You are performing a gray box penetration test. You need to run a vulnerability scan on a fragile internal server system. How should you configure the scan?

A.Use the -T5 option with the nmap command.
B.Use the -T3 option with the nmap command.
C.Use the -T2 option with the nmap command.
D.Use the -T0 option with the nmap command.

A

C.Use the -T2 option with the nmap command.

Explanation:
Because the server is considered a fragile system, you should throttle the bandwidth used by the vulnerability scan. If you don’t, you could easily consume all the server’s resources with the scan and not leave any for critical business operations. You can use the -Tn option with the nmap command to throttle down the scans. In this scenario, you should consider using either the -T2 or possibly even the -T1 option with the nmap command. The -T0 option would probably throttle the scan too much, making it take an inordinate amount of time to complete.

102
Q

Which of the following are issues you may need to consider when performing a vulnerability scan within an organization that runs network applications within containers? (Choose two.)

A.Applications running within a container environment may not be detectable by traditional vulnerability scans.
B.Container hosts may slow down vulnerability scans.
C.Scanning a container host may crash applications running within its containers.
D.Scanning a container host may cause it to crash, taking critical network applications offline.
E.Vulnerabilities associated with the base operating system of the container host may be inherited by its containers.

A

A.Applications running within a container environment may not be detectable by traditional vulnerability scans.

E.Vulnerabilities associated with the base operating system of the container host may be inherited by its containers.

Explanation:
A container can be used to create an isolated environment, much like a virtual machine. As a result, any applications running within a container environment may not be detectable by traditional vulnerability scans. Unlike a virtual machine, a container shares much of the base operating system with the container host. Therefore, vulnerabilities associated with the base operating system of the container host may be inherited by its containers.

103
Q

Which of the following application scanning techniques is performed by reviewing an application’s source code?

A.Static code analysis
B.Dynamic code analysis
C.Fuzzing
D.None of the above

A

A.Static code analysis

Explanation:
Static code analysis is conducted by analyzing an application’s source code. Obviously, this type of testing is usually performed only during a white box penetration test. Static code analysis does not involve actually running the program. Instead, it is focused on analyzing how the application is written.

104
Q

Which of the following application scanning techniques are performed on running applications? (Choose two.)

A.Static code analysis
B.Dynamic code analysis
C.Fuzzing
D.Source code analysis

A

B.Dynamic code analysis
C.Fuzzing

Explanation:
Dynamic code analysis as well as fuzz testing are both performed on running code. Because the source code is not required to perform these tests, they can be performed during gray box or black box penetration tests.

105
Q

Which of the following application scanning techniques is performed by sending random, unexpected, or invalid data to the inputs of an application to see how it responds?

A.Static code analysis
B.Fuzzing
C.Source code analysis
D.None of the above

A

B.Fuzzing

Explanation:
Fuzz testing involves sending random, unexpected, or invalid data to the inputs of an application to test how it handles that data. The way an application deals with such input is called exception handling. Many attacks can be deployed that exploit an application’s inability to properly handle unexpected data.

106
Q

Which of the following is an example of a nontraditional asset?

A.Database server
B.Router
C.Web-enabled television monitor
D.Content filter appliance

A

C.Web-enabled television monitor

Explanation:
A web-enabled television set is an example of a nontraditional system. These devices are considered fragile because they are difficult to manage in the traditional sense, and they are probably updated on an infrequent basis by the vendor. They may also not have been subjected to extensive security testing by the vendor.

107
Q

Which of the following is an example of a nontraditional asset?

A.Email server
B.Computer-controlled manufacturing equipment
C.Wireless access point
D.All-in-one desktop

A

B.Computer-controlled manufacturing equipment

Explanation:
Computer-controlled manufacturing devices are examples of nontraditional systems. These devices are considered fragile because they are difficult to manage in the traditional sense and they are probably updated on an infrequent basis by the vendor. They may also have not been subjected to extensive security testing by the vendor.

108
Q

As part of the information gathering phase of a black box penetration test, you need to perform a DNS zone transfer of the target organization’s domain. Which of the following commands could you use to do this? (Choose two.)

A.dig axfr @nameserver target_domain
B.host -t axfr target_domain nameserver
C.nslookup -type=ns target_domain
D.nmap get-domain-transfer target_domain

A

A.dig axfr @nameserver target_domain
B.host -t axfr target_domain nameserver

Explanation:
Either the dig axfr @nameserver target_domain command or the host -t axfr target_domain nameserver command can be used to perform a zone transfer. If it works, then you can gather a fairly detailed list of all the network infrastructure hosts within the target network. Ideally, the target organization has disabled unauthenticated zone transfers on their DNS server. If this is the case, either of the previous commands will return some type of “Transfer Failed” error message.

109
Q

You are performing a gray box penetration test. You want to craft a custom packet to test how a server responds and to see what information it responds with. Which utility could you use to do this?

A.hping
B.ping
C.nmap
D.Wireshark

A

A.hping

Explanation:
The hping utility is a tool commonly used by penetration testers for packet crafting. It allows you to make almost any kind of packet you want and send it to a designated host on the target network. Analyzing how the host responds can provide you with valuable information for the next phase of the penetration test.

110
Q

You are performing a black box penetration test. You have used theHarvester to enumerate a large number of user email addresses in the target organization. What could you do with this information? (Choose two.)

A.Conduct a phishing exploit.
B.Send spam messages.
C.Enumerate internal user accounts.
D.Perform a DNS zone transfer.

A

A.Conduct a phishing exploit.
C.Enumerate internal user accounts.

Explanation:
With a list of email addresses of users from the target organization, you could conduct any number of phishing exploits. You could also use the email addresses to enumerate internal user account names. In many (if not most) organizations, the email username is almost always the same as the user’s account name.

111
Q

During a gray box penetration test, you run an nmap scan of a system discovered on the network. You find that TCP ports 139, 443, and 3389 are open. What operating system is most likely running on the system?

A.iOS
B.Windows
C.Linux
D.Android

A

B.Windows

Explanation:
The host is most likely running Windows. TCP ports 139, 445, and 3389 are all commonly used for Windows file sharing services. While these ports could also be used on other operating systems (such as a Linux system with the SMB daemon running), it is more likely to be a Windows host.

112
Q

You are performing a gray box penetration test. You run a vulnerability scan of a host and find that TCP ports 8080 and 8443 are open. What can you infer about this host from this information?

A.It is probably a DNS server.
B.It is probably a domain controller.
C.It is probably a file server.
D.It is probably a web server.

A

D.It is probably a web server.

Explanation:
The host is probably a web server. The system administrator has likely changed the default web server ports to nonstandard ports in an attempt to hide its function. This is an example of “security by obscurity.”

113
Q

Kimberly is running a gray box penetration test. The target network uses a 10-net IP addressing scheme with an 8-bit subnet mask (10.0.0.0/8). She needs to run a vulnerability scan on each host on the network. She loads nmap on her laptop, which is connected to the same segment being scanned, using the -T0 option. What did she do incorrectly in this scenario?

A.The nmap utility doesn’t work with private IP addressing schemes.
B.The nmap utility should be run from a host that is not connected to the same segment being scanned.
C.The -T0 option will cause the scan to take an inordinate amount of time on such a large subnet.
D.The speed of the scan can be increased by using a desktop instead of a laptop.

A

C.The -T0 option will cause the scan to take an inordinate amount of time on such a large subnet.

Explanation:
The -T option configures the speed at which nmap runs vulnerability scans. In this scenario, the subnet is potentially huge, with more than 16 million possible IP addresses. Running nmap with the -T0 option on a subnet this large will take a long time to complete.

114
Q

Jessica is running a black box penetration test. She needs to find out who the target organization’s domain registrar is. She would also like to learn the organization’s address and phone number. Which utility should she use?

A.whois
B.theHarvester
C.dig
D.nslookup

A

A.whois

Explanation:
Whois can potentially reveal a great deal of information about a target organization, including the following:

The domain registrar

The registrant’s legal name

The registrant’s address

The registrant’s phone number

A contact email address

The name of the domain administrator

Some organizations ask their registrar to hide this information from the public.

115
Q

Brittany is running a black box penetration test. She wants to run a vulnerability scan of the target organization’s internal network. What should she do?

A.Request permission from the target organization to come on site and run the scan.
B.Request that the target organization grant her VPN access to the internal network.
C.Try to compromise an internal host and use it as a pivot.
D.Run the scan externally.

A

C.Try to compromise an internal host and use it as a pivot.

Explanation:

In this scenario, a black box penetration test is being run. By definition, the tester is located somewhere outside the target’s network. As such, she has to compromise an internal host first. Once done, she can pivot and use it to scan other internal hosts.

116
Q

Natasha is running a gray box penetration test. She has initially enumerated the network using a ping sweep and has found an internal web server, a domain controller, a router, and several SCADA devices used on the production floor. Which of these devices could potentially be disrupted by a more intense vulnerability scan? (Choose two.)

A.The web server
B.The domain controller
C.The router
D.The SCADA devices

A

D.The SCADA devices

Explanation:
SCADA manufacturing equipment tends to be much more fragile than traditional network assets, such as servers and routers. They tend to be difficult to manage, update, and protect from exploits. As such, they can also be susceptible to vulnerability scans and may go offline during the scanning process.

117
Q

Joshua is running a gray box penetration test. Which one of the following is least likely to have an impact upon when he can run vulnerability scans during the test?

A.Availability of internal IT staff
B.Regulatory requirements
C.Hardware limitations
D.Peak traffic times on the organization’s network

A

A.Availability of internal IT staff

Explanation:
The time windows when you can run vulnerability scans most effectively are heavily influenced by regulatory requirements, peak traffic times, and hardware constraints. The internal IT staff, on the other hand, will most likely not be involved with running vulnerability scans during a penetration test.

118
Q

Austin is performing a white box penetration test. The target organization relies heavily on an application that was developed by internal programmers. The test scope specifies that he be given access to this application’s source code. Austin has an extensive programming background, so he analyzes the code line by line looking for vulnerabilities. What kind of application analysis is happening in this scenario?

A.Fuzzing
B.Static code analysis
C.Dynamic code analysis
D.Heuristic code analysis

A

B.Static code analysis

Explanation:
A static code analysis (also called a source code analysis) is happening in this scenario. In this type of test, the tester accesses an application’s source code and reviews it for weaknesses that could be exploited. Obviously, the tester must have a strong programming background to be able to do this kind of review.

119
Q

Tyson is performing a gray box penetration test. The target organization relies heavily on an application that was developed by internal programmers. He runs the application and then uses a utility to send random, unexpected data to the application’s inputs and analyzes how it responds. What kind of application analysis is happening in this scenario?

A.Fuzzing
B.Static code analysis
C.Heuristic code analysis
D.Mutation analysis

A

A.Fuzzing

Explanation:
Fuzzing occurs when the tester sends random, unexpected information to an application’s inputs to see how it responds. For example, the tester could try to perform a buffer overflow exploit by sending overly large input that contains executable code. If the application doesn’t handle the malicious input properly, it may be possible for executable code to be stored in the RAM of the target system and for the attacker to then be able to execute it.

120
Q

Jessica is performing a white box penetration test. She needs to run an invasive vulnerability scan on the target organization’s customer database server. What should she do?

A.Run the scan on the live system during peak business hours.
B.Run the scan around 9 a.m. on a typical workday.
C.Run a test scan in a lab environment first.
D.Skip scanning this system.

A

C.Run a test scan in a lab environment first.

Explanation:
Because this is a mission-critical server, it may be a good idea to run a test scan in a lab environment before scanning the live system. This will help the tester assess the impact the scan will have before running it on the live system.

121
Q

While performing a black box penetration test, you notice that the target organization has a public-facing server that has an expired SSL/TLS security certificate. What could you infer from this fact?

A.The server’s communications can be decrypted.
B.The server has already been compromised by an attacker.
C.The internal system administrator isn’t paying attention to this server.
D.The data stored on the server can be decrypted.

A

C.The internal system administrator isn’t paying attention to this server.

Explanation:
The fact that the server’s administrator hasn’t renewed its security certificate indicates that they aren’t paying much attention to this server. This would make this system a ripe target for compromise because it is possible that there are other factors (such as updates) that the administrator has also neglected.

122
Q

You are performing a gray box penetration test. You have just finished running extensive vulnerability scans on all of the hosts on the target network. You now need to categorize all of the devices that were scanned. Which of the following is a valid way to perform asset categorization?

A.By operating system 
B.By asset value
C.By number of vulnerabilities found 
D.By vulnerability severity 
E.All of the above

A

E.All of the above

Explanation:
The information gathered during a vulnerability scan can be categorized in many different ways. For example, it may be appropriate to categorize the information based on the operating system because different OSs have different inherent vulnerabilities. It may also be appropriate to categorize the information by the value of each associated asset. For example, vulnerabilities associated with a mission-critical database server would be of much higher value than the vulnerabilities associated with an end user’s desktop system. You could also categorize the scan results based on the number or severity of the vulnerabilities found.

123
Q

You are performing a black box penetration test. You are adjudicating the results of a vulnerability scan. Upon further inspection, you discover that one of the most serious vulnerabilities identified on the target organization’s web server by the scanner doesn’t actually exist. Which of the following could explain what has happened?

A.The scanner generated a false positive.
B.An attacker somewhere on the Internet detected your scan and hid the vulnerability.
C.An internal administrator detected your scan and fixed the vulnerability.
D.The server has been infected with malware and is causing unusual scan results.

A

A.The scanner generated a false positive.

Explanation:
Most likely, the vulnerability scanner generated a false positive error. The purpose of the adjudication process after a vulnerability scan is to determine the value and validity of the scan results. False positives, such as the one discussed in this scenario, should be filtered out in your final report to the client.

124
Q

You are performing a gray box penetration test and have just finished running your vulnerability scans, categorizing the results, and adjudicating the data. Now you need to prioritize the vulnerabilities prior to moving to the next phase of the test. Which of the following would likely constitute the highest priority vulnerabilities to exploit? (Choose two.)

A.A domain controller is running on an older version of Windows Server and is missing several critical security updates.
B.A user’s desktop system is missing a Windows feature update.
C.A user’s desktop system is running an earlier version of Ubuntu Linux.
D.A database server is vulnerable to the WannaCry exploit.

A

A.A domain controller is running on an older version of Windows Server and is missing several critical security updates.
D.A database server is vulnerable to the WannaCry exploit.

Explanation:
In this scenario, the value of compromising a vulnerable domain controller or a database server is much higher than the value of compromising an end user’s vulnerable workstation. For example, compromising a domain controller could expose multiple user accounts. Likewise, compromising a database server could expose valuable company information. On the other hand, the exposure created by a missing Windows feature update is probably minimal. Likewise, Linux provides a relatively high degree of system security, even on an older distribution.

125
Q

You’re prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 3.8. To which risk category does this vulnerability belong?

A.Low
B.Medium
C.High
D.Critical

A

A.Low

Explanation:
Any CVSS score less than 4.0 is considered to be in the Low Risk category. Therefore, a CVSS score of 3.8 indicates that this is a low-risk vulnerability.

126
Q

You’re prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 10. To which risk category does this vulnerability belong?

A.Low
B.Medium
C.High
D.Critical

A

D.Critical

Explanation:
Any CVSS score of 10.0 or higher is considered to be in the Critical Risk category. Therefore, a CVSS score of 10 indicates that this is a critical vulnerability.

127
Q

You’re prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 5.3. To which risk category does this vulnerability belong?

A.Low
B.Medium
C.High
D.Critical

A

B.Medium

Explanation:
Any CVSS score between 4.0 and 6.0 is considered to be in the Medium Risk category. Therefore, a CVSS score of 5.3 indicates that this is a medium-risk vulnerability.

128
Q

You’re prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 7.2. To which risk category does this vulnerability belong?

A.Low
B.Medium
C.High
D.Critical

A

C.High

Explanation:
Any CVSS score between 6.0 and 10.0 is considered to be in the High Risk category. Therefore, a CVSS score of 7.2 indicates that this is a high-risk vulnerability.

129
Q

You are assessing the results of a vulnerability scan and have noticed a common theme. You have found that almost all of the target organization’s Windows Server 2012 R2 systems are missing the same critical security updates. What should you do? (Choose two.)

A.Halt the penetration test and inform the client immediately.
B.Investigate whether this creates any vulnerabilities that you could exploit.
C.Document the common theme of missing updates in the final penetration test report.
D.Install the missing updates on the servers.
E.Document the missing updates on your penetration testing best practices blog.

A

B.Investigate whether this creates any vulnerabilities that you could exploit.
C.Document the common theme of missing updates in the final penetration test report.

Explanation:
Your first response to the common theme of missing updates would be to investigate whether this creates any vulnerabilities that you could exploit later in your penetration test. Then, you should document the common theme of missing updates so the client can update their best practices to make sure systems are kept up-to-date.

130
Q

You are assessing the results of a vulnerability scan and have made an observation. You have found that the organization has many Linux servers deployed that still run on a distribution that was released in 2008. What should you do?

A.Map vulnerabilities present in the older Linux servers to possible exploits.
B.Halt the penetration test and inform the client immediately.
C.Recommend that the client upgrade the servers in an email.
D.Upgrade the servers for your client.

A

A.Map vulnerabilities present in the older Linux servers to possible exploits.

Explanation:
The first response to your observation of outdated servers would be to investigate whether this creates any vulnerabilities that you could exploit later in your penetration test. Then, you should recommend that the client upgrade their servers in your final report.

131
Q

You are assessing the results of a vulnerability scan and notice that many network devices, such as routers and access points, still use default administrative usernames and passwords. This information can be easily found on the Internet and represents a significant security vulnerability. What should you do? (Choose two.)

A.Recommend that the client adopt a best practice of changing all default usernames and passwords.
B.Exploit the devices that are using default usernames and passwords.
C.Manually change the default usernames and passwords for the client.
D.Publish the fact that the client is still using default usernames and passwords on a popular online cybersecurity forum.

A

A.Recommend that the client adopt a best practice of changing all default usernames and passwords.
B.Exploit the devices that are using default usernames and passwords.

Explanation:
Your first response to the client’s lack of best practices would be to exploit the devices with default usernames and passwords later in your penetration test. Then, you should recommend that the client adopt better best practices in your final report.

132
Q

You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older Windows Server 2003 systems that have not been properly updated and are vulnerable to a particular exploit. You decide to write a small program that will take advantage of this exploit. However, you use Kali Linux almost exclusively. What should you do to write a Windows program? (Choose two.)

A.Write the code in C on your Linux system.
B.Utilize exploit chaining.
C.Write the code in C++ on a Windows laptop.
D.Cross-compile the code.
E.Implement credential brute forcing.

A

A.Write the code in C on your Linux system.
D.Cross-compile the code.

Explanation:
Rather than purchasing a Windows system, you can simply create the exploit code on your Linux system and then cross-compile the code such that it can run on Windows systems. Various Linux utilities are available that can do this for you.

133
Q

You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older unsupported Windows 2000 Server systems. After performing some research, you identify several vulnerabilities associated with these systems that could be exploited. You modify the source code for a particular exploit such that it will work on these older systems and then you compile it. What are the processes you used in this scenario called? (Choose two.)

A.Cross-compiling the code
B.Exploit modification
C.Exploit chaining
D.Mapping vulnerabilities to potential exploits
E.Proof-of-concept development

A

B.Exploit modification
D.Mapping vulnerabilities to potential exploits

Explanation:
In this scenario, you first mapped vulnerabilities you found in your scans to possible exploits. Then you modified those exploits to work on the older server operating systems.

134
Q

You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. The system you want to target can’t be compromised with a single exploit. However, you determine that you can use multiple exploits in conjunction with each other to compromise the system. The first one gets through the system’s host-based firewall. The second exploits a user account with a weak password. The third elevates privileges on the system. What is your solution called?

A.Deception
B.Exploit modification
C.Exploit chaining
D.Credential brute-forcing
E.Proof-of-concept development

A

C.Exploit chaining

Explanation:
In this scenario, you linked several exploits together to compromise the target system. This is called exploit chaining.

135
Q

You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. You discover that the organization still uses several older unsupported Windows 2000 Server systems. After performing some research, you identify several vulnerabilities associated with these systems that could be exploited. You modify the source code for a particular exploit such that it will work on these older systems, and then you compile it. What should you do next?

A.Attack the target systems.
B.Test the modified exploit on virtual machines in a lab environment.
C.Implement credential brute-forcing.
D.Cross-compile the code.

A

B.Test the modified exploit on virtual machines in a lab environment.

Explanation:
In this scenario, you need to test the modified exploit before actually attacking the target servers to make sure it works and doesn’t have any unintended consequences. An effective way to do this is to use your enumeration information to re-create the target systems as virtual machines in a lab environment and test the modified exploit. This process is called proof-of-concept development.

136
Q

You are performing a black box penetration test. After gaining access to the internal network and running a vulnerability scan, you’ve identified a target system and mapped its vulnerabilities to a specific exploit. However, to execute the exploit, you need physical access to an internal network jack. So, you tailgate your way into the facility, plug in your laptop, and run the exploit. What technique did you use in this scenario? (Choose two.)

A.Deception
B.Exploit modification
C.Social engineering
D.Credential brute-forcing
E.Proof-of-concept development

A

A.Deception
C.Social engineering

Explanation:
In this scenario, you used deception and social engineering to gain access to the target organization’s physical network.

137
Q

Which of the following techniques involves sending one password after another at an authentication system in an attempt to find the right one?

A.Rainbow table
B.Teardrop attack
C.Credential brute-forcing
D.SYN attack

A

C.Credential brute-forcing

Explanation:
Credential brute forcing is the process of trying one password after another until you finally hit the right one. This may be executed against user accounts or against other security systems, such as a WPA2 wireless network that uses a preshared key.

138
Q

Which of the following techniques involves sending passwords, one after another, from a list of commonly used passwords in an attempt to find the right one?

A.Rainbow table
B.SYN attack
C.Man-in-the-middle attack
D.Dictionary attack

A

D.Dictionary attack

Explanation:
A dictionary attack is a type of brute-force attack. However, in a dictionary attack, a list of commonly used passwords is used, one after another, in an attempt to find the right password.

139
Q

Which of the following is a precomputed list of hash values for common passwords that can be used for offline password file cracking?

A.Rainbow table
B.Fingerprint
C.Digital signature
D.Private key

A

A.Rainbow table

Explanation:
A rainbow table contains a precomputed list of hash values for common passwords that can be used for offline password file cracking.

140
Q

Which of the following are special network devices that are commonly used to control manufacturing equipment and environmental systems? (Choose two.)

A.ICS
B.SCADA
C.Point of sale
D.RTOS
E.IoT

A

A.ICS
B.SCADA

Explanation:
Industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) are commonly used in factory automation equipment and environmental controls. They tend to run on older operating systems, and their software/firmware tends to be updated very infrequently. This can make such systems more susceptible to security exploits. They are also usually quite fragile, so use caution when scanning them with a vulnerability scanner.

141
Q

Which of the following are security weaknesses associated with mobile devices? (Choose two.)

A.Weak encryption
B.Rooting or jailbreaking
C.No support for SSL/TLS
D.Susceptible to cross-site scripting
E.Inconsistent updating

A

B.Rooting or jailbreaking
E.Inconsistent updating

Explanation:
Mobile devices represent a significant security weakness in modern networks. Among the many issues associated with mobile devices, two that a penetration tester should be aware of are inconsistent updating and rooting or jailbreaking. Mobile devices tend to be updated in an inconsistent manner. This is less of an issue with Apple devices because Apple controls both the hardware and the software. However, this is a significant issue with Android devices. If you were to check the update level of a group of Android devices, you would likely not find two that are the same. In addition, some users root or jailbreak their devices so they can install apps outside of the approved store channels. This makes these devices susceptible to malware.

142
Q

Which of the following devices would probably have the weakest inherent security? (Choose two.)

A.Windows servers
B.Linux servers
C.Windows workstations
D.Embedded devices
E.Smart IoT appliances

A

D.Embedded devices
E.Smart IoT appliances

Explanation:
IoT devices, such as smart appliances, televisions, and so on, tend to have the weakest inherent security. They aren’t designed with security in mind, they are difficult to manage, and vendors rarely release security updates. Embedded devices used in industrial control devices tend to suffer from the same weaknesses.

143
Q

You are performing a black box penetration test for a small retail chain. When you enumerate one of their retail locations, you discover that their point-of-sale (POS) systems are connected directly to the Internet. When you footprint them, they appear to be running Windows XP SP3. You visit one of their retail locations and notice that the POS systems are connected to the network using a wired connection and are attached to the counter with a cable lock. What should you recommend in your final report to the client? (Choose two.)

A.Replace the POS devices with smartphones.
B.Connect the POS devices to the network with a wireless connection.
C.Isolate the POS devices on their own subnet that doesn’t have Internet connectivity.
D.Upgrade the POS devices to a newer version.
E.Upgrade the physical security.

A

C.Isolate the POS devices on their own subnet that doesn’t have Internet connectivity.
D.Upgrade the POS devices to a newer version.

Explanation:
The greatest risks to the POS systems in this scenario are that they are exposed to the Internet and that they are running an unsupported (and therefore highly vulnerable) operating system. The client should isolate the POS systems on their own subnet away from the Internet. They should also upgrade their hardware and software to newer versions to eliminate risks from running an ancient operating system.

144
Q

You are performing a gray box penetration test. While on-site, you notice that all employees use USB fingerprint biometric scanners to authenticate to their systems. What is the security weakness associated with this type of authentication system?

A.They can be fooled with fake fingerprints.
B.They can be bypassed by simply disconnecting them.
C.They generate false positives when dead skin, oil, and other debris obscure the reader’s face.
D.They may generate a false positive when exposed to sunlight

A

A.They can be fooled with fake fingerprints.

Explanation:
The greatest security risk associated with a biometric fingerprint reader is the fact that they can be fooled by a fake fingerprint. In an episode of the television show MythBusters several years ago, the cast was able to defeat a fingerprint

145
Q

Consumer-based Internet of Things (IoT) devices are usually less secure than systems that are designed for conventional desktop computers. Why is this statement true?

A.Developers who design IoT devices are not as concerned with security.
B.It is difficult for administrators to apply the same security standards extensively.
C.IoT systems often lack the hardware power needed by some steadier solutions.
D.Regulatory authorities often have lower constraints for IoT systems.

A

A.Developers who design IoT devices are not as concerned with security.

Explanation:
The Internet of Things (IoT) refers to the network of physical products and devices that connect to the Internet. Manufacturers and developers want to minimize costs to increase their profits. Hence, security is often not the key feature of the product or device. So, as with any other device on a network, IoT devices may have security vulnerabilities and may be subject to network-based attacks.

146
Q

During an external vulnerability scan, a penetration tester discovers the following findings:

Vulnerability | Ports
Multiple unsupported versions of Apache found | 80, 443
SSLv3 accepted on HTTPS connections | 443
Mod_rewrite enabled on Apache servers | 80, 443
Windows Server host found | 21

Given these results, how should the attack strategies be prioritized?

A.Obsolete software can contain vulnerable components.
B.Weak password management practices are being utilized.
C.Weak protocols may be intercepted.
D.Sensitive information may be revealed on the web servers.

A

D.Sensitive information may be revealed on the web servers.

Explanation:
Port 21 (TCP) is the FTP control port. Port 80 (TCP) is HTTP and is used for transferring web pages. Port 443 (TCP) is HTTPS, which is HTTP over TLS/SSL, and is used for encrypted transmission.

147
Q

A penetration tester has been asked to determine whether the client’s server farm is compliant with the company’s software baseline by conducting a remote scan. What type of scan should the tester perform to verify compliance?

A.A credentialed scan
B.A discovery scan
C.A full scan
D.A stealth scan

A

B.A discovery scan

Explanation:
A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems.

148
Q

You are a penetration tester, and you are configuring your vulnerability management solution to perform credentialed scans of servers on your client’s network. What type of account should you be provided with?

A.A domain administrator account
B.A local administrator account
C.A 512 encrypted certificate
D.A read-only account

A

D.A read-only account

Explanation:
Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.

149
Q

A penetration tester has been asked by a client to perform a code review of a web application. What type of analysis is the penetration tester performing?

A.Dynamic code analysis
B.Fuzzing
C.Fault injection
D.Static code analysis

A

D.Static code analysis

Explanation:
Code testing is often done using static or dynamic code analysis along with testing methods like fuzzing and fault injection. Once changes are made to the code and it is deployed, it must be retested to ensure that the changes didn’t create any new security issues. Since we are only reviewing the code in this scenario, we will be conducting a static code analysis. Static code analysis, also known as source code analysis, is done by reviewing the code of an application. Since static analysis uses the source code, it can be seen as a type of white-box testing with full visibility. This can allow testers to find problems that other tests might fail to spot.

150
Q

A penetration tester has full access to a domain controller and wants to discover any user accounts that have not been active for the past 30 days. What command should the penetration tester use?

A.dsrm -users “DN=client.com; OU=hq CN=users”
B.dsquery user -inactive 4
C.dsquery -o -rdn -limit 30
D.dsuser -name -account -limit 3

A

B.dsquery user -inactive 4

Explanation:
Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive <NumWeeks>.

151
Q

You are a penetration tester and are discussing with a client the properties of the testing engagement agreement. Which one of the following will have the biggest impact on the observation and testing of the client’s production systems during their peak loads?

A.Creating a scope of the critical production systems used by the client
B.Establishing a white box testing engagement with the client
C.Having the client’s management team sign off on any invasive testing
D.Setting up a schedule of testing times to access their systems

A

D.Setting up a schedule of testing times to access their systems

Explanation:
The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.

152
Q

After several attempts, a tester was able to gain unauthorized access through a biometric sensor by using the tester’s own fingerprint without exploitation. What happened with the biometric device that allowed the tester to gain access?

A.The device is configured more toward true negatives.
B.The device is set to fail closed.
C.The device replicated a valid user’s fingerprint.
D.The device is tuned more toward false positives.

A

D.The device is tuned more toward false positives.

Explanation:
A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a one-to-many search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as false acceptance rates (FARs) and false rejection rates (FRRs).

153
Q

A penetration tester has completed a simple compliance scan of a client’s network. The results indicate that there is a subset of assets on a network. This information differs from what was shown on the network architecture diagram that was given to the tester prior to testing. What is most likely the cause for the discrepancy? (Choose two.)

A.A misconfigured DHCP server
B.Incorrect credentials
C.Limited network access
D.Network access controls (NAC)
E.Storage access

A

C.Limited network access
E.Storage access

Explanation:
Compliance scanning focuses on the configuration settings or the security hardening that is being applied to a system. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. Compliance scans are not designed to locate vulnerabilities in software applications or operating systems but are designed to locate and assess vulnerabilities in system hardening configurations. In this scenario, since you are seeing more assets on the network than what was provided in the network architecture, you can attribute that to having limited network access or storage access.

154
Q

A penetration tester has discovered a Supervisory Control and Data Acquisition (SCADA) device in one of the VLANs in scope. What action best creates a potentially damaging outcome against the device?

A.Begin a DNS cache poisoning attack
B.Begin a Nessus vulnerability scan
C.Begin an SMB exploit
D.Begin an SNMP password brute-force attack

A

D.Begin an SNMP password brute-force attack

Explanation:
An SNMP brute-force attack attacks an IP address with SNMP queries to determine the SNMP read-only and read-write community strings (or passwords). It does this by trying every possible password. The master information base (MIB) database that is created by SNMP contains important information on every device on the network. If a tester can crack the password on SNMP, they may be able to control each networked device. This could allow anything from changing configurations to taking devices offline.

155
Q

A penetration tester is using social media to gather information about different employees at a company. The tester has created a list of popular words used frequently in the employee’s profiles. What type of attack could this information be used for?

A.Dictionary attack
B.Exploit chaining attack
C.Karma attack
D.Session hijacking attack

A

A.Dictionary attack

Explanation:
A dictionary attack is a method of breaking into a password-protected computer or server by thoroughly entering every word in a dictionary as a password. Dictionary attacks work because many computer users use ordinary words as passwords. Dictionary attacks rely on a prebuilt dictionary of words. In many cases, penetration testers can add specific entries to a dictionary file for their penetration test based on what they have learned about the target; this can be very beneficial in performing a dictionary attack. In this scenario, the penetration tester used social media to find additional keywords that may be beneficial in a dictionary attack.

156
Q

You are a penetration tester, and after performing a recent test, you discover that the client’s staff is using dictionary and seasonal passwords. What is the best way to control the use of common dictionary words as being used as passwords?

A.Configure password filters.
B.Disable the accounts after three incorrect attempts.
C.Expand the password length from seven to 14 characters and add special characters.
D.Implement password history restrictions.

A

C.Expand the password length from seven to 14 characters and add special characters.

Explanation:
In this scenario, since the client’s employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters. Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !"#$%&'()*+,-./:;<=>?@[]^_`{|}~. This will make it harder for attackers to break into the client’s systems.

157
Q

You are a penetration tester, and you are conducting a black box penetration test against your client’s network and are in the process of gathering vulnerability scanning results. What type of scan will provide you with important information within the scope of your testing?

A.A compliance scan
B.A discovery scan
C.A full scan
D.A stealth scan

A

C.A full scan

Explanation:
A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would be best to run a full scan on the network.

158
Q

A security analyst is attempting to identify vulnerabilities in a customer’s web application without affecting the system or its data. Which of the following best describes the type of vulnerability scanning being performed?

A.Aggressive scan
B.Compliance scan
C.Noncredentialed scan
D.Passive scan

A

D.Passive scan

Explanation:
Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that it does not leave a trail that could alert users or administrators.

159
Q

You are a penetration tester and have been scanning a network. The vulnerability scanner that you are utilizing is using a service access level to better evaluate vulnerabilities across multiple assets within an organization. What is being performed?

A.Credentialed scan
B.Nonintrusive scan
C.Passive scan
D.Privilege escalation test

A

A.Credentialed scan

Explanation:
Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that may not be seen from the network. Credentialed scans are widely used in enterprise vulnerability management programs and are a useful tool when performing a penetration test. Credentialed scans may access operating systems, databases, and applications. Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself.

160
Q

An organization is using a tool to perform a source code review. The penetration tool incorrectly identifies a vulnerability. What is it called when this happens?

A.False negative
B.False positive
C.True negative
D.True positive

A

B.False positive

Explanation:
A false positive is an error in some evaluation processes in which a condition tested for is mistakenly found to have been detected. The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. When a scanner reports a vulnerability that does not exist, this is known as a false positive error.

161
Q

You are a penetration tester, and you are looking to cross-compile code for your penetration activity. Then you plan to deploy it. Why would you cross-compile code?

A.To add additional libraries
B.To allow you to inspect the source code
C.To run it on multiple platforms
D.To run it on different architectures

A

D.To run it on different architectures

Explanation:
Cross-compiling code is used when a target platform is on a different architecture. The tester may not have access to a compiler on the target machine or may need to compile the code for an exploit from the primary workstation, which is not the same architecture as the target.

162
Q

Which of the following characteristics distinguish rainbow table attacks from brute-force attacks? (Choose two.)

A.Rainbow table attacks reduce compute cycles at attack time.
B.Rainbow tables must include precompiled hashes.
C.Rainbow table attacks do not require access to hashed passwords.
D.Rainbow table attacks must be performed on the network.
E.Rainbow table attacks bypass the maximum failed login restrictions.

A

A.Rainbow table attacks reduce compute cycles at attack time.
B.Rainbow tables must include precompiled hashes.

Explanation:
Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offline-only attack. It uses fewer compute cycles than other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach, with an attacker submitting many passwords or passphrases in the hope of eventually guessing the password correctly.

163
Q

A penetration tester wants to use rainbow tables against a password file that has been captured. How does the rainbow table crack passwords?

A.By comparing hashes to identify known values
B.By decrypting the passwords
C.By unhashing the passwords
D.By using brute-force testing of hashes

A

A.By comparing hashes to identify known values

Explanation:
Rainbow tables are lists of precomputed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a fairly fast database lookup, allowing “cracking” of hashed passwords, even though hashes aren’t reversible. The password file is a list of hashed values.

164
Q

A penetration tester is in the middle of a penetration test and is gathering information without actively scanning the client. What type of information is being gathered?

A.Background checks
B.Commercial record search
C.Intelligence gathering
D.Open source intelligence (OSINT)

A

D.Open source intelligence (OSINT)

Explanation:
Open source intelligence (OSINT) tools and techniques are those that go through publicly available information for organizational and technical details that might prove useful during the penetration test. OSINT is information that can be gathered easily. OSINT is often used to determine the organization’s footprint, which includes a listing of all of the systems, networks, and other technology that an organization has.

165
Q

Which of the following is not an open source intelligence (OSINT) gathering tool?

A.FOCA
B.Nessus
C.nslookup
D.whois

A

B.Nessus

Explanation:
Nessus is a commercial vulnerability scanning tool used to scan a wide variety of devices and is not part of the tools available for OSINT gathering. There are a variety of tools that assist with OSINT collection: Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine. Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Microsoft Office documents, PDFs, and other common file formats. Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts. Nslookup tools help identify the IP addresses associated with an organization. Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work. Shodan is a specialized search engine that provides the discovery of vulnerable Internet of Things (IoT) devices from public sources. theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. The whois tool gathers information from public records about domain ownership.

166
Q

You and a colleague are discussing open source intelligence (OSINT), and the discussion leans toward discussing vulnerabilities and other security flaws. There are a number of organizations that work to centralize this knowledge. One of these organizations tackles a broad range of cybersecurity activities. It focuses on security breach and denial of service incidents, providing alerts and incident-handling and avoidance guidelines. Which organization are we discussing?

A.The Common Attack Pattern Enumeration and Classification (CAPEC)
B.Computer Emergency Response Team (CERT)
C.Common Weakness Enumeration (CWE)
D.National Institute of Standards and Technology (NIST)

A

B.Computer Emergency Response Team (CERT)

Explanation:
Computer Emergency Response Team (CERT) focuses on security breach and denial of service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.

167
Q

You and a colleague are discussing open source intelligence (OSINT), and the discussion turns to vulnerabilities and other security flaws. A number of organizations work to centralize this knowledge. One of these organizations maintains a list intended to help identify and document attacks and attack patterns. It allows users to search attacks by their mechanism or domain and then breaks down each attack by various attributes and prerequisites. Which organization are we discussing?

A.The Common Attack Pattern Enumeration and Classification (CAPEC)
B.Computer Emergency Response Team (CERT)
C.Common Weakness Enumeration (CWE)
D.National Institute of Standards and Technology (NIST)

A

A.The Common Attack Pattern Enumeration and Classification (CAPEC)

Explanation:
The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.

168
Q

You are a penetration tester, and your client wants you to scan their system while going to great lengths to avoid detection. The client does not want their cybersecurity team to be aware that a penetration test is underway. What type of scan will you be performing?

A.Compliance scan
B.Discovery scan
C.Full scan
D.Stealth scan

A

D.Stealth scan

Explanation:
During a penetration test, a tester may want to configure their scans to run as stealth scans, which go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration te