CompTIA PenTest+ Practice Test Chapter 6 Practice Exam 1 (Sybex: Panek, Crystal, Tracy) Flashcards
You are a penetration tester, and you are currently performing reconnaissance as a part of a gray box penetration test for a new client. You run a vulnerability scan on one of the client’s servers and discover that port 23 is open. What does this point to?
A.That the server is a Domain Name Service (DNS) server
B.That the server is a Secure Shell (SSH) server
C.That the server is a Telnet server
D.That the server is a File Transfer Protocol (FTP) server
C.That the server is a Telnet server
Explanation:
In this scenario, since port 23 is open, the server is running a Telnet service. Telnet is a user command and an underlying TCP/IP protocol for accessing remote computers. Using Telnet, an administrator or another user can access someone else’s computer remotely. Telnet uses a command-line interface. Information transmitted between the Telnet server and client is sent unencrypted, which means that any authentication information may also be captured.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
You are a penetration tester, and a client has recently come to you voicing concern over a large number of companies recently being compromised by remote attackers who are looking for trade secrets. What best describes the types of adversaries that would be looking for trade secrets?
A.Advanced persistent threat (APT) actors
B.Hacktivist groups
C.Insider threats
D.Script kiddies
A.Advanced persistent threat (APT) actors
Explanation:
Advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client systems, the findings should include information that can help them design around this potential problem.
You are a penetration tester, and you are conducting a test for a new client. You are prioritizing the vulnerabilities discovered during the vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 3.6. What risk category does this vulnerability belong to?
A.Low
B.Medium
C.High
D.Critical
A.Low
Explanation:
The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0–6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 3.6 and falls within the Low category.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
You are a penetration tester, and you are preparing to conduct an application programming interface (API) test for a client. Which of the following would be the most favorable to use when preparing for this kind of testing?
A.Nikto
B.Swagger
C.Web Application Archive (WAR)
D.Web Application Attack and Audit Framework (W3AF)
B.Swagger
Explanation:
Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.
You are a penetration tester, and you are currently in the middle of a test when the client asks you to add more addresses. Which of the following defines the target list that you can follow?
A.The end-user license agreement
B.The master services agreement (MSA)
C.The rules of engagement (ROE)
D.The statement of work (SOW)
D.The statement of work (SOW)
Explanation:
A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.
Sue, in the finance department, receives an email from the president of the company indicating that a new vendor needs to be issued a wire transfer. However, neither Sue nor the president know who this new vendor is. The president claims that he never sent the email requesting the transfer. What type of motivation technique is the attacker attempting?
A.Principle of authority
B.Principle of fear
C.Principle of likeness
D.Principle of scarcity
E.Principle of social proof
A.Principle of authority
Explanation:
Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by Sue in finance receiving an email from the president of the company, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.
You are a penetration tester, and you are conducting a test for a new client. You managed to obtain access to a laptop computer. What should your next step be to obtain credentials from the laptop computer?
A.Use brute force to obtain the user’s password.
B.Conduct an LLMNR/NetBIOS-NS query.
C.Leverage the BeEF framework to capture credentials.
D.Perform an ARP spoofing poisoning.
B.Conduct an LLMNR/NetBIOS-NS query.
Explanation:
Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.
You are a penetration tester, and you have been asked by a client to impersonate a recently laid-off help desk technician. What best describes the abilities of being a threat actor?
A.Advanced persistent threat (APT)
B.Hacktivist
C.Organized crime
D.Script kiddie
A.Advanced persistent threat (APT)
Explanation:
Advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.
You are a penetration tester, and you are conducting a test for a new client. You are conducting ARP spoofing against a switch on the client’s network. Which of the following MAC addresses should you trick to get the most amount of information?
A.The MAC address of the client
B.The MAC address of the domain controller
C.The MAC address of the web server
D.The MAC address of the gateway
D.The MAC address of the gateway
Explanation:
ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker’s Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 346). Wiley. Kindle Edition.
You are a penetration tester and are discussing the properties of the testing engagement agreement with the client. Which one of the following will have the biggest impact on the observation and testing of the client’s production systems during their peak loads?
A.Creating a scope of the critical production systems used by the client
B.Establishing a white box testing engagement with the client
C.Having the client’s management team sign off on any invasive testing
D.Setting up a schedule of testing times to access their systems
D.Setting up a schedule of testing times to access their systems
Explanation:
The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 343). Wiley. Kindle Edition.
You are a penetration tester, and you are configuring your vulnerability management solution to perform credentialed scans of servers on your client’s network. What type of account should you be provided with?
A.A domain administrator account
B.A local administrator account
C.A domain guest account
D.A read-only account
D.A read-only account
Explanation:
Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.
You are a penetration tester, and you are conducting a black box penetration test against your client’s network. You are in the process of gathering vulnerability scanning results. What type of scan will provide you with important information within the scope of your testing?
A.A compliance scan
B.A discovery scan
C.A full scan
D.A stealth scan
C.A full scan
Explanation:
A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would be best to run a full scan on the network.
You and a colleague are discussing an open source research source that is maintained by the U.S. government’s National Institute of Science and Technology (NIST). This source provides a summary of current security. What is this government repository called?
A.The Common Attack Pattern Enumeration and Classification (CAPEC)
B.Computer Emergency Response Team (CERT)
C.Common Vulnerabilities and Exposures (CVE)
D.National Vulnerability Database (NVD)
D.National Vulnerability Database (NVD)
Explanation:
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
You are a penetration tester, and you are getting ready to conduct an assessment for a new client. Which of the following documents defines precisely what will be conducted during testing?
A.The master service agreement (MSA)
B.The nondisclosure agreement (NDA)
C.The tester’s detailed invoice to the client
D.The statement of work (SOW)
D.The statement of work (SOW)
Explanation:
A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions. The MSA defines the terms that the organizations will use for any future work. NDAs are legal documents that enforce the confidential relationship between two parties. NDAs outline the parties involved, what information should be considered confidential, how long the agreement lasts, when/how disclosure is acceptable, and how confidential information should be handled. The tester’s detailed invoice to the client is just an invoice and is not a legal document.
You and a colleague are discussing commonly used special network devices. Which of the following is not a commonly used special network device used to control manufacturing equipment and environmental systems?
A.Industrial control systems (ICS)
B.Programmable logic controller (PLC)
C.Real-time operating system (RTOS)
D.Supervisory control and data acquisition (SCADA)
C.Real-time operating system (RTOS)
Explanation:
In this scenario, the only one that is not part of manufacturing is the real-time operating system (RTOS). An RTOS is any operating system intended to serve real-time applications that process data as it comes in, typically without buffer delays. Industrial control system (ICS) is a term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. Supervisory control and data acquisition (SCADA) systems are used to monitor and control production processes in a wide range of industries, including manufacturing, water treatment, mining, oil refining, transportation, and power distribution. A programmable logic controller (PLC) is an industrial solid-state computer that monitors inputs and outputs and makes logic-based decisions for automated processes or machines. A PLC is an industrial digital computer that has been adapted for the control of manufacturing processes, such as assembly lines, robotic devices, or any activity that requires high-reliability control and ease of programming and process fault diagnosis.
You are a penetration tester, and you are conducting a penetration test for a new client. You are using a tool to perform a source code review. The penetration tool incorrectly identifies a vulnerability. What is it called when this happens?
A.A false negative
B.A false positive
C.A true negative
D.A true positive
B.A false positive
Explanation:
A false positive is an error in some evaluation processes in which a condition tested for is mistakenly found to have been detected. The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. When a scanner reports a vulnerability that does not exist, this is known as a false positive error.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
You are a penetration tester, and you are getting ready to run a test for a new client. Which of the following statements would come from the new client’s corporate policy?
A.That the corporate systems must store passwords using the MD5 hashing algorithm.
B.That employee passwords must contain a minimum of eight characters, with one being alphanumeric.
C.The phone number where the help desk can be reached to perform password resets.
D.That to access corporate assets, employees must use strong passwords.
A.That the corporate systems must store passwords using the MD5 hashing algorithm.
Explanation:
A company policy (corporate policy) is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm’s objectives, operations, and plans. It is created by the company’s board of directors. Corporate policy lays down the company’s response to known and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company’s officers in achievement of its objectives. In this scenario, the corporate policy should be very detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.
You and a colleague are discussing which law regulates how financial institutions handle their customers’ personal information. What is this law called?
A.Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2)
B.Gramm-Leach-Bliley Act of 1999 (GLBA)
C.Health Insurance Portability and Accountability Act of 1996 (HIPAA)
D.Sarbanes-Oxley Act of 2002 (SARBOX)
B.Gramm-Leach-Bliley Act of 1999 (GLBA)
Explanation:
The Gramm-Leach-Bliley Act (GLBA) is also known as the Financial Modernization Act of 1999. It is a U.S. federal law that requires financial institutions to explain how they share and protect their customers’ private information.
You are a penetration tester, and you have been hired to test the physical security of a new client’s facility. You have been given freedom to try to penetrate their facility using any method you want as long as it doesn’t damage their property or harm anyone. What type of assessment is the client asking you to conduct?
A.A compliance-based assessment
B.A goal-based assessment
C.A premerger assessment
D.A supply chain assessment
B.A goal-based assessment
Explanation:
In this scenario, the client is asking the tester to conduct a goal-based assessment. Goal-based assessments are conducted for specific reasons. Some examples include validating a new security design, testing an application or service infrastructure before it enters production, or assessing the security of an organization. A premerger assessment is usually conducted on an organization prior to it merging with another. A compliance-based assessment is done to ensure that an organization is in compliance with government regulations or corporate policies. A supply chain assessment involves testing an organization’s vendors.
You are a penetration tester, and you are scoping an external black box penetration test for a new client. You have created a vulnerability scanner that is extremely assertive. During a previous test using this scanner, the scanner took down a client’s website for more than 40 minutes. But, by doing the scan, the client was able to learn about several vulnerabilities and was able to correct the issues. Prior to running this scanner with your current client, what should you do first?
A.Do not use the vulnerability scanner in the upcoming assessment.
B.Use the vulnerability scanner in the upcoming assessment.
C.Determine what the new client’s tolerance to impact is by conducting an impact analysis.
D.Modify the vulnerability scanner to be less assertive.
C.Determine what the new client’s tolerance to impact is by conducting an impact analysis.
Explanation:
In this scenario, the best approach would be to determine the client’s tolerance to impact by conducting an impact analysis. Since this vulnerability scanner has the potential to bring their system down, you need to know what the client’s tolerance levels are and how a down system will affect the client. You also need to make sure the client is aware of all the risks associated with running the scanner.
You and a colleague are discussing open-source intelligence (OSINT), and the discussion leans toward discussing vulnerabilities and other security flaws. There are a number of organizations that work to centralize this knowledge. One of these organizations uses a list as a resource intended to help identify and document attacks and attack patterns. It allows users to search attacks by their mechanism and then breaks down each attack by using various attributes and prerequisites. What organization is being discussed?
A.The Common Attack Pattern Enumeration and Classification (CAPEC)
B.Computer Emergency Response Team (CERT)
C.Common Weakness Enumeration (CWE)
D.National Institute of Standards and Technology (NIST)
A.The Common Attack Pattern Enumeration and Classification (CAPEC)
Explanation:
The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.
You are a penetration tester, and your client wants you to scan their system. They want you to go to great lengths to avoid detection. The client does not want their cybersecurity team to be aware that a penetration test is taking place. What type of scan will you be performing?
A.A compliance scan
B.A discovery scan
C.A full scan
D.A stealth scan
D.A stealth scan
Explanation:
During a penetration test, a tester may want to configure their scans to run as stealth scans. Stealth scans go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration test.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 343). Wiley. Kindle Edition.
You are a penetration tester, and you are conducting a penetration test for a new client. You are looking to cross-compile code for your penetration activity, and then you plan to deploy it. Why would you plan to cross-compile code?
A.To add additional libraries
B.To allow you to inspect the source code
C.To run it on multiple platforms
D.To run it on different architectures
D.To run it on different architectures
Explanation:
Cross-compiling code is used when a target platform is on a different architecture. The tester may not have access to a compiler on the target machine or may need to compile the code for an exploit from the primary workstation, which is not the same architecture as the target.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 345). Wiley. Kindle Edition.
You and a colleague are discussing messaging protocols. One protocol defines how structured information can be exchanged between web applications and is created from WSDL files. Which messaging protocol is being discussed?
A.Simple Object Access Protocol (SOAP)
B.Swagger
C.Web Application Description Language (WADL)
D.XML Schema Definition (XSD)
A.Simple Object Access Protocol (SOAP)
Explanation:
The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.