CompTIA PenTest+ Practice Test Chapter 6 Practice Exam 1 (Sybex: Panek, Crystal, Tracy) Flashcards
You are a penetration tester, and you are currently performing reconnaissance as a part of a gray box penetration test for a new client. You run a vulnerability scan on one of the client’s servers and discover that port 23 is open. What does this point to?
A.That the server is a Domain Name Service (DNS) server
B.That the server is a Secure Shell (SSH) server
C.That the server is a Telnet server
D.That the server is a File Transfer Protocol (FTP) server
C.That the server is a Telnet server
Explanation:
In this scenario, since it is port 23 that is open, this indicates the server you are on is a Telnet server. Telnet is a user command and an underlying TCP/IP protocol for accessing remote computers. Using Telnet, an administrator or another user can access someone else’s computer remotely. Telnet uses a command-line interface. Information transmitted between the Telnet server and client is sent unencrypted. This means that any authentication information may also be captured.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
You are a penetration tester, and a client has recently come to you voicing concern over a large number of companies recently being compromised by remote attackers who are looking for trade secrets. What best describes the types of adversaries that would be looking for trade secrets?
A.Advanced persistent threat (APT) actors
B.Hacktivist groups
C.Insider threats
D.Script kiddies
A.Advanced persistent threat (APT) actors
Explanation:
Advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client systems, the findings should include information that can help them design around this potential problem.
You are a penetration tester, and you are conducting a test for a new client. You are prioritizing the vulnerabilities discovered during the vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 3.6. What risk category does this vulnerability belong?
A.Low
B.Medium
C.High
D.Critical
A.Low
Explanation:
The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0-6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 3.6 and falls within the Low category.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
You are a penetration tester, and you are preparing to conduct an application programming interface (API) test for a client. Which of the following would be the most favorable to use when preparing for this kind of testing?
A.Nikto
B.Swagger
C.Web Application Archive (WAR)
D.Web Application Attack and Audit Framework (W3AF)
B.Swagger
Explanation:
Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values
for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.
You are a penetration tester, and you are currently in the middle of a test when the client asks you to add more addresses. Which of the following defines the target list that you can follow?
A.The end-user license agreement
B.The master services agreement (MSA)
C.The rules of engagement (ROE)
D.The statement of work (SOW)
D.The statement of work (SOW)
Explanation:
A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.
Sue, in the finance department, receives an email from the president of the company indicating that a new vendor needs to be issued a wire transfer. However, neither Sue nor the president know who this new vendor is. The president claims that he never sent the email requesting the transfer. What type of motivation technique is the attacker attempting?
A.Principle of authority B.Principle of fear C.Principle of likeness D.Principle of scarcity E.Principle of social proof
A.Principle of authority
Explanation:
Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by Sue in finance receiving an email from the president of the company, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.
You are a penetration tester, and you are conducting a test for a new client. You managed to obtain access to a laptop computer. What should your next step be to obtain credentials from the laptop computer?
A.Use brute force to obtain the user’s password.
B.Conduct a LLMNR/NETBIOS-NS query.
C.Leverage the BeEF framework to capture credentials.
D.Perform an ARP spoofing poisoning.
B.Conduct a LLMNR/NETBIOS-NS query.
Explanation:
Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.
You are a penetration tester, and you have been asked by a client to impersonate a recently laid-off help desk technician. What best describes the abilities of being a threat actor?
A.Advanced persistent threat (APT)
B.Hacktivist
C.Organized crime
D.Script kiddie
A.Advanced persistent threat (APT)
Explanation:
Advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.
You are a penetration tester, and you are conducting a test for a new client. You are conducting ARP spoofing against a switch on the client’s network. Which of the following MAC addresses should you trick to get the most amount of information?
A.The MAC address of the client
B.The MAC address of the domain controller
C.The MAC address of the web server
D.The MAC address of the gateway
D.The MAC address of the gateway
Explanation:
ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker’s Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 346). Wiley. Kindle Edition.
You are a penetration tester and are discussing the properties of the testing engagement agreement with the client. Which one of the following will have the biggest impact on the observation and testing of the client’s production systems during their peak loads?
A.Creating a scope of the critical production systems used by the client
B.Establishing a white box testing engagement with the client
C.Having the client’s management team sign off on any invasive testing
D.Setting up a schedule of testing times to access their systems
D.Setting up a schedule of testing times to access their systems
Explanation:
D. The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 343). Wiley. Kindle Edition.
You are a penetration tester, and you are configuring your vulnerability management solution to perform credentialed scans of servers on your client’s network. What type of account should you be provided with?
A.A domain administrator account
B.A local administrator account
C.A domain guest account
D.A read-only account
D.A read-only account
Explanation:
Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.
You are a penetration tester, and you are conducting a black box penetration test against your client’s network. You are in the process of gathering vulnerability scanning results. What type of scan will provide you with important information within the scope of your testing?
A.A compliance scan
B.A discovery scan
C.A full scan
D.A stealth scan
C.A full scan
Explanation:
A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would be best to run a full scan on the network.
You and a colleague are discussing an open source research source that is maintained by the U.S. government’s National Institute of Science and Technology (NIST). This source provides a summary of current security. What is this government repository called?
A.The Common Attack Pattern Enumeration and Classification (CAPEC)
B.Computer Emergency Response Team (CERT) C.Common Vulnerabilities and Exposures (CVE) D.National Vulnerability Database (NVD)
D.National Vulnerability Database (NVD)
Explanation:
The National Vulnerability Database (NVD) is the U.S. government repository of standards based on vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
You are a penetration tester, and you are getting ready to conduct an assessment for a new client. Which of the following documents defines precisely what will be conducted during testing?
A.The master service agreement (MSA)
B.The nondisclosure agreement (NDA)
C.The tester’s detailed invoice to the client
D.The statement of work (SOW)
D.The statement of work (SOW)
Explanation:
A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions. The MSA defines the terms that the organizations will use for any future work. NDAs are legal documents that enforce the confidential relationship between two parties. NDAs outline the parties involved, what information should be considered confidential, how long the agreement lasts, when/how disclosure is acceptable, and how confidential information should be handled. The tester’s detailed invoice to the client is just an invoice and is not a legal document.
You and a colleague are discussing commonly used special network devices. Which of the following is not a commonly used special network devices used to control manufacturing equipment and environmental systems?
A.Industrial control systems (ICS)
B.Programmable logic controller (PLC)
C.Real-time operating system (RTOS)
D.Supervisory control and data acquisition (SCADA)
C.Real-time operating system (RTOS)
Explanation:
C. In this scenario, the only one that is not part of manufacturing is the real-time operating system (RTOS). RTOS is any operating system intended to serve real-time applications that process data as it comes in, typically without buffer delays. Industrial control system (ICS) is a term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. Supervisory control and data acquisition (SCADA) systems are used to monitor and control production processes in a wide range of industries, including manufacturing, water treatment, mining, oil refining, transportation, and power distribution. A programmable logic controller (PLC) is an industrial solid-state computer that monitors inputs and outputs and makes logic-based decisions for automated processes or machines. A PLC is an industrial digital computer that has been adapted for the control of manufacturing processes, such as assembly lines, or robotic devices, or any activity that requires high reliability control and ease of programming and process fault diagnosis.
You are a penetration tester, and you are conducting a penetration test for a new client. You are using a tool to perform a source code review. The penetration tool incorrectly identifies a vulnerability. What is it called when this happens?
A.A false negative
B.A false positive
C.A true negative
D.A true positive
B.A false positive
Explanation:
A false positive is an error in some evaluation processes in which a condition tested for is mistakenly found to have been detected. The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. When a scanner reports a vulnerability that does not exist, this is known as a false positive error.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
You are a penetration tester, and you are getting ready to run a test for a new client. Which of the following statements would come from the new client’s corporate policy?
A.That the corporate systems must store passwords using the MD5 hashing algorithm.
B.That employee passwords must contain a minimum of eight characters, with one being alphanumeric. C.The phone number where the help desk can be reached to perform password resets.
D.That to access corporate assets, employees must use strong passwords.
A.That the corporate systems must store passwords using the MD5 hashing algorithm.
Explanation:
A company policy (corporate policy) is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm’s objectives, operations, and plans. It is created by the company’s board of directors. Corporate policy lays down the company’s response to known
and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company’s officers in achievement of its objectives. In this scenario, the corporate policy should be very detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.
You and a colleague are discussing which law regulates how financial institutions handle their customers’ personal information. What is this law called?
A.Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2)
B.Gramm-Leach-Bliley Act of 1999 (GLBA)
C.Health Insurance Portability and Accountability Act of 1996 (HIPPA)
D.Sarbanes-Oxley Act of 2002 (SARBOX)
B.Gramm-Leach-Bliley Act of 1999 (GLBA)
Explanation:
The Gramm-Leach-Bliley Act (GLBA) is also known as the Financial Modernization Act of 1999. It is a U.S. federal law that requires financial institutions to explain how they share and protect their customers’ private information.
You are a penetration tester, and you have been hired to test the physical security of a new client’s facility. You have been given freedom to try to penetrate their facility using any method you want as long as it doesn’t damage their property or harm anyone. What type of assessment is the client asking you to conduct?
A.A compliance-based assessment
B.A goal-based assessment
C.A premerger assessment
D.A supply chain assessment
B.A goal-based assessment
Explanation:
In this scenario, the client is asking the tester to conduct a goal-based assessment. Goals-based assessments are conducted for specific reasons. Some examples include validating a new security design, testing an application or service infrastructure before it enters production, or assessing the security of an organization. A premerger assessment is usually conducted on an organization prior to it merging with another. A compliance-based assessment is done to ensure that an organization is in compliance with government regulations or corporate policies. A supply chain assessment involves testing an organization’s vendors.
You are a penetration tester, and you are scoping an external black box penetration test for a new client. You have created a vulnerability scanner that is extremely assertive. During a previous test using this scanner, the scanner took down a client’s website for more than 40 minutes. But, by doing the scan, the client was able to learn about several vulnerabilities and was able to correct the issues. Prior to running this scanner with your current client, what should you do first?
A.Do not use the vulnerability scanner in the upcoming assessment.
B.Use the vulnerability scanner in the upcoming assessment.
C.Determine what the new client’s tolerance to impact is by conducting an impact analysis.
D.Modify the vulnerability scanner to be less assertive.
C.Determine what the new client’s tolerance to impact is by conducting an impact analysis.
Explanation:
In this scenario, the best approach would be to determine the client’s tolerance to impact by conducting an impact analysis. Since this vulnerability scanner may have the potential of bringing their system down, you need to know what the client’s tolerance levels are and how a down system will affect the client. You also need to make sure the client is aware of all the risks associated with running the scanner.
You and a colleague are discussing open-source intelligence (OSINT), and the discussion leans toward discussing vulnerabilities and other security flaws. There are a number of organizations that work to centralize this knowledge. One of these organizations uses a list as a resource intended to help identify and document attacks and attack patterns. It allows users to search attacks by their mechanism and then breaks down each attack by using various attributes and prerequisites. What organization is being discussed?
A.The Common Attack Pattern Enumeration and Classification (CAPEC)
B.Computer Emergency Response Team (CERT)
C.Common Weakness Enumeration (CWE)
D.National Institute of Standards and Technology (NIST)
A.The Common Attack Pattern Enumeration and Classification (CAPEC)
Explanation:
The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.
You are a penetration tester, and your client wants you to scan their system. They want you to go to great lengths to avoid detection. The client does not want their cybersecurity team to be aware that a penetration test is taking place. What type of scan will you be performing?
A.A compliance scan
B.A discovery scan
C.A full scan
D.A stealth scan
D.A stealth scan
Explanation:
During a penetration test, a tester may want to configure their scans to run as stealth scans. Stealth scans go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration test.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 343). Wiley. Kindle Edition.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 343). Wiley. Kindle Edition.
You are a penetration tester, and you are conducting a penetration test for a new client. You are looking to cross-compile code for your penetration activity, and then you plan to deploy it. Why would you plan to cross-compile code?
A.To add additional libraries
B.To allow you to inspect the source code
C.To run it on multiple platforms
D.To run it on different architectures
D.To run it on different architectures
Explanation:
Cross-compiling code is used when a target platform is on a different architecture. The tester may not have access to a compiler on the target machine or may need to compile the code for an exploit from the primary workstation, which is not the same architecture as the target.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 345). Wiley. Kindle Edition.
You and a colleague are discussing messaging protocols. One protocol defines how structured information can be exchanged between web applications and is created from WSDL files. Which messaging protocol is being discussed?
A.Simple Object Access Protocol (SOAP)
B.Swagger
C.Web Application Description Language (WADL) D.XML Schema Definition (XSD)
A.Simple Object Access Protocol (SOAP)
Explanation:
The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.
You are a penetration tester, and you are in the middle of conducting a penetration test specifically scoped to a single web application. You learn that the web server also contains a list of passwords to other servers at the target location. You notify the client. The client then asks you to validate those servers. What has occurred once you proceed with testing the passwords against the other servers?
A.Threat hunting
B.Pivoting
C.Scope creep
D.Target expansion
C.Scope creep
Explanation:
A scope creep occurs when additional items are added to the scope of an assessment. The tester has gone beyond the scope of the initial assessment agreement.
You are a penetration tester and will be conducting a test for a new client. The client has requested that you perform a wireless penetration test. What scoping target information will you most likely need before testing can begin?
A.The bands and frequencies of the wireless devices used by the client
B.The preferred wireless access point vendor of the client
C.The number of wireless devices owned by the client
D.The physical location and network ESSIDs to be tested
A.The bands and frequencies of the wireless devices used by the client
Explanation:
In this scenario, you would need to receive the bands and frequencies used by the client’s wireless devices in order to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, but knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 347). Wiley. Kindle Edition.
You are a penetration tester, and you are working with a new client to scope out the considerations for an upcoming penetration test. You ask the client if they are willing to accept the fact that a penetration test could possibly cause disruptions within their network. The client states that they understand. What process have you and the client just discussed in this scenario?
A.Due diligence
B.Risk acceptance
C.Security exceptions
D.Threat modeling
B.Risk acceptance
Explanation:
A risk assessment typically involves identifying areas of vulnerability or potential weakness and providing a road map to a stronger security posture. In this scenario, the client fully understands that the penetration testing could cause disruptions to their network, and they are willing to accept those risks.
A member of your help desk team receives a phone call from an individual claiming to be an employee. This person is requesting assistance to help unlock an account that has been locked out. The help desk member asks for proof of identity before access will be granted. What type of attack was the caller trying to perform?
A.Impersonation
B.Interrogation
C.Phishing
D.Shoulder surfing
A.Impersonation
Explanation:
Impersonation involves disguising oneself as another person to gain access to facilities or resources. This may be as simple as claiming to be a staff member or as intricate as wearing a uniform and presenting a fake company ID. In this scenario, the attacker called the help desk technician, pretending to be an employee.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 346). Wiley. Kindle Edition.
You are a penetration tester, and you are working with a new client discussing an upcoming penetration test. The client has requested that you perform a “crystal box” test of their network. What type of penetration testing is the client requesting you perform?
A.A black box test
B.A goal-based test
C.A gray box test
D.A white box test
D.A white box test
Explanation:
White box tests, sometimes called crystal box or full knowledge tests, allow testers to see everything inside a network. They are performed with full knowledge of the principal technologies, configurations, and settings that make up the target. Testers will typically have information including network diagrams, lists of systems and IP network ranges, and even credentials to the systems. White box tests are often more complete, as testers can get to every system, service, or other target that is in scope.
You are a penetration tester, and you have been asked to conduct a penetration test for a new client. The client wants to assess their vulnerability to a malevolent insider who has the network privileges of an average employee. What type of test should you perform?
A.A black box test
B.A gray box test
C.A red box test
D.A white box test
B.A gray box test
Explanation:
Gray box tests are a combination of black box and white box testing. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A gray box test can help focus penetration testers’ effort and time while providing a precise view of what the malevolent insider would actually encounter. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.
You are a penetration tester, and you are putting together the terms of a penetration test that you will be conducting for a new client. Which of the following is an appropriate method to secure legal permission to conduct the test?
A.Send an email asking a member of senior management for permission to start the test.
B.Make a phone call and ask a member of the IT staff for permission to start the test.
C.Ask a member of the IT staff to sign a document granting you permission to start the test.
D.Ask a member of senior management to sign a document granting you permission to start the test
D.Ask a member of senior management to sign a document granting you permission to start the test
Explanation:
Before conducting a penetration test, you must get written permission from the senior management of the client’s organization to start the test. It is not acceptable to get permission verbally or by email. It is also not acceptable to obtain permission from the IT staff.
You are a penetration tester and have been asked to test an organization that uses an authentication method that associates hosts with their public keys. What type of authentication technique is the organization using?
A.Certificate pinning
B.Self-signed server authentication
C.SSL Handshake
D.X.509 bypassing
A.Certificate pinning
Explanation:
Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.
You are a penetration tester, and you are conducting a black box penetration test for a large organization. You want to probe the client’s web server IP address. You want to see what information may be associated with it, such as what cipher suite it uses. What tool should you use to complete this task?
A.Censys
B.Nslookup
C.Maltego
D.Shodan
A.Censys
Explanation:
Censys is a web-based tool that probes a given IP address. It is a search engine that helps penetration testers discover, monitor, and analyze devices that are accessible from the Internet. Censys lets researchers find specific hosts and create summative reports on how devices, web sites, certificates, and ciphers used are deployed.
You are a penetration tester, and you have full access to a domain controller. You want to discover any user accounts that have not been active for the past 30 days. What command should you use?
A.dsrm -users “DN=client.com; OU=hq CN=users” B.dsquery user -inactive 4
C.dsquery -o -rdn -limit 30
D.dsuser -name -account -limit 3
B.dsquery us -inactive 4
Explanation:
Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive < NumWeeks >.
You are a penetration tester, and you’ve been asked to determine whether the client’s server farm is compliant with the company’s software baseline. You will be conducting a remote scan. What type of scan should you perform to verify compliance?
A.A credentialed scan
B.A discovery scan
C.A full scan
D.A stealth scan
B.A discovery scan
Explanation:
A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. Discovery scans provide penetration testers with an automated way to identify hosts that exist on the network and build an asset inventory.
You are a penetration tester and have been scanning a new client’s network. The vulnerability scanner that you are utilizing is using a service access level to better evaluate vulnerabilities across multiple assets within an organization. What type of scan is being performed?
A.A credentialed scan
B.A nonintrusive scan
C.A passive scan
D.A privilege escalation scan
A.A credentialed scan
Explanation:
Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that may not be seen from the network. Credentialed scans are widely used in enterprise vulnerability management programs and are a useful tool when performing a penetration test. Credentialed scans may access operating systems, databases, and applications. Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 343). Wiley. Kindle Edition.
You are a penetration tester, and you are conducting a test for a new client. You have successfully deployed an evil twin, and you are beginning to see some of the client’s traffic. What would be the next step that you would want to take to capture all the unencrypted web traffic from the client?
A.Harvest the user credentials to decrypt traffic. B.Implement a certification authority (CA) attack by impersonating trusted Cas.
C.Implement an HTTP downgrade attack.
D.Perform a man-in-the-middle (MITM) attack.
C.Implement an HTTP downgrade attack.
Explanation:
A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a less-secure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.
You and a colleague are discussing different types of attacks that can take place. One such attack is a client-side attack that is used to manipulate an HTML iframe with JavaScript code via web browser. What type of attack are you discussing?
A.Buffer overflow
B.Cross-site scripting (XSS)
C.Man-in-the-middle (MITM)
D.SQL injection (SQLi)
B.Cross-site scripting (XSS)
Explanation:
Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. In this scenario, the attacker is attempting to manipulate an HTML iframe with JavaScript code using a web browser.
You are a penetration tester, and you have been asked by a client to perform a code review of their web application. What type of analysis will you be performing?
A.Dynamic code analysis
B.Fuzzing
C.Fault injection
D.Static code analysis
D.Static code analysis
Explanation:
Code testing is often done using static or dynamic code analysis along with testing methods such as fuzzing and fault injection. Once changes are made to the code and it is deployed, it must be retested to ensure that the changes didn’t create any new security issues. Since you are only reviewing the code in this scenario, you will be conducting a static code analysis. Static code analysis, also known as source code analysis, is done by reviewing the code of an application. Since static analysis uses the source code, it can be seen as a type of white box testing with full visibility. This can allow testers to find problems that other tests might fail to spot.
You and a colleague are discussing social engineering techniques. One technique involves questioning an employee using intimidation to gather information. What is this social engineering technique called?
A.Impersonation
B.Interrogation
C.Phishing
D.Smishing
B.Interrogation
Explanation:
B. Interrogation (also called questioning) is interviewing an individual with the goal of obtaining useful information. Interrogation may involve a wide array of techniques, ranging from developing a bond with the individual to torture. With this technique, fear can be used as a motivator. However, this technique is not usually used by penetration testers.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 346). Wiley. Kindle Edition.
You and a colleague are discussing open source intelligence (OSINT) gathering tools. Which of the following tools is not an OSINT-gathering tool?
A.Fingerprinting Organizations with Collected Archives (FOCA)
B.Nessus
C.Nslookup
D.Whois
B.Nessus
Explanation:
Nessus is a commercial vulnerability scanning tool used to scan a wide variety of devices, but it is not part of the tools available for OSINT gathering. There are a variety of tools that assist with this OSINT collection:
Internet and then provides penetration testers with access to that information through a search engine. Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats
Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts.
Nslookup tools help identify the IP addresses associated with an organization.
Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.
Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.
theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization.
Whois tools gather information from public records about domain ownership.
The president of your organization reports that he has been receiving a huge number of phone calls from an individual claiming to be with the help desk department. This individual is asking the president to verify his network authentication credentials because his computer is broadcasting across the network. What type of attack is this individual attempting?
A.Impersonation
B.Interrogation
C.Vishing
D.Whaling
C.Vishing
Explanation:
Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the president is receiving telephone calls, this is a vishing attack.
You are a penetration tester, and you are putting together the rules of engagement (ROE) for an upcoming test for a new client. The client has requested a white box assessment. You have already informed the client that:
The client cannot use shunning or blacklisting during the testing.
The client must provide you with internal access to the network.
The client must provide you with a detailed network map.
The client must provide you with authentication credentials.
Applications provided by a software as a service (SaaS) service provider are not allowed during the test.
What did you do wrong in this scenario when putting together the ROE?
A.The client should be allowed to use any means necessary to defend itself.
B.Having detailed information about the internal network undermines the results of the test.
C.All network resources should be subject to testing, including any cloud-based resources.
D.Nothing. The ROE has been defined correctly.
D.Nothing. The ROE has been defined correctly.
Explanation:
The rules of engagement (ROE) have been defined as needed in this scenario. ROE key elements include the following: The timeline for the engagement and when testing can be conducted. What locations, systems, applications, or other targets are included/excluded. Also, any special technical constraints should be addressed in the ROE. Data handling requirements for any information gathered during the penetration testing. What behaviors to expect. Any defensive behaviors such as shunning, blacklisting, or other active defenses may limit the value of a penetration test. What resources will be committed to the testing. Any legal concerns that should be addressed, including a summary of any regulatory concerns affecting the client organization, the penetration testing team, any remote locations, and any service providers who will be in scope.
When and how communications will occur. Who to contact in case of particular events, such as evidence of compromises, accidental breach of ROE, critical vulnerabilities that have been discovered, or other events that merit immediate attention. Who is allowed to contact the penetration testing team.
You and a colleague are discussing rainbow table attacks versus brute-force attacks. Which of the following characteristics distinguish rainbow table attacks from brute-force attacks? (Choose two.)
A.Rainbow table attacks reduce compute cycles at attack time.
B.Rainbow tables must include precompiled hashes. C.Rainbow table attacks do not require access to hashed passwords.
D.Rainbow table attacks must be performed on the network.
E.Rainbow table attacks bypass the maximum failed login restrictions.
A.Rainbow table attacks reduce compute cycles at attack time.
B.Rainbow tables must include precompiled hashes
Explanation:
Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offline-only attack. It uses fewer compute cycles than any other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach with an attacker submitting many passwords or passphrases with the chance of eventually guessing the password correctly.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 345). Wiley. Kindle Edition.
You are a penetration tester, and you are working on a penetration scan for a new client. During an external vulnerability scan, you discover the following findings:
Vulnerability Ports
Multiple unsupported versions of Apache found 80, 443
SSLv3 accepted on HTTPS connections 443
Mod_rewrite enabled on Apache servers 80, 443
Windows Server host found 21
Given these results, how should you prioritize the attack strategies?
A.Obsolete software can contain vulnerable components.
B.The web servers may reveal sensitive information. C.Weak password management practices are being utilized.
D.Weak protocols may be intercepted.
.
B.The web servers may reveal sensitive information.
Explanation:
In this scenario, all the ports that the penetration tester discovered have to do with the Web. So, the answer for this question would be that sensitive information may be revealed on the web servers since those were the ports indicated during the vulnerability scan.
Port 21 is TCP/FTP, or the control port. Port 80 is TCP/HTTP and used for transferring web pages. Port 443 is TCP/HTTPS, which is the HTTP Protocol over TLS/SSL, for encrypted transmission.
You are a penetration tester, and you are planning on using black box penetration testing on a new client. Using this type of strategy, what will you be provided with?
A.Privileged credentials
B.A network diagram
C.Source code
D.Nothing, as you must do your own discovery
D.Nothing, as you must do your own discovery
Explanation:
Black box tests, sometimes called zero knowledge tests, are intended to replicate what an outside attacker would encounter.
Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would.
You are a penetration tester, and you have been asked to perform a black box penetration test for a new client. You want to find out who owns the client’s domain name. What tool can you use to find this information?
A.Nslookup
B.Maltego
C.Shodan
D.Whois
D.Whois
Explanation:
Whois is a widely used Internet record listing that identifies who owns a domain and how to get in contact with them. The Internet Corporation for Assigned Names and Numbers (ICANN) regulates domain name registration and ownership. Whois records have proven to be extremely helpful and have developed into an essential resource for maintaining the integrity of the domain name registration and website ownership process.
You are a penetration tester, and you have been asked to perform a penetration test for a client. You need a document that will set the overall terms between your organizations. This will also be used for future work between your organizations as you plan on setting up a support agreement. What is this document called?
A.A noncompete agreement
B.A nondisclosure agreement (NDA)
C.A master services agreement (MSA)
D.A statement of work (SOW)
C.A master services agreement (MSA)
Explanation:
A master services agreement (MSA) sets the overall provisions between two organizations. Many organizations also create an MSA, which will define the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. MSAs are common when organizations anticipate working together over a period of time or when a support agreement is created.
You are a penetration tester, and you have been tasked to try to penetrate a client’s facility. You notice an unlocked side door that was left open by an employee. You gain access into the facility. The client wants to prevent this from happening again and removes the door and puts in a wall. What type of risk response did the client take in this scenario?
A.Acceptance
B.Avoidance
C.Contingency
D.Exploitation
B.Avoidance
Explanation:
Risk response is the process of controlling identified risks. It is a basic step in any risk management process. Risk response is a planning and decision-making process where the client decides how to deal with each risk. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. This is scenario, the client used risk avoidance by removing the door and putting up a wall.
You and a colleague are discussing which law requires that healthcare-related organizations must be in compliance with certain security standards. What is this law called?
A.Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2)
B.Gramm-Leach-Bliley Act of 1999 (GLBA)
C.Health Insurance Portability and Accountability Act of 1996 (HIPPA)
D.Sarbanes-Oxley Act of 2002 (SARBOX)
C.Health Insurance Portability and Accountability Act of 1996 (HIPPA)
Explanation:
The Health Insurance Portability and Accountability Act of 1996 (HIPPA) is a U.S. legislation that requires data privacy and security provisions for safeguarding medical information. The law has emerged into greater importance recently with the explosion of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers.
You are a penetration tester, and you are putting together the rules of engagement (ROE) for an upcoming test for a new client. The client has requested a white box assessment. This will be an internal test where no third-parties are involved. Which of the following resources would be considered in scope for this testing scenario? (Choose two.)
A.Active Directory users
B.Google Docs Microsoft
C.Azure web servers
D.Microsoft Office 365 cloud applications
E.Password policies defined within Group Policy
A.Active Directory users
E.Password policies defined within Group Policy
Explanation:
In this scenario, the scope of this engagement is limited to the internal network only. Microsoft Office 365, Google Docs, and Microsoft Azure are all cloud-based services hosted by third parties and are therefore considered out-of-scope. The Active Directory users and the password policies that are defined within Group Policy would be considered in scope.
You are a penetration tester, and you are attempting to identify vulnerabilities in a customer’s web application without affecting the system or its data. What best describes the type of vulnerability scan being performed?
A.Aggressive scan
B.Compliance scan
C.Noncredentialed scan
D.Passive scan
D.Passive scan
Explanation:
Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that
it does not leave a trail that could alert users or administrators. The main advantage for administrators is that it doesn’t cause undesired behavior on the target computer. Passive scanning does have limitations. It is not as complete in details as an active vulnerability scan and cannot detect any applications that are not currently sending out traffic.
You are a penetration tester, and you are putting together the rules of engagement (ROE) for an upcoming test for a new client. What items do you need to include in the ROE? (Choose two.)
A.The timeline that testing will be conducted
B.A review of any laws, especially any that govern the client
C.A list of similar companies that you have tested previously
D.A list of your client’s competitors
E.A detailed map of the client’s network
A.The timeline that testing will be conducted
B.A review of any laws, especially any that govern the client
Explanation:
The rules of engagement (ROE) should always include the timeline that testing will be conducted as well as a review of any laws, especially any that govern the client to ensure that you don’t break any. A list of other organizations that you have previously tested or a list of the client’s competition is not required to be included in the ROE document. A detailed map of the client’s network would not be needed for the ROE but may be needed for the penetration testing.
You are a penetration tester, and you are planning on doing penetration testing for a new client. You are planning on setting up a security assessment. Which of the following has a major impact on the budget of the assessment?
A.Compliance requirement
B.Scheduling
C.Scoping
D.Target risk
C.Scoping
Explanation:
The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.
You are a penetration tester, and you are working on an upcoming test for a new client. The client has requested a white box assessment. The goal of the test is to see whether you can gain access to confidential customer data that is stored on an internal database server. You have asked the client for architectural diagrams. What information should the client provide you with? (Choose two.)
A.The facility maps
B.The network diagrams
C.The Simple Object Access Protocol (SOAP) documentation
D.The Swagger document
A.The facility maps
B.The network diagrams
Explanation:
In this scenario, you are conducting a white box assessment. So, when requesting internal architectural diagrams as a part of testing, you should usually be supplied with documentation such as network diagrams and facility maps. You can use this information to help map out the network topology and to locate key infrastructure devices, such as switches, routers, and servers.
You are a penetration tester, and you have been hired by a new client to conduct a penetration test. The client would like you to test their proprietary design documents. The goal of the test is to bypass security measures and gain unauthorized access to these documents. What type of assessment will you be conducting?
A.A compliance-based assessment
B.A goal-based assessment
C.An objective-based assessment
D.A red team assessment
D.A red team assessment
Explanation:
Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization, and compliance-based assessments are designed to test compliance with specific laws.
You are a penetration tester, and you have just completed a simple compliance scan of your client’s network. The results indicate that there is a subset of assets on a network. This information differs from what was shown on the network architecture diagram that you were given prior to testing. What is most likely the cause for the discrepancy? (Choose two.)
A.A misconfigured DHCP server B.Incorrect credentials C.Limited network access D.Network access controls (NAC) E.Storage access
C.Limited network access
E.Storage access
Explanation:
Compliance scanning focuses on the configuration settings or the security hardening that is being applied to a system. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. Compliance scans are not designed to locate vulnerabilities in software applications or operating systems but are designed to locate and assess vulnerabilities in system hardening configurations. In this scenario, since you are seeing more assets on the network than what was provided in the network architecture, you can attribute that to having limited network access or storage access.
You are a penetration tester, and you have been asked to perform a black box penetration test for a new client. Which phase of the assessment will most likely take the longest to complete?
A.The attacking and exploiting phase
B.The information gathering and vulnerability identification phase
C.The planning and scoping phase
D.The reporting and results communication phase
B.The information gathering and vulnerability identification phase
Explanation:
In this scenario, the client has requested that you perform a black box penetration test. Since this is a black box test, you will most likely spend most of your time performing the information gathering and vulnerability identification phase. Black box tests, sometimes called zero-knowledge tests, are intended to duplicate what an outside attacker would encounter. Testers are not provided with access to or information about an environment, so they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems just as an attacker would. This can be time-consuming for the penetration tester.
You are a penetration tester, and you have heard about an attacker who carried out an attack against a government contractor in a neighboring country. The goal of the attack was to gain access through the contractor to the opposing country’s government network infrastructure. The attacker is being backed by the attacker’s own government. What type of threat actor is being described in this scenario?
A.Hacktivist
B.Nation state
C.Organized crime
D.Script kiddie
B.Nation state
Explanation:
A nation state threat actor has been given the “go ahead” to hack. They work for a government to disrupt or compromise target governments, organizations, or individuals to gain access to valuable data or intelligence and can create incidents that have international significance. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist usually attacks targets to make a political statement. An organized crime threat actor is a group of cybercriminals whose goal is financial gain.
You and a colleague are discussing consumer-based Internet of Things (IoT). IoT devices are usually less secure than systems that are designed for conventional desktop computers. Why is this statement true?
A.Developers who design IoT devices are not as concerned with security.
B.It is difficult for administrators to apply the same security standards extensively.
C.IoT systems often lack the hardware power needed by some steadier solutions.
D. Regulatory authorities often have lower constraints for IoT systems.
A.Developers who design IoT devices are not as concerned with security.
Explanation:
The Internet of Things (IoT) refers to the network of physical products and devices that connect to the Internet. Manufacturers and developers want to minimize costs to increase their profits. Hence, security is often not the key feature of the product or device. So, as with any other device on a network, IoT devices may have security vulnerabilities and may be subject to network-based attacks.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 345). Wiley. Kindle Edition.
You are a penetration tester, and you are conducting a test for a new client. Upon reviewing the logs for a web application, you find a suspicious request. The request shows the following URL:
http://www.mycompany.com/about.php?i=../../../etc/passwd
What is this request trying to do?
A.The request is attempting cross-site scripting.
B.The request is attempting directory traversal.
C.The request is attempting remote file inclusion.
D.The request is attempting user enumeration.
B.The request is attempting directory traversal.
Explanation:
In this scenario, the .. operators are the revealing giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. A directory traversal attack is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.
You are a penetration tester, and you are conducting a penetration test for a new client. You are using social media to gather information about different employees within your client’s organization. You create a list of popular words used frequently in the employee’s profiles. What type attack could this information be used for?
A.Dictionary attack
B.Exploit chaining attack
C.Karma attack
D.Session hijacking attack
A.Dictionary attack
Explanation:
A dictionary attack is a method of breaking into a password-protected computer or server by thoroughly entering every word in a dictionary as a password. Dictionary attacks work because many computer users use ordinary words as passwords. Dictionary attacks rely on a prebuilt dictionary of words. In many cases, penetration testers can add additional specific dictionary entries to a dictionary file for their penetration test based on knowledge; this can be beneficial in performing a dictionary attack. In this scenario, the penetration tester used social media to find additional keywords that may be beneficial in a dictionary attack.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
You and a colleague are discussing threat actors. You are discussing an attacker attacking a government agency because they are unhappy with a new law that has been passed. What type of threat actor being discussed?
A.Script kiddie
B.Hacktivist
C.Organized crime
D.Nation state
B.Hacktivist
Explanation:
Hacktivists may want to make a political or social point. Hacktivists aren’t typically doing attacks for money. They are individuals or groups of hackers who get together and see themselves as fighting for injustice. Hacktivists employ the same tools and tactics as hackers.
You are a penetration tester, and you are conducting the information gathering phase of a black box penetration test. You want to eavesdrop on the radio frequency emissions being emitted from the client’s facility and try to capture data from their wireless network. You are parked in the client’s parking lot. What utility could you use on your Linux laptop to break the encryption that the client is using on their wireless network?
A.Aircrack-ng
B.nmap
C.tcpdump
D.Wireshark
A.Aircrack-ng
Explanation:
Aircrack-ng is a complete suite of tools to assess wireless network security. It focuses on different areas of Wi-Fi security. Monitoring: Packet capture and export of data to text files for further processing by third-party tools. Attacking: Replay attacks, deauthentication, fake access points, and others via packet injection. Testing: Checking Wi-Fi cards and driver capabilities. Cracking: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access 2 – Pre-Shared Key (WPA PSK).
You are a penetration tester, and you are in the middle of performing a penetration test on a client’s network. You are gathering information without actively scanning the network. What type of information are you gathering?
A.Background checks
B.Commercial record search
C.Intelligence gathering
D.Open source intelligence (OSINT)
D.Open source intelligence (OSINT)
Explanation:
Open source intelligence (OSINT) tools and techniques are those that go through publicly available information for organizational and technical details that might prove useful during the penetration test. OSINT is information that can be gathered easily. OSINT is often used to determine the organization’s footprint, which includes a listing of all of the systems, networks, and other technology that an organization has.
You are a penetration tester, and you are conducting a test for a new client. You discover the following log entry on a server:
Nov 19 2018 00:21:15 httpd[2342]: GET /app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow
What type of attack was being attempted?
A.Buffer overflow
B.Command injection
C.Cross-site scripting
D.Password attack
B.Command injection
Explanation:
B. In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 347). Wiley. Kindle Edition.
You are a penetration tester, and you are discussing the CIA triad model with a colleague. You are discussing the meaning of the word confidentiality. In the context of the CIA triad model, which statement best describes what confidentiality means?
A.Preventing unauthorized access to information or systems
B.Preventing unauthorized modifications to information or systems
C.Ensuring that legitimate use of information and systems remains possible
D.Preventing legitimate access to information and systems
A.Preventing unauthorized access to information or systems
Explanation:
Confidentiality, integrity, and availability is known as the CIA triad. It is a model designed to guide policies for information security within an organization. Cybersecurity professionals use this model to describe the goals of information security. The CIA triad has three main characteristics of information that cybersecurity programs seek to protect: Confidentiality seeks to prevent unauthorized access to information or systems.
Integrity seeks to prevent unauthorized modification of information or systems. Availability seeks to ensure that legitimate use of information and systems remains possible.
You and a colleague are discussing different types of attacks that an attacker might use. One type of attack is carried out when a target is sent unsolicited messages through Bluetooth. What type of attack are you discussing?
A.A bluesnarfing attack
B.A bluesniping attack
C.A bluejacking attack
D.A war chalking attack
C.A bluejacking attack
Explanation:
Bluejacking is when an attacker sends unsolicited messages over Bluetooth devices. Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, a hacker scans their surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 347). Wiley. Kindle Edition.
You and a colleague are discussing different types of attacks that can take place. One type of attack is where communications between two parties is intercepted and then forwarded and neither party is aware that an interception even took place. What type of attack are you discussing?
A.A man-in-the-middle attack
B.A spear phishing attack
C.A transitive access attack
D.A URL hijacking attack
A.A man-in-the-middle attack
Explanation:
A. A man-in-the-middle attack happens when communication between two parties is intercepted by an outside entity. Man-in-the-middle attacks are a common kind of cybersecurity attack that allows an attacker to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation.
You are a penetration tester, and you are conducting a penetration test for a new client. After several attempts, you were able to gain unauthorized access through a biometric sensor by using your own fingerprint without exploitation. What happened with the biometric device that allowed you to gain access?
A.The device is configured more toward true negatives.
B.The device is set to fail closed.
C.The device replicated a valid user’s fingerprint. D.The device is tuned more toward false positives.
D.The device is tuned more toward false positives.
Explanation:
A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a one-to-many search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as false acceptance rates (FARs) and false rejection rates (FRRs).
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 344). Wiley. Kindle Edition.
You are a penetration tester, and you have just completed testing for a new client. You have revealed that a legacy web application is vulnerable to SQL injections. The client indicates that remediating the vulnerability would require an architectural change and management does not want to risk anything happening to the current application. Which of the following conditions would minimize the SQL injection risk while proving a low-effort and short-term solution? (Choose two.)
A.From the stored procedures, identify and remove the dynamic SQL.
B.From the code, identify and remove the inline SQL statements.
C.Identify and sanitize all user inputs.
D.Identify the source of malicious input and block the IP address.
E.For the SQL statements, use a blacklist validation. F.For the SQL statements, use a whitelist validation.
E.For the SQL statements, use a blacklist validation. F.For the SQL statements, use a whitelist validation.
Explanation:
Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 347). Wiley. Kindle Edition.
You are a penetration tester, and you are conducting a penetration test for a new client. After performing a recent test, you discover that the client’s staff is using dictionary and seasonal passwords. What is the best way to control the use of common dictionary words from being used as passwords?
A.Configure password filters.
B.Disable the accounts after three incorrect attempts.
C.Expand the password length from seven to 14 characters and add special characters.
D.Implement password history restrictions.
C.Expand the password length from seven to 14 characters and add special characters.
Explanation:
C. In this scenario, since the client’s employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters.
Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !”#$%&’()*+,-./:;<=>?@[]^_’{|}~. This will make it harder for attackers to break into your client’s system.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 345). Wiley. Kindle Edition.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 345). Wiley. Kindle Edition.
You are a penetration tester, and you and a colleague are discussing why it is important to maintain confidentiality of any findings you may have when conducting a penetration test. Why should findings be kept confidential?
A.They can assist an attacker in compromising a network.
B.They can contain company intellectual property. C.They are legal documents that contain privileged information.
D.They could lead to consumer dissatisfaction if the findings were made public.
A.They can assist an attacker in compromising a network.
Explanation:
Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain the confidentiality of findings. If an attacker were to receive word of findings during a penetration test, they could use those to compromise your client’s network.
You and a colleague are discussing open-source intelligence (OSINT), and the discussion leans toward discussing vulnerabilities and other security flaws. There are a number of organizations that work to centralize this knowledge. One of these organizations tackles a broad range of cybersecurity activities. It focuses on security breach and denial-of-service (DoS) incidents by providing alerts, as well as incident-handling and avoidance guidelines. What organization is being discussed?
A.The Common Attack Pattern Enumeration and Classification (CAPEC)
B.Computer Emergency Response Team (CERT) C.Common Weakness Enumeration (CWE)
D.National Institute of Standards and Technology (NIST)
B.Computer Emergency Response Team (CERT)
Explanation:
A Computer Emergency Response Team (CERT) focuses on security breach and denial-of-service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.
You are a penetration tester, and you are conducting a penetration test for a new client. You have discovered a supervisory control and data acquisition (SCADA) device in one of the VLANs in scope. What action best creates a potentially damaging outcome against the device?
A.Beginning a DNS cache poisoning attack B.Beginning a Nessus vulnerability scan
C.Beginning an SMB exploit
D.Beginning an SNMP password brute-force attack
D.Beginning an SNMP password brute-force attack
Explanation:
An SNMP brute-force attack attacks an IP address with SNMP queries to determine the SNMP read-only and read-write community strings (or passwords). It does this by trying every possible password. The master information base (MIB) database that is created by SNMP contains important information on every device on the network. If a tester can crack the password on SNMP, they may be able to control each networked device. This would allow changes to configurations to taking devices offline.
A penetration tester has used SET to make a copy of a company’s cloud-hosted web mail portal and then sends an email trying to obtain the president’s login credentials. This is an example of what type of attack?
A.An elicitation attack
B.An impersonation attack
C.A spear phishing attack
D.A whaling attack
C.A spear phishing attack
Explanation:
The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack.
You are a penetration tester, and you are conducting a test for a new client. You have discovered a vulnerability in the client’s domain controller. The vulnerability is that null sessions are enabled on the domain controller. What type of attack can be performed to take advantage of this vulnerability?
A.An attacker can attempt a pass the hash to relay credentials.
B.An attacker can attempt password brute forcing to log into the host.
C.An attacker can attempt RID cycling to enumerate users and groups.
D.An attacker can attempt session hijacking to impersonate a system account.
C.An attacker can attempt RID cycling to enumerate users and groups.
Explanation:
One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password–based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute-force the user accounts when it’s finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.
Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 347). Wiley. Kindle Edition.
You are a penetration tester, and you are running a penetration test for a new client. You are using your penetration testing toolkit running on personal computer to conduct scans on various network devices. All of a sudden the network goes dark. What possibly happened?
A.You crashed a perimeter router with your scans. B.You crashed a switch on the network backbone with your scans.
C.Your computer’s IP address got whitelisted.
D.Your computer’s IP address got blacklisted.
D.Your computer’s IP address got blacklisted.
Explanation:
In this scenario, the IP address of your computer was blacklisted. Blacklisting is part of your client’s defensive practices. Your scans were detected by an intrusion protection system (IPS), and as a result, the IP address used by your computer was entered on a blacklist. Blacklisting works by maintaining a list of applications and other “known” information. In this case, your IP address was used to deny you access to the network.
You are a penetration tester, and you are conducting a penetration test for a new client. You want to use rainbow tables against a password file that has been captured. How does the rainbow table crack passwords?
A.By comparing hashes to identify known values
B.By decrypting the passwords
C.By unhashing the passwords
D.By using brute-force testing of hashes
A.By comparing hashes to identify known values
Explanation:
Rainbow tables are lists of precomputed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a fairly fast database lookup, allowing “cracking” of hashed passwords, even though hashes aren’t reversible. The password file is a list of hashed values.
You are a penetration tester, and you are planning an engagement for a new client. Which of the following are the most important things to know prior to starting testing? (Choose two.)
A.Architectural diagrams B.Company policies C.Goals/objectives D.Storage time for a report E.Tolerance to impact
B.Company policies
E.Tolerance to impact
Explanation:
Knowing the company policies and their tolerance to impact are two of the most important items needed to know when planning for an engagement. The others are important as well, but in this scenario the question is which are the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.
