CompTIA PenTest+ Practice Test - Results (Solomon) Flashcards
Which type of testing forces the pentester to gather information using creative methods and sources and typically does not provide any upfront customer knowledge of the environment to be tested? A.White box B.Black box C.Goals-based D.Gray box
B.Black box
Explanation
Correct Answer: Black box is correct. Black box testing forces the pentester to gather information using creative methods and sources prior to being able to conduct the testing. No company-confidential knowledge is available to the tester other than what is legally required to define and limit the scope of the assessment.
Incorrect Answers: White box is incorrect because full access to internal knowledge is provided to the pentester prior to and during white box testing.
Gray box is incorrect because company-confidential knowledge may be made available to the pentester prior to or during gray box testing.
Goals-based is incorrect because it is a type of assessment that attempts to evaluate the security within an organization through a simulated cyber-attack. The pentest team may or may not have company-confidential information available prior to and during the attack.
Which of the following options is an example of Boolean-based SQL injection? (Choose two.)
A.www.example.com/info.php?id=1 AND 1=1
B.www.example.com/info.php?id=2 AND 3=4
C.www.example.com/info.php?id=1;UNION SELECT * from mysql.users;--
D.www.example.com/info.php?id=2;2--
A.www.example.com/info.php?id=1 AND 1=1
B.www.example.com/info.php?id=2 AND 3=4
Explanation
Correct Answers: www.example.com/info.php?id=1 AND 1=1 and www.example.com/info.php?id=2 AND 3=4 are correct. Boolean-based SQL injection (SQLi) is where you ask the database true (e.g., id=1 AND 1=1) or false (e.g., id=2 AND 3=4) questions and determine the answer based on the response given by the application, where the response could be a content error or a blank page.
Incorrect Answers: www.example.com/info.php?id=2;2-- is incorrect because it terminates the query with a semicolon.
www.example.com/info.php?id=1;UNION SELECT * from mysql.users;-- is incorrect because it is a union query SQL injection that builds on top of the original SELECT statement used in the query to extend the query results beyond what it was intended to query.
Which of the following options provides guidance for planning and conducting technical information security tests? A.NIST SP 800-37 B.DoD 8570 C.NIST SP 800-115 D.FIPS 199
C.NIST SP 800-115
Explanation
Correct Answer: NIST SP 800-115 is correct. National Institute of Standards and Technology (NIST) SP 800-115 provides a technical guide to information security testing and how to conduct these types of tests.
Incorrect Answers: DoD 8570 is incorrect because DoD 8570 is a policy used to address the information technology (IT) certification needs of the U.S. federal government.
NIST SP 800-37 is incorrect because NIST SP 800-37 provides guidance on how to apply the Risk Management Framework (RMF) to U.S. federal information systems.
FIPS 199 is incorrect because Federal Information Processing Standard (FIPS) 199 is the U.S. federal government standard that established security categories of information systems, based on impact levels for confidentiality, integrity, and availability.
Which of the following stakeholders from an organization might be interested in the findings and success of a penetration test? A.Contracting or legal department B.Executive management C.IT Department D.All of the answer choices are correct E.The pentest team
D.All of the answer choices are correct
Explanation
Correct Answers: All of the answer choices are correct. All the options identify important roles within an organization that may be interested in the findings and success of a penetration test.
The IT department may be interested in the specific tests and methodology the pentester executed during the assessment so that the same steps can be followed during a re-test to validate the installation and security effectiveness of any mitigations applied against the vulnerabilities.
The contracting or legal department will want to ensure that all legal and contractual obligations were upheld by both parties involved during the pentest.
Executive management might want to gain a better understanding of the security posture of the entire organization, both to ensure that the organizational IT budget is sufficient to support remediation efforts and to influence organizational security policy changes or decisions, as necessary.
The pentest team would be interested in the success of the pentest because this team is responsible for executing the testing and drafting the findings and remediation for the organization.
All of the other choices are incorrect as individual responses because each stakeholder plays an important role in the success of a penetration test, making choice E the correct answer.
The unquoted service path vulnerability can be used to escalate privileges on a Windows target and exploits what function of the operating system? A.Weak access controls B.CreateProcess C.Task Scheduler D.Windows Registry
B.CreateProcess
Explanation
Correct Answer: CreateProcess is correct. Unquoted service paths are a direct result of the CreateProcess function in Windows operating systems, where the name of a directory or program in the search path is truncated when the function identifies a blank space in the path. Windows will attempt to load each truncated executable until it finds the correct one.
Incorrect Answers: Task Scheduler is incorrect because the Task Scheduler is a Windows component used for managing the execution of Windows scheduled tasks.
Weak access controls is incorrect because weak access controls is a misconfiguration of the operating system, not a function.
Windows registry is incorrect because the Windows registry is a collection of databases of Windows configuration settings, not a function of the operating system.
The customer uses unattended installation files to automate configuration of both physical and virtual hosts on the network. The remote file share that contains the unattended installation files is writable by everyone on the network. What mitigation would you recommend to the customer to help secure their network? (Choose three.)
A.Lock access to share down based on domain access
B.Restrict write access to only trusted hosts
C.Discontinue using unattended installation
D.Restrict access based on IP address
A.Lock access to share down based on domain access
B.Restrict write access to only trusted hosts
D.Restrict access based on IP address
Explanation
Correct Answers: Lock access to share down based on domain access, restrict access based on IP address, and restrict write access to only trusted hosts are correct. They enforce an access control that restricts who or what can access the unattended installation file share.
Incorrect Answers: Discontinue using unattended installation is incorrect because it describes a personal preference and doesn't provide a mitigation to help the customer resolve the underlying weakness with the world-writable network share.
When conducting network and enumeration scanning on the customer's network, your team requests operating system information to help with the vulnerability mapping process. Given the following nmap syntax, which of the following options can help provide OS fingerprinting?
```
nmap -vv -n -Pn -sSVC -O -T4 -p- 10.1.10.0/24 -oA 10.1.10.0.syn
```
A.'-sSV' B.'-n' C.'-Pn' D.'-O'
D.'-O'
Explanation
Correct Answer: '-O' is correct. The -O option can be used with Nmap to help fingerprint the operating system.
Incorrect Answers: '-n' is incorrect because the -n option is used to prevent hostname lookups.
'-Pn' is incorrect because -Pn disables host discovery.
'-sSV' is incorrect because -sSV is used to execute a TCP SYN scan with version detection for each open service/port found during the scan.
Which of the following can be used as a defense-evasion technique? (Choose three.)
A.Encoding an x86 Windows payload with shikata_ga_nai
B.Using MD5 to encode a password that can be used in Mimikatz with PtH on a Windows network
C.Base64-encoding a PowerShell command to execute against a remote host on the network
D.Changing and modifying code from the "Invoke-Mimikatz.ps1" script from PowerSploit to evade antivirus signature detection
A.Encoding an x86 Windows payload with shikata_ga_nai
C.Base64-encoding a PowerShell command to execute against a remote host on the network
D.Changing and modifying code from the "Invoke-Mimikatz.ps1" script from PowerSploit to evade antivirus signature detection
Explanation
Correct Answers: Encoding an x86 Windows payload with shikata_ga_nai is correct because shikata_ga_nai is a valid encoding that can be used with msfvenom to hide a potentially malicious payload.
Changing and modifying code from the Invoke-Mimikatz.ps1 script from PowerSploit to evade antivirus signature detection is correct because the signature detection of an antivirus program can be bypassed if enough of the code is modified to produce slightly different behavior at runtime.
Base64-encoding a PowerShell command to execute against a remote host on the network is correct because base64 encoding can be used to obfuscate commands that are executed on the system. If a network IDS or host-based IDS (HIDS) is not configured to investigate that type of obfuscation, the malicious activity could go undetected.
Incorrect Answers: Using MD5 to encode a password that can be used in Mimikatz with PtH on a Windows network is incorrect. MD5 is a cryptographic hashing algorithm, not an encoder, and it cannot be used with pass-the-hash (PtH) techniques on a Windows network, as the hash values are required to be NTLM.
The customer is using SSH for remote logins and transferring files to hosts on the local area network. However, you also found FTP and Telnet open on most of the Unix servers in the customer environment. The system administrator says they don't use those legacy programs any longer. How would you document this in a pentest report, even though you did not exploit these services?
A.Ask for additional time to test the services
B.Record this as a critical finding
C.Do not address this in the report, since the services are on the LAN and are not exposed to external attacks
D.Include as an "unnecessary open services" observation in the executive summary
D.Include as an "unnecessary open services" observation in the executive summary
Explanation
Correct Answer: Include as an "unnecessary open services" observation in the executive summary is correct. Testing observations, such as the use of unnecessary open services, can be addressed in the executive summary section of the pentest report. This can help management recognize that there may be inconsistent practices used for administration of the network, or a lack of configuration management guidance. These types of cultural issues can be remediated with the help of a top-down management approach, where senior leadership sets the vision and delegates subordinates to carry out the new organizational goals.
Incorrect Answers: Record this as a critical finding is incorrect because the observation is not a finding, as the legacy services were not able to be exploited.
Do not address this in the report, since the services are on the LAN and are not exposed to external attacks is incorrect because any noteworthy observations, including ones that might point to a bigger-picture problem, should be documented in the pentest report so that senior leadership can address and prioritize them accordingly. In the case of unnecessary services, if you find that most of the hosts on the network have not been patched in over a year, and they are running legacy services, this is evidence that the customer is failing to follow industry best practices on the network in more places than one, which could be a cultural issue (lack of knowledge, expertise, or motivation) or a resource issue (not enough system administrators) in the organization.
Ask for additional time to test the services is incorrect because this could introduce scope creep and affect the timely delivery of the pentest report to the customer.
Which of the following can assist you with brute-forcing a web application login page? (Choose three.) A.CeWL B.Wordlist C.XSS D.CSRF E.Hydra
A.CeWL
B.Wordlist
E.Hydra
Explanation
Correct Answers: Wordlist is correct because a wordlist will provide login password possibilities based on a dictionary of words and commonly used passwords.
CeWL is correct because CeWL is a tool used to scrape web pages to derive a wordlist with which to target specific organizations.
Hydra is correct because Hydra is a tool used to help automate the login process, which can allow the pentester to make the most efficient use of his time.
Incorrect Answers: XSS and CSRF are incorrect. Cross-site scripting (XSS) and cross-site request forgery (CSRF) can be used to capture login credentials, user session data, and sensitive information, or to force a user to perform a malicious action, but neither technique will help brute-force a web page login.
What does the following script do?
```bash
#!/bin/bash
# Date stamp used in the log messages written below
today=$(date +%Y-%m-%d)
log_dir="/var/www/logs"
dst_dir="/tmp/logs"
# Count the files currently sitting in the log directory
count=$(ls "$log_dir" | wc -l)
if [ "$count" -gt 0 ]; then
  echo "Moving $count logs on $today" >> /var/www/moveLog.txt
  # Move the logs to the staging directory
  mv "$log_dir"/* "$dst_dir"
  # Secure copy each staged file to the log server using an SSH key, then delete the local copy
  for i in $(ls "$dst_dir"); do
    scp -i key "$dst_dir/$i" webusr@logsrvr:/logs/websrv1/www
    echo "$dst_dir/$i"
    rm -rf "$dst_dir/$i"
  done
else
  echo "No files to move $today" >> /var/www/moveLog.txt
fi
```
A.Secure copies the files and then removes the files from the remote host
B.Moves log files to another directory, then secure copies the files to another host using 'scp', and then removes the files that were secure copied
C.Copies log files to another directory and then removes all the logs
D.Moves log files to another directory and then secure copies the files to another host using a password
B.Moves log files to another directory, then secure copies the files to another host using 'scp', and then removes the files that were secure copied
Explanation
Correct Answer: Moves log files to another directory, then secure copies the files to another host using scp, and then removes the files that were secure copied is correct. The bash script counts the number of files in the $log_dir directory, and then uses a conditional statement to verify that there are indeed files in that directory. If there are files in the $log_dir directory, the script proceeds to move the files to the $dst_dir directory, then secure copies the log files from $dst_dir to the logsrvr host, then removes the files from $dst_dir after they have been secure copied.
Incorrect Answers: Copies log files to another directory and then removes all the logs is incorrect because the script does not remove all the logs once it copies them to another directory.
Moves log files to another directory and then secure copies the files to another host using a password is incorrect because the secure copy is done with an SSH key, not a password.
Secure copies the files and then removes the files from the remote host is incorrect because the script does not remove the files from the remote host.
Which of the following is a valid reason for executing an authenticated vulnerability scan against a target?
A.It produces more findings
B.It helps to reduce false positives
C.You will be able to show more impact in your test results
D.The scan will help exploit target weaknesses and carry out post-exploitation activities
B.It helps to reduce false positives
Explanation
Correct Answer: It helps to reduce false positives is correct. Executing an authenticated vulnerability scan can help reduce the number of false positives reported by a vulnerability scanner, as the credential used during the scan allows the scanner to verify a patch level or configuration setting directly, whereas an unauthenticated scan relies on a service banner or a trivial fuzzing technique that may or may not be enough to infer the existence of a vulnerability.
Incorrect Answers: It produces more findings is incorrect because running an authenticated scan against a target will not necessarily produce additional findings.
You will be able to show more impact in your test results is incorrect because an authenticated vulnerability scan can help verify the existence of a vulnerability and report on the impact or severity of the vulnerability, but showing impact in your test results is based on how you test and the findings you can produce.
The scan will help exploit target weaknesses and carry out post-exploitation activities is incorrect because an authenticated vulnerability scan may execute some tests to validate a vulnerability, such as using code to test for Shellshock, but its primary focus is to detect and report vulnerabilities, not to carry out post-exploitation activities.
Using the following example PHP code, what type of attack could this application be susceptible to?
Example HTTP GET request:
http://www.example.com/test.php?img=photo1.png
Example PHP code:
C.Directory traversal attack
Explanation
Correct Answer: Directory traversal attack is correct. The example URL will attempt to retrieve photo1.png from the web server and render the image in the browser. The example PHP code shows that the value of the img= parameter, photo1.png, should be retrieved from $WebDir, which points to the local file system path of '/var/www/html'. However, because the code provides no input validation, it could be susceptible to a directory traversal that accesses files outside the intended location using ../../../../etc/passwd.
Incorrect Answers: SQLi is incorrect because the application would not be susceptible to SQL injection as there is no mention of a database function within the code.
Directory indexing is incorrect because the PHP code does not execute directory indexing.
Clickjacking is incorrect because clickjacking is a client-side attack that tricks users into clicking on a button or link within a web page they were not intending to interact with. This attack makes use of CSS, iframes, and even text boxes to load legitimate web content through an attacker-controlled web page.
Which of the following Windows shares are readable on the local area network by default? A.All of the answer choices are correct B.C$ C.ADMIN$ D.IPC$
D.IPC$
Explanation
Correct Answer: IPC$ is correct. The IPC$ share, also known as the null session share, allows anonymous hosts on the network to perform certain activities such as enumerating domain accounts and network shares.
Incorrect Answers: ADMIN$ and C$ are incorrect because the ADMIN$ and C$ Windows shares are only accessible over the network by local or domain administrator accounts.
“All answers are correct…” is incorrect because not all of the shares are readable by anonymous users on the network.
Which testing methodology or methodologies should an organization consider when scoping and planning for an engagement? (Choose all that apply.) A.Black box B.White box C.Gray box D.All of the answer choices are correct
D.All of the answer choices are correct
Explanation
Correct Answers: All of the answers are correct. All of the answers are testing methodologies that should be considered when planning and scoping an engagement.
Black box testing can help an organization understand the complexity involved with information gathering and, when given enough time, attacking/exploiting the organizational environment when no company-confidential knowledge is provided.
White box and gray box testing could help the organization streamline the testing process, to assist with evaluating various types of external and internal attack vectors, such as insider threats. All three of these testing methodologies could help an organization gain a better understanding of their operational defense capabilities, and their ability to defend against real-world threats.
Incorrect Answers: All of the other choices are incorrect as individual responses because an organization should consider all three testing methodologies when scoping and planning for an engagement, making choice “All answers” the correct answer.
When using the airodump-ng tool to collect wireless network packets, why would you want to define the channel to listen on?
A.You should always specify the channel your target is listening on when conducting wireless surveys and exploitation activities
B.When attempting to crack the wireless encryption key or four-way handshake, it's best to stick to the channel your target is listening on to prevent frequency hopping, which could limit your ability to collect all of the packets necessary for password recovery attacks
C.Channel hopping is a technique used by airodump-ng to determine the channel a target host is listening on
D.Using the same channel as your target wireless device will help speed up the time necessary to crack the PSK offline
B.When attempting to crack the wireless encryption key or four-way handshake, it's best to stick to the channel your target is listening on to prevent frequency hopping, which could limit your ability to collect all of the packets necessary for password recovery attacks
Explanation
Correct Answer: When attempting to crack the wireless encryption key or four-way handshake, it's best to stick to the channel your target is listening on to prevent frequency hopping, which could limit your ability to collect all of the packets necessary for password recovery attacks is correct. By default, the airodump-ng tool will hop from channel to channel, restricting your ability to collect all of the packets necessary to recover the WEP key or the four-way handshake from a WPA network. Camping out on the specific channel will help increase the odds of successful exploitation.
Incorrect Answers: You should always specify the channel your target is listening on when conducting wireless surveys and exploitation activities is incorrect because there are certain times when using a specific channel would be advantageous over not defining the channel, as in the case of attacking the Wireless Encryption Protocol.
Using the same channel as your target wireless device will help speed up the time necessary to crack the PSK offline is incorrect because the time required to crack the PSK is dependent on other external factors such as CPU power, time, word lists, rules, and so on, and is unrelated to the channel the target device is using for communication.
Channel hopping is a technique used by airodump-ng to determine the channel a target host is listening on is incorrect because it describes the channel-hopping technique but doesn’t answer the question of why it would be better to use a single channel versus a channel-hopping technique.
Which of the following algorithms can be used to generate a cryptographic hash value for a password? A.RSA B.Base64 C.AES D.MD5
D.MD5
Explanation
Correct Answer: MD5 is correct. Message Digest 5 (MD5) is an algorithm that takes a variable-length string (message) of input and turns it into a fixed-length hash value (message digest). The primary objective is integrity: the hash value cannot be returned to its original string value, which makes hashing an ideal candidate for storing passwords.
Incorrect Answers: AES and RSA are incorrect because the Advanced Encryption Standard (AES) and Rivest, Shamir, and Adleman (RSA) are used for symmetric key encryption, and are used for encrypting and decrypting sensitive information and for authentication purposes.
Base64 is incorrect because base64 encoding is a type of obfuscation and is easily reversible.
Which of the following commands can you use to query information from an organization's OpenLDAP server? A.'accesschk.exe' B.'ldapsearch' C.'searchsploit' D.'net group'
B.'ldapsearch'
Explanation
Correct Answer: ldapsearch is correct because this command is used to query the LDAP server.
Incorrect Answers: searchsploit is incorrect because the searchsploit command is a Kali Linux command that can search through local exploit-db contents to look for public exploit code.
net group is incorrect because net group is used in Windows operating systems to list the local groups the host knows about.
accesschk.exe is incorrect because accesschk.exe is a local operating system console program used to identify users or groups that have access to specific resources, such as files, directories, Windows services, etc.
What is the purpose of a table of contents in the pentest report? A.To provide page numbers B.To organize the report C.To list headings and subheadings D.All of the answer choices are correct
D.All of the answer choices are correct
Explanation
Correct Answer: All of the answers are correct. The table of contents will help organize the report, list the headings and subheadings, and provide page numbers.
Incorrect Answers: The other answers are incorrect when individually selected, as all of the answers are correct.
Which of the following are considered examples of threat actors? (Choose four.) A.Advanced persistent threat B.Pentester C.Script kiddies D.Hacktivist E.Insider threat
A.Advanced persistent threat
C.Script kiddies
D.Hacktivist
E.Insider threat
Explanation
Correct Answers: Insider threat, script kiddie, advanced persistent threat, and hacktivist are correct. They are all different types of threat actors that can pose a significant risk to an organization, depending on the intent and capabilities of the threat actor and how the organization defends against the threat.
Incorrect Answer: Pentester is incorrect because a pentester is not a threat actor, though this role can simulate the activity of a threat actor in a particular group, depending on the type of assessment.