CompTIA PenTest+ (PT0-001) Practice Certifications Exams (Jason Dion 4 of 6) Flashcards
Which of the following secure coding best practices ensures special characters like , /, and ‘ are not accepted from the user via a web form? A.Session management B.Input validation C.Error handling D.Output encoding
B.Input validation
Explanation:
OBJ-5.3: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the < string when writing to an HTML page.
An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?
A.The user doesnt have a PDF reader installed on their computer
B.The attachment is using a double file extension to mask its identity
C.The file contains an embedded link to a malicious website
D.The email is a form of spam and should be deleted
B.The attachment is using a double file extension to mask its identity
Explanation:
OBJ-2.4: The message contains a file attachment hoping that the user will execute or open it. The attachment’s nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.
A penetration tester wants to build a workstation that will be used to brute force hash digests. Which of the following is the BEST option to ensure sufficient power and speed to crack them? A.Multi-core CPU B.Dedicated GPU C.Integrated GPU D.7200-RPM HDD
B.Dedicated GPU
Explanation:
OBJ-4.2: Dedicated GPUs are designed to conduct complex mathematical functions extremely quickly. If you want to build a system to perform cracking of a password, hash, or encryption algorithm, it is important to have a high-speed, dedicated GPU. The reason to use a GPU instead of a CPU for password cracking is that it is much faster for this mathematically intensive type of work. Cracking passwords, hashes, and encryption is a lot like mining cryptocurrency in that using dedicated GPUs will give you the best performance.
Consider the following REGEX search string:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following strings would NOT be included in the output of this search? A.205.255.255.001 B.37.259.129.207 C.1.2.3.4 D.001.02.3.40
B.37.259.129.207
Explanation:
OBJ-4.4: The \b delimiter indicates that we are looking for whole words for the complete string. The REGEX is made up of four identical repeating strings, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).”. For now, let us refer to these octets, such as the ones used in internet protocol version 4 addresses. Each octet will allow the combination of 25[0-5] OR (|) 2[0-4][9-] OR numbers 00-99 is preceded by (?) a 0 or 1, or just a single number followed by a “.”. Since the period is treated as a special character in a REGEX operator, the escape character () is required to enable the symbol to act as a dot or period in the output. This sequence repeats four times, allowing for all variations of normal IP addresses to be entered for values 0-255. Since 259 is outside the range of 255, this is rejected. More specifically, character strings starting with 25 must end with a number between 0 and 5 (25[0-5]). Therefore, 259 would be rejected. Now, on exam day, if you received a question like this, you can try to figure out the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answer first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don’t be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn’t a valid IP address? Clearly, 37.259.129.107 is not a valid IP address, so if you had to guess as to what wouldn’t be an output of this complex-looking command, you should guess that one!
Your company has just hired a contractor to attempt to exploit a weakness in your network to identify all their vulnerabilities. This person has been permitting to perform these actions and only conduct their actions within the contract's scope of work. Which of the following will be conducted by the contractor? A.Penetration testing B.Social engineering C.Hactivism D.Vulnerability scanning
A.Penetration testing
Explanation;
OBJ-1.3: Penetration testing is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. Penetration testers only do this with permission of the organization that owns the system, network, or web application and within the bounds of their scope of work. The person will not attempt to exploit a weakness during vulnerability scanning. Social engineering may be used as part of a penetration test, but it does not adequately describe the scenario provided. Hacktivism is when someone is hacking an organization without permission based on their own morals and values.
A facility would like to verify each individual’s identity before allowing access to its server room and datacenter. Additionally, the building should ensure that users do not tailgate behind other users. What solution would BEST meet these requirements?
A.Implement a biometric reader at the datacenter entrance and require passage through a mantrap
B.Implement a security guard at the facility entrace and a keypad at the data center entrance
C.Implement a CCTV camera and a proximity reader at the data center entrance
D>Implement a biometric reader at the facility entrace and a proximity card at the data center entrace
A.Implement a biometric reader at the datacenter entrance and require passage through a mantrap
Explanation:
OBJ-5.3: A biometric reader would read the employee’s fingerprints. A mantrap is most often used in physical security to separate non-secure areas from secure areas and prevent unauthorized access.
What is the proper threat classification for a security breach that employs brute-force methods to compromise, degrade, or destroy systems? A.Attrition B.Improper usage C.Impersonation D.Losss or theft of equipment
A.Attrition
Explanation:
OBJ-2.4: Attrition attacks employ brute-force methods to compromise, degrade, or destroy systems, networks, or services. An impersonation attack occurs when the attacker gains control of an employee’s account and uses it to convince other employees to perform fraudulent actions. Improper usage occurs when an employee or other authorized user utilizes the systems or networks not as intended or designed. The loss or theft of equipment usually relates to a smartphone, tablet, or laptop is lost or stolen, and then the data on it becomes compromised.
Your company has been contracted to develop an Android mobile application for a major bank. You have been asked to verify the security of the Java function’s source code below:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
int verifyAdmin(String password) {
if (password.equals("mR7HCS14@31")) {
return 0;
}
return 1;
}
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following vulnerabilities exist in this application’s authentication function based solely on the source code provided?
A.The function is vulnerable to a buffer overflow attack
B.The function is vulnerable to an SQL injection attack
C.THe function is using parameterized queries
D.The function is using hard-coded credentials to verify the password entered by the user
D.The function is using hard-coded credentials to verify the password entered by the user
Explanation
OBJ-3.4: The function uses hard-coded credentials in the function, which is an insecure practice that can lead to compromise. The password for the application is shown in the source code as mR7HCS14@31. Even if this was obfuscated using encoding or encryption, it is a terrible security practice to include hard-coded credentials in the application since an attacker can reverse-engineer them. In this case, it could be used to rob the bank or its customers! There is no evidence of a SQL injection or buffer overflow attack vulnerability based on the code being shown. In fact, this code doesn’t even show any SQL or ability to connect to an SQL database. We cannot see the variable initiation in this code, either, so we cannot determine if it is vulnerable to a buffer overflow attack. Finally, a parameterized query is a security feature, not a vulnerability, and this source code does not show any evidence of parameterized queries being used.
You have been contracted to conduct a compliance-based assessment for an organization. What is the MOST important thing for you to understand?
A.The organizations industry
B.The organizations tolerance to impact
C.The organizations policies
D.The organizations architectural diagrams
A.The organizations industry
Explanation:
OBJ-1.4: The organization’s industry is the most important thing to consider and understand when conducting a compliance-based assessment. Compliance-based assessments are government or industry required assessments based on a particular compliance framework. For example, if you are conducting an assessment of a credit card processor, then PCI-DSS would be important to consider. If you are assessing a federal government IT system, then you should consider FEDRAMP. If you are conducting an assessment of a military or military contractor network, you should consider the DISA STIG for those systems.
A company has implemented the capability to send all log files to a central location by utilizing an encrypted channel. The log files are sent to this location to be reviewed. A recent exploit has caused the company’s encryption to become insecure. What would be required to resolve the exploit?
A.Configure the firewall to block port 22
B.Utilize an FTP service
C.Send all log files through SMTP
D.Install recommended updates
D.Install recommended updates
Explanation:
OBJ-5.3: If the encryption is insecure, then we must look for encryption software updates or patches. If they are available, we must install them.
You have been hired to conduct a compliance-based, external network penetration test for an organization. During the engagement planning, you determined that the client has an IPS protecting their network. You have requested to have your source IP whitelisted in the IPS during the engagement. The client states that they do not want to whitelist your source IP. Which of the following should you tell the client?
A.The organization cannot rely solely on the IPS because its signatures need to be constantly updated to prevent vulnerabilities and exploitation
B.Whitelisting the source IP is required since a third-party developed the IPS and therefore, would need to approve the penetration test if the IP is note whitelisted
C.Whitelsiting the source IP will allow us to focus on the discovery of security issues within your system instead of relying solely on the effectiveness of the IPS
C.Whitelisting the source IP is necessary to prevent flooding the IPS and Syslog server with false positives
D.Whitelisting the source IP is necessary to prevent flooding the IPS and Syslog server with false positives during the engagement
C.Whitelisting the source IP is necessary to prevent flooding the IPS and Syslog server with false positives
Explanation:
OBJ-1.4: If the source IP is not whitelisted, the penetration tester will have to waste a lot of time and resources trying to bypass it to test the rest of the systems in the exam’s scope. Instead, the source IP should be whitelisted. The final report should indicate which vulnerabilities found would be a lower risk due to the IPS already installed as a mitigating control.
Which of the following lateral movement techniques provides an HTTP Simple Access Object Protocol (SOAP) standard for specific remote management services on Windows systems? A.PsExec B.Scheduled tasks C.WMI D.WinRM
D.WinRM
Explanation:
OBJ-3.7: Windows Remote Management (WinRM) is a technology that provides an HTTP Simple Object Access Protocol (SOAP) standard for specific remote management services on Windows systems. These remote management services enable you to issue commands to remote systems without using an interactive shell.
Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? A.Directory traversals B.Faulty input validation C.Output encoding D.File inclusions
B.Faulty input validation
Explanation:
OBJ-5.3: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website’s running process. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.
You are working as part of a DevSecOps team at Dion Training on a new practice exam web application. You need to conduct static analysis of the code as part of your software assurance responsibilities. Which of the following tools should you utilize? A.APK Studio B.YASCA C.Hydra D.FOCA
B.YASCA
Explanation:
OBJ-4.2: YASCA (Yet Another Source Code Analyzer) is an open-source software assurance static test (SAST) program that inspects the source code for security vulnerabilities, code quality, and performance. FOCA, Hydra, and APK studio are not categorized as SAST tools. FOCA (Fingerprinting and Organization with Collected Archives) is a network infrastructure mapping tool that analyzes metadata from many file types to enumerate users, folders, software and OS information, and other information. Hydra is a free network login password cracking tool that is included with Kali Linux. It supports several authentication protocols. APK Studio is a cross-platform IDE for reverse engineering Android applications.
During a penetration test, which of the following should you perform if your goal is to conduct a successful smishing attack?
A.Send targetd emails with a malicious attachment to the sales team
B.Send a text message with a malicious link to the organizations executives
C.Send a targeted email with a malicious attachment to the organizations CEO
D.Call the CTOs assistant using a pretext to gather information about their schedule
B.Send a text message with a malicious link to the organizations executives
Explanation
OBJ-3.1: Smishing (SMS phishing) is a phishing attack in which the attacker entices their victim through SMS text messages. If the messages are sent by text message, then the attack is considered smishing.
You are reviewing the logs in your IDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?
A.SYN Flood
B.UDP Probe
C.Remote host cannot find the right service port
D.Port scan
D.Port scan
Explanation
OBJ-3.2: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create an SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. An SYN flood normally sends many SYNs to a single system. Still, it doesn’t send them to unused ports, and a UDP probe will not send SYN packets.
A small business network was recently infected by a piece of malware from a USB drive that copied sensitive data from a computer, infected the system, and then spread across the network by infecting other systems. Which of the following actions could have prevented this type of attack from occurring?
A.Enabling full disk encryption
B.Disabling AutoRun on the computer
C.Replacing the default credentials on the system
D.Enforcing the use of complex passwords
B.Disabling AutoRun on the computer
Explanation
OBJ-5.3: The Windows AutoRun feature is turned on by default on most Windows versions, allowing programs to run from an external device as soon as it is attached to a computer. Malware can exploit the AutoRun feature and allow it to spread its payload from your external USB device to a computer. For this reason, users should disable the AutoRun feature.
What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network? A.Network sniffing B.Application security testing C.Social Engineering D.Vulnerability scanning
C.Social Engineering
Explanation
OBJ-3.1: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore adding end-user training would not affect these technology options.
Which of the following phase of a penetration test are not usually conducted by a real attacker? A.Reconnaissance B.Gaining access C.Reporting D.Covering tracks
C.Reporting
Explanation:
OBJ-1.1: While a penetration test closely mirrors the same attack process used by a real attacker, the reporting phase is used only by penetration testers. The reporting phase is where the information gathered during testing and analysis is shared with stakeholders. Normally, this includes the vulnerabilities detected, vulnerabilities exploited, sensitive data accessed, length of access maintained, and recommendations for remediation.
Your company failed a recent security audit. The IT Directory has issued a new policy dictating that all workstations must be locked when not in use for more than 2 minutes. A password must be entered before booting up the operating system, and that the hard drive is fully encrypted. You have been asked to configure the corporate workstations to enforce these new security measures. Which THREE of the following should you configure FIRST? A.Enable a UEFI password B.Enable BitLocker C.Require multifactor authentication D.Enable strong passwords E.Enable a screen lock F.Require the use smart cards
A.Enable a UEFI password B.Enable BitLocker E.Enable a screen lock Explanation OBJ-5.3: These requirements can be met by enabling BitLocker to encrypt the hard drive, enable a UEFI password to require a password to be entered before booting an operating system, and enabling a screen lock that turns on after 2 minutes of inactivity.
Jason is conducting a penetration test against Dion Training’s Windows-based network. He wants to laterally move to another host and execute an exploit he previously trick a user into downloading to the C:\Windows\temp directory on the workstation with an IP of 192.168.1.50. He types the following into his terminal:
-=-=-=-=-=-=-
PS C:\Users\jason> $obj = [activator]::CreateInstance([type]::GetTypeFromProgID(“MMC20.Application”,”192. 168.1.50”))
Based on these commands, what type of post-exploitation lateral movement did Jason utilize? A.Scheduled tasks B.PsExec C.RPC/DCOM D.WMIC
C.RPC/DCOM
Explanation
OBJ-3.7: Remote Procedure Call (RPC) enables inter-process communication between local and remote processes on Windows. Distributed Component Object Model (DCOM) enables the communication between software components over a network. DCOM applications use RPC as a transport mechanism for client requests. Flaws in DCOM can enable you to execute code on a remote system by assuming user privileges. For example, a DCOM application commonly used to initiate lateral movement is MMC20.Application. This enables users to execute Microsoft Management Console (MMC) snap-in operations on a Windows computer. The MMC20.application includes an ExecuteShellCommand() method that allows for a command’s remote execution using a remote computer’s shell. In this example, the first command told PowerShell on Jason’s machine to select the MMMC snap-in on the remote computer with the IP address of 192.168.1.50. The second command then started the exploit on the remote system with a null current working directory, null parameters passed to the exploit.exe command and started it with a window state of 7. Ultimately, this would launch the exploit.exe program on the remote machine using the local administrator account.
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach?
A.Require data masking for any information stored in the datastore
B.Require data at rest encryption on all endpoints
C.Require a VPN to be utilized for all telework employees
D.Require all new employees to sign an NDA
B.Require data at rest encryption on all endpoints
Explanation
OBJ-5.3: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop’s loss caused it. Even if a VPN had been used, the same data breach would have still occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.
You have just concluded a two-month engagement that targeted Dion Training’s network. You have a detailed list of findings and have prepared your report for the company. Which of the following reasons explains why you must keep your report confidential and secure?
A.The findings contain privileged information about their customers
B.The findings could be used by attackers to exploit the clients systems
C.The findings included may contain company intellectual property
D.The findings could hurt the companys reputation if disclosed
B.The findings could be used by attackers to exploit the clients systems
Explanation
OBJ-5.1: To further reinforce the SOW, NDA, and any other legal documentation in effect, the client is likely to include confidentiality provisions within the engagement plan. This ensures that the information discovered during the penetration test is shared only with the appropriate entities. For example, if a penetration tester finds a major code injection vulnerability in the company’s public-facing website, the organization may require them to keep this information confidential to minimize the risk of it being exploited by an attacker.
You are working at the service desk and just received the following email from an end-user who believes it is suspicious:
From: user@diontraining.com
To: abuse@diontraining.com
Subject: You won a free iPhone!
You have won a brand new iPhone!
Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php)
*******
How should you classify this email? A.Spearphishing B.Malware C.Phishing D.SPoofing
C.Phishing
Explanation
OBJ-3.1: This is an example of a phishing campaign. Phishing refers to obtaining user authentication or financial information through a fraudulent request for information. Phishing is specifically associated with emailing users with a link to a faked site (or some other malware that steals the information they use to try to authenticate). Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. In this example, the specific user wasn’t clearly targeted by their name or by their association with a particular store, company, or website.
Which of the following is the MOST important thing to receive from the client during the planning for an engagement? A.Password policies B.Goals and Objectives C.SOAP project files D.Architectural diagrams
B.Goals and Objectives
Explanation
OBJ-1.3: When planning an engagement, it is crucial to understand the client’s goals and objectives. Basically, they need to answer the question, “What do I hope to achieve by conducting this penetration test?” This will allow you to better plan the engagement within the boundaries you and the client agree upon. For example, are they conducting the penetration test due to regulatory or compliance requirements? Are they trying to determine if a social engineering campaign would trick their employees? Are they trying to determine if their patch management program is effective? Each of these objectives has different methods that would be used in the engagement.
While conducting a security test to ensure that information about your company’s web server is protected from inadvertent disclosure, you request an HTML file from the webserver and receive the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/6.0 Date: Tuesday, 5 Sep 2017 1034:12 GMT Content-Type: text/html Content-Length: 132
There is no web site configured at this address.
This page is a placeholder until construction begins.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following actions should you take to remediate this vulnerability
A.Set “PerProcessLogging” to 1 in ther URLScan.ini configuration file
B.Set “VerifyNormalization” to 1 in the URLScan.ini in configuration file
C.Set “EnableLogging” to 1 in the URLScan.ini configuration file
D.Set “RemoveServerHeader” to 1 in the URLScan.ini configuration
D.Set “RemoveServerHeader” to 1 in the URLScan.ini configuration
Explanation
OBJ-3.5: This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the “RemoveServerHeader” in the Microsoft IIS configuration file (URLScan.ini). If you set “RemoveServerHeader” to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set “EnableLogging” to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and will defend against canonicalization attacks, where a URL contains a double encoded string in the URL. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!
You are working as part of a penetration team that is assessing the security of a java-based practice exam application for Dion Training. You want to perform static code analysis on the application, but you don’t have the source code. Luckily, you were able to download a copy of the Java bytecode. Which of the following techniques should you utilize to get the bytecode ready for running through a static code analysis tool?
A.Decompile the application with JAD
B.Use Peach to conduct fuzzing
C.Brute force the source code using Hydra
D.Use a bugger like GDB to reverse engineer it
A.Decompile the application with JAD
Explanation
OBJ-4.2: To conduct a static analysis, you need to have the source code. Since the company didn’t provide it, you can use the Java bytecode (binary) and a decompiler to create the source code. JAD is a Java Application Decompiler. Brute forcing the application with hydra wouldn’t provide you the source code. It would only provide a password. Debuggers can be useful, but they will return bytecode level information and not source code. Peach is a great fuzzing tool, but fuzzing is a dynamic technique and not a static one.
Jason is conducting a physical penetration test against a company. His objective is to enter the server room that is protected by a lock using a fingerprint reader. Jason attempts to use his finger to open the lock several times without success. He then turns his finger 45 degrees to the left, and the lock authenticates him. What is MOST likely the reason the lock opened?
A.The crossover error rate is turned towards false positives
B.The crossover error rate is tuned toward true negatives
C.The biometric lock is set to fail open after five invalid attempts
D>The biometric lock is set to fail closed after five invalid attemps
A.The crossover error rate is turned towards false positives
Explanation
OBJ-2.4: A biometric lock is difficult to bypass unless the installer incorrectly configures it. If the biometric lock has a high false acceptance rate, it will allow unauthorized people to open the door. The crossover error rate (CER) is the point where the false acceptance and false rejection rates are equal. When charted on a graph, this point can lean more towards accepting false positives or rejecting true positives. If it leans more towards accepting false positives, the sensitivity has decreased to allow less frustration for its users.
Which of the following tools is used to cross-compile code on a Kali Linux machine to run on a Windows client? A.Metasploit B.APK Studio C.Ollydbg D.MSFVenom
D.MSFVenom
Explanation
OBJ-4.2: MSFvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. This tool allows a Kali Linux user to cross-compile code as an executable for a Windows client or Android device. MSFvenom is part of the Metasploit framework.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? A.Decompiler B.Fault injector C.Static code analyzer D.Fuzzer
C.Static code analyzer
Explanation
OBJ-4.2: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested and run for analysis.
Which of the following tools is used by a penetration tester to conduct open-source intelligence (OSINT)? A.Empire B.Maltego C.Nessus D.AirCrack-NG
B.Maltego
Explanation
OBJ-4.2: Maltego is an OSINT tool that is used to gather information from public resources. It has a graphical user interface (GUI) that visualizes the information gathered to help a penetration tester make logical connections between the different data sets collected.
A recently hired security employee at a bank was asked to perform daily scans of the bank's intranet to look for unauthorized devices. The new employee decides to create a script that scans the network for unauthorized devices every morning at 2:00 am. Which programming language would work best to create this script? A.PHP B.ASP.NET C.Python D.C#
C.Python
Explanation
OBJ-4.4: Python is a commonly used scripting language used in cybersecurity. PHP is used as a scripting language for web applications. C# and ASP.NET are both compiled languages, not scripting languages.
What kind of attack is an example of IP spoofing? A.ARP Poisoning B.Man-in-the-middle C.Cross-site scripting D.SQL Injections
B.Man-in-the-middle
Explanation
OBJ-3.2: The man-in-the-middle attack intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attack. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.
What type of threat actor is highly funded and often backed by nation-states? A.Insider Threat B.Hacktivist C.Script Kiddies D.APT
D.APT
Explanation
OBJ-1.3: Advanced Persistent Threats are a group of hackers with great capability and intent. Nation-states and other large organizations often fund them to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.
What type of malicious application does not require user intervention or another application to act as a host to replicate? A.Trojan B.Macro C.Virus D.Worm
D.Worm
Explanation
OBJ-3.1: A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears harmless.
Which of the following vulnerabilities can be prevented by using proper input validation? (Select ANY that apply) A.Cross-site scripting B.SQL Injection C.XML Injection D.Directory traversal
A.Cross-site scripting
B.SQL Injection
C.XML Injection
D.Directory traversal
Explanation
OBJ-5.3: Proper input validation can prevent cross-site scripting, SQL injection, directory traversal, and XML injections from occurring. When an application accepts string input, the input should be subjected to normalization or sanitization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This can prevent SQL and XML injections from occurring. Input validation is also good at preventing cross-site scripting (XSS) in forms that accept user input. Directory traversals can be prevented by conducting input validation in file paths or URLs accepted from a user. This prevents a canonicalization attack from disguising the nature of the malicious input that could cause a directory traversal.
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat? A.Lockheed Martin cyber kill chain B.DIamond Model of Intrusion Analysis C.OpenIOC D.MTIRE ATT&CK Framework
D.MTIRE ATT&CK Framework
Explanation
OBJ-1.3: The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to implicitly derive mitigation strategies. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.
Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? A.Agent-based monitoring B.Continuous vulnerability scanning C.Scheudler vulnerability scanning D.On-demand vulnerability scanning
A.Agent-based monitoring
Explanation
OBJ-2.2: An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system’s status at a certain time, it will not remain current and accurate without continual rescanning.
Which of the following tools provides a penetration tester with Python classes with low-level program access to packets, protocols, and their implementation? A.Responder B.Impacket C.Empire D.Searchsploit
B.Impacket
Explanation
OBJ-4.2: Impacket is a collection of Python classes that provide low-level program access to packets, as well as to protocols and their implementation. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to recover sensitive information such as user names and passwords.
Jason is conducting an assessment of a network-enabled software platform that contains a published API. In reviewing the platform’s key management, he discovers that API keys are embedded in the application’s source code. Which of the following statements best describes the security flaw with this coding practice?
A.It is difficult to control the permission levels for embedded keys
B.Key management is no longer required since the key is embedded in the source code
C.The embedded key may be discovered by an attacker who reverse engineers the source code
D.Changing the API key will require a corresponding software upgrade
C.The embedded key may be discovered by an attacker who reverse engineers the source code
Explanation
OBJ-3.4: A sophisticated adversary may discover the software’s embedded key through reverse engineering the source code. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than intended. Key management would still be required, even if the key is embedded in the source code. Permission levels of a software-embedded key are still controlled like any other key. While the added inconvenience of installing new software on the client side every time the key is changed would be inconvenient, this option does not address the underlying security issues with embedding API keys into the source code.
Which file on a Linux system contains the passwords for each user on the system? A./etc/password B./etc/users C./etc/passwd D./etc/shadow
D./etc/shadow
Explanation
OBJ-3.5: The /etc/shadow file stores the actual password in an encrypted format (more like the hash of the password) for the user’s account with additional properties related to the user password. Basically, it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file.
Which type of monitoring would utilize a network tap? A.Active B.Passive C.Router-based D.SNMP
B.Passive
Explanation
OBJ-3.2: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on scanning targeted systems, not a network tap. Router-based monitoring would involve looking over the router’s logs and configuration files. SNMP is used to monitor network devices but is considered active monitoring and doesn’t rely on network taps.
What is a common Service Oriented Architecture Protocol (SOAP) vulnerability? A.SQL Injection B.XML denial of service issues C.Xpath injection D.Cross-site scripting
B.XML denial of service issues
Explanation
OBJ-1.1: An XML denial of service (or XML bomb) attempts to pull in entities recursively in a defined DTD and explode the amount of memory used by the system until a denial of service condition occurs. Service-Oriented Architecture (SOA) is an architectural paradigm, and it aims to achieve a loose coupling amongst interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, affecting the speed of its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service. While the other options could be used as part of an attack on SOAP, the SOAP message itself is formatted as an XML document making an XML denial of service the most common vulnerability. While SOAP requests are vulnerable to SQL injections, this occurs by submitting a parameter as a morphed SQL query that can authenticate or reveal sensitive information as an attack on the underlying SQL. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XPath Injections operate on web sites that use user-supplied information to construct an XPath query for XML data.
A penetration tester is emulating an insider threat during an engagement. The penetration tester was given access to a regular user account and a basic Windows 10 client on the network. The penetration tester did not receive any network diagrams, maps, or target IP address. Their goal is to identify any possible Windows domain controllers on the intranet.diontaining.com domain. Which of the following commands should they use from the command prompt to achieve their goal?
A.nslookup -type=any_kerberos._tcp.intranet.diontraining.com
B.nslookup -type=any_ntlm_tcp.intranet.diontraining.com
C.nslookup -type=any_ldap._tcp.intranet.diontraining.com
D.nslookup -type=any_smtp._tcp.intranet.diontraining.com
E.nsllokup -type=any_lanman_tcp.intranet.diontraining.com+
A.nslookup -type=any_kerberos._tcp.intranet.diontraining.com
C.nslookup -type=any_ldap._tcp.intranet.diontraining.com
Explanation
OBJ-4.3: There are several methods for locating Domain Controllers, depending on what you know about the environment you are using. If you are using a Windows client, you can use the nslookup command. You need to specify which protocol you are searching for in the name. Since we are trying to identify domain controllers, we need to look for Kerberos and LDAP based protocols on the intranet.diontraining.com domain. If you were using a Linux client, you could run a similar command syntax using dig.
You have just finished running an nmap scan on a server are see the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- # nmap diontraining.com
Starting Nmap ( http://nmap.org ) Nmap scan report for diontraining.com (64.13.134.52) Not shown: 996 filtered ports
PORT STATE 22/tcp open 23/tcp open 53/tcp open 443/tcp open
Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network? A.443 B.23 C.53 D.22
B.23
Explanation
OBJ-2.3: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).
Which technique is used with the ProxyChains command to allow a penetration tester to pivot to a new subnet? A.Modifying routing tables B.SSH pivoting C.VPN pivoting D.Port forwarding
A.Modifying routing tables
Explanation
OBJ-3.7: ProxyChains is a tool that allows a penetration tester to pivot to a new subnet, but it must be combined with the modification of the penetration tester’s routing tables on their machine. For example, assume that the exploited client machine is located in the 192.168.5.0/24 subnet, but you need to access a server in the 10.0.0.0/24 subnet. You would then need to “route add 10.0.0.0 255.255.255.0 1” (1 is the ID of your Meterpreter session). Then, you can run “proxychains “ to target the new subnet. For example, “proxychains nmap -sT -Pn -p21,23,25,80,443 10.0.0.5” would perform an nmap scan of the targeted server in the new subnet by chaining the connections together using a proxy on the localhost.
Following an engagement, the penetration testing team has generated many recommendations for additional controls and items to be purchased to prevent future recurrences. Which of the following approaches BEST describes what the organization should do next?
A.Immediately procure and install all of them because the adversary may attack at any time
B.Conduct a cost/benefit analysis of each recommendation against the company current fiscal posture
C.Create a prioritized list with all of the recommendations for review, procurement and installation
D.Contact an outside security consultant to provide an independent assessment of the network and outsource the remediation efforts
C.Create a prioritized list with all of the recommendations for review, procurement and installation
Explanation
OBJ-5.3: Since an engagement has just finished, it is important to act swiftly since its results are a point-in-time assessment. The organization should still take a defined and deliberate approach to choosing the proper controls and risk mitigations. Therefore, execution through a rational business management process is the best approach, including creating a prioritized list of recommendations. Once this list has been created, the organization can conduct a cost/benefit analysis of each recommendation and determine which controls and items will be implemented in the network-based upon resource availability in terms of time, person-hours, and money. This process does not need to be a long term study or filled with complexity. Instead, it should be rapidly conducted due to the probability that an attacker may compromise the network using the same vulnerabilities the penetration testing team found in their engagement.
Which of the following vulnerability scanning tools would be used to conduct a web application vulnerability assessment? A.Nikto B.Nessus C.Qualys D.OpenVAS
A.Nikto
Explanation
OBJ-4.2: Nikto is a web application scanner that can perform comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. While OpenVAS, Nessus, and Qualys have the ability to scan the web servers themselves for vulnerabilities, they are not the best option to conduct a web application vulnerability assessment. OpenVAS, Nessus, and Qualys are infrastructure vulnerability scanners that focus on vulnerabilities with hosts and network devices.
What containment technique is the strongest possible response to an incident? A.Isolating the attacker B.Segmentation C.Enumeration D.Isolating the affected systems
D.Isolating the affected systems
Explanation
OBJ-5.3: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.
You are working as part of a penetration testing team conducting engagement against Dion Training’s network. You have been given a list of targets in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in a greppable file called results.txt?
a.NMAP -P80,443 -Sl SERVERS.TXT -Ox RESULTS.TXT
B.nmap -p80,443 -sL servers.txt -oG results.txt
C.nmap -p80,443 -iL servers.txt -oX results.txt
D.nmap -p80,443 -iL servers.txt -oG results.txt
D.nmap -p80,443 -iL servers.txt -oG results.txt
Explanation
OBJ-4.1: The command (nmap -p80,443 -iL servers.txt -oG results.txt) will only perform an nmap scan against ports 80 and 443. The -iL option will scan each of the listed server’s IP addresses. The -oG option will save the results in a greppable format to the file results.txt while still displaying the normal results to the shell. The option of -sL will only list the servers to scan. It will not actually scan them. The option of -oX is for outputting the results to a file in an XML format.
You are conducting a social engineering attack against an organization as part of an engagement. You send a series of emails to a victim, posing as several different coworkers. In the emails, you tell the victim about this great new website for watching new movies live from their laptop for free. Each email appears to come from a different coworker and informs this person about this awesome new free service. What type of social engineering principle is being exploited here? A.Scarcity B.Fear C.Social Proof D.Authority
C.Social Proof
Explanation
OBJ-3.1: Social proof relies on the fact that people want to fit in and conform. If a victim sees or believes others are performing some action, they will believe it is okay for them to do it. In this case, the victim is convinced that “everyone else” is also using this website to watch a new movie, so they decide to join in. Little do they know, the penetration testing team set up this website to collect their information or load malicious code onto their laptop for a future exploit.
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? A.Dynamic code analysis B.Manual Peer Review C.Static Code Analysis D.Pair programming
C.Static Code Analysis
Explanation
OBJ-2.2: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.
A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems?
A.They may now be vulnerable to a credential stuffing attack
B.The attacker will conduct a man-in-the-middle attack
C.The same vulnerability will be compromised on their servers
D.The attacker will conduct a SQL injection against their database
A.They may now be vulnerable to a credential stuffing attack
Explanation
OBJ-2.4: The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne’s consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne’s servers, they might attempt to use those credentials on Yoyodyne’s servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn’t mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that a MitM was utilized or is a possible threat.
You are working as a penetration tester conducting an engagement against Dion Training's corporate network. The white-box assessment was designed to take four months of reconnaissance and two weeks of active engagement. The first week is focused on breaching the external perimeter, and the second week is focused on the internal servers. Your team has spent the last 3 months researching ways to exploit and bypass the firewalls and IPS at Dion Training. You just received a call from Dion Training stating that they just replaced their firewalls and IPS appliances with a state-of-the-art UTM. You recommend to the client that if you cannot exploit the UTM within the first 3 days, your team's source IP addresses should be whitelisted to focus their time on the internal network. Which of the following BEST describes this scenario? A.Situational awareness B.De-escalation C.De-confliction D.Goal reprioritization
D.Goal reprioritization
Explanation
OBJ-5.4: A penetration test is a fluid process based on the people, processes, and technology involved. When the company changed its architecture, it essentially invalidated much of the research your team conducted. The recommendation to whitelist the source IP addresses is a goal reprioritization. Without adequate preparation time, it is unlikely you will exploit or bypass the new UTM appliances. Therefore, you suggest that the client reprioritize the engagement to focus on the internal network during this assessment to make the best use of your time and resources.
Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation? A.Non-credentialed scanning B>Server-based scanning C.Passive network monitoring D.Agent-based scanning
D.Agent-based scanning
Explanation
OBJ-2.2: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization’s network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices’ configurations accurately.
If an attacker can compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all domain members, which type of attack is being used? A.Pivoting B.Lateral movement C.Golden ticket D.Pass the hash
C.Golden ticket
Explanation
OBJ-3.2: A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Pass the Hash (PtH) is the process of harvesting an account’s cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
Dion Training hosts its new learning management system (LMS) servers in its own data center. You have been contracted to perform a penetration test against this new LMS. What target type would this engagement be classified as? A.Off-site B.First-party hosted C.Internal D.Third-party hosted
B.First-party hosted
Explanation
OBJ-1.3: First-party hosted target types are used when a client organization hosts the targeted network or system in their own data center. Since the data center is owned by Dion Training and hosted internally, this would not be considered third-party hosted or off-site. Simultaneously, this may become an internal target type, depending on where the penetration tester attacks from, which is not clear just by the wording in this question. Therefore, the third-party target type is the BEST answer to this question.
Jay is replacing his organization’s current vulnerability scanner with a new tool. As he begins to create the scanner’s configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts?
A.NIST guideline documents
B.Corporate policy
C.Vendor best practices
D.Configuration settings from the prior system
B.Corporate policy
Explanation
OBJ-1.2: Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.
Joseph is interpreting a vulnerability that has a CVSS (v3.1) base score of 8.3. In what risk category would this vulnerability fit? A.Critical B.Low C.Medium D.High
D.High
Explanation
OBJ-2.3: CVSS metrics are categorized as critical, high, medium, low, or none based on their numerical score. Vulnerabilities with CVSS base scores rated 9.0 or above are classified as critical. CVSS scores between 7.0 and 8.9 are classified as high. CVSS scores between 4.0 and 6.9 are classified as medium. CVSS scores between 0.1 and 3.9 are classified as low. CVSS scores of 0.0 are classified as none.
You are a cybersecurity analyst, and your company has just enabled key-based authentication on its SSH server. Review the following log file:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
BEGIN LOG
————-
Sep 09 13:15:24 diontraining sshd[3423]: Failed password for root from 192.168.3.2 port 45273 ssh2
Sep 09 15:43:15 diontraining sshd[3542]: Failed password for root from 192.168.2.24 port 43543 ssh2
Sep 09 15:43:24 diontraining sshd[3544]: Failed password for jdion from 192.168.2.24 port 43589 ssh2
Sep 09 15:43:31 diontraining sshd[3546]: Failed password for tmartinez from 192.168.2.24 port 43619 ssh2
Sep 09 15:43:31 diontraining sshd[3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2
Sep 09 15:43:37 diontraining sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2
————-
END LOG
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following actions should be performed to secure the SSH server?
A.Disable remote root SSH logons
B.Disable password authentication for SSH
C.Disable SSHv1
D.Disable anonymous logon
B.Disable password authentication for SSH
Explanation
OBJ-3.4: It is common for attackers to log in remotely using the ssh service and the root or other user accounts. The best way to protect your server is to disable password authentication over ssh. Since your company just enabled key-based authentication on the SSH server, all legitimate users should be logging in using their RSA key pair on their client machines, not usernames and passwords. Based on the logs, you see the server runs SSHv2, so there is no need to disable SSHv1 (it may already be disabled). You don’t want to fully disable remote root SSH logins, either, since this would make it difficult for administrators to conduct their work. Finally, based on the logs, it doesn’t appear that anonymous SSH logins are an issue, either, as we don’t see any anonymous attempts in the logs.
Which of the following types of output encoding is being used in the following output?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- aGVsbG8gd29ybGQNCg== -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- A.Hex B.XML C.Base64 D.ASCII
C.Base64
Explanation
OBJ-3.4: The string aGVsbG8gd29ybGQNCg== is using Base64 encoding. Base64 encoding is commonly used to convert binary data, such as ASCII text characters, into an encoded string to bypass detection mechanisms in a network. While a Base64 string won’t always end with an equal or double equal sign, it is common to see them used. This is because the equal signs are used to pad the string to the proper length and complement the final processing of the message’s encoding
During which phase of an attack would a penetration tester seek to gain complete control of a system? A.Discovery B.Planning C.Reporting D.Attack
D.Attack
Explanation
OBJ-1.1: During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems. The planning phase is where the assignment’s scope is defined, and management approvals, documents, and agreements are signed. The discovery phase is where the actual testing starts; it can be regarded as an information-gathering phase. The attack phase is at the heart of any penetration test; it is the part of the process where a penetration test attempts to exploit a system, conduct privilege escalation, and then pivot or laterally move around the network. The reporting phase is focused on developing the final report presented to management after the penetration test.
Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team’s web programmer has brought you some algorithms that may help prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue?
A.if(shippingAddress != 75) [update field] else exit
B. if (shippingAddress = 75) [update field] else exit
C.if (shippingAddress <= 75) [update field] else exit
D.if (shippingAddress > = 75) [update field] else exit
C.if (shippingAddress <= 75) [update field] else exit
Explanation
OBJ-5.3: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, then the field will not be updated, and the algorithm will exit the function.
What type of scan will measure the size or distance of a person's external features with a digital video camera? A.Facial recognition scan B.Retinal scan C.Iris scan D.Signature kinetics scan
A.Facial recognition scan
Explanation
OBJ-2.5: A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One way to do this is by comparing selected facial features from the image and a face database. By measuring the external facial features, such as the distance between your eyes and nose, you can uniquely identify the user. A retinal scan is a biometric technique that uses unique patterns on a person’s retina blood vessels. Iris recognition or iris scanning is the process of using visible and near-infrared light to take a high-contrast photograph of a person’s iris. A signature kinetics scan measures a user’s action when signing their name and compares it against a known-good example or baseline.
You are analyzing a Python script that isn’t functioning properly. You suspect the issue is with the string manipulation being used in the code. Review the following Python code snippet:
-=-=-=-=-=- #!/usr/bin/python s = "DionTraining.com" print(s[4::-1]) -=-=-=-=-=-
Based on your analysis, what should be displayed on the screen by the print command? A.moc. B.DionT C.oc.g D.TnoiD
D.TnoiD
Explanation
OBJ-4.4: When evaluating the code s[4::-1], you would receive “TnoiD” in response. Within Python, characters in a string can be accessed by their index location. If the string (s) is “DionTraining.com”, then each letter from left to right is referenced as s[0] to s[15]. For example, if you enter s[5], you would receive the letter “r” in response. The format for the array is [start:end:increment], so s[4::-1] is evaluated as starting with the 4th position (T in DionTraining.com since computers start counting at 0), count until it reaches the beginning or end of the word, and then increment by one position each time to the left (since it was -1). This would display the 4th position (T), 3rd position (n), 2nd position (o), 1st position (i), the zero position (D), and then stop.
Alex is conducting a penetration test of Dion Training's network. They just successfully exploited a host on the network. Which of the following command should Alex utilize to establish persistence on the machine by creating a netcat listener on it? A.nc -lp 52154 -e /bin/sh B.nc -lvp 52154 /bin/sh C.nc -p 52154 /bin/sh D.nc -p 52154 -e /bin/sh
A.nc -lp 52154 -e /bin/sh
Explanation
OBJ-3.7: Netcat (nc) is an open-source networking utility for debugging and investigating the network, and that can be used to create TCP/UDP connections and investigate them. It is extremely popular with penetration testers and attackers alike due to its multiple use cases. You should be familiar with setting up a listener and establishing a connection to the listener using netcat. Using the -lp option sets up a listener on the machine using the port specified (52154 in this scenario). To start the connection to the listener, you would enter “nc -e “, substituting the details for each parameter in each set of brackets.
Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the following physical security measures should she implement to protect against this threat? A.Hardware token B.Privacy screen C.Bio metric lock D.Badge reader
B.Privacy screen
Explanation
OBJ-3.1: A privacy screen is a filter placed on a monitor to decrease the viewing angle of a monitor. This prevents the monitor from being viewed from the side and can help prevent shoulder surfing. The standard type of anti-glare filter consists of a coating that reduces the reflection from a glass or plastic surface.
Which type of method is used to collect information during the passive reconnaissance? A.Social engineering B.Publicly accessible sources C.Network traffic sniffing D.Man-in-the-middle attacks
B.Publicly accessible sources
Explanation
OBJ-2.1: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly accessible sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Man-in-the-middle attacks would involve a penetration tester coming in between the traffic source and destination, which would allow its active inception and possible modification. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.
Which of the following devices on the network should you target to access sensitive sales and financial data? A.RTOS B.ICS C.IoT D.PoS
D.PoS
Explanation
OBJ-2.5: The point of sale (POS) refers to the place where customers purchase goods or services from a business, and a POS system incorporates devices and networking capabilities that support this practice. POS devices can include everything from cash registers to mobile devices like tablets and smartphones. These devices are networked to backend servers that process and store transactional data, payment card data, and more.
Dion Training has hired you to assess its voucher fulfillment web application on its e-commerce website. The web application relies on a SOAP-based web service. Which of the following support resources would be MOST helpful in your assessment? A.WSDL document B.XSD file C.SDK documentation D.Swagger document
A.WSDL document
Explanation
OBJ-1.1: The WSDL (Web Services Description Language) document is an XML formatted document defining a web service’s capabilities and how to access it. Since this scenario states that the company relies on a SOAP-based web service, the assessment’s best support resource would be a copy of their WSDL document.
An organization has hired a cybersecurity analyst to conduct an assessment of their current security posture. The analyst begins by conducting an external assessment against the organization's network to determine what information is exposed to a potential external attacker. What technique should the analyst perform first? A.DNS query log reviews B.Intranet portal reviews C.Technical control audits D.Enumeration
D.Enumeration
Explanation
OBJ-2.1: Scanning and enumeration are used to determine open ports and identify the software and firmware/device types running on the host. This is also referred to as footprinting or fingerprinting. This technique is used to create a security profile of an organization by using a methodological manner to conduct the scanning. If this scan is conducted from outside of the organization’s network, it can be used to determine the network devices and information available to an unauthorized and external attacker. A DNS query log review, intranet portal review, or technical control audit would require internal access to the network, which is typically not accessible directly to an external attacker.Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren’t, they cannot show the current “as is” configuration. If you can only select one tool to find your attack surface’s current and historical view, shodan is your best choice.
Which of the following is the biggest weakness with ICS and SCADA systems in a network?
A.They are patched using standard vendor OS patches
B.ICS/SCADA must be connected to the internet to function
C.These systems are difficult to reofit with modern security
D.Cybersecurity experts dont know how to secure ICS/SCADA
C.These systems are difficult to reofit with modern security
Explanation
OBJ-2.5: Industrial control system (ICS) and supervisory control and data acquisition (SCADA) systems were developed many years before security standards were established and integrated into their design. Many of these older systems date back to the 1970s and are still in use today. Over time, these systems were incorporated into the organization’s TCP/IP data networks, which provides a huge exploitation area by penetration testers and attackers alike. Many ICS and SCADA vendors are slow to implement security measures since they cannot be easily retrofitted with the newer security required. Therefore, ICS and SCADA systems should ALWAYS be isolated from production networks and segmented into their own logical network. For example, some ICS/SCADA systems use a proprietary operating system. More modern ICS/SCADA operates using a version of Windows. However, many still use Windows XP, making them much more vulnerable since they cannot be upgraded to Windows 10 without hardware replacement
A company wants to ensure that its mobile devices are configured to protect any data stored on them if they are lost or stolen. Which of the following should you enable and enforce through their MDM? A.ENable SSO B.ENale OS updates C.Full storage encryption D.Remove backups
C.Full storage encryption
Explanation
OBJ-5.3: Since the company is concerned with protecting data on the devices, you should enforce full storage encryption on the devices. Even if the device is lost or stolen, the device’s data would be inaccessible to the person who stole or found the device. Additionally, the company may wish to enable the capability to conduct remote wipes of the device if they are lost or stolen to protect the data further.. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder.
While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/?param=
C.XSS
Explanation
OBJ-3.4: This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information that users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack. You can see the base64 encoded string of PHNjcmlwdD5hbGVydCgnSSBsb3ZlIERpb24gVHJhaW5pbmcnKTwvc2NyaXB0Pg== being used. While you could not convert it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection nor an XML injection based on your studies. It is also not an attempt to conduct password spraying by logging into different usernames with the same password. So, by process of elimination, you can determine this is an XSS attack. If you did have a base64 decoder, you would have found that the parameter being passed would translate to alert(‘I love Dion Training’), which is a simple method to cause your web browser to create a popup that displays the text “I love Dion Training.” If you attempt to load this URL in your browser, it may or may not function depending on your browser’s security.
A user receives certificate errors in other languages within their web browser when accessing your company's website. Which of the following is the MOST likely cause of this issue? A.Man-in-the-middle B.DoS C.Reflective DNS D.ARP Poisoning
A.Man-in-the-middle
Explanation:
OBJ-3.2: A man-in-the-middle attack is a general term when a perpetrator positions himself in a conversation between a user and an application, either to eavesdrop or impersonate one of the parties, making it appear as if a normal exchange of information is occurring. For example, if your user and server are both in the United States (English language), the attacker performing the MITM is from Russia. The user may see a certificate error in Russian instead of English.
What is not an example of a type of support resource that a pentester might receive as part of a white box assessment? A.SOAP project files B.XSD C.Network diagrams D.PII of employees
D.PII of employees
.
Explanation
OBJ-1.1: White box support resources include architectural diagrams, sample application requests, SDK documentation, SOAP project files, Swagger documents, WSDL/WADL, and XML Scheme Definitions (XSD). The PII of employees should not be given to a penetration tester as this could violate laws and regulations regarding maintaining employee data confidentiality and privacy. White-box testing falls on the opposite end of the spectrum from black-box testing, and penetration testers are given full access to source code, architecture documentation, and so forth.
After issuing the command "telnet diontraining.com 80" and connecting to the server, what command conducts the banner grab? A.HEAD /HTTP/2.0 B.PUT /HTTP/2.0 C. HEAD /HTTP/1.1 D.PUT /HTTP/1.1
C. HEAD /HTTP/1.1
Explanation
OBJ-2.1: To conduct a banner grab using telnet, you first must connect to the server using “telnet webserver 80”. Once the connection establishes, you will receive a blank prompt, and you then issue the command “HEAD / HTTP/1.1”. It requests the document header from the server and provides information such as the server software version and the server’s operating system.
Which of the following techniques does a vulnerability scanner use to detect a vulnerability on a specific service?
A.Fuzzing
B.Analyzing the response received from the service when probed
C.Banner grabbing
D.Port scanning
B.Analyzing the response received from the service when probed
Explanation
OBJ-2.2: When a vulnerability scanner analyzes the response received from services during a scan or probe, it can determine if the vulnerability exists on the given service on a particular host. Port Scanning is the name for the technique used to identify open ports and services available on a network host. Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports.
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices?
A.Use of a host-based IDS or IPS
B.User and entity behavior analytics
C.Installation of anti-virus tools
D.Implement endpoint protection platforms
B.User and entity behavior analytics
Explanation:
OBJ-2.5: Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.
You are planning a penetration test against an organization. During your reconnaissance, you determined that they are using encryption on their hard drives to provide data at rest. The organization has agreed to provide you one day of physical access to a standard workstation to bypass the encryption. Which of the following attacks should you use to retrieve their encryption keys? A.Credential brute forcing B.JTAG debugging C.Cold boot attack D.COnnect to the serial console
C.Cold boot attack
Explanation:
OBJ-3.5: A cold boot attack can be used by an attacker who has physical access to a computer whose hard drive is encrypted. During a cold boot attack, it is possible to retrieve the encryption keys after starting the computer from its powered down state. When the operating system begins to load, you may capture the encryption keys stored in temporary memory by performing a RAM dump on the system and analyzing its contents.
You are conducting a password audit. Which of these options is the most complex password? A.5VwEz35b B.tYSeNDnV C.4@kn?Q9$ D.ujepmnxf
C.4@kn?Q9$
Explanation:
OBJ-4.3: The most complex password of these four options is 4@kn?Q9$. All four passwords are eight characters, so the most complex password will use the largest character set. As shown in the password 4@kn?Q9$, there are four character types: uppercase letters, lowercase letters, numbers, and symbols. The other options only use one, two, or three of these character types. This password uses all four, making it the most complex and secure option.
During a business trip, Bobby connects to the hotel's wireless network to send emails to some of his clients. The next day, Bobby notices that additional emails have been sent out from his account without consent. Which of the following protocols was MOST likely used to compromise Bobby's email password utilizing a network sniffer? A.SSL B.HTTP C.DNS D.TFTP
B.HTTP
Explanation:
OBJ-3.2: HTTP is an unsecured protocol, and information is passed without encryption. If the user signed into their webmail over HTTP instead of HTTPS, a network sniffer could compromise the username and password. Additionally, if the user was using an email client, then the SMTP connection could have been compromised, but since that wasn’t an option in this question, we must assume Bobby used a webmail client over HTTP instead.
As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company's public-facing IP space? A.nmap B.Review network diagrams C.Google hacking D.shodan.io
D.shodan.io
Explanation:
OBJ-2.1: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren’t, they cannot show the current “as is” configuration. If you can only select one tool to find your attack surface’s current and historical view, shodan is your best choice.
An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? A.Blue team B.Purple team C.Red team D.White team
D.White team
Explanation:
OBJ-1.3: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission. A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. A blue team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.
An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building's main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building? A.SHoulder surfing B.SOcial Engineering C.Mantrap D.Tailgating
D.Tailgating
Explanation:
Explanation
OBJ-3.6: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder.
