Dump 5 Flashcards
Which of the following documents should be consulted if a client has an issue accepting a
penetration test report that was provided?
A.
Rules of engagement
B.
Signed authorization letter
C.
Statement of work
D.
Non-disclosure agreement
Answer: C
A penetration testing firm performs an assessment every six months for the same customer. While
performing network scanning for the latest assessment, the penetration tester observes that
several of the target hosts appear to be residential connections associated with a major television
and ISP in the area. Which of the following is the most likely reason for the observation?
A.
The penetration tester misconfigured the network scanner.
B.
The network scanning tooling is not functioning properly.
C.
The IP ranges changed ownership.
D.
The network scanning activity is being blocked by a firewall.
Answer: C
After successfully compromising a remote host, a security consultant notices an endpoint
protection software is running on the host. Which of the following commands would be best for the
consultant to use to terminate the protection software and its child processes?
A.
taskkill /PID <PID> /T /F
B.
taskkill /PID <PID> /IM /F
C.
taskkill /PID <PID> /S /U
D.
taskkill /PID <PID> /F /P
Answer: A
Which of the following is the most secure way to protect a final report file when delivering the
report to the client/customer?
A.
Creating a link on a cloud service and delivering it by email
B.
Asking for a PGP public key to encrypt the file
C.
Requiring FTPS security to download the file
D.
Copying the file on a USB drive and delivering it by postal mail
Answer: B
A local firewall is configured to drop all incoming packets with the TCP SYN or URG flags set.
Which of the following Nmap commands should a penetration tester use to scan the ports 22, 53,
80, and 443 on the target machine and get the most reliable results?
A.
nmap -sY 10.4.7.18 -Pn -p 22,53,80,443
B.
nmap -sS 10.4.7.18 -Pn -p 22,53,80,443
C.
nmap -sA 10.4.7.18 -Pn -p 22,53,80,443
D.
nmap -sT 10.4.7.18 -Pn -p 22,53,80,443
Answer: C
Which of the following Python data structures is the best way to store a group of key-value pair
objects?
A.
Arrays
B.
Lists
C.
Trees
D.
Dictionaries
Answer: D
In order to improve the security of a company, an information security officer decided to implement
multifactor authentication (MFA) technology. The company currently requires badges to access its
facilities. Which of the following additional types of physical controls should the security officer
recommend to enforce MFA?
A.
What you have
B.
Where you are
C.
What you know
D.
Who you are
Answer: C
Which of the following should penetration testers keep with them while conducting on-site security
reviews to assist with de-escalating confrontational situations?
A.
A signed statement of work
B.
A written letter of authorization
C.
Clients’ contact information
D.
Rules of engagement
Answer: B
After obtaining a reverse shell connection, a penetration tester runs the following command:
Which of the following is the fastest way to escalate privileges on this server?
A.
Editing the file /etc/passwd to add a new user with UID 0
B.
Creating a Bash script, saving it on the /tmp folder, and then running it
C.
Executing the command sudo vi -c '!bash'
D.
Editing the file /etc/sudoers to allow any command
Answer: C
During a penetration testing engagement, a penetration tester discovers a buffer overflow
vulnerability. Which of the following actions should the tester take to maintain professionalism and
integrity?
A.
Apply for a bug bounty reward from the manufacturer.
B.
Inform the appropriate authorities about the vulnerability before informing the client.
C.
Report the vulnerability to the client and provide recommendations for remediation.
D.
Exploit the vulnerability to demonstrate its impact to the client.
Answer: C
During a REST API security assessment, a penetration tester was able to sniff JSON content
containing user credentials. The JSON structure was as follows:
Assuming that the variable json contains the parsed JSON data, which of the following Python
code snippets correctly returns the password for the user ozzy?
A.
json['content']['password'][1]
B.
json['user_id']['password'][0][1]
C.
json['content'][1]['password'][0]
D.
json['content'][0]['password'][1]
Answer: C
During an assessment of a web application, a penetration tester would like to test the application
for blind SQL injection. Which of the following techniques should the penetration tester perform
next?
A.
1' ORDER BY 1--+
B.
'; IF (1=1) WAITFOR DELAY '0:0:10'--
C.
xyz' AND '1' = '1
D.
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a)
Answer: B
A penetration tester would like to crack a hash using a list of hashes and a predefined set of rules.
The tester runs the following command:
hashcat.exe -a 0 .\hash.txt .\rockyou.txt -r .\rules\replace.rule
Which of the following is the penetration tester using to crack the hash?
A.
Hybrid attack
B.
Dictionary
C.
Rainbow table
D.
Brute-force method
Answer: A
A penetration tester discovered a vulnerability that has the following CVEs:
Which of the following CVEs should be remediated first?
A.
CVE-2007-6750
B.
CVE-2011-3192
C.
CVE-2012-2122
D.
CVE-2014-0160
E.
CVE-2017-7494
Answer: E
A penetration tester is performing DNS reconnaissance and has obtained the following output
using different dig commands:
Which of the following can be concluded from the output the penetration tester obtained?
A.
mxc.company.com is the preferred mail server.
B.
The company.com record can be cached for five minutes.
C.
The company’s website is hosted at 120.73.220.53.
D.
The nameservers are not redundant.
Answer: C
After compromising a remote host, a penetration tester is able to obtain a web shell. A firewall is
blocking outbound traffic. Which of the following commands would allow the penetration tester to
obtain an interactive shell on the remote host?
A.
bash -i >& /dev/tcp 8443 0>&1
B.
nc -e host 8443 /bin/bash
C.
nc -vlp 8443 /bin/bash
D.
nc -vp 8443 /bin/bash
Answer: C
A security engineer is working to identify all email servers on a network. Which of the following
commands should the engineer use to identify the servers as well as the software version the
servers are running?
A.
nmap 10.0.0.1/24 -sT -sV -p 25,110,143,465,993,995
B.
nmap 10.0.0.1/24 -sT -v -p 21,22,23,53,110,135
C.
nmap 10.0.0.1/24 -sS -sV -p 37,110,119,161,445,3389
D.
nmap 10.0.0.1/24 -sA -sU -p 80,110,443,209,389,464
Answer: A
During the execution of a cloud penetration test, a tester was able to gain an initial footprint on the
customer cloud infrastructure. Now the tester wants to scan the cloud resources, possible
misconfigurations, and other relevant data that could be exploited. Which of the following tools
should the tester most likely use?
A.
Nikto
B.
Recon-ng
C.
Cobalt Strike
D.
Pacu
Answer: D
A penetration tester has compromised a customer’s internal network, gaining access to a file
server that hosts email server backups. Which of the following is the best tool to assist with data
exfiltration?
A.
SFTP
B.
Nmap
C.
Netcat
D.
SCP
Answer: A
A penetration tester discovers a file, key.enc, on a shared drive and then executes the following
command, which yields the following output:
Which of the following are the best recommendations for the penetration tester to suggest?
(Choose two.)
A.
Implementing password management
B.
Switching to using DSA keys
C.
Using stronger encryption for private key files
D.
Deleting unencrypted files from the share
E.
Disabling the openssl command
F.
Initiating key rotation
Answer: A,F
A penetration tester compromised a system and wants to connect to a port on the system from the
attacking machine in order to control the system. Which of the following commands should the
tester run on the compromised system?
A.
nc 10.0.0.1 5555
B.
nc 127.0.0.1 -e /bin/bash
C.
nc localhost 5555
D.
nc -nvlp 5555 - bin/bash
Answer: A
For a penetration test engagement, a security engineer decides to impersonate the IT help desk.
The security engineer sends a phishing email containing an urgent request for users to change
their passwords and a link to https://example.com/index.html. The engineer has designed the
attack so that once the users enter the credentials, the index.html page takes the credentials and
then forwards them to another server that the security engineer is controlling. Given the following
information:
Which of the following lines of code should the security engineer add to make the attack
successful?
A.
window.reload ()
B.
crossDomain: true
C.
geturlparameter('username')
D.
redirectUrl = 'https://example.com'
Answer: B
An organization is using Android mobile devices but does not use MDM services. Which of the
following describes an existing risk present in this scenario?
A.
Device log facility does not record actions.
B.
End users have root access by default.
C.
Unsigned applications can be installed.
D.
Push notification services require internet.
Answer: C
A penetration tester wants to perform a SQL injection test. Which of the following characters
should the tester use to start the SQL injection attempt?
A.
Colon
B.
Double quote mark
C.
Single quote mark
D.
Semicolon
Answer: C
During an assessment, a penetration tester compromised a mobile application by decompiling the
APK binary file. Which of the following was most likely the issue?
A.
Outdated firmware
B.
Third-party library
C.
Hard-coded credentials
D.
Data corruption
Answer: C
A penetration tester wants to find the password for any account in the domain without locking any
of the accounts. Which of the following commands should the tester use?
A.
enum4linux -u user1 -p /passwordList.txt 192.168.0.1
B.
enum4linux -u user1 -p Password1 192.168.0.1
C.
cme smb 192.168.0.0/24 -u /userList.txt -p /passwordList.txt
D.
cme smb 192.168.0.0/24 -u /userList.txt -p Summer123
Answer: C
A penetration tester is testing an Android application. Which of the following specialized tools
would be best to use during the test?
A.
Burp Suite
B.
Drozer
C.
Ettercap
D.
Frida
Answer: B
Which of the following would be the most efficient way to write a Python script that interacts with a
web application?
A.
Create a class for requests.
B.
Write a function for requests.
C.
Import the requests library.
D.
Use the cURL OS command.
Answer: C
Given the following finding:
Which of the following recommendations should a penetration tester make?
A.
Encrypting passwords
B.
Improving the account lockout policy
C.
Sanitizing user input
D.
Implementing time-of-day restrictions
Answer: B
A penetration tester is enumerating shares and receives the following output:
Which of the following should the penetration tester enumerate next?
A.
dev
B.
print$
C.
home
D.
notes
Answer: D
A penetration tester gained access to a customer’s internal corporate network via a wireless guest
network. The penetration tester’s laptop was blocked by a NAC system after several Nmap scans.
Which of the following techniques would be the most effective in evading the organization’s NAC
system?
A.
Using only UDP scans
B.
MAC address spoofing
C.
Using only ICMP scans
D.
User-agent spoofing
Answer: B
A penetration tester is performing an assessment for an organization and must gather valid user
credentials. Which of the following attacks would be best for the tester to use to achieve this
objective?
A.
Wardriving
B.
Captive portal
C.
Deauthentication
D.
Impersonation
Answer: C
A penetration tester would like to monitor the requests sent by Nikto with Burp Suite. Which of the
following tools should the penetration tester use?
A.
Impacket tools
B.
Metasploit
C.
Responder
D.
ProxyChains
Answer: D
Which of the following approaches would be the most appropriate for a penetration tester who is
doing a one-week timeboxed assessment for a large electronics retail business with hundreds of
locations around the world?
A.
Testing virtually with no on-site activities
B.
Testing on a limited sample of retail locations
C.
Testing on site for every retail location
D.
Testing on site for 50% of the retail locations
Answer: B
During an engagement, a penetration tester runs a command and receives the following output:
Which of the following is the most likely reason the penetration tester received the output above?
A.
The application queried an internal database service and showed the results.
B.
The application queried the cloud provider metadata service and showed the results.
C.
The application accessed a file on its filesystem and displayed its content.
D.
The application could not handle the request and displayed an error message.
Answer: B
A penetration tester is assessing the security of a client’s externally facing cloud infrastructure.
After running reconnaissance, the tester notices that several services and systems are exposed,
including a web server, application server, storage buckets, and an unknown portal requiring
authentication. After closely examining each of the exposed resources, the tester stumbles upon
confidential documents available without any security controls. Which of the following is the most
likely reason the resources are exposed?
A.
IAM misconfiguration
B.
Federation misconfiguration
C.
Access token misconfiguration
D.
Object storage misconfiguration
Answer: D
A penetration tester would like to use a vulnerability scanner to assess the security of a web
server. Which of the following specialized tools would be the best for the tester to use?
A.
OpenVAS
B.
Nikto
C.
Brakeman
D.
SCAP
Answer: B
A penetration tester is working to identify non-relational databases on the 10.0.0.1/24 subnet as
well as the version of software. Which of the following commands should the tester use to achieve
the objective?
A.
nmap 10.0.0.1/24 -p 3306 --script=mysql*
B.
nmap 10.0.0.1/24 -p 27017 --script=mong*
C.
nmap 10.0.0.1/24 -p 5432 --script=pgsql*
D.
nmap 10.0.0.1/24 -p 1433 --script=ms-sql*
Answer: B
A penetration tester is trying to identify the host’s OS version on the subnet 10.7.8.1/25. Which of
the following commands will achieve the objective the fastest?
A.
nmap -sT 10.7.8.1/25
B.
nmap -A 10.7.8.1/25
C.
nmap -O 10.7.8.1/25
D.
nmap -sS 10.7.8.1/25
Answer: C
A penetration tester obtains the hash of a service account within a customer’s Active Directory.
Which of the following attacks should the penetration tester attempt next?
A.
Password spraying
B.
Golden ticket
C.
Cache poisoning
D.
Kerberoasting
Answer: D
A vulnerability scan returned the following results:
Which of the following best describes the meaning of this output?
A.
No CVE is present, so this is a false positive caused by Apache running on a Windows server.
B.
An unknown bug is in an Apache server with no Bugtraq ID.
C.
Windows Defender has a known exploit that must be resolved or patched.
D.
Connecting to the host using a null session allows listing of the share names on the host.
Answer: D
A penetration tester issues the following command after obtaining a low-privilege reverse shell:
wmic service get name,pathname,startmode
Which of the following is the most likely reason the penetration tester ran this command?
A.
To search for passwords in the service directory
B.
To list scheduled tasks that may be exploitable
C.
To register a service to run as System
D.
To find services that have unquoted service paths
Answer: D
A security analyst is conducting a wireless penetration test on a corporate network. The goal is to
capture and analyze handshakes between wireless clients and the access point. Which of the
following tools would be the most appropriate for the analyst to use?
A.
Amplified antenna
B.
Evil twin
C.
Aircrack-ng suite
D.
Captive portal
Answer: C
While performing a vulnerability assessment over an OT/ICS environment, the tester runs a tool
that causes a malfunction on one of the systems in charge of water pumping at the plant. Which of
the following is the best way to avoid these disruptions in future engagements?
A.
Using Nmap or other scanning solutions that also are used on IT environments
B.
Not testing water pumps or other OT/ICS devices that are critical
C.
Changing the scanning approach to use passive-only scans and tools
D.
Including disruption of services on the SOW
Answer: C
For an engagement, a penetration tester is required to use only local operating system tools for file
transfer. Which of the following options should the penetration tester consider?
A.
Netcat
B.
WinSCP
C.
Filezilla
D.
Netstat
Answer: A
As part of active reconnaissance, penetration testers need to determine whether a protection
mechanism is in place to safeguard the target’s website against web application attacks. Which of
the following methods would be the most suitable?
A.
Direct-to-origin testing
B.
Antivirus scanning
C.
Scapy packet crafting
D.
WAF detection
Answer: D
A penetration tester accessed a database and viewed all the user information in order to access
an application. However, the passwords for the application did not work. Which of the following is
most likely the issue in this situation?
A.
The application changes passwords often.
B.
The database belongs to another application.
C.
The passwords are hashed.
D.
The database is encrypted.
Answer: C
A penetration tester noticed that an employee was using a wireless headset with a smartphone.
Which of the following methods would be best to use to intercept the communications?
A.
Multiplexing
B.
Bluejacking
C.
Zero-day attack
D.
Smurf attack
Answer: B
A penetration tester received the following output after running the Nmap command:
Which of the following should the penetration tester try next?
A.
Brute force the FTP service
B.
Attack the SSH service
C.
Mount the file sharing
D.
Connect to the web server
Answer: C
During the reconnaissance phase, a penetration tester runs the following command:
sudo responder -I tun0
The result of the command is a list of NTLMv2 hashes. Which of the following should the
penetration tester do next?
A.
Use the hash in a password spraying attack.
B.
Use the hashes in a collision attack.
C.
Attempt to pass the hash with CrackMapExec.
D.
Crack the hash with Hashcat.
Answer: D
A penetration tester is testing a client’s infrastructure and discovers an API that provides
information about the infrastructure that can be used to configure or manage the instances. The
penetration tester uses this API to obtain temporary credentials used to access the infrastructure.
Which of the following types of attacks did the penetration tester use?
A.
Direct-to-origin
B.
Side-channel
C.
Cloud malware injection
D.
Metadata service
Answer: D
A penetration tester is performing a red-team assessment and needs to attempt to compromise
the laptop that belongs to the customer’s Chief Executive Officer (CEO). Which of the following
phishing targets would be most likely to assist with accomplishing this task?
A.
A new customer service agent
B.
The Chief Financial Officer
C.
A newly hired college intern
D.
The CEO’s executive assistant
Answer: D
During a penetration test of a server application, a security consultant found that the application
randomly crashed or remained stable after opening several simultaneous connections to the
application and always submitting the same packets of data. Which of the following is the best
sequence of steps the tester should use to understand and exploit the vulnerability?
A.
Attach a remote profiler to the server application. Establish a random number of connections to the
server application. Send fixed packets of data simultaneously using those connections.
B.
Attach a remote debugger to the server application. Establish a large number of connections to the
server application. Send fixed packets of data simultaneously using those connections.
C.
Attach a local disassembler to the server application. Establish a single connection to the server
application. Send fixed packets of data simultaneously using that connection.
D.
Attach a remote disassembler to the server application. Establish a small number of connections
to the server application. Send fixed packets of data simultaneously using those connections.
Answer: B
Which of the following is the most important for the tester to have during a physical penetration
test?
A.
Authorization form
B.
Emergency contact information
C.
Scoping document
D.
Credentials of the executive team
Answer: A
A penetration tester is looking for insecure configurations. The tester wants to identify all hosts on
the 10.0.0.0/16 network that are potentially vulnerable to an SMB relay attack. Which of the
following reconnaissance commands is best for this task?
A.
sudo python3 Responder.py -I eth0 -i 10.0.0.0/16
B.
sudo python3 Icmp-Redirect.py -r eth0 -i 10.0.0.0/16
C.
sudo python3 RunFinger.py -i 10.0.0.0/16
D.
sudo python3 MultiRelay.py -i 10.0.0.0/16
Answer: A
A penetration tester runs the following command and obtains the output shown:
After preparing the penetration test report, the penetration tester runs the following commands:
rm -f 127.0.0.1.unshadow
rm -f .john/john.pot
Which of the following best explains why the penetration tester ran the last two commands?
A.
To remove tester-created credentials
B.
To update John’s database of cracked hashes
C.
To prevent john from recracking the same hashes
D.
To delete hashes and any recovered passwords
Answer: D
During an assessment a penetration tester runs the following command:
cme smb 192.168.9.14 -u alice -p Alice2021 --users
Which of the following is the penetration tester trying to do?
A.
Brute force local users
B.
Crack the password
C.
Enumerate domain users
D.
Perform a dictionary attack
Answer: C
A penetration tester wants to bypass a NAC mechanism that restricts access to a network,
circumvent the MAC address check, and gain unauthorized access to the network. Which of the
following techniques should the tester use?
A.
MAC spoofing
B.
VLAN hopping
C.
Brute-force attack
D.
DNS cache poisoning
Answer: A
During an assessment a penetration tester found an application with the default credentials
enabled. Which of the following best describes the technical control required to fix this issue?
A.
Password encryption
B.
System hardening
C.
Multifactor authentication
D.
Patch management
Answer: B
During a penetration test, a team discovers that the Windows hosts share the same local
administrator account password. Which of the following is the best remediation recommendation?
A.
Using a multifactor authentication solution
B.
Giving a team or person the responsibility of managing unique passwords per host
C.
Creating a new local administration account with a different name
D.
Using a technical solution to randomize the password per host
Answer: D
Which of the following standards or methodologies is the most widely recognized as a structured
approach for conducting penetration testing engagements?
A.
PTES
B.
OWASP
C.
MITRE ATT&CK
D.
NIST Cybersecurity Framework
Answer: A
A penetration tester wants to launch an attack that intercepts and alters network traffic between a
client and a server. Which of the following tools should the penetration tester use to perform this
network attack?
A.
Nmap
B.
Ettercap
C.
Metasploit
D.
Netcat
Answer: B
A penetration tester is performing an assessment of a file server that the customer uses to
exchange reports and other documents with business partners. The penetration tester executes
the following command while connected to the organization’s VPN:
Which of the following is the most likely reason for the difference in the two responses?
A.
Internal requests to the server require single sign-on
B.
An Apache web proxy server is being used
C.
A WAF is blocking some requests
D.
VPN users make use of internal DNS servers
Answer: D
Which of the following reasons explains why a penetration tester should communicate with a client
during an assessment?
A.
To check if all shells have been removed
B.
To discuss the penetration testing budget
C.
To identify any false positives
D.
To validate customer data destruction
Answer: C
Which of the following is the most important to include in the SOW during a wireless security
assessment?
A.
The IP ranges in scope
B.
The 5GHz channels available
C.
The 802.11 frequencies
D.
The SSIDs being tested
Answer: D
A penetration tester is performing various tests against an application and is repeatedly locked out
due to excessive failed log-in attempts. After each attempt, the penetration tester is able to create
a new account using the same email address with a new username. Which of the following attack
vectors is the penetration tester most likely attempting?
A.
Session fixation
B.
Business logic flaw
C.
Session replay
D.
Privilege escalation
Answer: B
A penetration tester enters a command into the shell and receives the following output:
C:\Users\UserX\Desktop>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
VulnerableService Some Vulnerable Service C:\Program Files\A Subfolder\B Subfolder\SomeExecutable.exe Automatic
Which of the following types of vulnerabilities does this system contain?
A.
Unquoted service path
B.
Writable services
C.
Clear text credentials
D.
Insecure file/folder permissions
Answer: A
During an assessment, a penetration tester is looking for API keys and tokens for an application
so the tester can access the application. Which of the following is the most likely location for the
keys and tokens?
A.
Robots.txt file
B.
Public repositories
C.
File metadata
D.
Password dumps
Answer: B
A penetration tester performed an Nmap scan that revealed the presence of a web server, a file
server, and a database server. Which of the following Nmap scans should the tester use to potentially find more services that were undetected during the regular Nmap scan?
A.
-sC
B.
-sU
C.
-sT
D.
-sS
Answer: B
A project manager needs to validate that members of the penetration testing team are technically
qualified to perform work within the customer’s environment. Which of the following is the best way
to satisfy this requirement?
A.
Verify that every member of the team had a criminal background check
B.
Validate that the organization is ISO 9000 and ISO 9002 certified
C.
Confirm each team member holds an industry certification for all SOW tasks
D.
Obtain documentation showing that the organization meets GDPR
Answer: C
A penetration tester team is looking for the best way to steal an active session cookie that is
managed on an unprotected JavaScript variable on the client side. Which of the following is the
best tool to use for this task?
A.
BeEF
B.
Burp Suite
C.
Gobuster
D.
SET
Answer: A
A penetration tester would like to conduct an on-path attack against a target system in a local
network. Which of the following techniques should the tester use in order to make the tester
appear to have an IP address of a trusted server?
A.
ARP spoofing
B.
DNS spoofing
C.
MAC spoofing
D.
IP spoofing
Answer: D
A penetration tester is conducting a vulnerability scan on a remote oil rig, which has limited
satellite internet connectivity. The bandwidth available for the scan is significantly restricted due to
the remote location and the bandwidth limitations of the satellite link. The penetration tester wants
to ensure the effectiveness of the vulnerability scan while minimizing the impact on the network
performance and connectivity. Which of the following should be considered?
A.
Query throttling
B.
Network topology
C.
Time to run the scans
D.
Protocols used for scanning
Answer: A
A penetration tester is conducting an assessment on a web application. Which of the following
active reconnaissance techniques would be best for the tester to use to gather additional
information about the application?
A.
Using cURL with the verbose option
B.
Crawling URIs using an interception proxy
C.
Using Scapy for crafted requests
D.
Crawling URIs using a web browser
Answer: B
A penetration tester is planning a phishing campaign for a client that targets all full-time
employees. The client requested that the assessment team go easy on the employees because
several recent rounds of layoffs have negatively impacted morale. Which of the following email
phishing campaign pretexts best aligns with the customer’s preferences?
A.
Emailing a link to access a human resources notice
B.
Emailing a link to redeem a free coffee card
C.
Emailing a link to view an urgent message from the Chief Executive Officer
D.
Emailing a link to confirm a human resources payroll update
Answer: B
Which of the following is the most important consideration when performing a penetration test on a
SCADA system?
A.
Documentation might be lacking
B.
The system might be fragile
C.
Network segmentation might be required
D.
System patches might not be available
Answer: B
A hacker wants to exploit a vulnerability in a Bluetooth-enabled device by secretly pairing with it
and gaining unauthorized access. Which of the following attack methods would be the most
effective for the hacker to use?
A.
Spoofing
B.
Data modification
C.
Deauthentication
D.
Eavesdropping
Answer: A
A penetration tester would like to use a system that places a redirector between the attacker
system and the target system. Which of the following should the penetration tester use?
A.
Empire
B.
Covenant
C.
Impacket tools
D.
Medusa
Answer: B
A penetration tester is conducting a penetration test for a client that has many industrial devices.
Which of the following would be the best tool for the tester to use?
A.
Censys
B.
Recon-ng
C.
Maltego
D.
Shodan
Answer: D
A penetration tester managed to access an internal Windows workstation for a target company.
The tester used Mimikatz during the post exploitation of this compromised host. Which of the
following would be a relevant reason for the tester to use this tool?
A.
When a network device was compromised and the tester wants to have persistence on the
network
B.
When a computer or server was compromised and the tester wants to move laterally
C.
When the tester wants to test reactions to ransomware infections on servers and computers
D.
When the tester wants to crack and capture password hashes
Answer: B
A penetration tester managed to exploit a vulnerability using the following payload:
IF (1=1) WAITFOR DELAY '0:0:15'
Which of the following actions would best mitigate this type of attack?
A.
Encrypting passwords
B.
Parameterizing queries
C.
Encoding output
D.
Sanitizing HTML
Answer: B
A penetration tester scans a website and obtains the following output:
Which of the following would be the best next step for the penetration tester?
A.
Use WPScan
B.
Review the robots.txt file
C.
Open the phpinfo page
D.
Browse the /wp-admin folder
Answer: B
An organization is required to undergo a penetration test to assess the segmentation of its
network. Which of the following standards or regulations requires this type of testing?
A.
ISSAF
B.
GDPR
C.
PCI DSS
D.
ISO 27001
Answer: C
While wrapping up a penetration engagement, a penetration tester remembered that the following
changes were made to the root crontab:
Which of the following would be best for the penetration tester to do as part of the post-engagement
cleanup?
A.
Change the fourth entry to perform a reload of the Apache2 service rather than a restart
B.
Delete the third entry, as it is generating a backdoor into the server
C.
Remove the /dev/null redirect of the output from the second entry
D.
Change the first entry to run every day rather than every Monday
Answer: B
Which of the following is the most important document for a penetration tester to verify is
completed and signed before beginning any external or social engineering engagement?
A.
NDA
B.
SOW
C.
PTES
D.
ROE
Answer: D