Dump 5

Question 1

Which of the following documents should be consulted if a client has an issue accepting a
penetration test report that was provided?

A.
Rules of engagement
B.
Signed authorization letter
C.
Statement of work
D.
Non-disclosure agreement

Answer 1

Answer: C

Question 2

A penetration testing firm performs an assessment every six months for the same customer. While
performing network scanning for the latest assessment, the penetration tester observes that
several of the target hosts appear to be residential connections associated with a major television
and ISP in the area. Which of the following is the most likely reason for the observation?

A.
The penetration tester misconfigured the network scanner.
B.
The network scanning tooling is not functioning properly.
C.
The IP ranges changed ownership.
D.
The network scanning activity is being blocked by a firewall.

Answer 2

Answer: C

Question 3

After successfully compromising a remote host, a security consultant notices an endpoint
protection software is running on the host. Which of the following commands would be best for the
consultant to use to terminate the protection software and its child processes?

A.
taskkill /PID <PID> /T /F
B.
taskkill /PID <PID> /IM /F
C.
taskkill /PID <PID> /S /U
D.
taskkill /PID <PID> /F /P</PID></PID></PID></PID>

Answer 3

Answer: A

Question 4

Which of the following is the most secure way to protect a final report file when delivering the
report to the client/customer?

A.
Creating a link on a cloud service and delivering it by email
B.
Asking for a PGP public key to encrypt the file
C.
Requiring FTPS security to download the file
D.
Copying the file on a USB drive and delivering it by postal mail

Answer 4

Answer: B

Question 5

A local firewall is configured to drop all incoming packets with the TCP SYN or URG flags set.
Which of the following Nmap commands should a penetration tester use to scan the ports 22, 53,
80, and 443 on the target machine and get the most reliable results?

A.
nmap -sY 10.4.7.18 -Pn -p 22,53,80,443
B.
nmap -sS 10.4.7.18 -Pn -p 22,53,80,443
C.
nmap -sA 10.4.7.18 -Pn -p 22,53,80,443
D.
nmap -sT 10.4.7.18 -Pn -p 22,53,80,443

Answer 5

Answer: C

Question 6

Which of the following Python data structures is the best way to store a group of key-value pair
objects?

A.
Arrays
B.
Lists
C.
Trees
D.
Dictionaries

Answer 6

Answer: D

Question 7

In order to improve the security of a company, an information security officer decided to implement
multifactor authentication (MFA) technology. The company currently requires badges to access its
facilities. Which of the following additional types of physical controls should the security officer
recommend to enforce MFA?

A.
What you have
B.
Where you are
C.
What you know
D.
Who you are

Answer 7

Answer: C

Question 8

Which of the following should penetration testers keep with them while conducting on-site security
reviews to assist with de-escalating confrontational situations?

A.
A signed statement of work
B.
A written letter of authorization
C.
Clients’ contact information
D.
Rules of engagement

Answer 8

Answer: B

Question 9

After obtaining a reverse shell connection, a penetration tester runs the following command:

Which of the following is the fastest way to escalate privileges on this server?

A.
Editing the file /etc/passwd to add a new user with UID 0
B.
Creating a Bash script, saving it on the /tmp folder, and then running it
C.
Executing the command sudo vi -c ‘!bash’
D.
Editing the file /etc/sudoers to allow any command

Answer 9

Answer: C

Question 10

During a penetration testing engagement, a penetration tester discovers a buffer overflow
vulnerability. Which of the following actions should the tester take to maintain professionalism and
integrity?

A.
Apply for a bug bounty reward from the manufacturer.
B.
Inform the appropriate authorities about the vulnerability before informing the client.
C.
Report the vulnerability to the client and provide recommendations for remediation.
D.
Exploit the vulnerability to demonstrate its impact to the client.

Answer 10

Answer: C

Question 11

During a REST API security assessment, a penetration tester was able to sniff JSON content
containing user credentials. The JSON structure was as follows:

Assuming that the variable json contains the parsed JSON data, which of the following Python
code snippets correctly returns the password for the user ozzy?

A.
json[‘content’][‘password’][1]
B.
json[‘user_id’][‘password’][0][1]
C.
json[‘content’][1][‘password’][0]
D.
json[‘content’][0][‘password’][1]

Answer 11

Answer: C

Question 12

During an assessment of a web application, a penetration tester would like to test the application
for blind SQL injection. Which of the following techniques should the penetration tester perform
next?

A.
1’ ORDER BY 1–+
B.
‘; IF (1=1) WAITFOR DELAY ‘0:0:10’–
C.
xyz’ AND ‘1’ = ‘1
D.
xyz’ AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE ‘a’ END)=’a)

Answer 12

Answer: B

Question 13

A penetration tester would like to crack a hash using a list of hashes and a predefined set of rules.
The tester runs the following command:

hashcat.exe -a 0 .\hash.txt .\rockyou.txt -r .\rules\replace.rule

Which of the following is the penetration tester using to crack the hash?

A.
Hybrid attack
B.
Dictionary
C.
Rainbow table
D.
Brute-force method

Answer 13

Answer: A

Question 14

A penetration tester discovered a vulnerability that has the following CVEs:

Which of the following CVEs should be remediated first?

A.
CVE-2007-6750
B.
CVE-2011-3192
C.
CVE-2012-2122
D.
CVE-2014-0160
E.
CVE-2017-7494

Answer 14

Answer: E

Question 15

A penetration tester is performing DNS reconnaissance and has obtained the following output
using different dig commands:

Which of the following can be concluded from the output the penetration tester obtained?

A.
mxc.company.com is the preferred mail server.
B.
The company.com record can be cached for five minutes.
C.
The company’s website is hosted at 120.73.220.53.
D.
The nameservers are not redundant.

Answer 15

Answer: C

Question 16

After compromising a remote host, a penetration tester is able to obtain a web shell. A firewall is
blocking outbound traffic. Which of the following commands would allow the penetration tester to
obtain an interactive shell on the remote host?

A.
bash -i >& /dev/tcp 8443 0>&1
B.
nc -e host 8443 /bin/bash
C.
nc -vlp 8443 /bin/bash
D.
nc -vp 8443 /bin/bash

Answer 16

Answer: C

Question 17

A security engineer is working to identify all email servers on a network. Which of the following
commands should the engineer use to identify the servers as well as the software version the
servers are running?

A.
nmap 10.0.0.1/24 -sT -sV -p 25,110,143,465,993,995
B.
nmap 10.0.0.1/24 -sT -v -p 21,22,23,53,110,135
C.
nmap 10.0.0.1/24 -sS -sV -p 37,110,119,161,445,3389
D.
nmap 10.0.0.1/24 -sA -sU -p 80,110,443,209,389,464

Answer 17

Answer: A

Question 18

During the execution of a cloud penetration test, a tester was able to gain an initial footprint on the
customer cloud infrastructure. Now the tester wants to scan the cloud resources, possible
misconfigurations, and other relevant data that could be exploited. Which of the following tools
should the tester most likely use?

A.
Nikto
B.
Recon-ng
C.
Cobalt Strike
D.
Pacu

Answer 18

Answer: D

Question 19

A penetration tester has compromised a customer’s internal network, gaining access to a file
server that hosts email server backups. Which of the following is the best tool to assist with data
exfiltration?

A.
SFTP
B.
Nmap
C.
Netcat
D.
SCP

Answer 19

Answer: A

Question 20

A penetration tester discovers a file, key.enc, on a shared drive and then executes the following
command, which yields the following output:

Which of the following are the best recommendations for the penetration tester to suggest?
(Choose two).

A.
Implementing password management
B.
Switching to using DSA keys
C.
Using stronger encryption for private key files
D.
Deleting unencrypted files from the share
E.
Disabling the openssl command
F.
Initiating key rotation

Answer 20

Answer: A,F

Question 21

A penetration tester compromised a system and wants to connect to a port on the system from the
attacking machine in order to control the system. Which of the following commands should the
tester run on the compromised system?

A.
nc 10.0.0.1 5555
B.
nc 127.0.0.1 -e /bin/bash
C.
nc localhost 5555
D.
nc -nvlp 5555 - bin/bash

Answer 21

Answer: A

Question 22

For a penetration test engagement, a security engineer decides to impersonate the IT help desk.
The security engineer sends a phishing email containing an urgent request for users to change
their passwords and a link to https://example.com/index.html. The engineer has designed the
attack so that once the users enter the credentials, the index.html page takes the credentials and
then forwards them to another server that the security engineer is controlling. Given the following
information:

Which of the following lines of code should the security engineer add to make the attack
successful?

A.
window.reload ()
B.
crossDomain: true
C.
geturlparameter(‘username’)
D.
redirectUrl = ‘https://example.com’

Answer 22

Answer: B

Question 23

An organization is using Android mobile devices but does not use MDM services. Which of the
following describes an existing risk present in this scenario?

A.
Device log facility does not record actions.
B.
End users have root access by default.
C.
Unsigned applications can be installed.
D.
Push notification services require internet.

Answer 23

Answer: C

Question 24

A penetration tester wants to perform a SQL injection test. Which of the following characters
should the tester use to start the SQL injection attempt?

A.
Colon
B.
Double quote mark
C.
Single quote mark
D.
Semicolon

Answer 24

Answer: C

Question 25

During an assessment, a penetration tester compromised a mobile application by decompiling the APK binary file. Which of the following was most likely the issue? A. Outdated firmware B. Third-party library C. Hard-coded credentials D. Data corruption

Answer 25

Answer: C

Question 26

A penetration tester wants to find the password for any account in the domain without locking any of the accounts. Which of the following commands should the tester use? A. enum4linux -u user1 -p /passwordList.txt 192.168.0.1 B. enum4linux -u user1 -p Password1 192.168.0.1 C. cme smb 192.168.0.0/24 -u /userList.txt -p /passwordList.txt D. cme smb 192.168.0.0/24 -u /userList.txt -p Summer123

Answer 26

Answer: C

Question 27

A penetration tester is testing an Android application. Which of the following specialized tools would be best to use during the test? A. Burp Suite B. Drozer C. Ettercap D. Frida

Answer 27

Answer: B

Question 28

Which of the following would be the most efficient way to write a Python script that interacts with a web application? A. Create a class for requests. B. Write a function for requests. C. Import the requests library. D. Use the cURL OS command.

Answer 28

Answer: C

Question 29

Given the following finding: Which of the following recommendations should a penetration tester make? A. Encrypting passwords B. Improving the account lockout policy C. Sanitizing user input D. Implementing time-of-day restrictions

Answer 29

Answer: B

Question 30

A penetration tester is enumerating shares and receives the following output: Which of the following should the penetration tester enumerate next? A. dev B. print$ C. home D. notes

Answer 30

Answer: D

Question 31

A penetration tester gained access to a customer’s internal corporate network via a wireless guest network. The penetration tester’s laptop was blocked by a NAC system after several Nmap scans. Which of the following techniques would be the most effective in evading the organization’s NAC system? A. Using only UDP scans B. MAC address spoofing C. Using only ICMP scans D. User-agent spoofing

Answer 31

Answer: B

Question 32

A penetration tester is performing an assessment for an organization and must gather valid user credentials. Which of the following attacks would be best for the tester to use to achieve this objective? A. Wardriving B. Captive portal C. Deauthentication D. Impersonation

Answer 32

Answer: C

Question 33

A penetration tester would like to monitor the requests sent by Nikto with Burp Suite. Which of the following tools should the penetration tester use? A. Impacket tools B. Metasploit C. Responder D. ProxyChains

Answer 33

Answer: D

Question 34

Which of the following approaches would be the most appropriate for a penetration tester who is doing a one-week timeboxed assessment for a large electronics retail business with hundreds of locations around the world? A. Testing virtually with no on-site activities B. Testing on a limited sample of retail locations C. Testing on site for every retail location D. Testing on site for 50% of the retail locations

Answer 34

Answer: B

Question 35

During an engagement, a penetration tester runs a command and receives the following output: Which of the following is the most likely reason the penetration tester received the output above? A. The application queried an internal database service and showed the results. B. The application queried the cloud provider metadata service and showed the results. C. The application accessed a file on its filesystem and displayed its content. D. The application could not handle the request and displayed an error message.

Answer 35

Answer: B

Question 36

A penetration tester is assessing the security of a client’s externally facing cloud infrastructure. After running reconnaissance, the tester notices that several services and systems are exposed, including a web server, application server, storage buckets, and an unknown portal requiring authentication. After closely examining each of the exposed resources, the tester stumbles upon confidential documents available without any security controls. Which of the following is the most likely reason the resources are exposed? A. IAM misconfiguration B. Federation misconfiguration C. Access token misconfiguration D. Object storage misconfiguration

Answer 36

Answer: D

Question 37

A penetration tester would like to use a vulnerability scanner to assess the security of a web server. Which of the following specialized tools would be the best for the tester to use? A. OpenVAS B. Nikto C. Brakeman D. SCAP

Answer 37

Answer: B

Question 38

A penetration tester is working to identify non-relational databases on the 10.0.0.1/24 subnet as well as the version of software. Which of the following commands should the tester use to achieve the objective? A. nmap 10.0.0.1/24 -p 3306 --script=mysql* B. nmap 10.0.0.1/24 -p 27017 --script=mong* C. nmap 10.0.0.1/24 -p 5432--script=pgsql* D. nmap 10.0.0.1/24 -p 1433 --script=ms-sql*

Answer 38

Answer: B

Question 39

A penetration tester is trying to identify the host’s OS version on the subnet 10.7.8.1/25. Which of the following commands will achieve the objective the fastest? A. nmap -sT 10.7.8.1/25 B. nmap -A 10.7.8.1/25 C. nmap -O 10.7.8.1/25 D. nmap -sS 10.7.8.1/25

Answer 39

Answer: C

Question 40

A penetration tester obtains the hash of a service account within a customer’s Active Directory. Which of the following attacks should the penetration tester attempt next? A. Password spraying B. Golden ticket C. Cache poisoning D. Kerberoasting

Answer 40

Answer: D

Question 41

A vulnerability scan returned the following results: Which of the following best describes the meaning of this output? A. No CVE is present, so this is a false positive caused by Apache running on a Windows server. B. An unknown bug is in an Apache server with no Bugtraq ID. C. Windows Defender has a known exploit that must be resolved or patched. D. Connecting to the host using a null session allows listing of the share names on the host.

Answer 41

Answer: D

Question 42

A penetration tester issues the following command after obtaining a low-privilege reverse shell: wmic service get name,pathname,startmode Which of the following is the most likely reason the penetration tester ran this command? A. To search for passwords in the service directory B. To list scheduled tasks that may be exploitable C. To register a service to run as System D. To find services that have unquoted service paths

Answer 42

Answer: D

Question 43

A security analyst is conducting a wireless penetration test on a corporate network. The goal is to capture and analyze handshakes between wireless clients and the access point. Which of the following tools would be the most appropriate for the analyst to use? A. Amplified antenna B. Evil twin C. Aircrack-ng suite D. Captive portal

Answer 43

Answer: C

Question 44

While performing a vulnerability assessment over an OT/ICS environment, the tester runs a tool that causes a malfunction on one of the systems in charge of water pumping at the plant. Which of the following is the best way to avoid these disruptions in future engagements? A. Using Nmap or other scanning solutions that also are used on IT environments B. Not testing water pumps or other OT/ICS devices that are critical C. Changing the scanning approach to use passive-only scans and tools D. Including disruption of services on the SOW

Answer 44

Answer: C

Question 45

For an engagement, a penetration tester is required to use only local operating system tools for file transfer. Which of the following options should the penetration tester consider? A. Netcat B. WinSCP C. Filezilla D. Netstat

Answer 45

Answer: A

Question 46

As part of active reconnaissance, penetration testers need to determine whether a protection mechanism is in place to safeguard the target’s website against web application attacks. Which of the following methods would be the most suitable? A. Direct-to-origin testing B. Antivirus scanning C. Scapy packet crafting D. WAF detection

Answer 46

Answer: D

Question 47

A penetration tester accessed a database and viewed all the user information in order to access an application. However, the passwords for the application did not work. Which of the following is most likely the issue in this situation? A. The application changes passwords often. B. The database belongs to another application. C. The passwords are hashed. D. The database is encrypted.

Answer 47

Answer: C

Question 48

A penetration tester noticed that an employee was using a wireless headset with a smartphone. Which of the following methods would be best to use to intercept the communications? A. Multiplexing B. Bluejacking C. Zero-day attack D. Smurf attack

Answer 48

Answer: B

Question 49

A penetration tester received the following output after running the Nmap command: Which of the following should the penetration tester try next? A. Brute force the FTP service B. Attack the SSH service C. Mount the file sharing D. Connect to the web server

Answer 49

Answer: C

Question 50

During the reconnaissance phase, a penetration tester runs the following command: sudo responder -I tun0 The result of the command is a list of NTLMv2 hashes. Which of the following should the penetration tester do next? A. Use the hash in a password spraying attack. B. Use the hashes in a collision attack. C. Attempt to pass the hash with CrackMapExec. D. Crack the hash with Hashcat.

Answer 50

Answer: D

Question 51

A penetration tester is testing a client's infrastructure and discovers an API that provides information about the infrastructure that can be used to configure or manage the instances. The penetration tester uses this API to obtain temporary credentials used to access the infrastructure. Which of the following types of attacks did the penetration tester use? A. Direct-to-origin B. Side-channel C. Cloud malware injection D. Metadata service

Answer 51

Answer: D

Question 52

A penetration tester is performing a red-team assessment and needs to attempt to compromise the laptop that belongs to the customer's Chief Executive Officer (CEO). Which of the following phishing targets would be most likely to assist with accomplishing this task? A. A new customer service agent B. The Chief Financial Officer C. A newly hired college intern D. The CEO's executive assistant

Answer 52

Answer: D

Question 53

During a penetration test of a server application, a security consultant found that the application randomly crashed or remained stable after opening several simultaneous connections to the application and always submitting the same packets of data. Which of the following is the best sequence of steps the tester should use to understand and exploit the vulnerability? A. Attach a remote profiler to the server application. Establish a random number of connections to the server application. Send fixed packets of data simultaneously using those connections. B. Attach a remote debugger to the server application. Establish a large number of connections to the server application. Send fixed packets of data simultaneously using those connections. C. Attach a local disassembler to the server application. Establish a single connection to the server application. Send fixed packets of data simultaneously using that connection. D. Attach a remote disassembler to the server application. Establish a small number of connections to the server application. Send fixed packets of data simultaneously using those connections.

Answer 53

Answer: B

Question 54

Which of the following is the most important for the tester to have during a physical penetration test? A. Authorization form B. Emergency contact information C. Scoping document D. Credentials of the executive team

Answer 54

Answer: A

Question 55

A penetration tester is looking for insecure configurations. The tester wants to identify all hosts on the 10.0.0.0/16 network that are potentially vulnerable to an SMB relay attack. Which of the following reconnaissance commands is best for this task? A. sudo python3 Responder.py -I eth0 -i 10.0.0.0/16 B. sudo python3 Icmp-Redirecr.py -r eth0 -i 10.0.0.0/16 C. sudo python3 RunFinger.py -i 10.0.0.0/16 D. sudo python3 MultiRelay.py -i 10.0.0.0/16

Answer 55

Answer: A

Question 56

A penetration tester runs the following command and obtains the output shown: After preparing the penetration test report, the penetration tester runs the following commands: rm -f 127.0.0.1.unshadow rm -f .john/john.pot Which of the following best explains why the penetration tester ran the last two commands? A. To remove tester-created credentials B. To update John's database of cracked hashes C. To prevent john from recracking the same hashes D. To delete hashes and any recovered passwords

Answer 56

Answer: D

Question 57

During an assessment a penetration tester runs the following command: cme smb 192.168.9.14 -u alice -p Alice2021 --users Which of the following is the penetration tester trying to do? A. Brute force local users B. Crack the password C. Enumerate domain users D. Perform a dictionary attack

Answer 57

Answer: C

Question 58

A penetration tester wants to bypass a NAC mechanism that restricts access to a network circumvent the MAC and gain unauthorized access to the network. Which of the following techniques should the tester use? A. MAC spoofing B. VLAN hopping C. Brute-force attack D. DNS cache poisoning

Answer 58

Answer: A

Question 59

During an assessment a penetration tester found an application with the default credentials enabled. Which of the following best describes the technical control required to fix this issue? A. Password encryption B. System hardening C. Multifactor authentication D. Patch management

Answer 59

Answer: B

Question 60

During a penetration test, a team discovers that the Windows hosts share the same local administrator account password. Which of the following is the best remediation recommendation? A. Using a multifactor authentication solution B. Giving a team or person the responsibility of managing unique passwords per host C. Creating a new local administration account with a different name D. Using a technical solution to randomize the password per host

Answer 60

Answer: D

Question 61

Which of the following standards or methodologies is the most widely recognized as a structured approach for conducting penetration testing engagements? A. PTES B. OWASP C. MITRE ATT&CK D. NIST Cybersecurity Framework

Answer 61

Answer: A

Question 62

A penetration tester wants to launch an attack that intercepts and alters network traffic between a client and a server. Which of the following tools should the penetration tester use to perform this network attack? A. Nmap B. Ettercap C. Metasploit D. Netcat

Answer 62

Answer: B

Question 63

A penetration tester is performing an assessment of a file server that the customer uses to exchange reports and other documents with business partners. The penetration tester executes the following command while connected to the organization's VPN: Which of the following is the most likely reason for the difference in the two responses? A. Internal requests to the server require single sign-on B. An Apache web proxy server is being used C. A WAF is blocking some requests D. VPN users make use of internal DNS servers

Answer 63

Answer: D

Question 64

Which of the following reasons explains why a penetration tester should communicate with a client during an assessment? A. To check if all shells have been removed B. To discuss the penetration testing budget C. To identify any false positives D. To validate customer data destruction

Answer 64

Answer: C

Question 65

Which of the following is the most important to include in the SOW during a wireless security assessment? A. The IP ranges in scope B. The 5GHz channels available C. The 802.11 frequencies D. The SSIDs being tested

Answer 65

Answer: D

Question 66

A penetration tester is performing various tests against an application and is repeatedly locked out due to excessive failed log-in attempts. After each attempt, the penetration tester is able to create a new account using the same email address with a new username. Which of the following attack vectors is the penetration tester most likely attempting? A. Session fixation B. Business logic flaw C. Session replay D. Privilege escalation

Answer 66

Answer: B

Question 67

A penetration tester enters a command into the shell and receives the following output: C:\Users\UserX\Desktop>vmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v |C:\\Windows\\" | findstr /i /v"" VulnerableService Some Vulnerable Service C:\Program Files\A Subfolder\B Subfolder\SomeExecutable.exe Automatic Which of the following types of vulnerabilities does this system contain? A. Unquoted service path B. Writable services C. Clear text credentials D. Insecure file/folder permissions

Answer 67

Answer: A

Question 68

During an assessment, a penetration tester is looking for API keys and tokens for an application so the tester can access the application. Which of the following is the most likely location for the keys and tokens? A. Robots.txt file B. Public repositories C. File metadata D. Password dumps

Answer 68

Answer: B

Question 69

A penetration tester performed an Nmap scan that revealed the presence of a web server, a file server, and a database server. Which of the following Nmap scans should the tester use to potentially find more services that were undetected during the regular Nmap scan? A. -sC B. -sU C. -sT D. -sS

Answer 69

Answer: B

Question 70

A project manager needs to validate that members of the penetration testing team are technically qualified to perform work within the customer's environment. Which of the following is the best way to satisfy this requirement? A. Verify that every member of the team had a criminal background check B. Validate that the organization is ISO 9000 and ISO 9002 certified C. Confirm each team member holds an industry certification for all SOW tasks D. Obtain documentation showing that the organization meets GDPR

Answer 70

Answer: C

Question 71

A penetration tester team is looking for the best way to steal an active session cookie that is managed on an unprotected JavaScript variable on the client side. Which of the following is the best tool to use for this task? A. BeEF B. Burp Suite C. Gobuster D. SET

Answer 71

Answer: A

Question 72

A penetration tester would like to conduct an on-path attack against a target system in a local network. Which of the following techniques should the tester use in order to make the tester appear to have an IP address of a trusted server? A. ARP spoofing B. DNS spoofing C. MAC spoofing D. IP spoofing

Answer 72

Answer: D

Question 73

A penetration tester is conducting a vulnerability scan on a remote oil rig, which has limited satellite internet connectivity. The bandwidth available for the scan is significantly restricted due to the remote location and the bandwidth limitations of the satellite link. The penetration tester wants to ensure the effectiveness of the vulnerability scan while minimizing the impact on the network performance and connectivity. Which of the following should be considered? A. Query throttling B. Network topology C. Time to run the scans D. Protocols used for scanning

Answer 73

Answer: A

Question 74

A penetration tester is conducting an assessment on a web application. Which of the following active reconnaissance techniques would be best for the tester to use to gather additional information about the application? A. Using cURL with the verbose option B. Crawling URIs using an interception proxy C. Using Scapy for crafted requests D. Crawling URIs using a web browser

Answer 74

Answer: B

Question 75

A penetration tester is planning a phishing campaign for a client that targets all full-time employees. The client requested that the assessment team go easy on the employees because several recent rounds of layoffs have negatively impacted morale. Which of the following email phishing campaign pretexts best aligns with the customer's preferences? A. Emailing a link to access a human resources notice B. Emailing a link to redeem a free coffee card C. Emailing a link to view an urgent message from the Chief Executive Officer D. Emailing a link to confirm a human resources payroll update

Answer 75

Answer: B

Question 76

Which of the following is the most important consideration when performing a penetration test on a SCADA system? A. Documentation might be lacking B. The system might be fragile C. Network segmentation might be required D. System patches might not be available

Answer 76

Answer: B

Question 77

A hacker wants to exploit a vulnerability in a Bluetooth-enabled device by secretly pairing with it and gaining unauthorized access. Which of the following attack methods would be the most effective for the hacker to use? A. Spoofing B. Data modification C. Deauthentication D. Eavesdropping

Answer 77

Answer: A

Question 78

A penetration tester would like to use a system that places a redirector between the attacker system and the target system. Which of the following should the penetration tester use? A. Empire B. Covenant C. Impacket tools D. Medusa

Answer 78

Answer: B

Question 79

A penetration tester is conducting a penetration test for a client that has many industrial devices. Which of the following would be the best tool for the tester to use? A. Censys B. Recon-ng C. Maltego D. Shodan

Answer 79

Answer: D

Question 80

A penetration tester managed to access an internal Windows workstation for a target company. The tester used Mimikatz during the post exploitation of this compromised host. Which of the following would be a relevant reason for the tester to use this tool? A. When a network device was compromised and the tester wants to have persistence on the network B. When a computer or server was compromised and the tester wants to move laterally C. When the tester wants to test reactions to ransomware infections on servers and computers D. When the tester wants to crack and capture password hashes

Answer 80

Answer: B

Question 81

A penetration tester managed to exploit a vulnerability using the following payload: IF (1=1) WAIT FOR DELAY '0:0:15' Which of the following actions would best mitigate this type of attack? A. Encrypting passwords B. Parameterizing queries C. Encoding output D. Sanitizing HTML

Answer 81

Answer: B

Question 82

A penetration tester scans a website and obtains the following output: Which of the following would be the best next step tor the penetration tester? A. Use WPScan B. Review the robots.txt file C. Open the phpinfo page D. Browse the /wp-admin folder

Answer 82

Answer: B

Question 83

An organization is required to undergo a penetration test to assess the segmentation of its network. Which of the following standards or regulations requires this type of testing? A. ISSAF B. GDPR C. PCI DSS D. ISO 27001

Answer 83

Answer: C

Question 84

While wrapping up a penetration engagement, a penetration tester remembered that the following changes were made to the root crontab: Which of the following would be best for the penetration tester to do as part of the postengagement cleanup? A. Change the fourth entry to perform a reload of the Apache2 service rather than a restart B. Delete the third entry, as it is generating a backdoor into the server C. Remove the /dev/null redirect of the output from the second entry D. Change the first entry to run every day rather than every Monday

Answer 84

Answer: B

Question 85

Which of the following is the most important document for a penetration tester to verify is completed and signed before beginning any external or social engineering engagement? A. NDA B. SOW C. PTES D. ROE

Answer 85

Answer: D