Pocket Prep CompTIA Pentest+ Flashcards

Question 1

Q

Alex is writing a python script to test multiple credentials against a login page.

How would Alex loop the credential testing function?
A. user = user++
         user.connect(target)
B. if user in creds:
           connect (target,user)
C, user = creds 
            connect user, target
D.for user in creds:
         connect(target,user)

Answer

A

D.for user in creds:
connect(target,user)

Explanation:
A simple method of iterating a list is the “for loop”.
The above code will run the “connect)target,user)” function for each user found in the “creds” array

Question 2

Q

Which of the following describes the process of deconfliction?
A.A change management process for remediating vulnerabilities
B.A communication process of sorting out pentesters artifacts from real compromise
C.A risk assessment process
D.A vulnerability scanning process with limited impact

Answer

A

B.A communication process of sorting out pentesters artifacts from real compromise

Explanation:
Communication with the client provides the ability for deconfliction, which is the process of sorting out pentesters artifacts from real world compromise.

This limits the risk of the pentester becoming the scapegoat in case of business impact

Question 3

Q

Alex is preparing for a pentest, but the client has a network access control in place that would prevent most, if not all, of Alex’s packets during testing.

What can be done to enable the testing?
A,.Devices behind the firewall can be execluded from the testing scope
B.Alex can test out of office hours
C.The client can disable the firewall
D.The client can make a security exception in the NAC

Answer

A

D.The client can make a security exception in the NAC

Explanation:
Sometimes a security exception at the network layer is needed to enable a pentester to complete their tests

Question 4

Q

During reconnaissance, Ryan identified a service running on the remote host with an older version.

Where would Ryan look for an exploit for this version?
A.Kali Linux website
B.Exploit-DB Website
C.SANS Website
D.OWASP Website

Answer

A

B.Exploit-DB Website

Explanation:
Exploit DB is a huge database with extensive lists of exploits for many different kinds of software.

They maintain up-to-date lists of exploits and POCs for older and newer version of software

Question 5

Q

Alex is asked to perform a pentest against a web application.

Part of her task involves software assurance.

She has identified 11 dynamic parameters on the web app that need testing.

Which method should she start with?
A.Directory traversal
B.Spear Phishing
C.Fuzzing
D.Code Injection

Answer

A

C.Fuzzing

Explanation:
In this type of testing Alex is evaluating how well a website or web application processes and filters-user supplied input.

Web fuzzing is a technique used to provide invalid or random data as inputs to form fields, URL parameters and so forth in an effort to elicit an error and an unintentional response that could identify a potential injection flaw

Question 6

Q

In what situation would a goal re prioritization likely occur?
A.When a critical target is successfully exploited
B.When new systems are added to the environment
C.Every time the scope changes
D.If third-party malware or traces of compromise are found during testing

Answer

A

D.If third-party malware or traces of compromise are found during testing

Explanation:
During the pentest you may discover malware, malicious binaries, or services running on servers that neither you nor the client created.

These indicators of prior compromise should be brought to the clients attention immediately, because goal reprioritzation may be necessary to properly plan and address the new problem

Question 7

Q

Where would a regular vulnerability can be mandated within an organization?
A.In the legal disclaimers
B.In the corporate policy
C.In the corporate goals
D.In a change management procedure

Answer

A

B.In the corporate policy

Explanation:
Even though it is not a regulatory requirement, many organizations mandate vulnerability scanning in their corporate policy

Question 8

Q

Through reconnaissance, Alex has identified a group of top-ranking managers in his targeted organization.

His next move is to send all of them a specially crafted email that contains a malicious attachment in the form of an Excel financial report.

What type of attack is Alex using?
A.Spear phishing
B.XSS
C.CSRF
D.Whaling

Answer

A

D.Whaling

Explanation:
Whaling is a spoofed-email attack that is used to target members of an organization that have credentials and access to the types of resources that could cause catastrophic damage to a business if compromised

Question 9

Q

Alex is preparing the remediation section of her report.
The issue in question is an authentication service open to the Internet.

This is at risk of brute-force attacks and Alex needs to address it.

Which suggestion would best fir the given situation?
A.Using cookies
B.Implementation of multifactor authentication methods
C.Changing the default service port to one less frequently used
D.Enabling PAM (Password Authentication Manager)

Answer

A

B.Implementation of multifactor authentication methods

Explanation:
Adding a pin from a third-party device or a private key along with password would apply an additional layer of security to the authentication mechanism

Question 10

Q

During a pentest, Erik notices that the website manages sessions using session tokens.

However, he believes that those tokens could be a potential weakness and would like to test the entropy or weak attributes.

Witihn Burp Suite Pro, which plugin would be able to perform the analysis?
A.Burp Decoder
B.Burp Sequencer
C.Burp Repeater
D.Burp Intruder

Answer

A

B.Burp Sequencer

Explanation:
Burp Sequencer is a tool for analyzing the quality of randomness in a sample of data items.

You can use it to test an applications session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.

Burp Intruder is a tool for automating customized attacks against web applications.
It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities

Burp Repeater is a simple tool for manually manipulating and reissuing individual HTTP Websocket messages and analyzing responses.
You can use Repeater for all kinds of purposes, such as changing parameter values to test for input-based vulnerabilities, issuing requests in a specific sequence to test for logic flaws and reissuing requests from Burp Scanner issues to manually verify reported issues

Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms.
It is capable of intelligently recognizing several encoding formats using heuristic techniques

Question 11

Q

Jenny is performing a pentest and she managed to gain access to a Windows host.

What tool should she consider using in order to extract credentials from the Windows host?
A.netcat
B.Mimicatz
C.PowerShell
D.WMIC

Answer

A

B.Mimicatz

Explanation:
Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets.

Other useful attacks it enables are pass-the-hash, pass-the-ticket or building Golden Kerberos tickets.
This makes post-exploitation lateral movement within a network easy for attackers.

Wrong Answers:
Netcat is a computer networking utility for reading and writing to network connections using TCP or UDP.
The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.

The Windows Management Instrumentation Command line (WMIC) is a software utility that allows user to perform Windows Management Instrumentation (WMI) operations with a command prompt

PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language

Question 12

Q

What is the downside of injection malicious code into a legitimate service using Meterpreter?
A.The malicious code is easily detected
B.The malicious code might be spotted by AV
C,The malicious code will likely not survive a reboot
D.It is impossible to control the malicious code once its injected into a legitimate service

Answer

A

C,The malicious code will likely not survive a reboot

Explanation:
Having the malicious code injected into a service (legitimate or not) would mean that the code would be ran from that services memory space, but it would not ensure persistence.

If the machine is rebooted, the service will be restarted, but the malicious code will not be executed

Question 13

Q

When would be an appropriate time for system hardening to take place?
A.At the initial system setup
B.Before any pentest engagement
C.After every pentest that find critical vulnerabilities
D.When the system is initially deployed and on a regular basis after that

Answer

A

D.When the system is initially deployed and on a regular basis after that

Explanation:
Administrators should initially setup the host with system hardening in mind.

They should repeat this process on a periodic basis and configure the systems as business needs change

Question 14

Q

What type of attack is the following request?

‘https://target.com/login.php?user=James&pass=test’or’1’=’1

A.Credentials brute-force
B.Cross-site scripting
C.Weak credentials attack
D.SQL Injection attack

Answer

A

D.SQL Injection attack

Explanation:
SQL Injection is a method where a malicious user can create a true statement using OR 1=1 and pass it in the username or password field of the HTML form page

Question 15

Q

Alex is a about to conduct a pentest.
This client has informed her that a large percentage of their services are hosted in an AWS cloud.

What requirements would have to be fulfilled before Alex proceeds with the test?
A.A third-party authorization
B.The pentest should be declined due to the third party
C.An NDA with the third-party provider
D,A new pentest agreement with the third-party provider

Answer

A

A.A third-party authorization

Explanation:
In cases where a third-party provider is involved, additional authorization would be required by that particular provider

Question 16

Q

Kayla is pentesting a web application.
She managed to find a search parameter and, after poking around, she got the following message from the server.

‘You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near “’”.

What kind of potential vulnerability has Kayla found?

A.Sensitivbe Data Exposure
B.Directory Traversal
C.Cross-Site Scripting (XSS)
D.SQL Injection

Answer

A

D.SQL Injection

Explanation:
A SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

It generally allows an attacker to view data that they are not normally able to retrieve.

This error message is usually generated by the SQL server, suggesting that the intial request did reach the SQL server and was executed.

However, due to the way the request was structured, the output produced an error.

It is likely that a properly structured SQL query will succeed in extracted data from the database.

Incorrect Answers:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Directory Traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files

Sensitive Data exposure differs from a data breach, in which an attacker accesses and steals information

Question 17

Q

Patrick has gained access to a corporate WIFi network.
He is using Kali Linux and going to execute a man-in-the-middle attack.

Which of the following is his best choice to execute this attack?
A.Nmap
B.Ettercap
C.Nikto
D.Aircrack-ng

Answer

A

B.Ettercap

Explanation:
Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN.
It can be used for computer network protocol analysis and security auditing.
It runs on various UNix-like operating systems including Linux, Mac OS X, BSD and Solaris and on Microsoft Windows.

It features sniffing of live connections, content filtering on the fly and many other interesting tricks.

It supports active and passive dissection of many protocols and includes many features for the network and host analysis

Question 18

Q

Your client needs to verify the successful implementation of limited network access and limited storage access for part of their environment.

What sort of assessment would that be?
A.Compliance-driven assessment
B. Goal-based assessment
C.Vulnerability Scanning
D.Black box assessment

Answer

A

A.Compliance-driven assessment

Explanation:
Limited network access and limited storage access are common conditions in PCI compliance, for example.

This usually applies to specific systems involved in transactions processing to other specific services

Question 19

Q

In Burp Suite Pro, when you want to replay a request but change some of the parameters, which module will you use?
A.Extender
B.Sequencer
C.Scanner
D.Repeater

Answer

A

D.Repeater

Explanation:
Using the Repeater, you can replay any specific request and be able to change all of its properties as well as the type of the request:
GET/POST, etc.

The Extender is used to add extensions to your Burp setup

Burp Sequencer is a tool for analyzing the quality of randomness in a same of data items

Burp Scanner is a tool for performing automated scans of web sites

Question 20

Q

John is listing out his findings in the pentest report.
For each finding, John has provided in the following:
Finding ID, Vulnerability, Risk Rating, Remediation, Reference

A.Source
B.Exploit
C.Impact
D.Results

Answer

A

C.Impact

Explanation:
For each finding, the pentest report should also include the impact of it,

This could include the criticality level (low, medium, high and critical)

Question 21

Q

Which of the following is mandatory for a compliance scan?
A.Involve a compliance officer
B.Scan all registered ports
C.Test the environment against the security standards
D.Sign an NDA

Answer

A

C.Test the environment against the security standards

Explanation:
Compliance-based assessments audit an organizations ability to follow and implement a given set of security standards in an environment.

Many industry standards affect and regulate the way sensitive data may be protected, stored and processed within an information system

Question 22

Q

Apart from criticality of the impacted system, what other measures should be considered when prioritizing mitigation actions?
A.Whether a POC is available for free on the internet
B.OS of the vulnerable system
C.Difficulty of remediating the vulnerability
D.How long it takes to exploit the vulnerability

Answer

A

C.Difficulty of remediating the vulnerability

Explanation:
If fixing a vulnerability will require a very large commitment of human or financial resources, that needs to be considered when prioritizing mitigation steps

Question 23

Q

George went through the following path of exploitation to successfully gain access to a targeted host:
He initially scanned the host, found a vulnerable DB service leaking some credential information and used those creds to authenticate to the DB.
Using the DB access, he managed to create a backdoor on the system and finally obtained access to it.

What is this string of attacks called?
A.Exploit Chaining
B.Black Box Testing
C.White Box Testing
D.Vulnerability Scanning

Answer

A

A.Exploit Chaining

Explanation:
Exploit chaining is the process of using multiple exploit methods and techniques in a sequence in order to successfully exploit the host

Question 24

Q

While testing, Rob was able to exploit a SQL Injection on the clients website.

He was able to generate a POC,

Should Rob inform the client of the vulnerability at this stage, or should he wait and present it in the final report?
A.All findings are listed in the final report, there is no need to contact the client during the testing
B.SQL Injection is not critical enough to be communicated to the customer before the final report
C. Its a good practice to communicate critical findings in a timely manner; Rob should contact his client and share his finding
D.All findings, large or small should be reported as soon as they are identified

Answer

A

C. Its a good practice to communicate critical findings in a timely manner; Rob should contact his client and share his finding

Explanation:
High criticality findings are usually reported to the client the moment they are discovered.

The client might need to take some action or provide some guidance on future tests on those vulnerabilities

Findings with low, medium or informational classification are usually only reported in the final report.

Those would not require immediate response from the client

Question 25

Q

How would you classify a vulnerability found on a Linux machine associated with Microsoft Remote Desktop service?
A.Critical
B.Informational
C.False-Negative
D.False-Positive

Answer

A

D.False-Positive

Explanation:
Non-credentialed vulnerability scans can produce a fair share of false positives and may provide little to no verification of discovered vulnerabilities.

Microsoft Remote Desktop service could not be ran on a Linux machine thus suggesting that the vulnerability is a false positive and not exploitable

Question 26

Q

In what way could Alex potentially exploit an FTP service with allowed Anonymouse access?
A.User her Anonymouse account to upload malicious code or tools for remote code execution
B.User her Anonymouse account to log into the FTP server host on a shell terminal
C.Use her Anonymouse account to enumerate users
D.User her Anonymouse account to download restricted data from the FTP site

Answer

A

A.User her Anonymouse account to upload malicious code or tools for remote code execution

Explanation:
The reason for anonymouse access is to allow public, untrusted users to download files from a restricted environment.

However, misconfigurations with directory permissions could allow arbitrary files/directories to be uploaded and lead to remote code execution

Question 27

Q

You are tasked with a compliance-based pentest.

The clients key management solution is hosted on a third-party vendor.

How could this affect the pentest?
A.The client will have to arrange local key management in order to fulfill the compliance requirements
B.The pentestd scope might have to exclude key management from testing, as it falls outside of the clients environment
C.The third-party service provider needs to request an additional pentest and pass the compliance requirements
D.The pentests scope might have to include the third partys policies and practices regarding key management

Answer

A

D.The pentests scope might have to include the third partys policies and practices regarding key management

Explanation:
Depending on the third-party provider, the scope of the test might have to be increased to cover the additional policies and practices.

Some key management service providers do not have the certification needed to fulfill the compliance requirements, in which case the pentestes scope would not need to be increased

Question 28

Q

During information gathering, Erika is attempting to complete a successful zone transfer request.

Out of her arsenal of tools, which one would allow her to complete this?
A.Nmap
B.Ping
C.net use
D.Telnet

Answer

A

A.Nmap

Explanation:
Nmap, a free open-source scanner, is used ti discover hsots and services on a computer network by sending packets and analyzing the responses.

Nmap provides a number of features for proving computer networks, including host discovery and service and OS detection.

Nmaps capabilities are enhanced by the NSE scripts.

Nmap can be utilized with the “dns-zone-transfer.nse’ script to complete a successful zone transfer request

Question 29

Q

What sort of attack is the jamming attack?
A.Denial of service against Wi-Fi
B. Social Engineering Attack
C.VoIP Attack
D.Web Application Attack

Answer

A

A.Denial of service against Wi-Fi

Explanation:
The goal if jamming is to overwhelm the good signal.

The targeted victim would not be able to connect and thus the service would be disrupted

Question 30

Q

When planning a pentest, one of the most important things that needs to be considered is?
A. Number of VLANs in the environment
B.Pentesting tools
C.Firewall rules
D.Target selection

Answer

A

D.Target selection

Explanation:
Selecting the targets to include in the engagement is crucial, as the organization may have many assets (people, processes, facilities, and technologies) located throughout the world that need to be considered during the target selection process

Question 31

Q

George is reviewing a vulnerability scan report.

He notices a critical vulnerability on a Linux host, but the vulnerability is related to a Windows-only service.

How should George categorize this finding?
A.False negative
B.True positive
C.True negative
D.False positive

Answer

A

D.False positive

Explanation:
False positive means that the positive finding is false

False negative would mean that even though something is reported “not vulnerable” it is vulnerable

True positive means that a vulnerability is in fact vulnerable

True negative would mean that a lack of vulnerability is in fact correct

Question 32

Q

When planning a penetration test, the client informs the testing company a specific type of data that falls under national export restrictions.

What does that mean for the pentesters?

A.It means this data is out of the pentests scope
B.It means that a nondisclosure agreement should be signed
C.It means the data is a high-value target
D.It prohibits the testing company from exporting this data to restricted countries

Answer

A

D.It prohibits the testing company from exporting this data to restricted countries

Explanation:
Export restrictions apply to services, technology or data

National export restrictions would mean that the given services, data or technology should not leave the country

Question 33

Q

What sort of exploitation technique can be used with the following command:

’.\PsExec.exe -u administrator -p secure \dc01 cmd’

A.Lateral movement
B.Credential dumping
C.Pass the hash technique
D.Host discovery

Answer

A

A.Lateral movement

Explanation:
PsExec is a legitimate tool, often used by Windows Administrators to perform remote tasks.

It is also widely known among penetration testers and malicious attackers, as it provides perfect grounds for lateral movement in a targeted environment

Question 34

Q

What is SMB?
A.A tool in Kali Linux
B.A protocol that allows remote command execution
C.A protocol for remote access in Windows
D.A file sharing protocol

Answer

A

D.A file sharing protocol

Explanation:
SMB stands for Server Message Block..

This protocol allows sharing of files between Windows-based systems within the same network

Question 35

Q

In the mitigation section of his report, James suggests that the client enforce a strong password policy and high complexity.

Passwords should be changed often and shared with as few people as possible.

What vulnerability is he addressing is he addressing with this suggestion?
A.Shared admin password
B.Cross-site Request Forgery
C.Password in cleartext
D.SQL Injection

Answer

A

A.Shared admin password

Explanation:
Organizations should randomize the passwords of admin accounts, making them strong, complex passwords that are unique on each system

They may then use a password management tool to track all of these passwords

Question 36

Q

John is starting a penetration test; which opf the following tools can he use to gather intel passively?
A.Nmap
B.Burp Suite
C.theHarvester
D.OWASP ZAP

Answer

A

C.theHarvester

Explanation:
The tool is designed to scan databases and structure the results.

Nmap is a port/service scanner

Burp Suite and OWASP ZAP are proxy software, not OSINT tools

Question 37

Q

Analyze the Ruby code below. What purpose does it serve?

File.foreach(wordlistfile).with_index do |line, idx|

pass= line.chomp

print "\rTrying password number #{idx} : #{pass}"

begin

    result1 = Net::SSH.start(target,

                                                user,

                                                :password => pass,

                                                :auth_methods => ["password"].

                                                :number_of_password_prompts => 0

                                                )

rescue Net::SSH::AuthenticationFailed => auth

else

    abort "\nThe password is #{pass}"

end

end

A.Remote control script
B.SSH Brute-forcing
C.Password changing script
D.Pass-the-hash script

Answer

A

B.SSH Brute-forcing

Explanation:
Ruby is a general purpose programming language commonly used by pentesters to create usable code.

As a programming language, Ruby differes from Bash and PowerShell in its flexibility and usefullness.

The script above shows a standard look that goes through a list of passwords and attempts to authenticate a user with each of them.

Upon success, it will print out the correct password.

This process is called brute-forcing

Question 38

Q

What method is used in Linux and macOS to help mitigate the possibility of a malicious user removing files from within a directory with another trusted user account?
A.Sticky bit
B.sudo
C.PAM for Unix 
D.AC tables

Answer

A

A.Sticky bit

Explanation:
A sticky bit is a permission but, like a setuid or setgid bit, but it is set on a directory that allows only the owner of the file within the directory to delete or rename the file

An example of a directory with the sticky bit set would be /tmp in Linux and macOS

Question 39

Q

George has submitted his pentest report and received acceptance of the results from the client.

To conclude the penetration testing, what else is required of George?
A.Nothing; George is completely done with this pentest and all activities related to it
B.George should conduct to a post-engagement cleanup
C.George should stop all running scans and tests
D.George should start retesting the environment

Answer

A

B.George should conduct to a post-engagement cleanup

Explanation:
He should removal all tools, accounts and other traces of his work from the clients environment

Question 40

Q

What type of assessment is a password policy assessment?
A.White box
B.Compliance-based
C.Red team
D.Black box

Answer

A

B.Compliance-based

Explanation:
Compliance-based assessments usually verify the company’s ability to enforce specific security policies, for example, minimum password strength or minimum encryption strength on data in transit or at rest

Question 41

Q

A rainbow table is best described as:
A.A dynamically generated table or a list of values based on predefined criteria
B.A Windows password hashes table
C.A database table of a Postgre server
D.A precomputed list or a table of all possible hash values

Answer

A

D.A precomputed list or a table of all possible hash values

Explanation:
Rainbow tables are prehashed values and because of this they tend to grow in size and require more storage

Question 42

Q

By determining the risk appetite of the client, what is James attempting to find out?
A.How much risk the client is ready to tolerate to achieve their goals
B.The security posture of the client
C.What type of engagement should be conducted
D.Whether the company has been successfully hacked before

Answer

A

A.How much risk the client is ready to tolerate to achieve their goals

Explanation:
Every organization has its own level of risk appetite, which is how much risk the organization is willing to tolerate to achieve its goals.

In the case of pentesting, the organization may apply some tight constraints on how their internal environment is accessed, how sensitive data is being handled and who is allowed to conduct the testing

Question 43

Q

Common Weakness and Enumeration (CWE) is maintained and published by which of the following?
A.OWASP
B.MITRE
C.CAPEC
D.SANS

Answer

A

B.MITRE

Explanation:
Common Weakness Enumeration is a community developed list of common software and hardware security weaknesses.

It is published and maintained by the MITRE Corp

Question 44

Q

Richard is using aircrack-ng suite against the clients wireless network.
He is at the point where he needs to start capturing packets.

Which tool of the aircrack-ng suite should Richard use?
A.airodump-ng
B.airmon-ng
C.None of these
D.airplay-ng

Answer

A

A.airodump-ng

Explanation:
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.

It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.

Airodump-ng is used for packet capturing of raw 802.11 frames.

It is ideal for collection WEP IVs for use with aircrack-ng.

If you have a GPS receiver connected to the computer, airodump-ng can log the coordinates of the discovered access points.

Airmon-ng is used to enable and disable monitor mode on wireless interfaces.

It may also be used to go back from monitor mode to managed mode.

Aireplay-ng is included in the aircrack-ng package and is used to inject wireless frames.

Its main role is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.

Aireplay-ng has many attacks that can de-authenticate wireless clients for the purpose of captuiring WPA handshake data, fake authentications, interactive packet replay, hand-crafted ARP request injection and ARP-request re-injection

Question 45

Q

Company XYZ has accepted the pentest report created by George and requested all other copies of it to be properly disposed of.

Can George keep his personal copy of the report for his own reference?
A.No; the data in the report is the property of the client.
B.Yes; as long as he keeps it only for his personal reference
C.Penetester reports are always stored by the penetration company or the consultant that produces the pentest for a period of six months after test completion for legal reasons
D.Yes, the report was created by George and he is the owner of the document

Answer

A

A.No; the data in the report is the property of the client.

Explanation:
The information in the report is owned by the client.

Upon request, the pentester should destroy all of the data collected during testing, including his copy of the pentest report

Question 46

Q

Jack is attempting to enter a high-security area on the clients premises.

There is no security guard, but the automated door is controlled by RFID on the outside and a motion sensor on the inside.

Clearly, the aim is to prevent people from entering and to enable easy exit.

Jack is using a single sheet of paper, which he pushes through the small gap between the door and the root.

The paper sheet triggers the motion sensor and the door opens.

Which security mechanism has Jack exploited?
A.Jack used the tailgating technique
B.The emergency exit
C.The RFID sensor
D.The egress sensor

Answer

A

D.The egress sensor

Explanation:
The egress sensor is the motion detector that enables easy exit

Question 47

Q

WHich of the following tools could be used for making automatic scans and setting automatic updates?
A.Nmap
B.Burp Suite
C.Metasploit
D.Nessus

Answer

A

D.Nessus

Explanation:
Nessus is a scanning tool that can automate the enumeration process and be left in the background to collect information

Incorrect answers:
Burp Suite is a set of tools used for manual information-gathering. It allows manual testers to intercept all request and responses between the browser and the target application, even when HTTPS is being used

Nmap is an open-source network scanner that discovers hosts and servers manually

Metasploit is a framework that is best known for its automation in making attacks and creating shells on a victims machine

Question 48

Q

During the pentest, Robert was able to successfully exploit SQL injection vulnerability on the clients website.

When dumping the database, he noticed that all passwords were stored in clear text.

He then used the credentials from the database and attempted to authenticate against other clients asset.

EVentually he managed to gain shell access to one of the file share servers.

What mitigation should Robert suggest to the client based on the above results?
A.Change website technology to NoSQL
B.Train users to use more complex passwords
C.Always store passwords in an encrypted state
D.Prevent external logging with a firewall

Answer

A

C.Always store passwords in an encrypted state

Explanation:
Regardless of the technology and platform, passwords should always be stored in an encrypted state.

There is always the danger of compromising the host when passwords are stored in plain text.

Question 49

Q

What could be the result when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer?
A.The allocated stack size will be increased dynamically
B.None of these
C>Corruption of adjacent data on the stack
D.Overfilling a buffer on the heap

Answer

A

C>Corruption of adjacent data on the stack

Explanation:
A stack buffer overflow or stack buffer overrun occurs when a program writes to a memory address on the programs call stack outside of the intended data structure, which is usually a fixed-length buffer.

Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer/

This almost always results in corruption of adjacent data on the stack, and in cases where the overflow was triggered by mistake, will often cause the program to crash or operate incorrectly.

Stack buffer overflow is a type of the more general programming malfunction known as buffer overflow (or buffer overrun)

Overfilling a buffer on the stack is more likely to derail program execution than overfilling a buffer on the heap because the stack contains the return addresses for all active function calls

A stack buffer overflow can be cause deliberately as part of an attack known as stack smashing.

If the affected program is running with special privileges, or accepts data from untrusted network hosts then the bug is a potential security vulnerability.

If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process.

This is one of the oldest and more reliable methods for attackers to gain unauthorized access to a computer

Question 50

Q

Alex is using a reporting tool that can take input in XML format and produce a natively converted report in HTML.

What flag in an XML format ready to be imported into the reporting tool?
A.--output=html
B.--report=xml
C.-oX
D.-xml

Answer

A

C.-oX

Explanation:
-oX will instruct Nmap to produce the final results in XML format

Other options:
-oN = Normal output

oG = grepable format
oA = output the results in all formats

Question 51

Q

WHich of the following is the most important reason for the need for good and clear communication between the client and the penteser during the pentest engagement?
A.Situational awareness
B.Exchange of penetesting ideas and approaches
C.Regular updates on current status and progress
D.Quick response to changes in the scope

Answer

A

A.Situational awareness

Explanation:
For pentesters to ensure that they are in line with the pentests scope and the clients expectations, it is essential that they keep clear and open channels of communication.

Such communication is useful to provide situational awareness by keeping the pentesters informed of any changes in the clients environment.

For example, if the client needs to make changes to increase their productivity, pentesters should be made aware so that testing does not interfere with the clients business activities

Question 52

Q

What is the CVSS used for?

A. To describe a vulnerability
B.To determine the impact of a vulnerability
C.As a web pentest tool
D.As an exploit database

Answer

A

B.To determine the impact of a vulnerability

Explanation:
CVSS stands for Common Vulnerability Scoring Syste,

This system is used to provide metrics that can be used to determine the impact of a vulnerability to the environment of the organization.

Things that are considered when assigning a CVSS score are: exploitation difficulty, impact on data integrity etc.

Question 53

Q

What is a honeypot in IT security?
A.A security tool for debuting of malicious code
B>A pentesting tool
C.A social engineering technique
D.A method of deception used by security teams

Answer

A

D.A method of deception used by security teams

Explanation:
Honeypots are systems that can be found in the targeted organizations environment that appear to be vulnerable and thus are usually targted by malicious attackers.

However, they are simply a method of deception with the goal of distracting attackers from the real target

Question 54

Q

Using “wash”, George has identified WPS-enabled networks.

He is attempting to exploit the WPS vulnerability associated with some old APs and brute force the WPS PIN.

Which command will he use?
A.wpshack -wlan0 --host HackMe
B.Airodump-ng -i wlan0 --wps -b HackMe
C.Aircrack-ng -i wlan0 -c 11 --ap HackMe
D.reaver -i wlan0 -b HackMe -c 11 -K 1

Answer

A

D.reaver -i wlan0 -b HackMe -c 11 -K 1

Explanation:
The command options include the following:

i Your wireless interface name
b MAC of the target AP
c Channel to camp on
K Execute pixie dust attack (brute-force WPS PIN)

Question 55

Q

James has completed the pentest engagement, but because some of the applications were still in development stage, he was unable to properly test them.

How could he BEST address the issue?
A.He could test the development environment as a gesture of goodwill
B.He could use the conclusion section to suggest future tests of previously excluded items
C.He could prepare a new pentest offer and send it to the client with the pentest report
D.He could mention this issue in a face-to-face meeting with the client

Answer

A

B.He could use the conclusion section to suggest future tests of previously excluded items

Explanation:
The conclusion section is where such information should be included.

For example, if your pentest scope excluded web application testing, you might recommend conducting that testing in a future engagement

Question 56

Q

Parameterized queries are usually remediation for what type of vulnerability?
A.DNS Zone Transfer
B.CSRF
C.Man-in-the-Middle
D.SQL Injection

Answer

A

D.SQL Injection

Explanation:
Input validation and parameterized queries are the usual remediation for SQL Injection vulnerabilities.

ANy unnecessary open services should be closed as part of system-hardening activities

Question 57

Q

James is involved in a pentest, and the client would like to add his IP address to the IPS whitelist.

What sort of engagement will it likely be?
A.Grey box 
B.APT
C.White box
D.Red team

Answer

A

C.White box

Explanation:
Usually in a white box engagement, the pentester is allowed through the firewall and other preventive measures

Question 58

Q

Through threat modeling, the client determines that their main concern is persistent attackers using complex attacking techniques and models.

Which sort of threat actor is the organization most worried about?
A.Insider Threat
B.Pentester
C.APT
D.HAcktivist

Answer

A

C.APT

Explanation:
The advanced persistent threat (APT) is a type of threat actor motivated to steal sensitive information from high-profile targets using sophisticated hacking capabilities

Question 59

Q

Which of the following is a fairly easy and underestimated attack vector?
A.Wi-Fi Password Cracking
B.Insider Threats
C.Phishing Emails
D.Zero-Day exploits

Answer

A

C.Phishing Emails

Explanation:
Phishing attacks target sensitive information like passwords, usernames or credit card information.

While most phishing is done via email, there are many related attacks that can be categorized as types of phishing

WiFi password cracking requires physical access to the location, and besides that there is a whole exploitation chain associated with that attack

Zerp-day exploits are very hard to find and usually not available to the public

INsider threats are not exactly pentest-related and would require a rogue employee

Question 60

Q

During a web penetration test, Sara identified a user input field and attempted the following input:

“test; SELECT Username,Password FROM Users;–”

What is Sara testing for?
A.Directory Traversal
B.Remote Code Execution (RCE)
C.SQL Injection
D.Code Injection

Answer

A

C.SQL Injection
Explanation:

“test; SELECT Username,Password FROM Users;–”
is a SQL query and, if not validated properly, would be executed by the server.

Even if the query is incorrect, a vulnerable server would return and SQL error, thus suggesting that the query in fact reached the DB server

Question 61

Q

WHat combination of tools could ALex use to obtain an administrators password from a domain controller once he has access to it?
A.Nessus and Burp
B.Mimikatz and John The RIpper
C.SQLmap and Mewl
D.SET and Burp

Answer

A

B.Mimikatz and John The RIpper

Explanation:
Mimikatz is good for obtaining password hash files and databases such as Windows SAM database,

While Mimikatz could also attempt to crack the passwords, John the Ripper is specifically focused on password cracking using a file with stored passwords.

In combination, both tools complement each other

Question 62

Q

George suspects that he has managed to comrpomise a virtual Windows machine during his penetesting actions.

What method could he use to determine whether the machine is in fact virtual or physical?

A.Check the network adapter drivers to determine if its a VM interface
B.Check the Windows version and determine if its associated with virtualization
C.Run the “wmic baseboard get manufacturer, product” command
D.Check the network configuration and look for a VMnet identifier

Answer

A

C.Run the “wmic baseboard get manufacturer, product” command

Explanation:
This command provides the manufactuer and the product name of the machines motherboard.

On a virtual machine, this command would output the virtualization platform

Question 63

Q

The following code is an excerpt of what type of attack?

A.PHP Web SHell
B.Cross-site scripting
C.PHP System function
D.HTML Code Injection

Answer

A

A.PHP Web SHell

Explanation:
Web servers that support various web scripting languages such as PHP can easily fall victim to backdoor shells.

Controlling access to where files are uploaded and controlling supported file types are ways to mitigate against this type of vulnerability.

A simple PHP one-liner is sometimes all you need

Question 64

Q

What remediation method could be suggested in the following scenario?

On a client’s host the following services are found to be running:

port service

22 SSH

23 Telnet

25 SMTP

80 HTTP

443 HTTPS

Upon checking with the client, Alex is informed that they haven’t used telnet for years.
A.Institute a regular user password changing policy
B.Change the telnet port to one less frequently used
C.Close all unused ports and disable all unused services
D.Use two-factor authentication for telnet login

Answer

A

C.Close all unused ports and disable all unused services

Explanation:
One of the best and in fact mandatory ways to improve the security state of a system or even of an environment is to make sure there are no running services or open ports that are not being used

Answer 65

A

B.A cron job running a file from the /tmp folder

Explanation:
Such a cron job is usually associated with a malicious file being executed from the /tmp folder.

This indicator of prior compromise should be brought to the attention of the customer immediately

Having multiple user accounts is fairly common and likely benign

Use of the psexec command could be related to legitimate admin work

Sysinternal tools are quite often used by Windows admins

Answer 66

A

C.They need to be PCI DSS compliant

Explanation:
POS (Point of Sale) systems involved in credit and debit card transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS), which outlines strict, specific rules for all the handling of credit card information and the security of devices involved in those transactions

Answer 67

A

B.To prevent his next commands from being recorded

Explanation:
Both Linux and Mac OS keep track of the commands user type in the terminal.

The BASH shell will record keystrokes in the $HOME/.bash_history file.

During a pentest, once you obtain access to a Unix/Linux/Mac operating system, it is a best practice to unset the history file to prevent the user/administrator from known what commands you are executing, as well as not commingling your dirty/malicious commands with a users history

Answer 68

A

B.List groups on the AMS domain

Explanation:
Exploring Windows domains will be a lot easier if you are familiar with the Windows net commands

Answer 69

A

D.Maltego, Shodan

Explanation:
Maltego is a very powerful tool for collecting reconnaissance data and identfying connections between objects of interest.

Shodan is a search engine, specialized in identifying hardware appliances and servers along with running services and software version.

Shodan is very helpful when performing reconnaissance against internet facing targets

Burp is a local proxy tool, heavily used when performing web pen test.

Sqlmap is a python based tool focused on SQL injection attacks

Aircrack-ng is a tool used for WiFi pentesting

Answer 70

A

A.Cron

Explanation:
Linux uses cron or cron jobs for scheduled activities.

It is similar to Windows scheduled tasks and could be used in a similar way to establish persistence on a system and survive reboot

Answer 71

A

D.Look for writable scheduled tasks

Explanation:
In some cases, it may be possible to abuse writable services that run as SYSTEM or elevated privileges.

Answer 72

A

B.Using X-server forwarding

Explanation:
X-server forwarding is an SSH configuration element that allows X-server content to be pushed through the SSH connection; for example, browser, calculator and other graphical applications.

X-Server forwarding needs to be enabled in the configuration in order to be used.

Another method of exploiting the internal site through SSH would be to use the SSH connection as a SOCKS proxy, but this would require more in-depth SSH knowledge

Answer 73

A

C.Untethered

Explanation:
With an untethered jailbreak, the device could be powered on and off without the use of a computer

With a tethered jailbreak, a computer and software would be required to boot the jailbroken device each time.

Semi-tethered would mean that if the device was rebooted, a computer would be needed to patch the kernel again and jailbreak the device each time.

A semi-untethered jailbreak would be the same as a semi-tethered, except that it could be accomplished using the jailbreak app that is already on the device and would not require a computer

Answer 74

A

B.Kerberoasting

Explanation:
Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) tickets for any SPN from a domain controller (DC)

Answer 75

A

D.Shodan

Explanation:
Shodan is a security search engine for misconfigured or exposed systems

Nmap is a tool for active scanning

WHOIS cannot provide exposed device information

DuckDuckGo is simply a normal search engine, like Google

Answer 76

A

A.The phone needs to be jailbroken

Explanation:
Once elevated privileges are obtained through jailbreaking (exploiting a vulnerability that essentially provides root access), unsigned applications can be installed on the device as if they were approved by Apple

Answer 77

A

D.As an agent (server) running on the mobile device and a client with command line interface running on a PC.

Explanation:
As an agent (server) running on the mobile device and a client with command line interface running on a PC

Drozer consist of an agent, also known as a server, running on the mobile device and a client with command line interface.

Drozer is modular and can be used to text existing exploits

Answer 78

A

D.Use social engineering

Explanation:
Social engineering is the most reliable way to gather data such as email addresses.

WHOIS cannot provide personal email addresses

John The RIpper is a password cracking tool

Nmap has no option for scanning for emails

Answer 79

A

A.Executive summary

Explanation:
The executive summary is usually in the beginning of the report and summarizes the big picture, methodology used, and a high or critical level findings.

Answer 80

A

B.BeEF

Explanation:
BeEF (browser Exploitation Framework) is a built-on tool in Kali Linux that allows browser manipulation if the victim is hooked

Answer 81

A

C.Telnet does not enforce encryption and communicate is plaintext

Explanation:
Telnet is a communication application, similar to SSH, but as it is quite old and hasnt been updated for a long time, it is lacking in cryptographic security and all the communication passing through it is in plaintext

Answer 82

A

D.Cloning the MAC address of a device that was previously connected to the same network port

Explanation:
NAC systems are used to authenticate new devices to the corporate network.

Some NAC systems, however, can be tricked by simple actions like cloning the MAC address of an already authenticated host, or setting up a static IP matching the authenticated host

Answer 83

A

C.Metasploit

Explanation:
Metasploit is a powerful framework and consist of multiple modules.

Auxiliary modules are usually scanners or other reconnaissance tools.

This module uses Google, Bing and Yahoo to create a list of valid email addresses for the target domain and is useful in automated information gathering during a penetration test

Answer 84

A

B.Ask the pentesting company to sign an NDA

Explanation:
A non-disclosure agreement (NDA) is an agreement that legally obliges the parties involved to not disclose any information obtained during the pentest

Answer 85

A

D.Add them as an object in a Word version of the report

Explanation:
The conclusion of a pentest report may include an appendix, which references artifacts that are associated with the pentest activities, including scan data, notes, etc.

These artifacts can be inserted as objects in a pentest report formatted in Mircrosoft Windows

Answer 86

A

B.A dictionary attack utilizes a dictionary of words as a possible password, while a brute-force attacks test all possible combinations defined in the setup

Explanation:
A dictionary attack utilizes a dictionary of words as a possible password, while a brute-force attack tests all possible combinations defined in the setup

Answer 87

A

A.The VRFY command could be used for user enumeration

Explanation:
After you connect with Netcat or Telnet, issue the VRFY or EXPN command using an internal email address is an attempt to enumerate local or domain users in the environmet.

For example, VRFY root.
If the VRFY command is enabled on the relay server and the account doesnt exist, you will receive an error message

Answer 88

A

B.Technology

Explanation:
In this situation, simple technology improvement could resolve the vulnerability and completely remove the risk
..
Migration to more secure password hashing functions would be mandatory

Answer 89

A

D.Reference the results in an appendix in the conclusion section

Explanation:
It is a good practice to keep the report clean and tidy with only relevant information in it.

However, it is also good to practice to provide all secondary information related to the test in an appendix for detailed technical review

Answer 90

A

A.Microsoft’s Local Administrator Password Solution

Explanation:
Microsoft’s Local Administrator Password Solution (LAPS) is a tool that manages administrative credentials for organizations.

It stores and manages passwords in Active Directory, where they may be directly tied to computer accounts

Answer 91

A

B.Stakeholders

Explanation:
Stakeholders are among the targeted audience when preparing a pentest report

The stakeholders are information consumers, not just escalation points.

Each group will have a different understanding and expectation of the process.

Since the stakeholders group is not made up of technically oriented individuals, they should not be taking part in the scoping process

Answer 92

A

A.Nmap -sS

Explanation:
The Nmap -sS command will initiate a “syn scan” which is also called a stealth scan due to the nature of the packets being sent

Answer 93

A

C.John is an insider threat

Explanation:
Being part of the organization and possessing internal knowledge, John is in the position of an insider or also known as insider threat.

Insider threats are very common and are considered high risk.

Answer 94

A

A.Yes using Zenmap

Explanation:
Zenmap (NMAP GUI) build an automatic topology upon scanning targets

OWASP ZAP is a web application scanner proxy software

theHarvester is an OSINT tool for collecting emails and other information

Answer 95

A

C.Impersonation

Explanation:
Impersonation (regardless of whether the individual is an officer of the law) can be a criminal offense and is governed by state law.

The criminality of impersonation varies and may taker the form of assuming false identity with the intent to defraud another, pretending to be another person or organization, or opening bank and credit accounts under someone else name, otherwise known as identity theft

Answer 96

A

D.Wireshark

Explanation:
Wireshark is a very powerful tool for analyzing and inspecting network traffic and packet captures.

It has extensive GUI interfaces rich with features

Answer 97

A

A.Eavesdropping

Explanation:
Eavesdropping is a passive form of information gathering, because John simply hears them talking about it and doesnt have to do anything else to get this information

Answer 98

A

D.A tool like Metasploit, Medusa, or Hydra in a pass the hash attack

Explanation:
In a Windows network, NT LAN MAnager (NTLM) is a suite of Microsooft security protocols.

It was the feault for network authentication in the Windows NT 4.0 OS that provides authentication, integrity and confidentiality to users.

The NTLMv2 is the latest version and uses the NT MD4 based one-way function.

The hash lengths are 128 bits and work for a local account and Domain account

The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller) and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password

Pass The Hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a users password, instead of requiring the associated plaintext password as is normally the case.

Answer 99

A

B.The legal department

Explanation:
Legal representatives may be necessary to ensure that legal and contractual commitments are upheld by all parties involved in the engagement.

The group of stakeholders usually involved in the pentester discussions includes executive management, security personnel, it IT department, pentesters, and the legal department

Answer 100

A

C.Mimikatz

Explanation:
Mimikatz is a post-exploitation tool used for obtaining plain text user accounts and passwords

Answer 101

A

B.DirBuster

Explanation:
A popular tool for this purpose is DirBuster which is a Java-based framework.

DirBuster is included in Kali Linux, which also provides a common wordlist found in /usr/share/dirbuster/wordlists

Answer 102

A

C.Start the process of deconfliction

Explanation:
Communication with the customer provides the ability for deconflicition, which is the process of sorting out your pentest artifacts from the artifacts of a real compromise, for example

Answer 103

A

B.Account Information

Explanation:
Social media enumeration focuses on identifying all of an individuals or organizations social media accounts.

This would include LinkedIn, Facebook, Twitter and so on.

The information shared on those platforms could potentially aid the attacker in a social engineering attack in the future.

Answer 104

A

C.Sample application requests

Explanation:
Having a list of sample APLI calls would help you no to miss any possible parameter you could test and also would help identify the boundaries of a proper request, which could later be exploited .

Answer 105

A

B.ExifTool

Explanation:
ExifTool is a free and open-source software program for reading, writing and manipulating image, audio, video and PDF metadata.

This data might provide additional useful information, for example location

Answer 106

A

D.Evil Twin can be used for a downgrade attack

Explanation:
Evil Twin can also be used for a downgrade attack, which tricks clients into using a less secure protocol or encryption scheme.

Once George has successfully conducted a MiTM attack,m he can also work on credential harvesting by capturing unencrypted traffic between the client and remote systems and services

Answer 107

A

A.Nmap

Explanation:
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts.

Whereas a single ping will tell you whether one specified host computer exists on the network, a ping sweep consist of ICMP ECHO requests sent to multiple hosts.

If a given address is live, it will return an ICMP ECHO reply.

Ping sweeps are among the older and slower methods used to scan a network

There are a number of tools that can be sued to do a ping sweep, such as fping, gping and nmap for UNIX systems, and the Pinger software from Rhino9 and Ping Sweep from SolarWinds for Windows systems.

Both Pinger and Ping Sweep send multiple packets at the same time and allow the user to resolve host names and save output to a file

You can use Nmap for quick ping sweep of a local network.

For example: Nmap -vv -n -sn 192.168.0.0/24 -oA pingscan.out

Answer 108

A

D.Employee security awareness training

Explanation:
Regular security awareness training could help the employees properly identify phishing emails

A social engineering test can provide information about employee behavior, policy compliance and enforcement, and security awareness in addition to the information and access that it may provide through an organizations security boundaries.

If employees are well trained to recognize malicious emails, this information could be protected

Answer 109

A

C.Local File Inclusion (LFI)

Explanation:
An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server.

An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS)

Typically, LFI occurs when an application uses the path to a file as input.

If the application treats this input as trusted, a local file may be used in the include statement.

Local File Inclusion is very similar to Remote File Inclusion (RFI).

However an attacker using LFI may only include local files (not remote files like in the case of RFI)

Remote File Inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts.

The perpetrators goal is to exploit the referencing function in an application to upload malware from a remote URL located within a different domain.

The consequences of a successful RFI attack incluide information theft, compromised servers and a site take over that allows for content modification

Answer 110

A

C.DNS Cache Poisoning Attack

Explanation:
In a DNS cache poisoning attack, the victim sends a DNS query to the respective DNS server.

If the server does not know the answer, the query is then forwarded to its parent DNS server.

If the hacker manages to respond to the query before the genuine, authoritative answer arrives, he can provide his own host information and potentially poison the DNS cache of the server with a malicious response

Answer 111

A

A.By using port scanners

Explanation:
Port scanners are tools that generate traffic and can enumerate hosts, ports and services

Burp Suite cannot perform host scanning

Directory traversal has nothing to do with identifying live hosts

A honeypot is used as a method of defense against hackers

Answer 112

A

D.Lessons learned

Explanation:
The lessons learned section is an internal session between the pentesting team members that is held after the successful completion of a pentest.

In this session the team usually discusses the future methods and ways to improve the testing service they provide

Answer 113

A

C.Hold regular meetings with the client

Explanation:
The reason for holding regular meetings with the client is to maintain situation awareness and be able to respond to any necessary changes in the client environment

Answer 114

A

A.Yes because they could reassure management

Explanation:
Providing some general observations you made during the pentest can help senior management know some things concerning the culture of the organization that they may not already know

Answer 115

A

A.Zenmap

Explanation:
Zenmap GUI is a graphical Nmap tool with some neat features under the hood, one of which is creating topology map of the network it scans.

This can be very useful when planning attacks

Answer 116

A

D.Timestomp

Explanation:
Timestoping is used to modify the timestamps of files on the disk.

Idletime will display the number of seconds that the user at the remote machine has been idle

Shell will drop your session to OS shell

Karmetasploit allows you to fake access points, capture passwords, harvest data and conduct browser attacks against clients

Answer 117

A

A.Jack should communicate directly with the contact person appointed in the contract

Explanation:
A clear communication path should be predefined and strictly followed by the penetration tester.

Upon discovering a critical vulnerability, it is a good practice to report it in a timely manner.

The information should not be shared with the admin unless this is explicitly allowed in the contract

Answer 118

A

B.lsb_release -a

Explanation:
“lsb_release” command with -a parameter would likely show the current release and kernel version.

Another helpful command that would show detailed kernel information is “uname -a”

Answer 119

A

B.Default credentials

Explanation:
Some systems run web-based applications and are configured with default credentials, which make them easy targets for attacks.

A pentesters approach to accessing these devices over the network should be similar to the approach taken against a corporate IT system

Answer 120

A

A.A free retest is a common request, but it should be considered a new engagement and charged for

Explanation:
Retest is a common request with pentests.

However, if the scope of the restest is larger or different than the scope of the test, it should be considered a new engagement and should be charged for

The nature of follow-up actions varies, and testers should make a judgement call about the level of formality involved.

If the client is request a quick retest that falls within the original scope of work and rules of engagement, the testers may choose to simply conduct the retest at no charge.

If, however, the client is requesting significant work or changes to the scope or rules of engagement, the testers may ask the client to go through a new planning process

Answer 121

A

A.Proxychains

Explanation:
As you send traffic to and from systems during a pentest, you will likely want to hide the content of the traffic you are sending,.

You can use proxychains to tunnel any traffic through a proxy server, with full support for HTTP, SOCKS$ and SOCKS5 proxy servers and with the ability to chain multiple proxies together to further conceal your actions

Answer 122

A

B.Generate a word list for future password cracking

Explanation:
Spiders are used to browse a given URL and return a word list that can be sued with either password crackers (like John the Ripper) or brute force login tools (like Hydra)

Answer 123

A

D.DNS Cache Poisoning

Explanation:
The DNS resolver cache is overwritten on the DNS server with a malicious web address and the user will be directed to the malicious site instead of the intended one

Answer 124

A

B.SOW

Explanation:
The SOW is a document that defines what deliverables will be created, the timeline for the work to be completed, the price of the work and any additional terms and conditions

Answer 125

A

A.Using Burp Suites Intruder to brute-force a login page of a website

Explanation:
In a dictionary attack, the attacker uses a dictionary (list) of common words and phrases that are often used as passwords.

Then a tool, such as Burp Suite Intruder, iterates through the list and attempts to authenticate against the login mechanism

Answer 126

A

D.Operating system fingerprinting

Explanation:
OS scanning is the wrong term, because the OS cannot be scanned; the way a PC behaves determines which OS it is using.

While probing different servcies and ports, the scanner is matching the response against a predefined table of responses.

Based on the results, the OS is determined

OS listing is a term used when working with asset management tools

Answer 127

A

C.Governmental restriction

Explanation:
Export restrictions are governmental rules prohibiting the export of certain goods and services to other countries.

US export laws prohibit the export of certain encryption technology

Answer 128

A

D.Fuzzing

Explanation:
Fuzz testing (fuzzing) is a software testing technique that inputs invalid or random data called fuzz into the software system to discover coding errors and security loopholes. Data is inputted using automated or semi-automated testing techniques after which the system is monitored for various exceptions, such as crashing down of the system or failing built-in code, etc. The goal of fuzzing is to detect validation logic, memory leaks, or error handling.

A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.

Code review is a software quality assurance activity in which one or several people check a program mainly by viewing and reading parts of its source code, and they do so after implementation or as an interruption of implementation. At least one of the persons must not be the code’s author.

Answer 129

A

C.References to online articles and databases

Explanation:
References to online articles or CWE or CVE databases and other online sources of vulnerability information, would help the client understand the impact as well as the method of remediating it

Answer 130

A

B.Read the HTTP response header

Explanation:
A simple netcat (nc) request over port 80 or 443 will return an HTTP response header.

This header usually contains the web server version

Answer 131

A

A.theharvester, nslookup

Explanation:
theHarvester and nslookup are two easy to use and very helpful tools used to interrogate DNS servers.

theHarvester is a tool for gathering email accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, pgp key servers).

nslookup is a network administration command-line tool available in many computer operating systems for querying the Domain Name System to obtain domain name or IP address mapping, or other DNS records. The name “nslookup” means “name server lookup”.

The msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF.

CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers.

Answer 132

A

B.Proof of concept (POC)

Explanation:
POC, or proof of concept is usually a script or a piece of code that is created solely for exploiting a targeted service or software.

Such POCs can be found in exploitdb, for example

Answer 133

A

D.DOM-based XSS is executed directly in the browser; reflected or stored XSS is passed back to the server

Explanation:
The document object model (DOM) is passed down to the browser from the application during runtime and is used for structuring content.

Unlike with stored or reflected XSS attacks that get passed back to the server, the execution happens directly in the users browser, since not every object is treated as a query by the browser.

This can make the detection process even more difficult if the logging only occurs on the client side

Answer 134

A

A.Stored cross-site scripting (Stored XSS)

Explanation:
Cross-site scripting attacks can be broken down into two types: stored and reflected.

Stored XSS, also known as persistent XSS, is the more damaging of the two.
It occurs when a malicious script is injected directly into a vulnerable web application.

To successfully execute a stored XSS attack, an attacker has to locate a vulnerability in a web application and then inject malicious script into its server. One of the most frequent targets are websites that allow users to share content, including blogs, social networks, video sharing platforms and message boards. Every time the infected page is viewed, the malicious script is transmitted to the victims browser

In the example. Alex would also store the script “alert(hacked)”

If vulnerable, the script would be executed every time the page is loaded.
This applies to all user that would open the page.

Reflected XSS involves the reflecting of a malicious script off of a web application onto a users browser.

The script is embedded into a link, and is only activated once that link is clicked on

Code Injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or “inject”) code into a vulnerable computer program and change the course of execution

SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database

Answer 135

A

D.Atheros AR921

Explanation:
It has been verified many tiumes that Kali Linux works best with chipsets of Aetheros and Ralink.

There are native drivers in Kali that support this hardware are proven to work flawlessly

Answer 136

A

C.Medusa

Explanation:
Patator is a less user-friendly tool used for brute-forcing.

It provides functionality similar to that of Hydra and Medusa, but with a different approach

Answer 137

A

B.A working exploit, and the hypervisor should not be patched

Explanation:
Exploit tools that allows attacker to escape a virtual machine to directly attack the hypervisor have been sought for years, with high prices paid for working exploits on the open market.

Exploits have been found for VMware, Xen Project, Hyper-V and VirtualBox, but each has been patched shortly after it was found.

In most virtualization environments, VM escape isnt likely to work unless a new exploit is introduced and you are able to use it to exploit a compromised host before it is patched by your target organization

Answer 138

A

D.Local File Inclusion

Explanation:
There are two kinds of file inclusion: Local (LFI) and Remote (RFI)

Local File Inclusion includes files outside of the web root and renders the contents of local operating system files, such as the password file, to the browser window

Answer 139

A

D.It will list all services with their name, display name and executable location

Explanation:
Lower-privilege users will not be able to modify the service; however, they can still search services.

The WMIC command can be used to look for services with unquoted executable paths

Answer 140

A

C.Remote File Inclusion

Explanation:
Remote file inclusions allow files or even whole pages to be displayed inside a vulnerable web page.

If the parameters of the HTTP request can be altered to point to a malicious location, its possible the web application is susceptible to remote file inclusion, which in turn could allow for malicious code to be run on the server or on the client

Answer 141

A

B.Debuggers

Explanation:
OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development.

The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems.

Answer 142

A

A.VNC

Explanation:
Virtual Networking Computing (VNC) is a common remote control tool.

Much like Remote Desktop Protocol (RDP), VNC can be used to remotely control a host through the graphical user interface.

There are several VNC solutions and each has its pros and cons.

VNC solutions and each has its pros and cons.

VNC, in most cases, is cross-platform software, meaning it can be used on Windows, Linux and MAC

Answer 143

A

B.Wi-Fi

Explanation:
The 802.11 (routers and access points) is a family of Wi-Fi devices.

Wireless networks that use IEEE 802.11 standards rely on RF for transmitting and receiving data

Answer 144

A

A.Vulnerabilities

Explanation:
While theHarvester does collect a wide variety of data, such as emails, domain, subdomains, virtual hosts, open ports, and service banners, theHarvester is not a vulnerability scanner and does not provide vulnerability information

Answer 145

A

D.Sudo stands for super user do and is used for elevating privileges

Explanation:
Sudo is a program for Unix-like operating systems that allows administrators to delegate authority within the operating system to low privileged user accounts

Answer 146

A

A.Firewall, IPS and IDS

Explanation:
In computer security, whitelisting and blacklisting are basic access control mechanisms that can be implemented in network firewalls, spam filters, web application firewalls (WAFs) etc.

A blacklist is the opposite - it allows all but denies members of the blacklist

Answer 147

A

B.-Pn disables ICMP requests

Explanation:
-Pn means “disable ping” or “do not use ICMP echo requests” to determine if a host is online or not.

Many operating systems are configured not to respond to ICMP echo requests (or ping),

With a default configuration, Nmap would assume hosts and not responding to ping were offline hosts and would skip them

Answer 148

A

C.Check what commands he can run and focus on SUID commands

Explanation:
When greeted with a restricted shell, a pentester can try the following techniques:

Check the commands you can run, particularly looking for SUID commands
Check to see if you can use sudo and what sudo commands you can execute
Check for languages like Perl, Python or Ruby that you can run
Check to see if you can use redirect operators like | or > and escape characters like single quotes, double quotes or other execution tags

Answer 149

A

A.Recover encryption keys from the memory of a powered-off device

Explanation:
The cold boot attack is an attack method discovered by Princeton University researches (roughly a decade ago) who were able to demonstrate the ability to recover disk encryption keys from random access memory (RAM) when the power is cycled on the device

Answer 150

A

A.Burp Suite

Explanation:
Burp Suite would be the most suitable tool because it uses a proxy to intercept the HTTP requests going to and from a website in an easily readable way

Nikto is an open-source web application scanning tool that uses a command-line interface that does not have a proxy and cannot intercept HJTTP requests

Wfuzz is a web application fuzzer that uses payloads of data to sniff out directories, files or headers.
It cannot intercept HTTP requests

DirBuster is a tool used for finding directories in a web application, not to intercept HTTP requests

Answer 151

A

C.Third-party assets belong to another company, and third-party hosted assets belong to the client company but are hosted on another resources

Explanation:
When defining the scope of a pentest, it is very important to be able to distinguish assets owned by the client and those owned by a third party

Answer 152

A

D.Notify the client immediately

Explanation:
When a pentester finds a critical finding on the network such as a publicly exploitable vulnerability from outside the firewall that anyone on the Internet could exploit, it should be brought to the clients attention so the proper mitigation can be applied to prevent the potential risk of compromise

Answer 153

A

A.Golden Tickets

Explanation:
When attackers succeed in acquiring TGTs, they often call them golden tickets because they allow complete access to Kerberos-connected systems, including creation of new tickets, account changes and even creation of accounts or services

Answer 154

A

C.Reverse shell

Explanation:
The Metasploit Meterpreter shell and reverse shell are effective ways of interacting with a target environment, as they run entirely in memory and leave little or no trace after disconnecting

Answer 155

A

D.Start of a Wi-Fi monitoring interface on channel 9

Explanation:
The “airmon-ng” command is included in the Aircrack-ng suite of tools, in order to configure an adapter in monitor mode.

Answer 156

A

A.WMI

Explanation:
Windows management instrumentation (WMI) is a powerful tool that allows local and remote data-gathering and is installed on all Windows machines

Answer 157

A

A.Hashcat

Explanation:
Hashcat is a password cracking utility that uses graphics processing unites (GPUs) to crack passwords at a very high rate of speed.

Hashcat is much faster than the traditional tools (like John the Ripper, which is CPU-bound), making it a tool of choice if you have access to appropriate hardware

Answer 158

A

A.Create a daemon with malware

Explanation:
Daemons are programs that run in the bacvkground and not under the control of the user. Think of daemons like services in WIndows

Code Injection would require much more effort and would only benefit if the goal was to hide the attack

DLLs are used in WIndows OS only

Editing the boot loader would require much higher privileges and much more effort in comparison to creating a daemon

Answer 159

A

B.Bluejacking

Explanation:
This method transmits data to the device without the users knowledge

A typical way to carry out this type of attack is by sending an electronic business card via Bluetooth to an unsuspecting victim

Answer 160

A

B.Certificate pinning

Explanation:
Certificate pinning is the technique of associating one host with its public key and using it to make a trust decision.

Once the public key changes, the host is no longer trusted.

SSH is an example of a service that uses this technology

Answer 161

A

B.Yes, all information should be included in the report

Explanation:
In the pentest report, all methods and objectives previously discussed in the statement of work (SOW) should be addressed. Any information, even insignificant, could be useful for the client. Sometimes, a given method does not produce successful results, but could still provide good insight to the client environment and help find room for improvement.

Answer 162

A

D.Reflected HTML injection

Explanation:
A reflected HTML injection vulnerability is a non-persistent browser execution attack, meaning that the injection would be lost once the current browser session was closed

Answer 163

A

B.Password authentication and SMS-received PIN

Explanation:
Multifactor authentication would suggest more than one authentication method.

Passwords, even if used several times, are a single method of authentication.

Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories (or factors)

Answer 164

A

C.iGoat

Explanation:
iGoat and DVIA (Damn Vulnerable iOS App) was developed to assist pentesters and security researches with testing against common weakness in a safe and legal environment

Answer 165

A

B.Brute-forcing

Explanation:
Brute-force apssword attacks are very inefficient and are typically a last resort.

However, tools like John the Ripper, Cain and Abel, and Hashcat help increase the chances of successful password exploitation.

JTR can conduct both dictionary and brute-force password attacks against common hashing algorithms

Answer 166

A

B.Spidering is also called web crawling and it indexes pages on the website

Explanation:
Crawling a website usually involves bots and scripts that automatically browse the website and index all pages.

Answer 167

A

A.Hijacking the session

Explanation:
Rob could try hijacking the OpenSSH X11 session.

OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing SSH ti set DISPLAY to :10, even when another process is listening on the associated port

Answer 168

A

C.A list of hosts in the AMS domain

Explanation:
You can also use /domain:[domain name] to search a domain that the system has access to other than the current domain.

In thise case the domain name is “AMS”, which usually stands for “Americas”

Answer 169

A

B.The command is “net share” and the output shows current SMB shares on a local host

Explanation:
The “net: command in Windows is very powerful.

You can use net view \ to discover available Windows shared drives or showmount -e for NFS shares

Answer 170

A

B.Compliance Based

Explanation:
Data isolation usually is related to systems covered by a compliance requirement.

Such systems fall under specific conditions directly related to the purpose they are built for.

Answer 171

A

C.RPC (Remote Proecure Call)/ Distributed Component Object Model (DCOM)

Explanation:
The MITRE ATT&CK matrix identifies the Microsoft Windows distributed component object model (DCOM) as a valid lateral movement technique that can be used to extend the functionality of the component object model (COM) from the local computer to other computers, using remote procedure call (RPC) technology

RCE stands Remote Code Execution

LFI stands for local file inclusion

Man in the middle is a traffic capture and sniffing technique

Answer 172

A

C.Stored Cross-site scripting (Stored XSS)

Explanation:
Stored or persistent XSS is a vulnerability much like reflected XSS: however, it does not disappear upon reloading of the page

Answer 173

A

D.TO ensure minimal password requirements are met

Explanation:
Weak passwords may be remediated through the use of minimum passwords requirements and password filters.

Password filters are used to enforce specific password restrictions for the system in question.

They filter out passwords that, for example, are missing a symbol or are shorter than a specific number of letters

Answer 174

A

B.Ettercap

Explanation:
Ettercap is a free open source network security tool for man-in the middle attacks on LAN

It can be used for computer network protocol analysis and security auditing.

It runs on various Unix like OS including Linux, Mac OS X, BSD and Solaris and on Microsoft Windows

Answer 175

A

A.PArt of the application documentation

Explanation:
Simple Object Access Protocol (SOAP) project file describes the format for sending and receiving messages in a web applications.

THis file could be used by an attacker to learn the recommended methods of sending messages and potentially suggest ways to force it into error condition

Answer 176

A

C.To obtain the corporate address and other internal information

Explanation:
Financial files almost always contain information that can be used by hackers to better understand the target.

No vulnerabilities can be displayed from such files, since vulnerability information usually comes with running a service

No exploit information can be extracted from these types of files

User credentials are not stored in financial files where multiple people can see them

Answer 177

A

B.Gather information about the organization via passive intelligence-gathering methods

Explanation:
Passive information gathering is a process of collecting information about the target (company, person, organization etc.) without interacting with it

You cannot exploit something you haven’t already found. To find a vulnerability you need to perform active scans

Active Scanning is based on the information gathered from the passive process

You cannot develop an exploit for engagement without first knowing the vulnerability

Answer 178

A

D.COokie manipulation

Explanation:
In cases where developers use their own sessions IDs, if randomness and complexity are not adequately applied to the equation, the cookie value can be manipulated to identify a valid session, which means the application could be susceptible to brute-force attacks

Answer 179

A

C.Phone book contacts from Blue-enabled devices

Explanation:
Bluesnarfing is a technique that can potentially provide access to the phone book of a targeted device

Answer 180

A

C.Search command

Explanation:
The search command can be used inside Metasploit and will search for the next argument passed to it

The easiest way of using the search function is by issuing the command search followed by a search term, for example, flash to search for exploits related to Flash player.

By using the search command, Metasploit will search for the given search term in the module names and description.

You can also use the search command with a keyword to search for a specific author, an OSVDB ID, or a platform.

The ‘help search’ command displays the available keywords in the msfconsole

Answer 181

A

B.nmap -O 10.15.0.0/24 -oX results

Explanation:
The -O option stands for OS detection

15.0.0/24 is the IP range for scanning
- oX stands for output to XML file

Answer 182

A

A. Set it as a cron job

Explanation:
Much like scheduled tasks in Windows, Linux uses cron jobs.

Cron jobs can be set to run on a specific time frame, such as hourly, daily, monthly or yearly.

They can also be ran on boot!!!

Answer 183

A

C.John the Ripper

Explanation:
John the Ripper is a free, powerful cracking software tool.

Originally developed for the Unix OS, it can now run on fifteen different platforms

Answer 184

A

C.Honeypots

Explanation:
Honeypots are a deception technology used to entice attackers to follow false trails that increase visibility into the attack. An example of a honeypot is a system on the network that would appear vulnerable to many exploits and could even be named in a way that would suggest that high-value information is stored on it.

Answer 185

A

B.PsExec

Explanation:
PsExec is a legitimate tool created by Sysinternals and is widely used by many Windows admins.

It is likely that the tool will already be deployed on the server and George will not have to download anything else.

Additionally PsExec is fairly covert tool and, unless one is going through the Windows logs, it would likely be unnoticed

Remote Desktop protocol is likely to make some noise and be noticed.

PowerShell Empire would require additional files to be deployed.

Meterpreter would also require a download

Answer 186

A

D.SMB and SNMP services

Explanation:
These services contain a lot of user information that can be really handy for the pentester

SSH is a service for remote terminal access

RDP is a service for remote desktop access

HTTP is a web service

Answer 187

A

D.The code will take a host as an input and scan ports between 20 and 1025 on it

Explanation:
The script will take user input from the terminal. It will attempt to get the IP address in case of hostname being provided. There are few print lines, which will produce status updates. For example ‘Starting scan on host’, targetIP This line will print out something like “Starting scan on host 127.0.0.1”.

The for loop will go through all ports between 20 and 1025 and attempt to open a socket (connection) to these ports on the targeted host.

Answer 188

A

A.Whitelisting means only allowing a specific list of accepted items and blocking everything else; blacklisting is only blocking a specific item and allow everything else

Explanation:
For example, in relation to firewalls, when you whitelist a short list of ports it means that all ports are closed and only those in the whitelist are open. In blacklisting, a specific list of “known bad” characters is created, and the web application firewall will block all requests containing the characters in the blacklist and allow everything else.

Answer 189

A

C.Scanning

Explanation:
Nikto is a n open-source web application scanning tool that uses a command line interface and displays the results in text form

Brute-force is a type of attack where the attacker tries lots of combinations of credentials to compromise a victim machine

Decryption is the process of taking encoded or encrypted text or other data and converting it back into text that you or the computer can read and understand

A DoS attack is a cyberattack which the attacker sends lots and lots of network packets to the victim in order to disrupt his web services for a certain amount of time

Answer 190

A

A.0-1023

Explanation:
An important part of port scanning is having an understanding of common ports and services.

While ports 0-1023 are known as “well known ports” or “system ports” there are a quite a few higher ports that are commonly of interest when conducting port scanning

Answer 191

A

D.wget

Explanation:
GNU Wget (written as wget) is a computer program that retrieves content from web servers.

It supports downloading via HTTP, HTTPS, and FTP

Its features include recursive download, conversion of links for offline viewing of local HTML, and support for proxies.

Wget is almost always preinstalled on the Linux host

Apt-get for installing, upgrading and cleaning packages

Yum is an open source package management utility and yum install is the command to install a package

mv is an integrated Linux command used to move files and directories from one directory to another or to rename a file or directory

Answer 192

A

A.Building an asset inventory

Explanation:
Pentesters use scanning tools that provide host discovery services in order to build an inventory database.

The results can help to determine the scope of the engagement

Answer 193

A

D.George could try a user enumeration exploit

Explanation:
Running Server Message Block (SMB) services could potentially be exploited in a user enumeration attack.

THere are Metasploit plugins that can be used in such an attack

Answer 194

A

A.hping -S -V targetsite.com -p 8080

Explanation:
hping supports sending different types of packets.

ping -S -V targetsite.com -p 8080 is incorrect because ping only sends ICMP.

ping -S -V targetsite.com is an invalid command.

dirb targetsite.com -r -s SYN is incorrect because dirb is a directory brute-forcer.

Answer 195

A

A.Conclusion

Explanation:
The conclusion is where James would provide a summary and make recommendations for future work. He might also include metrics and measures that help put the information presented in the report in the context of the organization or a peer group of similar organizations, or in a global context.

Answer 196

A

A.PsExec

Explanation:
The PsExec SysInternals command can help facilitate this type of connection when using privileged user accounts.

All the same theories and restrictions apply with PsExec, except you would be using a hash value instead of a password

Answer 197

A

C.Dynamic Application Analysis

Explanation:
Dynamic and runtime analysis is the process of executing and testing a program in real time, also known as dynamic application security testing (DAST).

This type of analysis includes the following:

Brute-force of the PIN or pattern lock on the device
Binary attacks against the mobile app to escalate privileges
Client-side injection attacks (e.g., SQL injection)
Access to application functions when the PIN or pattern lock on the device is not enabled
Copy/paste buffer caching
Obtaining sensitive information stored in memory
Evaluating shared application data storage

Answer 198

A

D.Nessus

Explanation:
Nessus is a vulnerability scanning tool that also scans for open ports and running services. If a tester is provided with a list of hosts, Nessus can be configured to scan a range of ports and identify the services running on them. Listing known vulnerabilities for each of these services is where Nessus really shines, thanks to its wide range of plugins.

Nmap is another tool that could be used to similar effect.

Answer 199

A

A.Perform network testing outside of working hours and use less aggressive scanning techniques

Explanation:
Obviously there are some client considerations to take into account. Many tools like Nessus, OpenVAS and others do have options for scheduling tasks. You could configure less aggressive scans and schedule them to be run outside the client’s working hours.

Answer 200

A

A.The command will generate and save a list of characters with a minimum length while spidering the site to depth 3

Explanation:
The Cewl tool will create a word list by using words and phrases from the targeted site. While gathering info, the tool will spider the site to depth 3. Because of “-m 3” the minimum length of words in the word list will be 3 characters. The results will be saved in a file named “list.txt”.

Cewl is useful for generating word lists related to specific targets.

Answer 201

A

B.Exploitation

Explanation:
Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral movement, Collection, Command and Control, Exfiltration and Impact

Answer 202

A

D.A compliance-based pentest

Explanation:
COmpliance-based assessments audit an organizations ability to implement and follow a given set of security standards within an environment

Answer 203

A

D.Wi-Fi AP

Explanations;
In order to test wireless access points (APs), the pentester needs to be on-site and in proximity to the AP.

Domain controllers and social engineering are usually tested through the internet. Internal web applications are usually tested once an internal account is being compromised.

Answer 204

A

C.An arpspoofing attack where 192.168.11.33 is the target and 192.168.11.1 is the gateway

Explanation:
The command is part of the arpspoof tool and is used in man-in-the-middle attacks. The -i eth0 is used to select the network interfaces for the attack, -t is used to specify the target, and -r is showing the route, or in this case the gateway, of the network.

Answer 205

A

D.Lack of best practices

Explanation:
The Center for Internet Security (CIS) provides best-practice solutions. Those best practices describe how similar situations should be handled. For example, services that are no longer used should be disabled. Accounts that are no longer used should also be disabled and in some cases deleted.

Answer 206

A

D.White box assessment

Explanation:
White box testing allows the pentest team to have insider knowledge of organizational network assets, policies, and procedures. In many cases, this also means full access to the application code. In order to include all of the listed criteria, you would need to conduct a white box pentest.

Black box and red team assessments would exclude the code review and internal testing.

Code review does not include either external or internal application testing.

Answer 207

A

D.Assurance of persistence

Explanation:
By creating a new local user account, an attacker can easily ensure persistence even after reboot or password change of the original account.

New accounts are usually easily detected, but in some cases they can remain long enough for the attacker to carry out his purpose

Answer 208

A

C.SSID of the APs being tested

Explanation:
When conducting on-site pentests involving Wi-Fi access points (APs), it is important to have a clear understanding which APs are in the scope of the test. This will help you exclude potential out-of-scope or third-party APs.

Answer 209

A

A.Impact analysis

Explanation:
Performing an impact analysis (IA) and proper threat modeling can help an organization define attack paths and aid in the target selection process. The impact analysis is a key aspect of requirements management and the formal approach to assessing the pros and cons of pursuing a course of action.

Answer 210

A

C.Container-based virtualization

Explanation:
Docker is a container-based virtualization tool.

Attacks against OS-level virtualization tools like Docker often start by compromising the application that is running in the container.

Answer 211

A

D.This is a technical constraint

Explanation:
The situation is a typical technical constraint and should be discussed when planning the pentest. It does not affect the pentest’s strategy or its methodology. The scope of the test is not changed either, as it is not yet defined.

Answer 212

A

A.Scanning modules

Explanation:
The complete recon-ng category list of modules consists of:

Recon modules - for reconnaissance activities;
Reporting modules - for reporting results on a file;
Import modules - for importing values from a file into a database table;
Exploitation modules - for exploitation activities;
Discovery modules - for discovery activities.

Answer 213

A

B.Examine the cloud provider and its key management policies and procedures

Explanation:
In some cases, cloud providers are already certified with the necessary compliance for key management services

They could easily provide documentation to support it.

If the cloud provider is not compliant with the specific requirements, the assessment should be extended to the cloud providers key management policies and procedures

Answer 214

A

C.Grey Box Test

Explanation:
Gray Box Testing is a combination of white-box testing and black-box testing. The aim of this testing is to search for the defects if any due to improper structure or improper usage of applications. The attacker would have limited knowledge of the targeted environment. Being provided with network topology could help the attacker, but at the same does not reveal too much of the infrastructure. Gray Box Testing gives the ability to test both sides of an application, presentation layer as well as the code part.

Black Box Testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied virtually to every level of software testing: unit, integration, system and acceptance.

White Box testing is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality. In White Box Testing, an internal perspective of the system, as well as programming skills, are used to design test cases. White Box Tests allow the pentester to have insider information that could aid the test process. Such information could include network firewall policies, security patches, etc.

A Red Team Assessment is similar to a penetration test in many ways but is more targeted. The goal of the Red Team Assessment is NOT to find as many vulnerabilities as possible. The goal is to test the organization’s detection and response capabilities. The red team will try to get in and access sensitive information in any way possible, as quietly as possible. The Red Team Assessment emulates a malicious actor targeting attacks and looking to avoid detection, similar to an Advanced Persistent Threat (APT).

To recap:

In White Box Testing internal structure (code) is known
In Black Box Testing internal structure (code) is unknown
In Grey Box Testing internal structure (code) is partially known

Answer 215

A

A.Run strings against the binary and analyze the output

Explanation:
Alex could run strings against the binary and analyze the output for possible clues. To be able to run a debugger and get meaningful results, she would need to first decompile the binary file.

Answer 216

A

C.For the pentesting team to review their processes and look for room for improvement

Explanation:
The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should speak freely about the test and offer any suggestions they might have for improvement.

Answer 217

A

A.By using Nessus

Explanation:
Nessus is a tool that allows scanning for various security issues such as network or web application vulnerabilities. It can be easily configured to run automated scans.

Masscan and Nmap are port scanners, not vulnerability scanners.

Wfuzz is a fuzzing tool, not a vulnerability scanner.

Answer 218

A

C,Using an -sV flag to do a service identification

Explanation:
Using “-sV” in George’s situation would produce something like this:

PORT STATE SERVICE VERSION

21/tcp open ftp ProFTPD 1.3.5

Where “ProFTPD” is the name of the software and “1.3.5” is a vulnerable version currently running.

Answer 219

A

C.THC Hydra

Explanation:
Hydra or THC Hydra is a popular and respected network logon cracker (password cracking tool) that can support many different services. Hydra can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more.

Answer 220

A

A.CVE

Explanation:
Metasploit can search for exploits based on CVE.

Answer 221

A

A.telnet

Explanation:
Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.

Nessus is a proprietary vulnerability scanner. Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received. Acunetix is an end-to-end web security scanner that offers a 360 view of an organization’s security.

Answer 222

A

B.Intercepting proxy

Explanation:
OWASP ZAP is an open-source web application security scanner. It is an intercepting proxy that serves as a great tool for security beginners and professional penetration testers. It provides tools to intercept and modify HTTP/HTTPS and WebSocket traffic, as well as an assortment of other useful tools.

Answer 223

A

A.BeEF uses a JavaScript code in hook.js

Explanation:
The Browser Exploitation Framework (BeEF) is a pentest tool that focuses on the web browser.

BeEF allows the professional pentester to assess the actual security posture of a target environment by using client side attack vectors.

Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the content of the one open door; the web browser.

BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context

BeEF uses a JavaScript code in hook.js, which when executed by a browser, gives a hook to BeEF.

With a hooked browser, similar to metasploit, you have an array of exploits in front of you.

SOme of them are viewing cookies, browser history to the more sophisticated attacks of getting a shell

Answer 224

A

B.host -t axfr domain.name dns-server

Explanation:
The host with the -t axfr switch could be used to enumerate DNS zones.

-t stands for “type” and “axfr” is used for DNS zone replication transactions.

Answer 225

A

D.Enforce encryption using HTTPS

Explanation:
Even though sniffing passwords on the wire is less frequently useful in modern networks, encryption should be used for all authentication systems.

Answer 226

A

C.Scope

Explanation:
When determining the list of targets and the limits of the penetration test, this information is structured and detailed as the scope of the test. The test scope could be a separate document or part of some other document related to the pentest. Defining the scope is extremely important and should be done with care.

Answer 227

A

C.Red Team

Explanation:
Red team assessment involves stealth and blended methodologies (i.e., network penetration testing and social engineering) to conduct scenarios of real-world attacks and determine how well an organization would fare with the use of the customer’s existing counter-defense and detection capabilities (i.e., what an attacker could do with a certain level of access).

Answer 228

A

D.Inform the client of the prior compromise

Explanation:
In cases where prior compromise traces are found, the pentester should stop all his activities and inform the client of the potential security risk.

James should not risk contaminating potential evidence by analyzing it himself or retracing the attackers steps

Answer 229

A

D.Asking leading or open-ended questions in order to gain information on the topic of interest

Explanation:
In elicitation, one asks open-ended questions on the topic of interest, but indirectly. They leave some questions or sentences incomplete, thus inviting the target to finish by providing the relevant information.

Answer 230

A

D.Yes, Alex needs to provide a full explanation and all relevant details for the client to be able to reproduce the results

Explanation:
When disproving a successfully exploited vulnerability, it is imperative that the report contain a full detailed explanation of the vulnerability and the method used to exploit it. The client should be able to reproduce it in order to mitigate it.

Answer 231

A

A.A face-to-face meeting on the topic of the report

Explanation:
In most cases, a face-to-face meeting with the client and the penetration testers is held. The meeting is focused on the report results and any questions that the client or their security representatives might have.

Answer 232

A

B.PsExec is slient and less evident

Explanation:
In a read team engagement, one is supposed to mimic a real-world attack.

No actual attacker would prefer to use RDP, which might even cause a logout for another user.

PsExec activities can usually be found in the event logs, but other than that they are rather silent and would likely not trigger any IDS/IPS alerts, because PsExec is also regularly used by admin

Answer 233

A

B.options list

Explanation:
The “options list” command is available once a plugin is selected and will provide all options related to this plugin

Answer 234

A

A.Stored XSS

Explanation:
Stored XSS can be used by injecting code in a log file to steal and redirect a session token, which is later accessed through a web interface by an administrative user

Answer 235

A

C.hping -S -V target.com -p 8181

Explanation:
In this example, an hping would send SYN packets to target.com on TCP port 8181, with the result of verbose output.

Answer 236

A

C.THC Hydra

Explanation:
Hydra or THC Hydra is a popular and respected network logon cracker (password cracking tool) that can support many different services.

Hydra can perform rapid dictionary attacks against more than 50 protocols, including telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several database and much more

Answer 237

A

D.Full disclosure at http://seclist.org/fulldisclosure

Explanation:
Full disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community.

Answer 238

A

A.Force Wi-Fi client de-authentication

Explanation:
You can use aireplay-ng to deautnehtcate an existing wireless client from the network to capture the four-way handshake

-0 Deauthentication

How many deauthentications to send to the wireless client?

a MAC of the target AP
C MAC of the target wireless client

Your wireless interface name

Answer 239

A

D.Clearing tracks

Answer 240

A

B.Web-based pentests

Explanation:
Things like sample application requests are usually part of a web application development and would be helpful in a web-based pentest. An example of a sample request could be a list of API calls compiled by developers.

Answer 241

A

A.Arpsoof

Explanation:
Arpspoof is a tool regularly used in man-in-the-middle attacks. The tool floods the MAC tables of a target with spoofed ARP responses for the MAC address of the network route or gateway.

Answer 242

A

C.By using specific plugins

Explanation:
There are plugins designed to enhance scanning techniques and also the range of vulnerabilities, thus simplifying the process of scanning. Each plugin consists of a list of known vulnerabilities and different techniques for testing them.

Using another vulnerability scanner software would increase time, traffic and the chance for mistakes.

Running the scan again is a useless procedure.

Not doing anything else is incorrect because there are ways to improve performance.

Answer 243

A

D.WinRM

Explanation:
Once enabled, WIndows Remote Management (WinRM) can allow remote PS command execution, usually associated with administrative work

Nc (netcat) is not a Windows feature but a single tool.

Empire is a pivoting and privilege escalation framework.

PowerSploit is a PowerShell exploitation framework

Answer 244

A

D.Stealth scan

Explanation:
When the targeted organization’s security team is not aware of the pentest being carried out, it makes more sense to avoid detection and imitate a real attack vector.

Answer 245

A

C.Bluesnarfing

Explanation:
Bluesnarfing is the process of exploiting vulnerabilities found in certain Bluetooth firmware in order to steal information from a wireless device. With successful attacks, one can steal contacts, calendar info, email, and text messages when the Bluetooth device is turned on and set to discoverable mode.

Answer 246

A

A.sqlmap.py –host “https://example.com/article.php?id=16” –dbms=MYSQL

Explanation:
When running sqlmap command, you would need to most importantly provide it with a target or a URL to use. The proper flag for this is “-u”. –host is also legitimate flag, but is used to specify the HTTP Host header value.

Answer 247

A

A.Windows Management Instrumentation

Explanation:
Windows Management Instrumentation, or WMI, provides access to a wide variety of information and commands. It can be used to obtain Application Inventory listings or to enable remote command execution or file transfers.

Answer 248

A

A.HTTP parameter pollution

Explanation:
HTTP parameters are assigned and typically managed and processed by the web application server. HTTP parameter pollution (HPP) involves entering arbitrary values into web parameters in an effort to cause unexpected behavior that could lead to either client- or server-side weakness, such as HTML injection or command injection.

Answer 249

A

B.It will locate all setuid executable files on a Lunix/Unix host

Explanation:
The command will traverse through the file systems, starting with the root partition and look for files that have the setuid bit applied that the account user has read access to.

Once the file located, the -exec option executes a long listing formatted with ls -al for each file that is returned

STDERR (standard error) is discarded and redirected to /dev/null

Answer 250

A

A.Jacob will need to be inside of the broadcast domain of a targeted system

Explanation:
ARP Spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network.

This results in the linking of an attackers MAC address with the IP address of a legitimate computer or server on the network

Once the attackers MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.

ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.

ARP spoofing attacks are often used to facilitate other attacks such as:

Denial-of-service attacks
Session hijacking
Man-in-the-middle attacks

Answer 251

A

D.Processes

Explanation:
Apart from improving the technology and training employees, Alex could also suggest process improvements that could result in a better security posture for her client.

Answer 252

A

B.options list

Explanation:
The “options list” command is available once a plugin is selected and will provide all options related to this plugin (i.e., source of input).

Answer 253

A

A.Man-in-the-middle

Explanation:
Man-in-the-middle is an attack that allows the attacker to position himself in the middle of the traffic between two entities. Thus is has nothing to do with social engineering.

Answer 254

A

D.He can use Airplay-ng to force Wi-Fi clients to de-authenticate and then re-authenticate

Explanation:
Aireplay-ng is part of the Aircrack-ng suite and provides the functionality to craft a packet in way that will de-authenticate the targeted machine. The correct command is as follows:

Aireplay-ng -0 1 -a -c

-0 flag stands for de-authentication

1 is the number of packets to be sent

a is the MAC of the targeted AP
c is the MAC of the targeted client

Answer 255

A

C.Check what commands he can run and focus on SUID commands

Explanation:
When greeted with a restricted shell, a pentester can try the following techniques:

■ Check the commands you can run, particularly looking for SUID commands.

■ Check to see if you can use sudo and what sudo commands you can execute.

■ Check for languages like Perl, Python, or Ruby that you can run.

■ Check to see if you can use redirect operators like | or > and escape characters like single quotes, double quotes, or other execution tags.

Answer 256

A

C.WIndows SMB Share

Explanation:The Windows Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols. Windows SMB shares are usually using port 445. There are many exploits and attacking methods against port 445.

Answer 257

A

A.-Pn

Explanation:
Nmap flags are the parameters we use after calling the program, for example -Pn (no ping) is the flag or parameter to prevent Nmap from pinging targets. The Nmap flag used to treat all hosts as online is -Pn.

Answer 258

A

A.USe searchsploit in attempt to find an exploit for the current version of “vsftpd”

Explanation:
Lisa should utilize all known exploit databases, such as exploit-db, metasploit, etc. in order to find a possible exploit for the current vsftp version.

Answer 259

A

C.COmmand Injection

Explanation:
The “curl” command is used against a targeted website with a vulnerable “article” parameter. The command is URL-encoded and when decoded looks like this:

cat /etc/passwd

The output should display the contents of the /etc/passwd file on the machine.

Answer 260

A

C.A trojan horse

Explanation:
A Trojan horse is disguised as legitimate software or a tool that serves a specific purpose, but it also has hidden functionality, usually providing back-door access or remote control to malicious attackers.

Answer 261

A

B.Confidentiality, Integrity, Availability

Explanation:
The CIA triad is a model that shows the three main goals needed to achieve information security. While a wide variety of factors determine the security situation of information systems and networks, some factors stand out as the most significant. The assumption is that there are some factors that will always be important in information security. These factors are the goals of the CIA triad, as follows:

Confidentiality - preventing unauthorized access to information or systems
Integrity - preventing unauthorized changes and modifications of information or systems
Availability - ensure that use or access to systems and information remains possible

Confidentiality, integrity and availability are the concepts most basic to information security. These concepts in the CIA triad must always be part of the core objectives of information security efforts.

Answer 262

A

D.The client should sanitize user input or use parameterized queries

Explanation:
Even though blacklisting a specific character might resolve the issue on the surface, blacklisting is not a solution. Best practices in this situation suggest sanitation of user input and usage of parameterized queries when possible.

Answer 263

A

D.A syn scan can work through most firewalls

Explanation:
Firewalls tend to allow “syn” packets to pass through, assuming they are part of a live connection, while a full connect scan attempts to initiate a new connection and is recognized by firewalls.

Answer 264

A

A.Whois database could contain information about the domain owner

Explanation:
Even though there are many online services that provide whois anonymity, some useful information could be extracted from the Whois database. It could contain information about the domain owner, contact details and addresses as well as dns servers.

Answer 265

A

B>Remove all rogue users

Explanation:
The post-engagement cleanup involves removing shells and tester-created credentials, and possibly removing tools from local or remote file shares. In some cases, the client may need to reboot target hosts in order to clear the contents of memory, even if nothing was written to disk. The pentester should also remove all users and accounts created for the purpose of the pentest.

Answer 266

A

D.He should remove his backdoor but leave the temporary mitigation and inform the client of the current situation

Explanation:
In general, testers should remove their changes and restore the system to its original state. The exception to this rule is that testers may have made emergency changes to assist with the remediation of critical vulnerabilities. If this occurred, testers should coordinate with management and determine appropriate actions.

Answer 267

A

A.Estimated number of hours

Explanation:
For an external or commercial pentest, budget determination normally begins with estimating the number of hours the testing will take, based on the complexity of the test.

Answer 268

A

A.UNION-based SQL injection

Explanation:
Sqlmap is a python-based database scanning and exploitation tool. The above command provides the targeted url using “-u” and the type of the injection attack using “–technique=U” where “U” stands for UNION.

Answer 269

A

D.As a significant finding of weak password complexity

Explanation:
Password length and complexity should adhere to security best practices and standards. Password complexity standards often change to increase the complexity level. Previously, it may have been okay to have a password containing only letters, but these days passwords should include lower and uppercase letters, numerals, and symbols.

Answer 270

A

B.Brute-forcing

Explanation:
Brute-force password attacks are very inefficient and are typically a last resort. However, tools like John the Ripper (JTR), Cain and Abel, and Hashcat help increase the chances of successful password exploitation. JTR can conduct both dictionary and brute-force password attacks against common hashing algorithms.

Answer 271

A

D.OWASP ZAP

Explanation:
He can use the OWASP Zed Attack Proxy (ZAP), which is a free and popular application testing framework, to assess the vulnerable application. ZAP is included in Kali Linux. Web application testing is a critical skill for a pentester.

Answer 272

A

D.There is no reason to keep the account on the system unless explicity requested by the client

Explanation:
Usually as part of the post-engagement activities, penetration testers clear all exploitation tools and changes made. Leaving such an account could pose a great risk, and it should only remain if the client has explicitly requested it.

Answer 273

A

B.This account should be used only in emergency situations and should have extreme password complexity to prevent possible compromise

Explanation:
No employee should know the password of this account, and it should only be accessed in emergency situations. The password should be stored securely and should be changed once it is used.

Answer 274

A

D.Rainbow tables

Explanation:
Rainbow tables contain precomputed hash values of a defined length that can be used to speed up the process of offline password cracking.

Answer 275

A

B.To create a reverse shell on a WIndows host

Explanation:
Nc provides the ability to execute programs upon successful connection. The nc -e cmd.exe command will execute “cmd.exe” once it is connected to the remote IP, thus serving a shell to the remote host. The fact that the command is executed on the target and then connects back to the host makes it a reverse shell.

Answer 276

A

B.Nmap script known as “smb-enum-shares.nse” to enumerate SMB shares in the network

Explanation:
“IPC$”, “C$” and “ADMIN$” are Windows hidden shares running on port 445 as SMB service. Nmap provides a script using Nmap Scripting Engine language (NSE) that will enumerate such hidden shares on a network.

Answer 277

A

B.A fragmentation attack

Explanation:
A way to accomplish WEP key recovery when there are no clients on the network is by executing a fragmentation attack, which is very similar to the ChopChop attack. This type of attack will speed up the cracking process by injecting arbitrary packets into the wireless access point, but it does not actually crack the key.

Answer 278

A

C.Because pentesters are rarely provided with the source code

Explanation:
Penetration testers are much more likely to find themselves able to conduct dynamic analysis of code rather than static analysis because the terms of penetration-testing SOWs often restrict access to source code.

Answer 279

A

C.nslookup example.com

Explanation:
nslookup is an integrated tool on both Linux and Windows machines. It can be used to interrogate DNS servers.

Answer 280

A

D.Non-disclosure agreement

Explanation:
A Statement of Work (SOW) is a key document for your pentesting project.

If you are at the stage of executing an SOW, it should mean that you have completed your vetting process and will be locking i your penetration testing vendor

Key Items in a pentest DOE:

Scope
Deliverable
Price
Completion date
Location of work
Payment Schedule

A non-disclosure agreement (NDA) is typically a separate document and only covers the confidentiality of the information owned by the organization

Answer 281

A

B,Debug it

Explanation:
Debugging is the process of running software line by line slowly to fully understand what is happening

Running it could not give detailed information about what is happening on a deep level

Reverse engineering it is useless when you have the source code

Answer 282

A

C.RObots.txt is a list of web server locations that should not be crawled by search engines

Explanation:
When a legitimate search engine is crawling a website in order to index its pages and links, it will read the robots.txt file and follow the instructions from it. This file usually contains the path to the “admin login page” or other resources that should not necessarily be presented in the search results. Malicious search engines or automated crawlers ignore the robots.txt file.

Answer 283

A

C.Appropriate signing authority from the client site

Explanation:
Contracts are mutual agreements that are enforceable by law and require an authorized representative from each party (ie contract signing authority) to sign the contract

Answer 284

A

C.Contact the appropriate support based on the predefined escalation path

Explanation:
The escalation path is a pre-engagement document to be used in case an issue arises during the engagement. This escalation path usually contains contact details for appropriate support teams.

Answer 285

A

A.Look for the VNC password in the $HOME/.vnc/passwd file

Explanation:
The VNC password is stored in the user’s home directory ($HOME/.vnc/passwd) for Mac and Linux operating systems (in Windows, the password is stored either in an .ini file or in the registry) and is in DES format.

Answer 286

A

B.Credential brute-forcing

Explanation:
During a pentest engagement, you are likely to come across application servers that allow users to authenticate access via username and password. These types of forms are typically the target of brute-force login attacks. CeWL is a Ruby application that spiders a given URL and returns a wordlist that can be used for either password crackers (like John the Ripper) or brute-force login tools (like Hydra).

Answer 287

A

A.He is looking for WPS-enabled networks

Explanation:
In Kali, you can use a tool called “wash” to identify all WPS-enabled networks. The list of WPS-enabled networks could also be used in an automated attack using “reaver”.

Answer 288

A

B.OpenVAS

Explanation:
OpenVAS is a software framework of several services and tools offering vulnerability scanning and vulnerability management. All OpenVAS products are free software, and most components are licensed under the GNU General Public License. Plugins for OpenVAS are written in the Nessus Attack Scripting Language, NASL.

Answer 289

A

B.Implement salted encryption on the database

Explanation:
Encrypting data in rest is as important as encrypting data in transit. They should implement salted encryption on the database. A user password stolen from a website’s password file might be the same password that protects sensitive information stored in the user’s email account. The solution to this issue is to always store passwords in encrypted or hashed form. This prevents an attacker who gains access to the server from easily accessing all of the passwords stored on that server.

Answer 290

A

C.-oA

Explanation:
Nmap can produce reports in a few different outputs, but sometimes you need more than one at the same time. Instead of conducting the same scan twice to get the desired output, George could use -oA to output the results into all available formats.

Answer 291

A

D.SMBMap

Explanation:
This tool is built into Kali Linux and enumerates shares and access levels.

hping is bandwidth testing software. Dig is a tool for accessing WHOIS records. rpcclient is a tool for running remote procedures over remote procedure call (RPC) service.

Answer 292

A

D.NTLM Hashes

Explanation:
One of the most common replay attacks used by pentesters is an NTLM pass-the-hash attack. Once the NTLM hashes are acquired, pentesters can identify systems that do not need SMB signing. When targets are selected, the attack can be carried out with the help of an NTLM relay tool.

Answer 293

A

B.Pass-the-hash attack

Explanation:
Pass-the-hash attacks rely on injecting hashes into LSASS, or presenting NTLM hashes to services like SMB or WMI. This is made easier by the fact that the Sysinternals PsExec tool can directly accept an NTLM hash as an argument instead of a password.

Answer 294

A

A.Threat modeling

Explanation:
Threat modeling is a complex process that takes a structured approach to identify, quantify, and address the risks associated with an organization’s information system. It involves activities such as identifying assets, getting an overview of the architecture, decomposing the application, and identifying the threats.

Answer 295

A

A.Evil Twin

Explanation:
One way to trick the client into sharing their RADIUS login credentials is to act as a fraudulent Wi-Fi access point, otherwise known as the Evil Twin. HostAP (in Kali Linux: apt-get install hostapd) is a popular access point software that can be run from a computer operating system such as Kali Linux. It allows the host to perform all functions of a typical wireless router. For WPA and WPA2 enterprise networks, HostAP provides support for RADIUS authentication and supports the ability to carry out impersonation attacks against wireless clients.

Answer 296

A

D.1.Check if name queried,2.Search local host files,3.DNS servers queried,4.NetBIOS name resolution

Explanation:Correct answer: 1. Check if name queried, 2. Search local Hosts file, 3. DNS servers queried, 4. NetBIOS name resolution sequence

In Windows systems, host name resolution generally uses the following sequence:

The client checks to see if the name queried is its own.
The client then searches a local Hosts file, a list of IP address and names stored on the local computer.
Domain Name System (DNS) servers are queried.
If the name is still not resolved, NetBIOS name resolution sequence is used as a backup. This order can be changed by configuring the NetBIOS node type of the client.

Answer 297

A

A.ExifTOol

Explanation:
ExifTool is software that displays metadata from different kinds of files (img, txt, etc.).

Ghidra is a tool for reverse engineering.

CherryTree is a tool for note-taking.

Maltego is a tool for passive or active information-gathering.

Answer 298

A

A.Directory traversal

Explanation:
Some web servers suffer from a security misconfiguration that allows users to navigate the directory structure and access files that should remain secure. These directory traversal attacks work when web servers allow the inclusion of operators that navigate directory paths and file system access controls don’t properly restrict access to files stored elsewhere on the server.

Answer 299

A

D.Discovery Scan

Explanation:
A discovery scan is used usually in the beginning of testing in order to build a list of targets, similar to an asset inventory list.

Answer 300

A

D.Preloading hacking tools on a USB drive and leaving it with an interesting label at the organizations office

Explanation:
The USB key drop technique is done by preloading hacking tools aimed against the targeted OS on a USB thumb drive and then leaving it with an interesting label somewhere in the organization’s office. This method is usually a last resort, used when everything else fails.

Answer 301

A

D.Reflected HTML Injection

Explanation:
A reflected HTML injection vulnerability is a nonpersistent browser execution attack, meaning that the injection would be lost once the current browser session was closed.

Answer 302

A

B.The command is “net share” and the output shows current SMB shares on a local host

Explanation:
The “net” command in Windows is very powerful. You can use net view \ to discover available Windows shared drives or showmount -e for NFS shares.

Answer 303

A

C.WSDL and SDK documentation

Explanation:
Alex could look for exposed web services through Web Services Description Language (WSDL) documents and software development kit (SDK) documentation. Those documents are usually associated with the developing of an application and would contain useful information provided by the developers.

Answer 304

A

B.Insider threat

Explanation:
Insider threat is usually related to information exfiltration. It is fairly easy to copy sensitive internal information to a thumb drive and take it off the premises.

Answer 305

A

A.Setup the scanning parameters for “Port Scanning and Host Discovery” intensity to “Low”

Explanation:
QualysGuard is a web-based UI which offers network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk. Most massive scanners, especially the commercial ones, offer fine-tuning of the scan configuration. You could dive deep in the scanner configuration and limit it in a way that it would not impact the company’s bandwidth.

Answer 306

A

A.Create a daemon with the malware

Explanation:
Daemons are programs that run in the background and not under the control of the user. Think of daemons like services in Windows.

Code injection would require much more effort and would only benefit if the goal was to hide the attack.

DLLs are used in Windows operating systems only.

Editing the boot loader would require high privileges and much more effort in comparison to creating a daemon.

Answer 307

A

A.TCP ACK (-sA)

Explanation:
When performing port scanning, there is always the possibility to hit a firewall. The stateless firewall would not keep track of the connections state; when it detects an “ACK” packet it would consider it part of an active connection and pass it through. The same logic applies for “FIN” packets.

Answer 308

A

C.POC (Proof of Concept)

Explanation:
A proof of concept is exactly what it sounds like: some sort of proof that the vulnerability found could be exploited. This is usually a short code in the form of a script that could be used to exploit it. You may need a compiler to compile proof-of-concept source code for a given operating system, or to modify an exploit to account for certain environmental conditions like firewalls and proxy servers.

Answer 309

A

A.NDA

Explanation:
A non-disclosure agreement (NDA) is protecting the business’s competitive advantages from being disclosed to third parties. In the event the organization is compromised, the vendor is obligated to maintain the secrecy of the privileged information it might obtain during the pentest.

Answer 310

A

C.3283/tcp

Explanation:
Port 5900/tcp is usually associated with VNC service.

Port 3389/tcp is reserved for Windows Remote Desktop service.

Port 22/tcp is the standard SSH port.

Answer 311

A

D.Piggybacking

Explanation:
Piggybacking is a type of social engineering technique that can be used to exploit physical access controls in order to gain unauthorized access to a restricted area. This is accomplished by an unauthorized person walking in through the door behind an authorized employee with legitimate access who consents to the access. A social-engineered response might sound something like, “Sorry about that, I’m new here and left my badge at my desk.”

Answer 312

A

B.Script kiddie

Explanation:
In programming and hacking cultures, a script kiddie, skiddie, or skid is an unskilled individual who uses scripts or programs developed by others to attack computer systems, networks, and websites. They rely heavily on open-source tools and scripts.

Hacktivism (the individual is known as a hacktivist) is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change.

An advanced persistent threat (APT) is a stealthy computer network threat actor which gains unauthorized access to a computer network and remains undetected for an extended period.

A black hat hacker is a hacker who violates computer security for personal gain or maliciousness.

Answer 313

A

D.Using port scanners

Explanation:
Ports scanners are tools that send traffic to specific ports and can enumerate services based on the server response.

OSINT information cannot be escalated in order to enumerate services, but it can be useful for gathering IP ranges.

WHOIS does not provide service information.

theHarvester is an OSINT email and social scanning tool.

Answer 314

A

A.Empire

Explanation:
Empire is a PowerShell tool used in the post-exploitation stage. It offers functionality to establish persistence as well as lateral movement.

Answer 315

A

A.Fragmentation attack

Explanation:
Fragmentation attacks are not very useful in modern networks. When WEP (Wired Equivalent Privacy) was commonly used to protect wireless traffic, fragmentation attacks were used to speed up the cracking process by injecting arbitrary packets into the traffic stream and then using that traffic to more quickly extract the WEP key. You’re very unlikely to run into a need to conduct one on a modern network.

Answer 316

A

D.The issuer and expiration date

Explanation:
By examining the certificate, Alex could find some useful details to aid in his penetration testing, such as other domains under the certificate, the issuer, the expiration date, and so on.

Answer 317

A

C.He should only test in-scope resources and completely exclude any other assets from testing

Explanation:
Third-party assets or resources are owned by another company. Unless explicitly approved by that company, George should not attack them. There needs to be a written statement from the third party that such tests are approved.

Answer 318

A

C.Hard-coded credentials

Explanation:
It is amazing how often you can find hard-coded credentials in the source code of an application. Insecure code practices is a whole segment of penetration testing and covers all sorts of similar developers’ mistakes.

Answer 319

A

D.Session hijacking

Explanation:
Web sessions are designed to accompany the user’s interaction with the web framework. A unique session identifier is generated by the web server or web application and lasts for the duration of the user’s visit. A session ID (or token) can be stored locally on the user’s hard drive as a cookie, form field, or URL.

Answer 320

A

D.1024-49151

Explanation:
Ports ranging from 1024 to 49151 are registered ports and are assigned by IANA when requested. Many are also used arbitrarily for services.

Answer 321

A

D.A compromised business email

Explanation:
A compromised business email could be used to aid in elicitation, because it provides an automatic level of trust for many targets. For example, if a phishing email was sent from a legitimate email address in the organization, it would likely pass through the spam filters and as a result would likely be trusted by more victims.

Answer 322

A

A.He is looking for a WPS-enabled networks

Explanation:
In Kali, you can use a tool called “wash” to identify all WPS-enabled networks. The list of WPS-enabled networks could also be used in an automated attack using “reaver”.

Answer 323

A

B.OSINT Framework

Explanation:
OSINT Framework is a cybersecurity framework; a collection of OSINT tools to make your intel and data collection tasks easier. This tool is mostly used by security researchers and penetration testers for digital footprinting, OSINT research, intelligence gathering, and reconnaissance.

OWASP ZAP is an open-source web application security scanner. Nessus is a proprietary vulnerability scanner. The Common Weakness Enumeration (CWE) is a category system for software weaknesses and vulnerabilities.

Answer 324

A

D.Goal-based assessment

Explanation:
Goal-based or objective-based assessments usually provide general instruction for a given scenario. For example, obtain administrative access from a specific server.

Compliance-based assessments audit an organization’s ability to follow and implement a given set of security standards within an environment. Red team assessment, or red teaming, will evaluate how well an organization would fare given a scenario of a real-world attack.

Answer 325

A

A.Statement of work

Explanation:
The statement of work (SOW) usually contains the following main topics:

Purpose

Scope of work

Location of work

Period of performance

Deliverable schedule

Applicable industry standards

Acceptance criteria

Special requirements

Payment schedule

Answer 326

A

A.Implementation of a new process

Explanation:
The client might implement a new process that lays out specific approved techniques for requesting wire transfers, thus removing ambiguity.

Answer 327

A

C.There could be third party-providers involved

Explanation:
The supply chain may include parties outside of the target organization’s control. During the scoping process, ensure that you know who all the players are going to be, and define authorized boundaries for the pentest.

Answer 328

A

C.Nikto

Explanation:
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS.

Grep is a command-line utility for searching plain-text data sets for lines that match a regular expression. Its name comes from the ed command g/re/p, which has the same effect: doing a global search with the regular expression and printing all matching lines.

Hping is a free packet generator and analyzer for the TCP/IP protocol.

ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata. It is platform independent, available as both a Perl library and command-line application.

Answer 329

A

D.The pentest scope

Explanation:
The pentest scope usually includes the following:

Testing requirements 
Target selection 
Scheduling and timelines 
Strategy for testing

Answer 330

A

B.snmpwalk

Explanation:
snmpwalk supports SNMP enumeration, including for users.

hping3 is tool for bandwidth testing. Burp Suite is a web app scanner tool. TheHarvester is an OSINT tool for emails and other information.

Answer 331

A

A.Burp Suite

Explanation:
Burp Suite is proxy software, and one of its functionalities is crawling.

CeWL and Crunch are both tools for word list generation. Sqlmap is for automation of SQL injection.

Answer 332

A

A.This will create a proxy connection

Explanation:
The “ssh -D 8080 user@intranetserver -p 443” command will create a connection to “intranetserver” over SSH and push all https traffic on port 443 through the SSH connection locally on the source on port 8080. Basically, it will proxy https traffic through “intranetserver” to localhost on port 8080.

Answer 333

A

D.Denial of Service (DoS)

Explanation:
A SYN flood is a form of denial-of-service (DoS) attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A DoS attack is when the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Answer 334

A

B.He is looking for insecure code practices

Explanation:
Insecure code practices are very common. George is quite likely to find a username and password listed in the comments that were forgotten by the developers.

Answer 335

A

C.Netcat

Explanation:
Netcat (NC) is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. NC could be used for information gathering, scanning, and exploitation. Because of the various applications of NC, it is a preferred choice. You can easily deploy NC on the compromised machine with a wget command.

Once on the machine, scanning the internal network is as simple as the following for loop:

for i in {1..254}; do nc -v -n -z -w 1 192.168.0.$i 443; done

The above command line will scan all hosts between 192.168.0.1 and 192.168.0.254 for open port 443. With -z you specify to NC that it should only scan for listeners on the specified port, but not send any data. The “-n” means it will not attempt DNS resolution and “-w 1” is a wait time of 1 second.

OpenVas is a full blown vulnerability scanner, the same is Nessus.

DirB is not a tool for network mapping.

Answer 336

A

B.Infrastructure, domains, IP ranges and routes for the organization

Explanation:
Correct answer: Infrastructure, domains, IP ranges and routes for the organization

Infrastructural recon is a part of the passive information-gathering process.

Opened ports and running services are discovered by active scanning.

Vulnerabilities are discovered by active scanning or manual validation (which is also active).

Answer 337

A

D.Probability and damage potential

Explanation:
Basic risk calculation is made with the following formula: Risk = Probability * Damage Potential

A more complex risk scoring system could be used, for example CVSSv3, where more factors are taken into consideration.

Answer 338

A

B.RoE

Explanation:
The storage time for the report is included in the terms outlined in the RoE (rules of engagement). Once the findings have been retested and the customer is satisfied with the results, the remaining copies of the report can be properly disposed of.

Answer 339

A

A.Its a Python array

Explanation:
In the given example, “list” is likely an array of variables or strings. This Python code is a standard example of iteration.

Answer 340

A

B.Shoulder surfing

Explanation:
Shoulder surfing is the technique in which you pretend to be doing something else when in fact you are trying to see the password that someone near you is typing.

Answer 341

A

C.Mimikatz uses some 64-bit processes during the credentials extraction

Explanation:
TO be able to take advantage of the credential extraction functionality that Mimikatz offers, it would need to be migrated to a 64-bit process, because it uses 64-bit functions

Answer 342

A

B.clearev

Explanation:
Meterpreter is very powerful and provides a lot of functionality. When clearing your tracks, you can use clearev to clear the event logs and also timestomp to change any files’ timestamps, if necessary.

Answer 343

A

D.Covering tracks

Explanation:
Timestomping is a method of modifying the MAC times of files on a system in order to confuse the incident investigation.

This is usually used by attackers to cover their tracks

Answer 344

A

A.SSH -D 9050 www.compromisedmachine.com

Explanation:
SOCKS, which stands for Socket Secure, is a network protocol that facilitaties communication with servers through a firewall by routing network traffic to actual server on behalf of a client.

SOCKS is designed to route any type of traffic generated by any protocol or program.

A SOCKS proxy server creates a Transmission Control Protocol (TCP) connection to another server behind the firewall on the clients behalf, then exchanges network packets between the client and the actual server.

The SOCKS proxy server doesnt interpret the network traffic between client and server in any; it is often used because clients are behind a firewall and are not permitted to establish TCP connections to outside servers unless they do it through the SOCKS proxy server..

Therefore, a SOCKS proxy relays a users TCP and User Datagram Protocol (UDP) session over firewall

SSH -D 9050 www.compromisedmachine.com will create a connection to the compromisedmachine.com on port 9050. Once this is established, you could use any tool which supports SOCKS proxy and set it up to use port 9050 on the localhost.

Answer 345

A

B.-Pn disables ICMP requests

Explanation:
-Pn means “disable ping” or “do not use ICMP echo requests” to determine if a host is online or not. Many operating systems are configured not to respond to ICMP echo requests (or ping). With a default configuration, Nmap would assume hosts not responding to ping were offline hosts and would skip them.

Answer 346

A

A./etc/shadow

Explanation:
/etc/shadow is a text file that contains information about the systems users passwords.

It is owned by user root and group shadow, and has 640 permissions

/etc/passwd is a text file that contains the attribute of (ie basic information about) each user or account on a computer running Linux or another Unix like OS

Answer 347

A

C.Wireshark

Explanation:
Packet capture has another major use during penetration tests; documentation.

One of the most powerful tools for capturing traffic and at the same time using it for packet analysis is Wireshark

During testing, pentester attempt to capture most, if not all, of the traffic associated with their pentesting efforts.

If something goes wrong, the logged traffic can be used to document what occurred and when,

Packet captures can also be useful if you think you missed something or cannot get a response to reoccur.

Because of its intuitive interface, WIreshark can easily be used to review the traffic and find any possible issues

Answer 348

A

C.TCP SYN (-sS)

Explanation:
TCP SYN (Stealth) Scan (-sS) SYN scan is the default and most popular scan option for good reason.

It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls.

It requires raw-packet privileges, and is the default TCP scan when they are available.

Because the three-way handshake is never completed, SYN scan is sometimes called half-open scanning

Answer 349

A

D.Host operating systems and service identification

Explanation:
The ability to identify an operating system based on the network traffic that it send is known as operating system fingerprinting and it can provide use information when performing reconnaissance

Answer 350

A

A.Prepare the email in such a way that it will appear to be sent by higher management

Explanation:
By pretending to be a higher ranking manager, Alex is using authority motivation

Sending the email multiple times would not make it more plausible; if anything, it would appear less genuine

Marking it as “high importance” could potentially have some impact, but nothing in comparison to impersonating higher management

Using the company logo is easy; downloading it from the internet would suffice. But this would likely to be easily be spotted by the target

Answer 351

A

B.Burp Suite

Explanation:
Burp Suite is a powerful tool that provides a proxy functionality. It is able to capture the HTTP request and allow manipulation.

Answer 352

A

C.Validating user input and parameterizing queries

Explanation:
By validating user input and parameterizing queries, you make the application itself more secure

Entrusting SQL injection protection to WAF or third-party solutions like Cloudflare is bad practice.
Those solutions are additional layers of security but cannot guarantee 100 percent protection

Blacklisting characters is the wrong way to go, as there are many obfuscation techniques and there is no way to be sure that all bad characters are blacklisted.
Also some might be needed for normal operation of the web application

Answer 353

A

B.Weakness ID

Explanation:
Each Common Weakness Enumeration (CWE) record should include a weakness ID>

The name of each CWE is also its ID.

For example, CWE-36 stands for “Absolute Path Traversal”

Answer 354

A

C.The cookie is set with a secure flag

Explanation:
The secure flag is used to ensure a cookie never makes its way over an unencrypted connection, like HTTP.

This helps prevent against credential theft when a malicious user is sniffing the network

Answer 355

A

C.The pentest is limited to the devices and services listed in the scope

Explanation:
The scope of the test defines all machines that should be tested, services running on those machines, and any other details that should be included. Unless a target is specifically listed in the documented scope, it should not be tested

Answer 356

A

C.Stored XSS

Explanation:
Alex is attempting to store injection in the database to steal and redirect a session token.

The stored XSS could later be accessed through a web interface by an administrative user.

This would allow Alex to steal the administrative user session

Answer 357

A

A.Nmap -S -A -Pn -p 100-2000 10.0.10.0/24

Explanation:
Using -sS will tell Nmap to perform SYN scan (using a fast method, -A will ask Nmap to attempt OS and software version detection
-Pn will tell Nmap to treat all hosts as live and -p 100-2000 will define the port range.

Finally, you provide the subnet using /24 as a mask identifier

Answer 358

A

D.Netcat

Explanation:
Netcat is a handy tool for banner enumeration.

WHOIS records cannot do banner grabbing of specific services on specific ports. Dirb and Gobuster are tools for brute-forcing directories and files.

Answer 359

A

A.Data isolation compliance assessment

Explanation:
Understanding how the data isolation design fits in the context of the organization’s infrastructure is crucial. Data isolation is also an important concept to understand when dealing with third-party service providers.

Answer 360

A

A. A face-to-face meeting on the topic of the report

Explanation:
In most cases, a face-to-face meeting with the client and the penetration testers is held. The meeting is focused on the report results and any questions that the client or their security representatives might have.

Answer 361

A

A.UPDATE Statement

Explanation:
Structured Query Language (SQL) is a standard language for storing, manipulating and retrieving data in databases.
SQL can:

execute queries against a database
retrieve data from a database
insert records in a database
update records in a database
delete records from a database
create new databases
create new tables in a database
create stored procedures in a database
create views in a database
set permissions on tables, procedures and view

The UPDATE statement is used to modify the existing records in a table..

The DELETE statement is used to delete existing records in a table

The SELECT statement is used to select data from a database

The INSERT INTO statement is used to insert new records in a table

Answer 362

A

A.Burp Suite

Explanation:

Burp Suite would be the most suitable tool because it uses a proxy to intercept the HTTP requests going to and from a website in an easily readiable way

Nikto is an open-source web application scanning tool that uses a command line interface that does not have a proxy and cannot intercept HTTP requests

Wfuzz is a web application “fuzzer” that uses payloads of data to sniff out directories, files, or headers.
It cannot intercept HTTP requests

DirBuster is a tool used for finding directories in a web application, not to intercept HTTP requests

Answer 363

A

D.ASLR protection is enabled

Explanation:
By definition, Address Space Layout Randomization (ASLR) is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap and stack in a processes’ address space

Essentially, ASLR randomizes the memory space, such that the fixed location contents are different each time the program is executed.
This will render any malicious payload useless.
ASLR is a buffer overflow protection

AppArmor is a Linux kernel security module that allows the sysadmin to restricts programs capabilities with pre-program profiles.
Profiles can allow capabilities like network access, raw socket access, and the permission to read, write or execute files on matching paths

Answer 364

A

B.SMB

Explanation:
User Account Control (UAC) is a security mechanism designed to limit the ability of a piece of malware to take total control of your system or network.

However, developers with local administrative access can possibly disable this feature and potentially allow remote logins over SMB (server message block) or RDP with the local admin account

Answer 365

A

A.Public exploits available

Explanation:
Although it might have some impact on the exploitation of the vulnerability if there are available public exploits, it is not usually a deciding factor in the remediation planning.

Exploits for a specific vulnerability might be available but not released publicly; thus other factors such as criticality, exposure, severity and so on are more relevant

Answer 366

A

C.Create a scheduled task that “calls home”

Explanation:
Create a scheduled tasks that executes a script or command that connects to the attack hosting and provides shell access.

It is very similar to establishing a NC session with the attacking hist; however, because it is a scheduled task it also will survive a restart; hence the persistence

Answer 367

A

D.hashcat -m 1000 -a 0 –force –show –username hash.txt wordlist1.lst

Explanation:
Hashcat is a password-cracking utility that uses graphics processing units (GPUs) to crack passwords at a very high rate of speed. Hashcat is much faster than traditional tools (like John the Ripper, which is CPU-bound), making it a tool of choice if you have access to appropriate hardware.

Answer 368

A

B.Set the last access time of a file

Explanation:
This technique can be executed by an attacker against files/directories that were modified.

The TImestomp feature in a Meterpreter shell can be a good way to limit the digital footprint of reading/writing data on the file system

Answer 369

A

B.Search through SCCMs or other inventory systems

Explanation:
In some tests (usually white box or grey box) an SCCM (system center configuration manager) or other inventory systems is available to the pentesters

A simple search in those systems might reveal hosts that are not detectable by regular port scanning

Answer 370

A

C.Reverse shell

Explanation:
The Metasploit Meterpreter shell and reverse shell are effective ways of interacting with a target environment, as they run entirely in memory and leave little or no trace after disconnecting

Answer 371

A

A.George should suggest the SMTP be stopped and the port be closed, as it is no longer needed

Explanation:
All unused services should be stopped and all unused ports should be closed. Even though this service was not exploitable at the time, it could be exploited later.

Answer 372

A

D.Start a Wi-Fi monitoring interface on channel 9

Explanation:
The “airmon-ng” command is included in the Aircrack-ng suite of tools, in order to configure an adapter in monitor mode.

Answer 373

A

B.Scope creep

Explanation:
Scope creep occurs during a pentest when additional tasks or testing activities are added to the project and exceed the original expectations documented in the statement of work. This can negatively affect the overall schedule or delivery of the final pentest report.

Answer 374

A

C.DUmpster Diving

Explanation:
Dumpster diving is a social engineering method used to retrieve sensitive information from an organization’s dumpster/trash in order to attack the computer network. The objective is to find sensitive information that may not have been shredded, such as usernames, passwords, software, account information, financial statements, meeting notes, etc.

Answer 375

A

B.Via SMS or a communication method other than email

Explanation:
You should not use the same delivery mechanism for the decryption password as you do for the encrypted report. This way, you maximize continuity and reduce the risk of unauthorized disclosure should one path become compromised.

Answer 376

A

D.In the scan configuration, disable all Windows related plugins as they would not apply for Linux hosts

Explanation:
Disable the plugins that would not apply for Linux hosts. Nessus comes with a wide variety of plugins and it would help improve scanning speed and results if you disable plugins that do not apply.

Answer 377

A

B.Cross-compile Code

Explanation:
Cross-compiling is used when the targeted platform is running a different architecture. Actual cross-compiling like GCC could compile to multiple architectures, but the binaries would only run on the targeted platform.

Answer 378

A

A.Evil Twin

Explanation:
One way to trick the client into sharing their RADIUS login credentials is to act as a fraudulent Wi-Fi access point, otherwise known as the Evil Twin. HostAP (in Kali Linux: apt-get install hostapd) is a popular access point software that can be run from a computer operating system such as Kali Linux. It allows the host to perform all functions of a typical wireless router. For WPA and WPA2 enterprise networks, HostAP provides support for RADIUS authentication and supports the ability to carry out impersonation attacks against wireless clients.

Answer 379

A

B.She could use the Nmap flag “-iL” to provide Nmap a file with targets

Explanation:
The “-iL” flag is used if Nmap needs to take its targets from a source file.

Answer 380

A

C.They are difficult to patch

Explanation:
Real-time operating (RTOSs) are difficult to patch; the patches are typically in the form of a firmware update or upgrade and are not released often or by many vendors

Answer 381

A

B.Common Vulnerability Scoring System

Explanation:
The common vulnerabilities and exposure (CVE) dictionary is the standard for documenting publicly disclosed vulnerabilities NIST maintains the National Vulnerability Database (NVD), which performs analysis on the vulnerabilities that have been published to the CVE dictionary, using the Common Vulnerability Scoring System (CVSS).

The results of the analysis provide metrics that can be used by an organization to determine the overall impact of a vulnerability to the environment, if exploited

Answer 382

A

C.Implement email content filtering to block inbound messages that appear to come from internal sources without proper authentication

Explanation:
Technological controls provide effective defenses against security threats.

For example, an organization might implement email content filtering to block inbound messages that appear to come from internal sources without proper authentication.

They may also filter out messages containing high-risk
key words coming from known malicious sources

Answer 383

A

D.Evasion

Explanation:
Running Mimikatz in memory rather than on disk has benefits, such as antivirus evasion.

You can also use some trivial encoding or obfuscation techniques like updating Invoke-Mimikatz.ps1 command from the PowerSploit framework until it can no longer be detected by antivirus signatures

Answer 384

A

B.-A

Explanation:
Nmap -A option enables service version detection and host OS detection. This flag will attempt to identify the services listening on all open ports and the current software version of each one. Using heuristics, Nmap will also attempt to determine the host OS.

Answer 385

A

C.iGoat

Explanation:
iGoat and DVIA (Damn Vulnerable iOS App) were developed to assist pentesters and security researches with testing against common weaknesses in a safe and legal environment

Answer 386

A

B.Critical

Explanation:
According to CVSS v3, there are five categories of risk:

CVSS score between 9 and 10 - Critical

CVSS score between 7 and 8.9 - High

CVSS score between 4 and 6.9 - Medium

CVSS score between 0.1 and 3.9 - Low

CVSS score 0 - None

Answer 387

A

B.It is irrelevant whether the limitations are in the pentest report

Explanation:
Some limitations (for example, no DDoS, no social engineering, or exclusion of some legacy machines) could seriously impact the outcome of the test. By listing the limitations, you prevent the false sense of security that a client might gain based on some results of the report.

Answer 388

A

A.SSL Stripping

Explanation:
During man-in-the-middle attacks, it may be necessary to set up a proxy service to force SSL stripping from client requests, so that when a client goes to connect to an SSL-enabled website, the certificate will be stripped from the session and the browser window will not display any SSL certificate message.

Answer 389

A

B.George is doing a ping scan and outputting the results in XML format

Explanation:
An Nmap ping scan (-sn or -sP flag) is a simple method of determining if a host is alive on the network. The ping scan uses the layer 3 Internet Control Message Protocol (ICMP) for sending ping probes to hosts over the network. Hosts communicate over the network using ICMP messages, which are defined as specific types and codes that determine the state of the communication.

Answer 390

A

C.APTs

Explanation:
APT stands for Advanced Persistent Threat.
APTs are the most motivated and well-prepared threat actors and are therefore at the bottom of the adversary tier.

Professional black hats are in the middle of the adversary tier.

Script kiddies are at the top of the adversary tier, as they are less prepared and skilled.

Hackers are not in the adversary tier.

Answer 391

A

B.You could try using a picture of the fingerprint

Explanation:
As it is an optical fingerprint sensor, it would operate by using a camera and comparing the image of the fingerprint to a database of images. Therefore, this sensor might be tricked by an image of the fingerprint.

Answer 392

A

D.privileges;

Explanation:
MySQL database does have an extensive list of privileges associated to a user for any given database. You could have users that are only able to read the database. There are cases, where users only have permissions to create and update, but no drop any tables or delete anything. Information about account privileges is stored in the grant tables in the mysql system database. It is important not forget the semicolon (;) at the end of the command.

Answer 393

A

B.Perform query throttling

Explanation:
When performing a penetration test, there are several aspects that need to be considered. The appropriate time for testing might be specific based on the business of the client. In some cases, the application that is being tested has specific query quotas that need to be taken into consideration.

Answer 394

A

C.Buffer overflow attack for Linux machines

Explanation:
The “return-to-libc” (Ret2libc) attack is a technique used to hijack program control flow by exploiting a buffer overrun vulnerability in subroutines in libc.

Answer 395

A

C.sqlmap -u “https://target.com/vendors.php?vendID=4”

Explanation:
To evaluate whether a parameter is injectable, such as the id= field in this example, you may need to try a series of injection criteria to elicit an error from the database. SQLmap would be able to do this test automatically.

Answer 396

A

C.DirBuster

Explanation:
The DirBuster tool is a multi-threaded java application that is used to perform brute force over directories and file names on web and application servers. DirBuster attempts to find hidden directories and pages within a web application, providing users with an additional attack vector.

Answer 397

A

B.In a compliance-based engagement

Explanation:
If the client conducted the test as part of a regulatory or contractual commitment, they may request that the tester prepare a formal attestation of their work and findings.

Answer 398

A

A.Client acceptance

Explanation:
Pentesters should obtain formal client acceptance of their deliverables. This may simply be a written acknowledgment of the final report, but it usually includes a face-to-face meeting where the testers discuss the results of the engagement with business and technical leaders and answer any questions that might arise.

Answer 399

A

D.NTLM Hashes

Explanation:
One of the most common replay attacks used by pentesters is an NTLM pass-the-hash attack. Once the NTLM hashes are acquired, pentesters can identify systems that do not need SMB signing. When targets are selected, the attack can be carried out with the help of an NTLM relay tool.

Answer 400

A

C.Stored cross-site scripting (stored XSS)

Explanation:
Stored or persistent XSS is a vulnerability much like reflected XSS; however, it does not disappear upon reloading of the page.

Answer 401

A

C.port:1194 net:”8.8.8.0/24”

Explanation:
The correct command for shodan requires “port” and “net” parameters. The network segment also needs to be in quotes. Therefore, the correct Shodan query is port:1194 net:”8.8.8.0/24”.

Answer 402

A

C.Master Service Agreement

Explanation:
The master service agreement (MSA) documents the following topics:

Payment terms

Product warranties

Intellectual property ownership

Dispute resolution

Allocation of risk

Indemnification

Answer 403

A

D.Use PsExec and execute commands remotely on another machine

Explanation:
An example of a PsExec remote command:

./PsExec.exe -u domainadmin -p adminpass //remotehost cmd

This will open a cmd session on the remote host

Answer 404

A

D.WinRM

Explanation:
The Windows Remote Management (WinRM) protocol is a feature of PowerShell that provides native Windows remote command execution.

Answer 405

A

D.SSL Stripping or downgrading

Explanation:
SSL stripping, also known as downgrading, is an exploitation technique that allows an attacker to capture plaintext traffic during man-in-the-middle attacks.

Answer 406

A

A.In many cases, you would need formal approval from the hosting company or the cloud provider

Explanation:
If the targets are hosted in a third-party environment, such as a cloud service provider (CSP), testing is not only subject to the company’s policies, it is also subject to the third party’s acceptable use policies. For instance, Amazon Web Services (AWS) requires that tenants submit pentesting request forms to receive authorization prior to penetration testing to or from any AWS resource.

Answer 407

A

D.Wireshark

Explanation:
Wireshark is a sniffer and packet analyzer that can capture all kinds of traffic

Nmap is a simply a scanner

Aircrack-ng is software for brute-forcing wireless networks

Airmon-ng is part of the Aircrack page and cannot capture packets

Answer 408

A

A.Vulnerability mapping is the process of prioritizing vulnerabilities

Explanation:
Vulnerability mapping is the process of prioritizing a vulnerability based on its usefulness to a malicious actor (i.e., does it allow remote code execution, facilitate privilege escalation, create data disclosure, or enable lateral movement?).

Answer 409

A

B.Web Application

Explanation:
Burp Suite Pro and Burp Suite Community are tools developed by PortSwigger for Web Application testing. They act as a local proxy, but do posses multiple plugins and a very wide functionality.

Answer 410

A

B.snmpwalk

Explanation:
Snmpwalk, snmpget, and snmpset are useful when requesting specific OIDs related to an MIB or “walking” the MIB files to extract content from each variable. The data is not well formatted and it might be a bit hard to beautify the results.

Answer 411

A

B.rsh and rlogin

Explanation:
RSH, rlogin, and rexec (513/tcp or 514/tcp) are otherwise known as “R-services” (each service has been superseded by features provided by SSH). These services do not encrypt remote connections and will expose login credentials and potentially sensitive data while in use.

Answer 412

A

A.Spear Phishing

Explanation:
By collecting details about the person’s habits, George could craft a phishing email with a malicious payload, which is likely to be executed due to the level of accuracy in the email statements. For example, he could send an email from a shipping company about a lost package, with a tracking link.

Answer 413

A

A.DNS Zone Transfer

Explanation:
A DNS zone transfer (AXFR) is a transaction that is intended to be used between DNS servers to replicate databases. It could also be used for information gathering by attackers.

Answer 414

A

D.Drozer

Explanation:
Drozer from MWR labs (formerly known as Mercury) is one of the most leveraged Android security frameworks for pentesting Android applications
Drozer enables scanning for security vulnerabilities in Android applications by taking the role of a native Android application and interacting with the Dalvik Virtual Machine, other applications IPC endpoints and the OS beneath

OpenVAS is a software framework of several services and tools offering vulnerability scanning and vulnerability management.

Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7’s Metasploit for vulnerability exploitation.

Answer 415

A

C.OWASP ZAP

Explanation:
OWASP ZAP is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. The method of using OWASP ZAP is quite similar to Burp.

Answer 416

A

A.Part of the application documentation

Explanation:
The SOAP project file describes the format for sending and receiving messages in a web application. This file could be used by an attacker to learn the recommended methods of sending messages and potentially suggest ways to force it into error condition.

Answer 417

A

D.Company B may have a vested interest in how the companys assets and best interests are being protected

Explanation:
There is high probability that company B would inherit the weaknesses of company A when both environments are merged. Any potential vulnerability in the environment of company A could impact the environment of company B, as they would eventually be interconnected.

Answer 418

A

B.Any secure method preapproved by all parties involved

Explanation:
The report does contain sensitive client information and should be handled with extreme care. The transmission method is usually decided on during the RoE discussion.

Answer 419

A

A.CSRF Token

Explanation:
A cross-site request forgery is a type of client-side injection attack that causes a user to perform an action against a trusted website where the user is already authenticated with a valid session. The CSRF token is a unique, secret, randomized value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client.

Answer 420

A

D.The os library does not have a win32 module

Explanation:
Python is arguably the most popular programming language used by developers today. Like Ruby, Python is a general-purpose programming language and is also an interpreted language.

Answer 421

A

D.Dumpster Diving

Explanation:
Penetration testers do occasionally engage in dumpster diving, or retrieving information from the organization’s trash receptacles.

Answer 422

A

B.John could use the “-T” flag to speed up the test

Explanation:
The -T option is used to specify timing, using the numbers 0 to 5 or their corresponding names:

The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds up scans by making the assumption that you are on a reasonably fast and reliable network. Insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

Answer 423

A

A.CSRF

Explanation:
CSRF (cross-site request forgery) attack vectors can include vulnerable web pages, blogs, email, etc. These attacks are typically targeted and, when successful, can result in the the purchase of an item, the transfer of money, or the changing of a password. If the victim is an admin or has elevated privileges, the attack can target the ability to create or modifying existing accounts in an application.

Answer 424

A

B.Hping

Explanation:
Denial-of-service (DOS) attacks can be conducted using stress-testing tools (sometimes called stressers); however, a tool like hping, which allows for packet modification, is also cable of producing denial-of-service conditions. Another tool that can be used for many attacks, including DOS, is Metasploit.

Answer 425

A

B.Karma listens to network probe requests and presents itself as the network

Explanation:
The Karma attack is an AP method used to listen for any network probe requests from a client to join a given network (not just one specifically targeted network, as in the Evil Twin attack). In turn, it will rebroadcast the ESSID from the victim in order to entice the victim to connect to the evil network.

Answer 426

A

B.SCADA systems need to be handled carefully, as they could be easily knocked out

Explanation:
SCADA systems are delicate, fragile environments that were never really developed with security in mind. A single TCP or UDP port scan against a SCADA component can cause catastrophic damage.

Answer 427

A

B.Nikto

Explanation:
Nikto is a vulnerability scanner

Hydra and Medusa are brute-force tools.

Patator is also a brute forcing tool that was written as a result of frustration with using Hydra and Medusa

Answer 428

A

B.Leave behind all restricted tools/software and travel without them

Explanation:
Penetration testers need to be aware of the export restrictions of their country and abide by them.

Answer 429

A

A.Modify the exploit by editing its code

Explanation:
Exploit modification is common practice in penetration tests, when an exploit or POC for a specific target is available online, but it requires some minor changes. Usually such changes are rather simple to make and thus are done on the fly.

Answer 430

A

D.Add them as an object in a Word version of the report

Explanation:
The conclusion of a pentest report may include an appendix, which references artifacts that are associated with the pentest activities, including scan data, notes, etc. These artifacts can be inserted as objects in a pentest report formatted in Microsoft Word.

Answer 431

A

B.Exploit-DB Website

Explanation:
Exploit-DB is a huge database with extensive lists of exploits for many different kinds of software. They maintain up-to-date lists of exploits and POCs for older and newer versions of software.