Practice Exam Flashcards

Question 1

Q

Charles has compromised a Linux system and wants to capture traffic from the command line. What tool should he select?

A. Wireshark
B. netcat
C. grep
D. tcpdump

Answer

A

tcpdump

Charles will be most successful with tcpdump. Although you can capture packets with netcat, it provides far fewer built‐in functions and wouldn’t be the first choice for most penetration testers if they have a better option. Wireshark is a graphical tool, and grep is used for text searching, not packet capture.

Question 2

Q

Karen wants to use a wireless security tool to create a fake access point. Which of the common wireless security tools is best suited to this?

A. Aircrack‐ng
B. Kismet
C. WiFite
D. AirShark

Answer

A

Aircrack‐ng

Aircrack‐ng provides all of the tools required to conduct an evil‐twin attack. Wifite and Kismet both have other useful wireless security tools, and AirShark was made up for this question.

Question 3

Q

Kismet

Answer

A

Kismet is a wireless network detector, sniffer, and intrusion detection system used for penetration testing.

Question 4

Q

WiFite

Answer

A

WiFite is a tool designed to automate wireless attacks against various encryption types, including WEP, WPA, and WPS. It simplifies the process of testing the security of wireless networks by chaining together multiple attacks.

Question 5

Q

mdk4

Answer

A

MDK4 is a Wi-Fi testing tool used to perform various wireless network attacks, such as deauthentication, beacon flooding, and other stress tests. It is commonly utilized for penetration testing of wireless networks to identify vulnerabilities.

Question 6

Q

Fern

Answer

A

Fern WiFi Cracker is a penetration testing tool designed for discovering and exploiting vulnerabilities in wireless networks. It provides capabilities for network discovery, cracking WEP/WPA/WPS keys, and performing other Wi-Fi security assessments.

Question 7

Q

John has been asked to notify his target organization of the specific times that his tests will occur during an unknown environment penetration test. After testing with limited success, he discovers that the system and security administrators were notified that he would be testing during that timeframe. What concern should John express to his employer?

A. The test should be conducted after hours to test staff responses outside the business day.
B. The system administrators may not accept the results of the test.
C. The test may not represent typical behavior due to the administrators knowing about it.
D. The test is valid and will provide more useful information about response capabilities due to the notification.

Answer

A

The test may not represent typical behavior due to the administrators knowing about it.

Penetration testers who discover that their target was notified of their testing when notification was not previously discussed may have to worry about their testing being spoiled. Administrators may have changed specific settings during the time the test occurred, and restored them after the fact—the authors of this book have seen this happen, with administrators turning firewalls on during the testing time to make systems “invisible,” and then turning them back off as soon as the test was over!

Question 8

Q

Maria is preparing to conduct a penetration test and wants to follow a penetration testing standard. Which of the following standards is most useful for her to base her process and procedures on?

A. OWASP
B. OSSTMM
C. ATT&CK
D. NIST

Explanation

The Open Source Security Testing Methodology Manual is the only standard from this list that is a penetration testing methodology. NIST is the National Institute for Standards and Technology and provides standards but isn’t a standard itself. ATT&CK is a framework and knowledgebase used to track and classify adversary tactics and techniques. OWASP is the Open Web Application Security Project, a foundation that works to improve the security of software, particularly web applications.

Answer

A

OSSTMM

The Open Source Security Testing Methodology Manual is the only standard from this list that is a penetration testing methodology. NIST is the National Institute for Standards and Technology and provides standards but isn’t a standard itself. ATT&CK is a framework and knowledgebase used to track and classify adversary tactics and techniques. OWASP is the Open Web Application Security Project, a foundation that works to improve the security of software, particularly web applications.

Question 9

Q

OSSTMM

Answer

A

The OSSTMM (Open Source Security Testing Methodology Manual) is a comprehensive framework for conducting security testing and analysis. It provides standardized guidelines for evaluating the operational security of systems, networks, and processes. The OSSTMM emphasizes verifiable and measurable results to ensure the reliability of the security assessment process.

Question 10

Q

Shen is conducting a penetration test and discovers signs of a past intrusion on the system. What action should she take first?

A. Document the evidence in her report.
B. Notify management.
C. Review the attack evidence and incorporate techniques in her own test.
D. Eradicate all traces of the attack from the system.

Answer

A

Notify management.

Shen is ethically obligated to immediately report the signs of a prior attack or criminal activity to management. She should do this prior to conducting any other activity and should await instructions before resuming the test.

Question 11

Q

Cameron is negotiating with a penetration testing organization and wants to create a document that details the deliverables and timelines that the vendor will use while providing the service. What type of document is he creating?

A. An EULA
B. An SOW
C. An NDA
D. An MSA

Answer

A

An SOW

Cameron is creating a statement of work, which describes what will be done and the amount of time it will take to complete it. A EULA is an end‐user license agreement, often associated with software. An NDA is a nondisclosure agreement, and an MSA is a master services agreement.

Question 12

Q

Which one of the following is an example of a process control that might be suggested to remediate a penetration test finding?

A. Firewall rule change
B. Security awareness campaign
C. DLP implementation
D. Two‐person control

Answer

A

Two‐person control

Two‐person control is an example of a business process that might be implemented as a security control. Firewall rule changes, and the implementation of a DLP system are examples of technical controls. A security awareness campaign is an example of a personnel control.

Question 13

Q

Victor is attempting to penetrate a web application and sends the following input to the application:

Victor’ AND 1=2;–
What type of SQL injection attack is Victor attempting?

A. Standard SQL injection
B. Blind content‐based SQL injection
C. Blind timing‐based SQL injection
D. Privileged SQL injection

Answer

A

Blind content‐based SQL injection

The use of the statement 1=2, which always evaluates to false, is a sign of a content‐based SQL injection attack. Standard SQL injection would not need to include this technique. Timing‐based attacks would include a command that triggers a delay. Privileged SQL injection is not a normal category of exploit.

Question 14

Q

Tim recently wrote a Bash script called passwordcracker.sh to perform password cracking. When he tried to execute the script during a penetration test, he received a permission denied error message. What command can Tim execute to correct this permission and allow only him, as the file’s owner, to execute the script?

A. chmod o+x passwordcracker.sh
B. chmod u+x passwordcracker.sh
C. chmod g+x passwordcracker.sh
D. chmod a+x passwordcracker.sh

Answer

A

chmod u+x passwordcracker.sh

The chmod u+x command adds execute permission for the file’s owner. The other commands all grant different permissions. The g+x argument provides execute permission to members of the file’s group. The o+x argument to chmod grants execute permission to everyone other the file’s user or group. The a+x argument provides execute permission to everyone.

Question 15

Q

Christopher is conducting a penetration test of an organization as part of an unknown environment assessment. He is currently testing a public‐facing web application. Which one of the following software testing techniques will not be available to him?

A. Static analysis
B. Dynamic analysis
C. Fuzz testing
D. Vulnerability scanning

Answer

A

Static analysis

Christopher can easily conduct vulnerability scanning using a web application testing tool because the website is public‐facing. This tool should be able to assist him with fuzz testing, which is a form of dynamic analysis. Christopher cannot, however, perform static analysis of the source code because he does not have access to that inside information as part of an unknown environment test.

Question 16

Q

MCDS, Inc. uses Microsoft’s Azure cloud to host their primary website and e‐commerce infrastructure. Steve has been asked to include both cloud‐hosted environments in a penetration test he is conducting. What step is critical to ensuring he has proper authorization to conduct scans of the cloud‐hosted systems?

A. He needs administrative rights for the Azure environment.
B. He needs sign‐off from the lead or manager of the infrastructure team.
C. He needs authorization from the third‐party provider.
D. He needs authorization from the organization’s ISP.

Answer

A

He needs authorization from the third‐party provider.

Steve needs authorization from the cloud service provider. In most cases, third‐party providers require prior authorization for penetration testing or other efforts that may cause issues for other users of their shared infrastructure or that may register as attacks against systems or services they host. Some simply don’t allow penetration tests, whereas others may have specific requirements for penetration testers.

Question 17

Q

Tiffany wants to gather OSINT data about the services that specific systems run in her target organization. Which of the following tools will not allow her to do this?

A. Censys
B. nmap
C. Shodan
D. theHarvester

Answer

A

nmap

Censys, Shodan, and theHarvester will all allow Tiffany to conduct OSINT information gathering that does not actively scan her target. Nmap is an active scanning tool and will not allow her to gather this type of information without connecting to the target systems and networks.

Question 18

Q

Censys

Answer

A

OSINT tool

Censys is an Open Source Intelligence (OSINT) tool used for discovering and analyzing devices connected to the internet. It collects data about servers, networks, and websites, allowing penetration testers to gather valuable information such as open ports, SSL certificates, and software versions. This makes it particularly useful for identifying potential vulnerabilities during the reconnaissance phase.

Question 19

Q

Shodan

Answer

A

OSINT Tool

Shodan is a search engine designed to locate and provide details about internet-connected devices and systems, such as servers, webcams, routers, and industrial control systems. It allows penetration testers to gather information on exposed devices, open ports, services, and vulnerabilities. Shodan is widely used for passive reconnaissance during penetration testing.

Question 20

Q

theHarvester

Answer

A

OSINT tool

theHarvester is a reconnaissance tool used to gather information about a target organization from publicly available sources. It automates the collection of data such as email addresses, subdomains, IPs, and URLs by querying search engines, public databases, and other resources. It is commonly employed during the passive reconnaissance phase of penetration testing.

Question 21

Q

Jack performs a scan using the command nmap 10.11.45.0/24. How many TCP ports will he scan?

A. 512
B. 1,000
C. 1,024
D. 65,535

Answer

A

1,000

By default, nmap will scan the most 1,000 most common TCP and UDP ports if it is not used with a command flag that provides it with a range of ports.

Question 22

Q

What happens in a double‐tagging attack after the tagged packet arrives at the first switch?

A. The switch reads both tags and forwards the packet to the VLAN listed in the first tag.
B. The switch reads both tags and forwards the packet to the VLAN listed in the second tag.
C. The switch forwards the packet to the VLAN listed in the first tag and removes it.
D. The switch forwards the packet to the VLAN listed in the second tag and removes it.

Answer

A

The switch forwards the packet to the VLAN listed in the first tag and removes it.

Double tagging relies on the fact that trunking is enabled on the target switch and that it will read the first tag and forward the packet to that VLAN after removing the tag. The next switch will see only the second tag (now the only tag) and will treat it like a normally tagged packet for that VLAN.

Question 23

Q

Which one of the following methods is not used to obtain user session cookies during a penetration test?

A. On‐path attack
B. Malware
C. Network eavesdropping
D. Tailgating

Answer

A

Tailgating

Tailgating is used to obtain physical access to a facility and can’t be used to obtain session cookies. Penetration testers seeking to obtain a session cookie may steal it by performing an on‐path attack, conducting network eavesdropping, or installing malware on the target user’s system.

Question 24

Q

Ann is performing a kerberoasting attack and has scanned for user accounts with SPNs set and had requested service tickets using SPNs. What should she do next?

A. Send service tickets to the server.
B. Extract the service tickets from memory and save them.
C. Insert NTLM hashes into the service tickets to authenticate.
D. Conduct an offline brute‐force attack against the SPNs.

Answer

A

Extract the service tickets from memory and save them.

The next step in Ann’s attack is to extract the service tickets from memory and to save them to a file. Then she can use an offline brute‐force attack against the passwords in the service tickets.

Question 25

Q

Keberoasting

Answer

A

Kerberoasting is an attack method used to exploit vulnerabilities in the Kerberos authentication protocol to obtain and potentially crack service account credentials.

This attack relies on weak passwords for service accounts, making strong password policies essential to defend against it

Question 26

Q

Steps of Keberoasting

Answer

A

Kerberoasting is an attack method used to exploit vulnerabilities in the Kerberos authentication protocol to obtain and potentially crack service account credentials.

Steps:
* Request a Service Ticket: The attacker, authenticated as a domain user, requests a service ticket (TGS) for a service principal name (SPN) of a target service account.
* Receive the Encrypted Ticket: The domain controller provides the TGS, which is encrypted using the service account’s NTLM hash.
* Extract the Ticket: The attacker extracts the TGS from memory using tools such as Mimikatz or PowerShell scripts.
* Crack the Ticket: The attacker uses offline brute force or dictionary attacks against the encrypted ticket to recover the plaintext password of the service account.

This attack relies on weak passwords for service accounts, making strong password policies essential to defend against it

Question 27

Q

Which one of the following combinations of authentication techniques is an example of multifactor authentication?

A. Username and password
B. Security question and PIN
C. ID card and fingerprint
D. ID card and smartphone app

Answer

A

ID card and fingerprint

An ID card is an example of “something you have” and a fingerprint is “something you are,” so that scheme qualifies as multifactor authentication. A username is an identification mechanism, not an authentication mechanism. Security questions and PINs are both “something you know,” so they do not constitute multifactor authentication when used together. ID cards and smartphone apps are both examples of “something you have.”

Question 28

Q

Richard is conducting network reconnaissance as part of a penetration test and would like to use a tool that allows him to scan the entire network and identify potential vulnerabilities on servers in the target organization. Which one of the following tools would meet Richard’s needs?

A. Nmap
B. Metasploit
C. Nessus
D. Kismet

Answer

A

Nessus

Nessus is a popular network vulnerability scanning tool that would meet Richard’s requirements. The other tools listed do not perform network vulnerability scanning. Nmap is a port scanner that only reports open ports, not vulnerabilities. Metasploit is an exploitation framework useful in later phases of the penetration test.

Question 29

Q

The company that Greg works for has recently undergone a penetration test, and the pentesters discovered that employees did not have appropriate separation of duties. Which of the following operational controls is not helpful when attempting to address this finding?

A. Job rotation
B. Time‐of‐day restrictions
C. Mandatory vacation
D. User training

Answer

A

Time‐of‐day restrictions

Separation of duties is intended to ensure that a single individual cannot take inappropriate actions. Time‐of‐day restrictions do not help with separation of duties, but they do help prevent staff or members or penetration testers from using credentials after hours. That means that job rotation and mandatory vacations are useful because they can offer a chance for malfeasance to be discovered. User training can also help by ensuring that staff members know what is expected of them and what is not allowed.

Question 30

Q

Examine the following code snippet, used to create a URL:

$ip = “10.5.5.2”
$port = “80”
$url = “http://” + $ip + “:” + $port
What language is being used?

A. Python
B. Ruby
C. PowerShell
D. Bash

Answer

A

PowerShell

The use of dollar signs to prefix variable names signals that this is code written in PowerShell. Ruby and Python also use the + operator for concatenation.

Question 31

Q

Matthew is writing the report from a penetration test and would like to communicate his results using standard language. Which one of the following components of the NIST Security Content Automation Protocol (SCAP) can he use to describe security flaws in a standardized way?

A. CPE
B. CVSS
C. CCE
D. CVE

Answer

A

CVE

The Common Vulnerabilities and Exposures (CVE) standard provides a consistent way to describe security flaws. The Common Vulnerability Scoring System (CVSS) also involves vulnerabilities but provides a standardized way to discuss vulnerability severity, not the vulnerabilities themselves. Common Platform Enumeration (CPE) is used to provide a standard nomenclature for describing product names and versions. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues.

Question 32

Q

PowerShell script identifiers

Answer

A

Uses cmdlet-based syntax like Get-, Set-, and Invoke-.
Often includes .ps1 file extensions.
May use Write-Output or Write-Host for displaying text.
Variables are prefixed with a $ (e.g., $VariableName).

Question 33

Q

Bash script identifiers

Answer

A

Often includes #!/bin/bash as a shebang line at the start of scripts.
Uses shell commands like echo, ls, and cat.
Variable assignment does not use a $ but references variables with $ (e.g.,
myVar=value and echo $myVar).
Includes control structures like if [ … ]; then.

Question 34

Q

Python script identifiers

Answer

A

Uses indentation to define blocks instead of braces or keywords.
File extensions are .py.
Common syntax includes print(), def for functions, and import for libraries.
Variables are untyped and not prefixed.

Question 35

Q

Ruby script identifiers

Answer

A

File extensions are .rb.
Uses puts or print for output.
Commonly uses def to define methods and end to close blocks.
Includes symbols like : (e.g., :symbolName) and often uses do … end for blocks.

Question 36

Q

Perl script identifiers

Answer

A

File extensions are .pl.
Variables are prefixed with $ (scalars), @ (arrays), or % (hashes).
Uses print for output.
Frequently uses regular expressions, indicated by =~ or /…/.

Question 37

Q

JavaScript script identifiers

Answer

A

May use .js as file extensions.
Frequently includes function keyword or arrow syntax (=>).
Uses {} for blocks and console.log() for output.
Variables are defined using var, let, or const.

Question 38

Q

CPE

Answer

A

CPE stands for Common Platform Enumeration, a standardized method of naming software, hardware, and operating systems. It provides a consistent way to identify technology products, enabling easier integration and analysis of vulnerability information.

Question 39

Q

CVSS

Answer

A

CVSS, or Common Vulnerability Scoring System, is a standardized framework for assessing the severity of software vulnerabilities. It provides a numerical score (ranging from 0.0 to 10.0) and corresponding qualitative ratings (e.g., Low, Medium, High, Critical) to help organizations prioritize remediation efforts

Question 40

Q

CCE

Answer

A

CCE stands for Common Configuration Enumeration, a standardized identifier system for security-related configuration issues. It provides unique identifiers for configuration settings to help organizations manage and audit their systems more effectively. CCE is often used alongside other frameworks like CVE to enhance vulnerability and compliance management

Question 41

Q

CVE

Answer

A

CVE stands for Common Vulnerabilities and Exposures, a standardized system for identifying and cataloging known security vulnerabilities in software and hardware. Each CVE entry includes a unique identifier, a brief description of the vulnerability, and references to additional information about it. CVEs are widely used by vulnerability management tools to assess and prioritize risks in systems.

Question 42

Q

What information is most important to target selection for wireless networks?

A. The wireless standard (G, N, AC) used by the organization
B. The SSIDs that belong to the target company
C. The EMEI number associated with the access points
D. Whether the network uses WPA2 or WEP

Answer

A

The SSIDs that belong to the target company

Selecting the correct target is critical to a penetration test, and that requires you to know the SSIDs used by the target. If you conduct penetration testing activities against a network that you are not authorized to attack, you may be breaking the law and could cause unintended harm to an organization that you don’t have a contract with!

Question 43

Q

Joe is conducting a network vulnerability scan against his data center and receives reports from system administrators that the scans are slowing down their systems. There are only performance problems on individual hosts and no network connectivity issues.

Which setting would be most likely to correct the problem?

A. Scan IP addresses in a random order
B. Network timeout (in seconds)
C. Max simultaneous checks per host
D. Max simultaneous hosts per scan

Answer

A

Max simultaneous checks per host

Of the choices presented, the maximum number of simultaneous checks per host is the only setting that would positively affect individual systems. Changing the number of simultaneous hosts per scan and the network timeout would have an effect on the broader network. Randomizing IP addresses would not have a performance impact.

Question 44

Q

After compromising a user account on a Linux system, Ben discovers that he is unable to change directories and that he can’t set path or shell variables or redirect output. What has he most likely encountered?

A. The account is not on the sudoers list.
B. The account is a service account.
C. The account is using a restricted shell.
D. The account is not a valid user account.

Answer

A

The account is using a restricted shell.

Ben’s first guess should be that the account he has gained access to is using a restricted shell. Restricted shells commonly prevent users from changing directories, setting PATH or SHELL variables, specifying absolute pathnames, and redirecting output.

Question 45

Q

Restricted Shell

Answer

A

A restricted shell is a security feature used to limit the commands and actions that a user can perform in a shell environment. It modifies the behavior of the standard shell to restrict access to certain commands, directories, and functionalities, thereby reducing the risk of unauthorized or harmful activities by the user.

Common restrictions in a restricted shell include:
* Limiting the ability to change directories.
* Preventing the execution of certain commands or scripts.
* Restricting access to specific files or system paths.

Question 46

Q

Mike is conducting a penetration test and is using the results of an internal network vulnerability scan to guide his work. He is conducting his test from an external location. The report shows that a web application has a SQL injection vulnerability. He can access the web server but cannot exploit the vulnerability successfully. What is the least likely cause of Mike’s inability to exploit the vulnerability?

A. A network firewall is blocking access to the server.
B. An intrusion prevention system is detecting the attempt and blocking it.
C. Administrators already remediated the vulnerability.
D. A web application firewall is filtering the request.

Answer

A

A network firewall is blocking access to the server.

If a network firewall were blocking access to the server, Mike would not be able to access the application at all. However, an intrusion prevention system or web application firewall might allow normal access to the server but block attempts to conduct a SQL injection attack. It is also possible that administrators detected and remediated the vulnerability before Mike attempted his exploit.

Question 47

Q

Anand has discovered the following exploit code. What language is it written in and what does it do?

import requests
url = ‘https://example.com/example.txt’
data = requests.get(url, allow_redirects=True)
open(‘example.txt’, ‘wb’).write(data.content)

A. Perl, file upload
B. JavaScript, file download
C. Ruby, file upload
D. Python, file download

Answer

A

Python, file download

This is a simple Python file download script. You can see it defines a request and then opens it to write the content to a file from a URL.

Question 48

Q

Ralph discovers a file containing hashed passwords during a penetration test but is able to crack 90 percent of them using Jack the Ripper. What finding should Ralph report in his final report?

A. Plain‐text passwords
B. Weak password encryption
C. Weak password complexity
D. No multifactor authentication

Answer

A

Weak password complexity

The only conclusion Ralph can reach from the information available is that the organization does not have a strong password complexity policy. If they did, the percentage of cracked passwords would be much lower. The scenario indicates that the passwords are hashed, so they are neither stored in plain text nor encrypted. We do not know from the information given whether multifactor authentication is in use.

Question 49

Q

Examine the following object. What language was most likely used for this object?

{
“system”: {
“hostname”: “www.certmike.com”,
“ip”: “54.174.107.98”,
“security_scanned”: true
}
}

A. JSON
B. XML
C. HTML
D. SQL

Answer

A

JSON

This is an example of a JavaScript Object Notation (JSON) object. We can determine this by noting that it uses the key‐value store format to define attributes. The object lacks the ˂˃ and ˂/˃ tags that would be found in a markup language like XML or HTML. It is not a database query written in Structured Query Language (SQL)

Question 50

Q

Conducting a social engineering exercise against his target, Greg tells a story claiming that only a few members of the staff will be recognized for assisting with the project he is working on. What motivation technique has he used?

A. Authority
B. Scarcity
C. Urgency
D. Likeness

Explanation

Scarcity‐based persuasion focuses on limited rewards or opportunities. This can sound similar to urgency‐based efforts, which focus on limited time. Appeals to authority leverage making the target believe that you have the right or role to require them to perform an action, whereas likeness uses similarity with the penetration tester to build trust.

Answer

A

Scarcity

Scarcity‐based persuasion focuses on limited rewards or opportunities. This can sound similar to urgency‐based efforts, which focus on limited time. Appeals to authority leverage making the target believe that you have the right or role to require them to perform an action, whereas likeness uses similarity with the penetration tester to build trust.

Question 51

Q

Orlando is writing a PowerShell script and tests the TCP ports open on a system using the following syntax:

port -lt 80

Which of the following ports would match this expression?

A. 22
B. 80
C. 443
D. All of the above

Answer

A

22

The -lt operator says that the variable on the left must be strictly less than the variable on the right. Port 22 is the only port that is strictly less than 80.

Question 52

Q

XML things to remember

Answer

A

Uses custom-defined tags for structuring data, e.g., < tag > value < / tag >.
Requires closing tags for each element or uses self-closing tags, e.g., \ < tag / >
Supports attributes within tags, e.g., <tag attribute=”value”>content</tag>.

Question 53

Q

JSON things to remember

Answer

A

Data is organized in key-value pairs within curly braces, e.g., {“key”: “value”}.
Arrays are enclosed in square brackets, e.g., [“value1”, “value2”].
Values can be strings, numbers, objects, arrays, or true, false, and null.

Question 54

Q

HTML things to remember

Answer

A

Uses predefined tags for web content, e.g., < html >, < body >.
Tags are not case-sensitive but typically written in lowercase.
Allows inline JavaScript and CSS, often leading to potential security issues (e.g., XSS).

Question 55

Q

SQL things to remember

Answer

A

Consists of commands and clauses, e.g., SELECT, INSERT, WHERE.
Uses semicolon (;) to terminate statements.
Case-insensitive for commands but case-sensitive for database and column names depending on the system.

Question 56

Q

PowerShell comparsion operators

Answer

A

always start with a hyphen

-lt: Less than
-le: Less than or equal to
-eq: Equal to
-ne: Not equal to
-gt: Greater than
-ge: Greater than or equal to

Question 57

Q

Analyze the following segment of code:

if server == 1
ip = ‘10.1.1.1’
elsif server == 2
ip = ‘10.1.1.2’
else
ip = ‘10.1.1.3’
end

What language is this code written in?

A. Ruby
B. Bash
C. Python
D. PowerShell

Answer

A

Ruby

We can analyze this code using the flowchart shown in this figure. Following this chart, we can quickly determine that the code is written in Ruby due to the use of the end statement.

Question 58

Q

Which of the following programming languages will generate an error if the script attempts to concatenate a string and an integer without first performing an explicit conversion?

A. Bash
B. Ruby
C. PowerShell
D. All of the above

Answer

A

Ruby

Bash and PowerShell both allow the concatenation of strings and integers without an explicit conversion. Ruby (and Python) will generate an error if this is attempted.

Question 59

Q

Kaiden is in the process of penetration testing a web application belonging to his target organization. He would like to use a tool specifically designed to perform automated web application testing. Which one of the following tools is best suited for this task?

A. Immunity
B. Nikto
C. ZAP
D. Metasploit

Answer

A

Nikto

Nikto is an automated web application vulnerability scanner that would be perfect for Kaiden’s purposes. Immunity Debugger is a software debugging tool for developers that would not be useful during a web application test. ZAP is a web proxy, and Metasploit is an exploitation framework. Both ZAP and Metasploit may be used during testing, but they are manual tools that do not perform automated scans.

Question 60

Q

Immunity

Answer

A

Immunity in the context of penetration testing tools refers to Immunity Debugger, which is designed specifically for supporting penetration tests and reverse engineering malware. It allows for dynamic analysis of executable files, making it a valuable tool for identifying vulnerabilities in software.

Question 61

Q

ZAP

Answer

A

ZAP, short for Zed Attack Proxy, is an interception proxy developed by the Open Web Application Security Project (OWASP). It allows penetration testers to intercept, modify, and analyze requests sent from web browsers to web servers, making it a valuable tool for identifying web application vulnerabilities. ZAP supports manual and automated testing

Question 62

Q

Sticky Bit

Answer

A

a permission setting on a directory. It restricts the ability to delete or rename files in the directory to the file owner, the directory owner, or the root user.

In Linux permissions, the sticky bit is represented by the letter t in the execute (x) position for others. It appears in the file or directory’s permission string when listed with ls -l.

drwxrwxrwt 7 root root 4096 Dec 14 /tmp

Question 63

Q

SUID file

Answer

A

on Linux with the Set User ID (SUID) bit set. This bit tells the system that the file should execute with the permissions of the file’s owner rather than the user running it. This is particularly useful for files that need root-level privileges to perform specific functions.

The SUID bit is represented as an s in the file’s permissions (e.g., -rwsr-xr-x).

-rwsr-xr-x 7 root root 4096 Dec 14 /tmp

Question 64

Q

find / -perm -4000

Answer

A

This locates all files with the SUID bit set

Answer 65

A

Ruby

The puts command is used to display output when developing code in Ruby.

Answer 66

A

Session hijacking

Session hijacking attacks involve stealing the cookie belonging to a valid user and using it to take over the HTTP session. Cookies would not be useful in password cracking attacks because the password has already been exchanged when the user has a cookie. On‐path attacks involve serving as an intermediary in user communication with a server and do not require a valid cookie. Pass‐the‐ticket attacks exploit vulnerabilities in Kerberos, which is not mentioned in this scenario.

Answer 67

A

SSH

Web servers commonly run on ports 80 (HTTP) and 443 (HTTPS). Database servers commonly run on ports 1433 (Microsoft SQL Server), 1521 (Oracle), and 3306 (MySQL). Remote Desktop Protocol (RDP) services commonly run on port 3389. There is no evidence that SSH, which uses TCP port 22, is running on this server.

Answer 68

A

20, 21 (TCP/UDP): FTP (File Transfer Protocol) – Data and control channels.
22 (TCP/UDP): SSH (Secure Shell).
23 (TCP/UDP): Telnet.
25 (TCP/UDP): SMTP (Simple Mail Transfer Protocol).
53 (UDP): DNS (Domain Name System).
67, 68 (TCP/UDP): DHCP (Dynamic Host Configuration Protocol) – Server and client.
69 (UDP): TFTP (Trivial File Transfer Protocol).
80 (TCP/UDP): HTTP (Hypertext Transfer Protocol).
88 (TCP/UDP): Kerberos.
110 (TCP/UDP): POP3 (Post Office Protocol 3).
123 (TCP/UDP): NTP (Network Time Protocol).
135, 136 (TCP/UDP): Microsoft RPC
137, 138, 139 (TCP/UDP): NetBIOS services.
143 (TCP): IMAP (Internet Message Access Protocol).
161, 162 (UDP): SNMP (Simple Network Management Protocol).
389 (TCP/UDP): LDAP (Lightweight Directory Access Protocol).
443 (TCP/UDP): HTTPS (Hypertext Transfer Protocol Secure).
445 (TCP): SMB (Server Message Block) and Microsoft AD.
500 (TCP/UDP): ISAKMP/IKE (Internet Key Exchange).
1433, 1434 (TCP/UDP): Microsoft SQL services.
1521 (TCP): Oracle database listener.
1812, 1813 (TCP/UDP): RADIUS (Remote Authentication Dial-In User Service).
3389: RDP
8080, 8443 (TCP): Alternative HTTP/HTTPS ports for web services

Answer 69

A

String

A domain name is a text value, so it should be stored in a string variable. Integers are numeric data, so that would not be appropriate in this case. Arrays and lists could contain multiple domain names, but they are too complex for Chuck’s needs.

Answer 70

A

Mimikatz

Although Mimikatz is an excellent tool for obtaining and using hashes, it doesn’t include hash cracking features like John, RainbowCrack, and hashcat.

Answer 71

A

The Windows SAM (Security Accounts Manager) is a database used by Windows to store user account credentials, including password hashes. It resides in the file system, typically located at:

C:\Windows\System32\config\SAM

The SAM file is encrypted and protected to prevent unauthorized access. It contains password hashes rather than plaintext passwords and is commonly targeted by penetration testers or attackers after gaining system-level access. Tools like Mimikatz or Metasploit are often used to dump the SAM file for analysis and potential hash cracking

Answer 72

A

Stored XSS

Stored (or persistent) cross‐site scripting (XSS) attacks use content that is stored in a location where the victim is likely to retrieve it. A message board posting fits into this category. Reflected XSS attacks occur when the script is provided to a web application as input that is immediately displayed as output. Consistent and decentralized are not categories of XSS attacks.

Answer 73

A

occurs when malicious input sent to a web server is immediately returned to the victim in the server’s response, without proper validation or sanitization.

- Delivery: Typically via phishing emails, malicious links, or forms.
Immediate execution: The script is embedded in the server’s response and executes as soon as the victim accesses the crafted link.
Scope: Affects individual users, not stored on the server.

Answer 74

A

occurs when malicious scripts are permanently stored on a server (e.g., in a database, message board, or comment section). When other users access the affected page, the malicious script is executed in their browsers.

Persistent attack: The malicious payload is stored on the server and affects all users who access the content.
Higher impact: Can target multiple users over time.
Common entry points: Input fields like comments, profile updates, or feedback forms.

Answer 75

A

occurs when a malicious script is executed entirely on the client side, within the browser’s Document Object Model (DOM). The server does not directly include the malicious payload in its response; instead, the client-side JavaScript processes the input in an insecure way, leading to the execution of malicious code.

Client-side vulnerability: The issue lies in how the browser’s DOM manipulates or renders user-supplied input.
No server reflection: The server itself does not send the malicious script. Instead, client-side code dynamically creates or modifies DOM elements based on user input.
Example sources: window.location, document.URL, or document.referrer.

Answer 76

A

Unvalidated redirect

The presence of another URL (www.anothercompany.com) in the query string indicates that this site may be susceptible to an unvalidated redirect attack. Renee should further test this by attempting to change the URL and determining whether the redirection still takes place.

Answer 77

A

None of the above

Modern Linux systems do not store password hashes in /etc/passwd and instead store them in /etc/shadow. Gaining access to /etc/passwd can be helpful to understand the accounts that a system has provisioned locally and what shells they use, but doing so won’t be useful for actual password recovery in almost all cases.

Answer 78

A

NAC

Network Access Control (NAC) systems can use a number of techniques to prevent unknown systems from connecting, but some use MAC address validation as part of their filtering. Of the list of options, the most likely is that Jessica is trying to bypass the organization’s NAC system.

Answer 79

A

All of the above

This is a critical finding and should trigger an immediate communication to the client so that it may be remediated. Frank should also include the finding in the detailed and executive summary sections of the final report, since it is a very significant issue.

Answer 80

A

The web server’s banner

This command calls Netcat to connect to TCP port 80 on a system with the IP address 10.10.11.55. Presuming this is a web server, the HTTP GET command that follows will fetch the web server’s banner—or at least an error message with useful banner information!

Answer 81

A

exiftool

Exiftool is a quick and easy tool that can allow Lucas to see the metadata embedded in image files. The strings tool can be used to extract text strings from files, but it’s not as useful for metadata recovery. Grep is a search tool, and metascan was made up for this question.

Answer 82

A

Netcat will open a reverse shell to 10.10.10.1 on port 1024 every month on the 2nd day of the month.

This cronjob runs at 12:45 on the 2nd day of every month and opens a reverse shell to 10.10.10.1 on port 1024.

Answer 83

A

SSH brute forcing, an SSH server

Hydra is a brute‐forcing tool, and port 22 is typically associated with SSH. It is most likely that Isaac is attempting to brute‐force an SSH server.

Answer 84

A

widely used brute-force password attack tool designed to crack authentication for various protocols and services, including SSH, HTTP/HTTPS, SMB, and databases. It uses wordlists or dictionaries to test username and password combinations against a target system and supports parallel threads for faster attacks.

Answer 85

A

Unnecessary open services

Port 1433 is used to access a database directly and should never be exposed to the Internet. Therefore, Robert may accurately report the use of unnecessary open services. He is not able to confirm the presence of any of the other issues mentioned in the question without further information.

Answer 86

A

Attestation of findings

The attestation of findings is normally used to communicate a summary of findings from the firm conducting penetration testing to a regulatory body. That would be the appropriate document to share in this case.

Answer 87

A

Export restrictions

In the United States and other countries, some technologies are covered by export restrictions, prohibiting them from being exported to specific countries. In this case, Iran is a country that is typically on the short list of countries that have export restrictions for many technologies.

Answer 88

A

The directory the application is in

The Windows search order is the directory the application is in, the current directory, the Windows system directory, the Windows directory, and then any directories listed in the PATH variable.

Answer 89

A

An on‐path attack

Charles is using the arpspoof command to hijack traffic destined for another system, thus allowing him to conduct an on‐path attack.

Answer 90

A

The client will send a new ClientHello with a lower TLS version.

This is an example of an SSL downgrade attack, and Mary is attempting to cause the client to reconnect with a less secure TLS version. The client will attempt to reconnect by sending a new ClientHello with a lower TLS version if it is supported.

Answer 91

A

She has enabled remote PowerShell access from 10.45.11.22.

If she restarts the Windows remote management service after executing her command, Olivia will have remote PowerShell access to the system she ran this command on. Once that is enabled, she has use PowerShell for a multitude of exploits—all from her remote system!

Answer 92

A

Slide something between the doors and shake it to trip the sensor.

Although it may seem like an overly simple answer, egress sensors can be tripped by simply sliding something between or under the doors that will be detected by the sensors on the inside of the door. A thin rod or stick with paper on it, or even a helium balloon that is inflated under the door, can be used against egress sensors.

Answer 93

A

Sanitizing documents

Documents created during the test should be preserved as evidence of a successful test and retained according to the organization’s document retention policy. The post‐engagement cleanup phase should include removing any shells, tools, or user accounts created or installed by the penetration testers.

Answer 94

A

She is attempting to avoid IDS systems, and her scan may be very slow.

The timing settings for nmap determine how quickly scan traffic is sent. -T0 sends a probe every 5 minutes, whereas -T1 sends one every 15 seconds. Both will be very slow for most reasonably sized networks—scanning even the 1,000 default TCP ports a default nmap TCP scan covers will take three and a half days for a single host!

Answer 95

A

Change the system’s host file.

Adding an entry to the local hosts file is an easy way to redirect traffic to a system of your choice, and Scott can do this with the administrative access he has acquired.

Answer 96

A

Reconnaissance: Attackers gather information about the target, including open-source intelligence and initial scans of the environment.
Weaponization: Developing specific tools or payloads to exploit identified vulnerabilities
Delivery: Sending the payload to the target via methods such as phishing emails, exploiting network vulnerabilities, or distributing malware
Exploitation: Triggering the malicious payload to exploit the target system and gain access
Installation: Establishing persistence by creating backdoors or modifying configurations to ensure ongoing access
Command and Control (C2): Gaining remote control of the compromised system using tools like remote shells or automated botnet commands
Actions on Objectives: Executing the attacker’s goals, such as data theft, system disruption, or further exploitation within the network.

Answer 97

A

The Cyber Kill Chain is a framework developed by Lockheed Martin to describe the stages of a cyberattack. It provides a structured approach to understanding and disrupting an attack by identifying the steps an attacker typically takes, from initial reconnaissance to achieving their objectives

Brainscape's Knowledge GenomeTM

Practice Exam Flashcards

Brainscape's Knowledge Genome^TM