Title of test:
Cysa+ 02

Description:
Sybex 0-200

Author:
Adrian B

Creation Date:
16/05/2023

Category:
Computers

Number of questions: 46
Content:
Olivia is considering potential sources for threat intelligence information that she might incorporate into her security program. Which one of the following sources is most likely to be available without a subscription fee? A. Vulnerability feeds B. Open source C. Closed source D. Proprietary.
During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization’s network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option? A. Perform a DNS brute-force attack. B. Use an nmap ping sweep. C. Perform a DNS zone transfer. D. Use an nmap stealth scan.
A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running? A. Oracle B. Postgres C. MySQL D. Microsoft SQL.
Brad is working on a threat classification exercise, analyzing known threats and assessing the possibility of unknown threats. Which one of the following threat actors is most likely to be associated with an advanced persistent threat (APT)? A. Hacktivist B. Nation-state C. Insider D. Organized crime.
Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service? A. SaaS B. PaaS C. IaaS D. FaaS.
During a network reconnaissance exercise, Chris gains access to a PC located in a secure network. If Chris wants to locate database and web servers that the company uses, what command-line tool can he use to gather information about other systems on the local network without installing additional tools or sending additional traffic? A. ping B. traceroute C. nmap D. netstat.
Kaiden’s organization uses the AWS public cloud environment. He uses the CloudFormation tool to write scripts that create the cloud resources used by his organization. What type of service is CloudFormation? A. SaaS B. IAC C. FaaS D. API.
What is the default nmap scan type when nmap is not provided with a scan type flag? A. A TCP FIN scan B. A TCP connect scan C. A TCP SYN scan D. A UDP scan.
Isaac wants to grab the banner from a remote web server using commonly available tools. Which of the following tools cannot be used to grab the banner from the remote host? A. Netcat B. Telnet C. Wget D. FTP.
Lakshman wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization’s footprint the most? A. Limit information available via the organizational website without authentication. B. Use a secure domain registration. C. Limit technology references in job postings. D. Purge all document metadata before posting.
Latisha has local access to a Windows workstation and wants to gather information about the organization that it belongs to. What type of information can she gain if she executes the command nbtstat -c? A. MAC addresses and IP addresses of local systems B. NetBIOS name-to-IP address mappings C. A list of all NetBIOS systems that the host is connected to D. NetBIOS MAC-to-IP address mappings.
Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A? A. A reflection scan B. A proxy scan C. A randomized host scan D. A ping-through scan.
As a member of a blue team, Lukas observed the following behavior during an external penetration test. What should he report to his managers at the conclusion of the test? A. A significant increase in latency B. A significant increase in packet loss C. Latency and packet loss both increased. D. No significant issues were observed.
Maddox is conducting an inventory of access permissions on cloud-based object buckets, such as those provided by the AWS S3 service. What threat is he seeking to mitigate? A. Insecure APIs B. Improper key management C. Unprotected storage D. Insufficient logging and monitoring.
Lucy recently detected a cross-site scripting vulnerability in her organization’s web server. The organization operates a support forum where users can enter HTML tags and the resulting code is displayed to other site visitors. What type of cross-site scripting vulnerability did Lucy discover? A. Persistent B. Reflected C. DOM-based D. Blind.
Which one of the following tools is capable of handcrafting TCP packets for use in an attack? A. Arachni B. Hping C. Responder D. Hashcat.
Which one of the following IoT components contains hardware that can be dynamically reprogrammed by the end user? A. RTOS B. SoC C. FPGA D. MODBUS.
Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place? A. Credential stuffing B. Password spraying C. Brute-force D. Rainbow table.
The company that Dan works for has recently migrated to an SaaS provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment? A. Use a different scanning tool. B. Rely on vendor testing and audits. C. Engage a third-party tester. D. Use a VPN to scan inside the vendor’s security perimeter.
Ricky discovered a vulnerability in an application where privileges are checked at the beginning of a series of steps, may be revoked during those steps, and then are not checked before new uses of them later in the sequence. What type of vulnerability did he discover? A. Improper error handling B. Race condition C. Dereferencing D. Sensitive data exposure.
Abdul is conducting a security audit of a multicloud computing environment that incorporates resources from AWS and Microsoft Azure. Which one of the following tools will be most useful to him? A. ScoutSuite B. Pacu C. Prowler D. CloudSploit.
Jake is performing a vulnerability assessment and comes across a CAN bus specification. What type of environment is most likely to include a CAN bus? A. Physical access control system B. Building automation system C. Vehicle control system D. Workflow and process automation system.
Darcy is conducting a test of a wireless network using the Reaver tool. What technology does Reaver specifically target? A. WPA B. WPA2 C. WPS D. WEP.
Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on.
root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n
message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbusdaemon --system --address=systemd: --nofork --nopidfile --systemd-activa
root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon
root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon
root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind
apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin
root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService
root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux
root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3
root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd
root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-sessionworker[pam/gdm-launch-environment]
Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user
Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)
A. 508 B. 617 C. 846 D. 714.
Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services, including telnet, FTP, and web servers. What is his best option to secure these systems? A. Enable host firewalls. B. Install patches for those services. C. Turn off the services for each appliance. D. Place a network firewall between the devices and the rest of the network.
During the reconnaissance stage of a penetration test, Fred calls a number of staff at the target organization. Using a script he prepared, Fred introduces himself as part of the support team for their recently installed software and asks for information about the software and its configuration. What is this technique called? A. Pretexting B. OSINT C. A tag-out D. Profiling.
Adam’s port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess? A. A web server B. An FTP server C. A printer D. A proxy server.
While conducting reconnaissance, Piper discovers what she believes is an SMTP service running on an alternate port. What technique should she use to manually validate her guess? A. Send an email via the open port. B. Send an SMTP probe. C. Telnet to the port. D. SSH to the port.
What two pieces of information does nmap need to estimate network path distance? A. IP address and TTL B. TTL and operating system C. Operating system and BGP flags D. TCP flags and IP address.
During an on-site penetration test of a small business, Ramesh scans outward to a known host to determine the outbound network topology. What information can he gather from the results provided by Zenmap? A. There are two nodes on the local network. B. There is a firewall at IP address 96.120.24.121. C. There is an IDS at IP address 96.120.24.121. D. He should scan the 10.0.2.0/24 network.
Marta wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact? A. Location A B. Location B C. Location C D. Location D.
Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will most easily provide the most useful information if they are all possible to conduct on the network he is targeting? A. DNS record enumeration B. Zone transfer C. Reverse lookup D. Domain brute-forcing.
While gathering DNS information about an organization, Ryan discovered multiple AAAA records. What type of reconnaissance does this mean Ryan may want to consider? A. Second-level DNS queries B. IPv6 scans C. Cross-domain resolution D. A CNAME verification.
Scott is part of the white team who is overseeing his organization’s internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report? A. The blue team has succeeded. B. The red team is violating the rules of engagement. C. The red team has succeeded. D. The blue team is violating the rules of engagement.
Kai has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Kai needs to take, as shown in this diagram? (Diagram steps, in order: Gaining Access, Escalating Privileges, C, Install Additional Tools.) A. System browsing B. Scanning C. Rooting D. Consolidation.
While application vulnerability scanning one of her target organization's web servers, Andrea notices that the server’s hostname is resolving to a cloudflare.com host. What does Andrea know about her scan? A. It is being treated like a DDoS attack. B. It is scanning a CDN-hosted copy of the site. C. It will not return useful information. D. She cannot determine anything about the site based on this information.
While tracking a potential APT on her network, Cynthia discovers a network flow for her company’s central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
Date flow start          Duration  Proto  Src IP Addr:Port  Dst IP Addr:Port  Packets  Bytes  Flows
2017-07-11 13:06:46.343  21601804  TCP    10.1.1.1:1151->10.2.2.3:443         9473640  9.1 G  1
2017-07-11 13:06:46.551  21601804  TCP    10.2.2.3:443->10.1.1.1:1151         8345101  514 M  1
A. A web browsing session B. Data exfiltration C. Data infiltration D. A vulnerability scan.
Part of Tracy’s penetration testing assignment is to evaluate the WPA2 Enterprise protected wireless networks of her target organization. What major differences exist between reconnaissance of a wired network and reconnaissance of a wireless network? A. Encryption and physical accessibility B. Network access control and encryption C. Port security and physical accessibility D. Authentication and encryption.
Ian’s company has an internal policy requiring that they perform regular port scans of all of their servers. Ian has been part of a recent effort to move his organization’s servers to an infrastructure as a service (IaaS) provider. What change will Ian most likely need to make to his scanning efforts? A. Change scanning software B. Follow the service provider’s scan policies C. Sign a security contract with the provider D. Discontinue port scanning.
Saanvi knows that the organization she is scanning runs services on alternate ports to attempt to reduce scans of default ports. As part of her intelligence-gathering process, she discovers services running on ports 8080 and 8443. What services are most likely running on these ports? A. Botnet C&C B. Nginx C. Microsoft SQL Server instances D. Web servers.
Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers? A. nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt B. nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt C. nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt D. nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt.
Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his best guess be about what the host is? A. A print server B. A Microsoft SQL server C. A MySQL server D. A secure web server running on an alternate port.
While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered? A. A route change B. Fast-flux DNS C. A load balancer D. An IP mismatch.
Nihar wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use? A. Fragmenting packets B. Changing packet header flags C. Spoofing the source IP D. Appending random data.
Which of the following commands will provide Ben with the most information about a host? A. dig -x [ip address] B. host [ip address] C. nslookup [ip address] D. zonet [ip address].
Fred’s reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here:
Validity
2018-07-07 00:00:00 to 2019-08-11 23:59:59 (400 days, 23:59:59)
2017-07-08 00:00:00 to 2019-08-12 23:59:59 (400 days, 23:59:59)
2018-07-11 00:00:00 to 2019-08-15 23:59:59 (400 days, 23:59:59)
What should Fred record in his reconnaissance notes? A. The certificates expired as expected, showing proper business practice. B. The certificates were expired by the CA, possibly due to nonpayment. C. The system that hosts the certificates may have been compromised. D. The CA may have been compromised, leading to certificate expiration.