Title of test:
Test D CompTIA pentest+ PT0-002

Description:
CompTIA pentest+ PT0-002

Author:
AVATAR

Creation Date:
06/02/2024

Category:
Others

Number of questions: 33
Content:
A penetration tester runs the following command:
    dig @dns01.comptia.local axfr comptia.local
If successful, which of the following types of information would be provided?
- The DNSSEC certificate and CA
- The DHCP scopes and ranges used on the network
- The hostnames and IP addresses of internal systems
- The OS and version of the DNS server
A company recruited a penetration tester to configure intrusion detection over the wireless network. Which of the following tools would BEST resolve this issue?
- Aircrack-ng
- Wireshark
- Cowpatty
- Kismet
While performing an assessment on a web application, a penetration tester notices the web browser creates the following request when clicking on the stock status for an item:
    POST /product/stock HTTP/1.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 118

    stockApi=http://stock.shop.com:8080/product/stock/check%3FproductId%3D6%26storeId%3D1
Which of the following types of attacks would the penetration tester most likely try NEXT?
- Cross-site scripting
- Command injection
- Local file inclusion
- Server-side request forgery
When accessing the URL http://192.168.0.1/validate/user.php, a penetration tester obtained the following output:
- Lack of code signing
- Incorrect command syntax
- Insufficient error handling
- Insecure data transmission
Which of the following is the MOST secure method for sending the penetration test report to the client?
- Host it on an online storage system
- Put it inside a password-protected ZIP file
- Transfer it via webmail using an HTTPS connection
- Use the client's public key
During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using custom NSE scripts stored in the following folder:
    /home/user/scripts
Which of the following commands should the penetration tester use to perform this scan?
- nmap --resume "not intrusive"
- nmap --script default,safe
- nmap --script /home/user/scripts
- nmap --load /home/user/scripts
Within a Python script, a line that states print (var) outputs the following:
    [{'1' : 'CentOS', '2' : 'Ubuntu'}, {'1' : 'Windows 10', '2' : 'Windows Server 2016'}]
Which of the following objects or data structures is var?
- An array
- A class
- A dictionary
- A list
A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet." Which of the following audiences was this message intended?
- Systems administrators
- C-suite executives
- Data privacy ombudsman
- Regulatory officials
During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files:
    <% String id = request.getParameter("id"); %>
    Employee ID: <%= id %>
Which of the following is the BEST remediation to prevent a vulnerability from being exploited, based on this code?
- Parameterized queries
- Patch application
- Output encoding
- HTML sanitization
Which of the following best describes why a client would hold a lessons-learned meeting with the penetration-testing team?
- To provide feedback on the report structure and recommend improvements
- To discuss the findings and dispute any false positives
- To determine any processes that failed to meet expectations during the assessment
- To ensure the penetration-testing team destroys all company data that was gathered during the test
Which of the following factors would a penetration tester MOST likely consider when testing at a location?
- Determine if visas are required.
- Ensure all testers can access all sites.
- Verify the tools being used are legal for use at all sites.
- Establish the time of the day when a test can occur.
A penetration tester who is performing a physical assessment has achieved physical access to a call center for the assessed company. The tester is able to move freely around the room. Which of the following attack types is most likely to result in the tester obtaining personal or confidential information quickly?
- Dumpster diving
- Warwalking
- Vishing
- Smishing
- Shoulder surfing
HOTSPOT - A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.
INSTRUCTIONS - Select the tool the penetration tester should use for further investigation. Select the two entries in the robots.txt file that the penetration tester should recommend for removal. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
- mimikatz
- SQLmap
- WPScan
- Brakeman
In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers. Which of the following actions would best enable the tester to perform phishing in a later stage of the assessment?
- Test for RFC-defined protocol conformance
- Attempt to brute force authentication to the service
- Perform a reverse DNS query and match to the service banner
- Check for an open relay configuration
A company recently moved its software development architecture from VMs to containers. The company has asked a penetration tester to determine if the new containers are configured correctly against a DDoS attack. Which of the following should a tester perform FIRST?
- Check the strength of the encryption settings.
- Determine if security tokens are easily available.
- Run a vulnerability check against the hypervisor.
- Scan the containers for open ports.
Given the following script:
- A while loop
- A conditional
- A Boolean operator
- An arithmetic operator
A security analyst is conducting an unknown environment test from 192.168.3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve this objective?
- nmap -F 192.168.5.5
- nmap -datalength 2 192.168.5.5
- nmap -D 0.5.2.2 192.168.5.5
- nmap -scanflags SYNFIN 192.168.5.5
A penetration tester is validating whether input validation mechanisms have been implemented in a web application. Which of the following should the tester use to determine whether the application is vulnerable to path traversal attacks?
- GET /image?filename-..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhosts
- GET /image?filename=lefitfe;pwd
- POST /image?filename -
- POST /image?filename =yhtak;ncat --ssl 192.168.0.1 2222
A penetration tester learned that when users request password resets, help desk analysts change users' passwords to 123change. The penetration tester decides to brute force an internet-facing webmail to check which users are still using the temporary password. The tester configures the brute-force tool to test usernames found on a text file and the password 123change. Which of the following techniques is the penetration tester using?
- Brute-force attack
- LDAP injection
- Password spraying
- Kerberoasting
A penetration tester is conducting an unknown environment test and gathering additional information that can be used for later stages of an assessment. Which of the following would most likely produce useful information for additional testing?
- Public code repositories associated with a developer who previously worked for the target company
- Public code repositories associated with the target company's organization
- Private code repositories associated with the target company's organization
- Private code repositories associated with a developer who previously worked for the target company
A penetration tester developed the following script to be used during an engagement:
However, when the penetration tester ran the script, the tester received the following message:
    socket.gaierror: [Errno -2] Name or service not known
Which of the following changes should the penetration tester implement to fix the script?
- From: target = socket.gethostbyname(sys.argv[0]) To: target = socket.gethostbyname(sys.argv[1])
- From: s = socket.socket(socket.AF_INET, socket.SOCK_STEAM) To: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- From: import socket,sys To: import socket import sys
A penetration tester who was exclusively authorized to conduct a physical assessment noticed there were no cameras pointed at the dumpster for the target company. The penetration tester returned at night and collected garbage that contained receipts for recently purchased networking equipment. The models of equipment purchased are vulnerable to attack. Which of the following is the most likely NEXT step for the penetration tester?
- Alert the target company of the discovered information
- Verify the discovered information is correct with the manufacturer.
- Scan the equipment and verify the findings.
- Return to the dumpster for more information.
A penetration tester is attempting to get more people from a target company to download and run an executable. Which of the following would be the MOST effective way for the tester to achieve this objective?
- Dropping USB flash drives around the company campus with the file on it
- Attaching the file in a phishing SMS that warns users to execute the file or they will be locked out of their accounts
- Sending a pretext email from the IT department before sending the download instructions later
- Saving the file in a common folder with a name that encourages people to click it
While performing the scanning phase of a penetration test, the penetration tester runs the following command:
    nmap -n -vv -sV -p- 10.10.10.23-28
After the Nmap scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try NEXT?
- -sU
- -Pn
- -sn
- -sS
A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester MOST likely utilize?
- Wireshark
- Netcat
- Nmap
- Ettercap
A penetration tester executes the following Nmap command and obtains the following output:
- nmap -v -p 25 --script smtp-enum-users remotehost
- nmap -v --script=mysql-info.nse remotehost
- nmap --script=smb-brute.nse remotehost
- nmap -p 3306 --script "http*vuln*" remotehost
During enumeration, a red team discovered that an external web server was frequented by employees. After compromising the server, which of the following attacks would BEST support compromising company systems?
- A side-channel attack
- A command injection attack
- A watering-hole attack
- A cross-site scripting attack
A penetration tester is developing exploits to attack multiple versions of a common software package. The versions have different menus and features, but they have a common log-in screen that the exploit must use. The penetration tester develops code to perform the log-in that can be used by each of the exploits targeted to a specific version. Which of the following terms is used to describe this common log-in code example?
- Conditional
- Library
- Dictionary
- Subapplication
Which of the following tools would be BEST suited to perform a cloud security assessment?
- OpenVAS
- Scout Suite
- Nmap
- ZAP
- Nessus
During the assessment of a client's cloud and on-premises environments, a penetration tester was able to gain ownership of a storage object within the cloud environment using the provided on-premises credentials. Which of the following BEST describes why the tester was able to gain access?
- Federation misconfiguration of the container
- Key mismanagement between the environments
- IaaS failure at the provider
- Container listed in the public domain
A penetration tester wrote the following script on a compromised system:
- The typical tools could not be used against Windows systems.
- The configuration required the penetration tester to not utilize additional files
- The Bash script will provide more thorough output
- The penetration tester wanted to persist this script to run on reboot
During an assessment, a penetration tester inspected a log and found a series of thousands of requests coming from a single IP address to the same URL. A few of the requests are listed below:
- Session hijacking
- URL manipulation
- SQL injection
- Insecure direct object reference
A security analyst is reviewing WAF logs and notes requests against the corporate website are increasing and starting to impact the performance of the web server. The security analyst queries the logs for requests that triggered an alert on the WAF but were not blocked. Which of the following possible TTP combinations might warrant further investigation? (Choose two.)
- Requests identified by a threat intelligence service with a bad reputation
- Requests sent from the same IP address using different user agents
- Requests blocked by the web server per the input sanitization
- Failed log-in attempts against the web application
- Requests sent by NICs with outdated firmware
- Existence of HTTP/501 status codes generated to the same IP address