CompTIA PenTest+ (PT0-001) Practice test 1 (65 questions)
Question 1 of 65
You are working as a penetration tester, and a client has come to you concerned about the large number of companies recently compromised by remote attackers looking for trade secrets. What best describes the type of adversary that would be looking for trade secrets?
An advanced persistent threat (APT) is an adversary, usually a well-resourced group, that gains unauthorized access to a network and remains undetected for an extended period, typically to steal intellectual property or trade secrets rather than to cause immediate, visible damage. APTs sit at the top of the adversary tier list; threat actors are rated by their capabilities and resources. Many APT techniques are useful to penetration testers, and vice versa. If your persistence techniques are not monitored for or detected by the client's systems, the findings should say so and include information that helps the client design detection around that gap.
Question 2 of 65
You are working as a penetration tester conducting a test for a new client. You run the following nmap scan against a host: nmap -sV 192.168.10.5. The client has stated that Telnet has been disabled in their environment, yet the scan shows port 22 as closed and port 23 as open, with the service identified as SSH. What might have happened?
Network Mapper (nmap) discovers hosts and services on a network by sending packets and analyzing the responses: it identifies live hosts, open ports, and the services behind them, and flags security risks. The -sV option adds service and version detection: nmap probes each open port and fingerprints the responding service instead of assuming the service from the port number. Port 23 open with the fingerprint "ssh" therefore means an SSH daemon is listening on the port conventionally used for Telnet, and port 22 being closed is consistent with the SSH service having been moved there, whether deliberately or by misconfiguration. Port numbers are a convention, not a guarantee: an open port 23 is not by itself proof that Telnet is still running, and a closed port 23 would not prove it is gone. Telnet is a client-server protocol running over a reliable, connection-oriented transport; by convention the client connects to TCP port 23, where the Telnet server (telnetd) listens. The finding to report is the non-standard SSH placement, and the client should confirm on the host itself (for example by checking which process owns the listening socket) that telnetd is no longer running.
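The check a tester would actually run on that scan output, as an added example (not code from the original page): parse nmap's grepable output, compare the fingerprinted service on each open port with what the port number alone would suggest, and flag plaintext protocols the client says are gone. The sample output, the list of forbidden services and the port-to-service table are constructed for this example; the parser assumes the owner and RPC-info fields of the grepable format are empty, which they normally are.

```python
import re

# Constructed sample of grepable output (nmap -sV -oG -) for the scenario in
# the question; not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.10.5
Host: 192.168.10.5 ()\tStatus: Up
Host: 192.168.10.5 ()\tPorts: 22/closed/tcp//ssh///, 23/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.52/\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up)
"""

# What the port number alone would suggest (the nmap-services convention).
EXPECTED_SERVICE = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}

# Plaintext protocols the client says are gone; assumption for this example.
FORBIDDEN = {"telnet", "ftp"}

# port/state/protocol/owner/service/rpc info/version/ ; owner and rpc info are
# usually empty, which is what this pattern assumes.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return (host, port, state, service, version) tuples from grepable nmap output."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, _proto, service, version = m.groups()
            findings.append((host, int(port), state, service, version.strip()))
    return findings


def flag_anomalies(findings):
    """Open ports whose fingerprinted service is forbidden or disagrees with the port's usual role."""
    issues = []
    for host, port, state, service, version in findings:
        if state != "open":
            continue
        if service in FORBIDDEN:
            issues.append(f"{host}:{port} runs forbidden service {service}")
        expected = EXPECTED_SERVICE.get(port)
        if expected and service != expected:
            issues.append(
                f"{host}:{port} expected {expected} but fingerprint says "
                f"{service} ({version or 'unknown version'})"
            )
    return issues


if __name__ == "__main__":
    for issue in flag_anomalies(parse_gnmap(SAMPLE_GNMAP)):
        print(issue)
```

On the sample above the only issue reported is the SSH daemon on port 23; Telnet is not reported because nmap's fingerprint, not the port number, is what the check trusts. Without -sV the service column would be filled from the port table and port 23 would be labelled "telnet" regardless of what is listening.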
Question 3 of 65
You are working as a penetration tester conducting a test for a new client. You plan to start a session hijacking attack against the client's web application. What information is most important to obtain for the attack to succeed?
Web applications use HTTP cookies to maintain a session across requests. If a tester obtains a copy of a user's session cookie, they can present it from their own browser and hijack the authenticated session, taking over the user's account without ever learning the password. Cookies used for authentication should be generated with enough randomness to be unguessable, transmitted only over encrypted channels (the Secure attribute), kept out of reach of script (HttpOnly), and invalidated on logout.
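A quick audit of the cookie attributes that decide how easily a session cookie can be stolen, as an added example (not code from the original page). It parses Set-Cookie headers as an intercepting proxy would capture them and reports, for the cookies that look like session tokens, which protections are missing. The headers and the list of session-cookie names are constructed for this example.

```python
# Constructed Set-Cookie headers standing in for what an intercepting proxy
# would capture from the client's application; not from a real target.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=5e8f1c2a; Path=/",
    "Set-Cookie: csrftoken=abc123; Path=/; Secure; SameSite=Strict",
    "Set-Cookie: auth=0xdeadbeef; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=86400",
]

# Cookie names that typically carry the authenticated session (assumption).
SESSION_NAMES = {"sessionid", "auth", "token", "jsessionid", "phpsessid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attribute keys are lower-cased."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (name, problems): properties that make the cookie easier to steal or replay."""
    name, value, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: sent over plaintext HTTP, sniffable on the wire")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by injected script (XSS)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append("SameSite absent or None: attached to cross-site requests (CSRF)")
    if len(value) < 16:
        problems.append("short value: may be guessable or brute-forceable")
    return name, problems


def audit_session_cookies(headers):
    """Audit only the cookies that look like session tokens; returns {name: [problems]}."""
    return {
        name: problems
        for name, problems in map(audit_cookie, headers)
        if name.lower() in SESSION_NAMES
    }


if __name__ == "__main__":
    for name, problems in audit_session_cookies(SAMPLE_HEADERS).items():
        print(name, "->", problems or "ok")
```

Each missing attribute maps to a different way of acquiring the cookie: no Secure means it can be sniffed from an HTTP request, no HttpOnly means an XSS payload can read document.cookie, and a short or predictable value means it can be guessed without stealing it at all.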
Question 4 of 65
You are working as a penetration tester conducting a test for a new client. You are performing a physical security assessment and want to use an "under-the-door tool" during the test. Which of the following intrusion techniques are you using?
Lock bypass means exactly that: getting past a lock without picking it. In this scenario the tester is using an under-the-door tool, which is slid beneath the door, hooked over the lever handle on the inside, and pulled to open the door without touching the lock. The tool only works against lever-style handles with enough clearance under the door; a knob, a lever guard or a door sweep defeats it.
Question 5 of 65
You are working as a penetration tester conducting a test for a new client. You plan to use hping to send traffic to a remote system. What type of traffic will the remote system see if you run hping remoteclient.com -S -V -p 80?
hping is a command-line tool for generating network traffic. It is popular because it lets you craft custom packets, choosing the protocol, flags, ports and payload yourself. In this scenario the remote host sees TCP segments with the SYN flag set, addressed to TCP port 80. The -S switch sets the SYN flag, -V selects verbose output, and -p sets the destination port. The reply tells you the port state: an open port answers with SYN/ACK, a closed port answers with RST, and silence usually means a filter in the path. Like ping, hping keeps sending one packet per second until interrupted unless you limit it with -c.
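What the remote system receives is a 20-byte TCP header with only the SYN bit set. The following added example (not code from the original page) builds such a segment the way hping does internally, computing the TCP checksum over the IPv4 pseudo-header, and decodes it again to show the flags the target would see. The addresses and the source port are constructed for the example; a real hping run picks a random source port and your interface address.

```python
import socket
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words, as used by TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header the TCP checksum is computed over."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags=("SYN",), seq=0, window=512):
    """Return a 20-byte TCP header (no options, no payload) with a valid checksum."""
    flag_bits = 0
    for f in flags:
        flag_bits |= TCP_FLAGS[f]
    data_offset = 5 << 4  # five 32-bit words, upper nibble of the byte
    hdr = struct.pack("!HHLLBBHHH", sport, dport, seq, 0, data_offset, flag_bits, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def decode_tcp(segment):
    """What the receiving stack sees: ports, sequence number, flag names, window."""
    sport, dport, seq, _ack, _off, flag_bits, window, csum, _urg = struct.unpack("!HHLLBBHHH", segment[:20])
    flags = [name for name, bit in TCP_FLAGS.items() if flag_bits & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags, "window": window, "checksum": csum}


def verify_tcp_checksum(src_ip, dst_ip, segment):
    """A correct checksum makes the one's-complement sum of pseudo-header + segment come out as zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    seg = build_tcp_segment("10.0.0.1", "93.184.216.34", 40000, 80)  # constructed addresses
    print(decode_tcp(seg))
```

Sending the bytes requires a raw socket (root), which is why hping itself must run with privileges; the decoder is also a handy sanity check when reading packets off the wire with a capture tool.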
Question 6 of 65
Sami is conducting a black box penetration test against an organization and is gathering vulnerability scanning results for use in his tests. Which one of the following scans is most likely to provide him with useful information within the bounds of his test?
A full scan is likely to provide more useful and actionable results because it includes more tests. Nothing in the scenario requires Sami to avoid detection, so a stealth scan is not necessary. However, this is a black box test, so it would not be appropriate for Sami to be given the results of scans conducted from inside the network.
Question 7 of 65
Sami is creating a list of recommendations that his organization can follow to remediate issues identified during a penetration test. In what phase of the testing process is Sami participating?
During the final stage of a penetration test, reporting and communicating results, the testers provide mitigation strategies for the issues identified during the test.
Question 8 of 65
Sami wants to enter an organization's high-security data center. Which of the following techniques is most likely to stop his tailgating attempt?
A mantrap allows only one individual through at a time: it has a door at either end, and only one of them can be unlocked and open at any moment. It prevents most piggybacking or tailgating unless employees are willfully negligent.
Question 9 of 65
You are working as a penetration tester running a test for a new client. You are using your penetration testing toolkit, running on a personal computer, to scan various network devices. Suddenly the network goes dark for you. What most likely happened?
In this scenario the IP address of your computer was blacklisted. Blacklisting is part of the client's defensive practices: your scans were detected by an intrusion prevention system (IPS), and as a result the IP address your computer was using was added to a block list. A blacklist works by maintaining a list of known-bad items (applications, hashes, addresses) and denying anything on it; here your IP address was used to deny you access to the network. Agree in the rules of engagement whether the tester's addresses will be exempted from automatic blocking, or whether triggering the IPS is itself part of what the test is meant to measure.
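The IPS-side logic that produces this outcome, as an added example (not code from the original page): a detector that reads firewall log lines, counts how many distinct ports each source probes within a time window, and puts sources over the threshold on a block list that drops all their later traffic. The log lines, the field layout and the threshold are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (syslog-like), not from a real IPS. One host
# probes twelve ports in a few seconds; another makes two ordinary HTTPS connections.
SCANNER = "203.0.113.7"
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} fw SRC={SCANNER} DST=10.10.5.20 PROTO=TCP DPT={port} FLAGS=S"
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389))
] + [
    "2024-05-01T10:00:03 fw SRC=198.51.100.4 DST=10.10.5.20 PROTO=TCP DPT=443 FLAGS=S",
    "2024-05-01T10:00:04 fw SRC=198.51.100.4 DST=10.10.5.20 PROTO=TCP DPT=443 FLAGS=S",
]

LINE_RE = re.compile(r"^(\S+) \S+ SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) FLAGS=S")


def detect_scanners(lines, threshold=10, window_s=60):
    """Sources that sent SYNs to more than `threshold` distinct (dst, port) pairs within `window_s` seconds."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        events[src].append((datetime.fromisoformat(ts), (dst, int(dport))))
    flagged = set()
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(evs):
            # Distinct targets hit in the window that starts at this event.
            targets = {target for t, target in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) > threshold:
                flagged.add(src)
                break
    return flagged


class Blacklist:
    """The IPS-side list: once a source is on it, everything from it is dropped."""

    def __init__(self, ips=()):
        self.ips = set(ips)

    def verdict(self, src):
        return "DROP" if src in self.ips else "ACCEPT"


if __name__ == "__main__":
    block = Blacklist(detect_scanners(SAMPLE_LOG))
    for ip in (SCANNER, "198.51.100.4"):
        print(ip, block.verdict(ip))
```

A plain nmap scan of a few hundred ports crosses a threshold like this within seconds, which is why a tester's scan box loses the network all at once. Slowing the scan (nmap -T2 or lower) or spreading it across source addresses stays under such a counter; whether that is appropriate depends on what the engagement is meant to test.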
Question 10 of 65
You are a senior penetration tester preparing an upcoming test for a new client. The client has requested a white box assessment. The goal of the test is to see whether you can gain access to confidential customer data stored on an internal database server. You have asked the client for architectural diagrams. What information should the client provide you with? Select two options.
In this scenario you are conducting a white box assessment, so when you request internal architectural diagrams as part of the test you should normally be supplied with documentation such as network diagrams and facility maps. You can use this information to map the network topology and to locate key infrastructure such as switches, routers and servers, including the database server that holds the target data.
Question 11 of 65
Sami wants to deploy a wireless intrusion detection system. Which of the following tools is best suited to that purpose?
Kismet is specifically designed to act as a wireless IDS in addition to its wireless packet capture features. Wifite is designed for automated wireless network auditing, and Aircrack-ng provides a variety of attack tools in addition to its capture and injection capabilities for wireless traffic. SnortiFi was made up for this question.
Question 12 of 65
Which method of collecting open-source intelligence consists of collecting published documents, such as Microsoft Office or PDF files, and parsing the information hidden within them to reveal usernames, e-mail addresses, or other sensitive data?
Metadata analysis is the term for collecting open-source intelligence by parsing published documents for the information embedded in them (author names, login names, software versions, internal paths) that can reveal usernames, e-mail addresses, or other sensitive data. The other options are incorrect: file scraping, file mining and file excavation are meaningless phrases meant to sound like information security terminology without having a specific meaning in that context. Be wary of answers in this vein during the exam.
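What metadata analysis actually pulls out of a document, as an added example (not code from the original page): a reader for the two formats the question names, taking the author and last-modifier fields from the docProps/core.xml inside an OOXML (.docx) package and the /Author, /Creator and /Producer entries from a PDF Info dictionary, then reducing them to candidate usernames. The .docx and the PDF are constructed in memory for the example; real PDFs often keep this data in compressed object streams or XMP, which this simple scan does not handle, so in practice a tester reaches for a dedicated tool such as exiftool.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_docx():
    """Constructed stand-in for a published .docx: a zip with a docProps/core.xml."""
    core = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\\a.nguyen</cp:lastModifiedBy>
  <dc:title>Q3 vendor pricing</dc:title>
</cp:coreProperties>""".format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed minimal PDF carrying an uncompressed Info dictionary.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Author (m.garcia) /Creator (Microsoft Word) "
              b"/Producer (Acrobat PDFMaker 11) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")


def extract_metadata(data):
    """Return identity-revealing fields from .docx (OOXML) or PDF bytes."""
    found = {}
    if data[:2] == b"PK":  # OOXML is a zip container
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "docProps/core.xml" in z.namelist():
                root = ET.fromstring(z.read("docProps/core.xml"))
                for tag, key in (("dc:creator", "author"),
                                 ("cp:lastModifiedBy", "last_modified_by"),
                                 ("dc:title", "title")):
                    el = root.find(tag, NS)
                    if el is not None and el.text:
                        found[key] = el.text
    elif data[:5] == b"%PDF-":
        for key in ("Author", "Creator", "Producer"):
            m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
            if m:
                found[key.lower()] = m.group(1).decode("latin-1")
    return found


def usernames_from(found):
    """Candidate login names: author fields with any DOMAIN\\ prefix stripped."""
    names = set()
    for key in ("author", "last_modified_by"):
        if key in found:
            names.add(found[key].split("\\")[-1])
    return names


if __name__ == "__main__":
    for blob in (build_sample_docx(), SAMPLE_PDF):
        meta = extract_metadata(blob)
        print(meta, usernames_from(meta))
```

The lastModifiedBy value is the one to watch: Office fills it with the Windows logon name, so a handful of public documents is often enough to learn the organization's username format.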
Question 13 of 65
You are working as a penetration tester conducting a test for a new client. You have found a few unquoted service paths while testing the client's network. How can you use these vulnerabilities to your advantage?
Privilege escalation attacks are frequently categorized into two major types: vertical and horizontal. Vertical escalation gives the tester higher privileges; horizontal escalation moves sideways to other accounts or services with the same level of privilege. An unquoted service path is a Windows vulnerability. When a service starts, Windows must locate its executable from the ImagePath value. Paths that contain spaces should be enclosed in quotation marks; when they are not, Windows treats each space as a possible end of the executable name and tries the truncated paths in order (for a path under C:\Program Files\My App\, it looks for C:\Program.exe and then C:\Program Files\My.exe before the real binary). If the tester can write to one of those parent directories, they drop an executable with the truncated name and it runs with the service account's privileges, usually SYSTEM, the next time the service starts. This is vertical privilege escalation.
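The search order Windows follows, and the check a tester runs to see which of the truncated paths they could actually plant, as an added example (not code from the original page). The service definitions mimic what `wmic service get name,pathname` or `Get-CimInstance Win32_Service` return; they and the set of writable directories are constructed for this example (on a real host you would confirm write access with icacls or accesschk).

```python
import ntpath

# Constructed service definitions, in the form Windows reports them.
SAMPLE_SERVICES = {
    "AcmeAgent": r"C:\CustomApps\Acme Agent\bin\agent.exe --service",
    "VendorSvc": r"C:\Program Files\My App\svc.exe -arg",
    "GoodSvc": r'"C:\Program Files\Good App\good.exe" -k netsvcs',
}

# Directories the low-privileged user can write to (assumption for this example).
WRITABLE_DIRS = {r"C:\CustomApps", r"C:\Users\Public"}


def unquoted_path_candidates(image_path):
    """
    Executables Windows will try, in order, for an unquoted ImagePath with spaces.
    Returns [] when the path is quoted or has no space before the executable.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)       # the intended binary; the search stops here
            break
        candidates.append(prefix + ".exe")  # truncated at a space; .exe is appended
    return candidates if len(candidates) > 1 else []


def hijack_points(services, writable_dirs):
    """{service: [plantable paths]} for truncated candidates that sit in a writable directory."""
    result = {}
    for name, image_path in services.items():
        candidates = unquoted_path_candidates(image_path)
        # Only the truncated names matter; the last candidate is the real binary.
        plantable = [c for c in candidates[:-1] if ntpath.dirname(c) in writable_dirs]
        if plantable:
            result[name] = plantable
    return result


if __name__ == "__main__":
    for svc, path in SAMPLE_SERVICES.items():
        print(svc, unquoted_path_candidates(path))
    print(hijack_points(SAMPLE_SERVICES, WRITABLE_DIRS))
```

VendorSvc is unquoted but not exploitable here, because neither C:\ nor C:\Program Files is writable by default; the vulnerability needs both the missing quotes and a writable parent directory, which is why software installed under a custom root with lax permissions is the usual real-world case. The fix is simply to quote the ImagePath.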
Question 14 of 65
While conducting a gray box penetration test for a client, you have identified an internal host with the IP address 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which commands could you use to do this? Select two options.
The command nmap 192.168.1.1 -sS causes nmap to conduct a SYN port scan of the specified target. Likewise, nmap 192.168.1.1 also conducts a SYN scan, because a SYN scan is the default when no other scan type is specified. Note that a SYN scan needs raw-socket privileges (root or an equivalent): run without them, nmap falls back to a full TCP connect scan (-sT), which completes the handshake and is more likely to be logged by the target.
Question 15 of 65
You are working as a penetration tester, and you and a colleague are discussing why it is important to keep any findings confidential while conducting a penetration test. Why should findings be kept confidential?
Confidentiality controls seek to prevent disclosure. Although confidentiality agreements are legal documents that enforce a confidential relationship between two parties, this question asks why it is important to keep findings confidential: if an attacker learned of the findings during a penetration test, they could use them to compromise the client's network before the issues are fixed.
Question 16 of 65
Dima has been contracted to perform a penetration test against Flamingo, Inc. As part of the test she has been asked to conduct a phishing campaign and to use its results to gain access to Flamingo systems and networks. The scope does not include a physical penetration test, so Dima must work entirely remotely. Dima wants to send a phishing message to employees at the company. To learn the user IDs of various targets she calls them from a spoofed VoIP number similar to those used inside the company. Once she reaches a target she pretends to be an administrative assistant working for one of Flamingo's senior executives and asks for their e-mail account information. What type of social engineering is this?
Dima is impersonating an administrative assistant. Interrogation techniques are more aggressive and run the risk of making the target defensive or aware that they are being interrogated. Shoulder surfing is looking over a person's shoulder to acquire information, and administrivia is not a penetration testing term.
Question 17 of 65
As part of your duties at the IT firm you work for, you have been asked to perform a black box penetration test for a medium-sized organization that sells imported motorcycles and ATVs online. In which phase of this assessment will you likely spend most of your time?
A black box penetration test is called for in this scenario, so you will likely spend most of your time in the information gathering and vulnerability identification phase, because by definition you have little or no knowledge of the organization or its network before the test begins.
Question 18 of 65
Which one of the following options is a PowerShell execution policy that allows the execution of any PowerShell script you write on the local machine but requires that scripts downloaded from the Internet be signed by a trusted publisher?
The RemoteSigned policy allows the execution of any PowerShell script written on the local machine but requires that scripts downloaded from the Internet (those carrying the Internet zone identifier) be signed by a trusted publisher. Execution policy is a safety feature against accidentally running scripts, not a security boundary: a user who can run PowerShell can bypass it, for example with -ExecutionPolicy Bypass, so testers should not treat it as a control to defeat and defenders should not rely on it alone.
Question 19 of 65
Which one of the following values for the confidentiality, integrity, or availability CVSS metrics would indicate the potential for total compromise of a system?
In CVSS v2, the confidentiality, integrity and availability impact metrics each take the value N (None), P (Partial) or C (Complete). If any of these metrics is marked C, for Complete, it indicates the potential for a complete compromise of that property, and a vector with C:C/I:C/A:C describes total compromise of the system. CVSS v3 renamed the scale to None, Low and High, so the equivalent value there is H.
Question 20 of 65
You are an expert penetration tester hired to test the physical security of a new client's facility. You have been given freedom to try to penetrate the facility using any method you want, as long as it does not damage property or harm anyone. What type of assessment is the client asking you to conduct?
In this scenario the client is asking the tester to conduct a goals-based assessment. Goals-based assessments are conducted for a specific purpose, for example validating a new security design, testing an application or service infrastructure before it enters production, or assessing the security of a facility or organization. A pre-merger assessment is conducted on an organization before it merges with another. A compliance-based assessment checks that an organization complies with government regulations or corporate policies. A supply chain assessment tests an organization's vendors.
Question 21 of 65
You are a senior penetration tester hired by a new client to conduct a penetration test. The client would like you to target their proprietary design documents: the goal is to bypass security measures and gain unauthorized access to those documents. What type of assessment will you be conducting?
Red team assessments are typically more targeted than ordinary penetration tests. The red team behaves like a real attacker, going after specific sensitive data or systems with the goal of gaining access to them. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization, and compliance-based assessments test compliance with specific laws, regulations or standards.
Question 22 of 65
22. Question
You are working as a penetration tester, and you are conducting a test for a new client. You run the following from an exploited machine: python -c 'import pty; pty.spawn("/bin/bash")'. What action are you performing?
Correct
The pty module lets a penetration tester spawn a pseudoterminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade the shell, just run the command shown. su is a Unix command that stands for substitute user. It is used by a computer user to execute commands with the privileges of another user account. When executed, it invokes a shell without changing the current working directory or the user environment.
23. Question
Which of the following options is a term that describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract?
Correct
A statement of work covers the working agreement between two parties and is used in addition to an existing contract or master services agreement (MSA). An NDA is a nondisclosure agreement, and the acronym MOD was made up for this question.
24. Question
Sami wants to look at the advertised routes to his target. What type of service should he look for to do this?
Correct
BGP looking glasses are publicly available services that allow for route inspection. Sami should find a BGP looking glass service and query the routes for his target.
25. Question
Sami’s organization currently uses password-based authentication and would like to move to multifactor authentication. Which one of the following is an acceptable second factor?
Correct
Passphrases, security questions, and PINs are all examples of knowledge-based authentication and would not provide multifactor authentication when paired with a password, another knowledge-based factor. Smartphone apps are an example of “something you have” and are an acceptable alternative.
26. Question
Sami recently got into trouble with a client for using an attack tool during a penetration test that caused a system outage. During what stage of the penetration testing process should Sami and his clients have agreed upon the tools and techniques that he would use during the test?
Correct
During the Planning and Scoping phase, penetration testers and their clients should agree upon the rules of engagement for the test. This should result in a written statement of work that clearly outlines the activities authorized during the penetration test.
27. Question
Which of the following is the process by which large data sets are analyzed to reveal patterns or hidden anomalies?
Correct
Data mining is the process by which large data sets are analyzed to reveal patterns or hidden anomalies. Other options are incorrect because passive and active information gathering are methods of intelligence collection, not analysis. Footprinting is incorrect because it is the process of conducting reconnaissance against computers and information systems during a penetration test with the aim of finding the most efficient methods of attack that will meet the goals of the assessment.
28. Question
Which one of the following metrics is not included in the calculation of the CVSS exploitability score?
Correct
The CVSS exploitability score is computed using the access vector, access complexity, and authentication metrics.
29. Question
Sami is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. If Sami wants to set up a false AP, which tool is best suited to his needs?
Correct
Aircrack-NG has fake-AP functionality built in, with tools that will allow Sami to identify valid access points, clone them, disassociate a target system, and then act as a man in the middle for future traffic.
30. Question
Dima is an expert penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Dima to obtain to ensure that her attack will be successful?
Correct
Websites use HTTP cookies to maintain sessions over time. If Dima is able to obtain a copy of the user’s session cookie, she can use that cookie to impersonate the user’s browser and hijack the authenticated session.
31. Question
You are working as a penetration tester, and you are completing a test for a new client. You run the chkconfig --del command at the end of an engagement. Why did you run this command?
Correct
Chkconfig is a tool for managing which run levels a service will run at. Chkconfig can be used to view or change the run level of a service. Using chkconfig --del will set the named service to not run at the current run level and will remove the persistence.
32. Question
Which of the following options is a type of penetration test that best focuses the tester’s time and efforts while still providing an approximate view of what a real attacker would see?
Correct
A gray box test is a blend of black box and white box testing. A gray box test usually provides limited information about the target to the penetration testers but does not provide full access, credentials, or configuration information. A gray box test can help focus penetration testers’ time and effort while also providing a more accurate view of what an attacker would actually encounter. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization. A white box test is performed with full knowledge of the underlying network.
33. Question
Dima recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration testing process is Dima in?
Correct
While Dima is indeed gathering information during a phishing attack, she is conducting an active social engineering attack. This moves beyond the activities of Information Gathering and Vulnerability Identification and moves into the realm of Attacking and Exploiting.
34. Question
You are working as a penetration tester, and you are conducting a test for a new client. The client has asked you to conduct a test on a web application. You discover that the user login process sends form field data by using the HTTP GET method. To reduce the risk of exposing sensitive data, the HTML form should be sent using which method?
Correct
Forms in HTML can use either method="POST" or method="GET" (default) in the
35. Question
Dima has been tasked with continuing the exploitation process of a Windows 2012 server for which a fellow penetration tester has acquired user-level credentials. She knows that the server is fully patched and does not have exposed vulnerable services. Her goal is to obtain administrative access to the server. Dima wants to conduct an attack that leverages unquoted service paths. Which of the following users is the most desirable to see listed under “Log On As” in the Services control panel?
Correct
Dima should look for a service that runs as system to have the greatest success. Root is not a commonly used username in Windows, power user accounts will typically not have the same access that system does, and the service’s own service account will often be very limited.
36. Question
Assuming no significant changes in a company’s cardholder data environment, how often does PCI DSS require that a merchant accepting credit cards conduct penetration testing?
Correct
PCI DSS requires that organizations conduct both internal and external penetration tests on at least an annual basis. Organizations must also conduct testing after any significant change in the cardholder data environment.
37. Question
While Dima is conducting a penetration test, she gains access to a Windows Deployment Services server for her target organization. What critical information can she expect to obtain from the unattended installation files she finds there?
Correct
The unattended installation files include local administrator passwords stored in either plain text or Base64 form. Dima can easily acquire the passwords from those files using Metasploit’s enum_unattend tool, or manually if she chooses to.
38. Question
You are working as a penetration tester within your IT firm, and you are putting together the rules of engagement (ROE) for an upcoming test for a new client. The client has requested a white box assessment. This will be an internal test where no third parties are involved. Which of the following resources would be considered in scope for this testing scenario? Select two options.
Correct
In this scenario, the scope of this engagement is limited to the internal network only. Microsoft Office 365, Google Docs, and Microsoft Azure are all cloud-based services hosted by third parties and are therefore considered out of scope. The Active Directory users and the password policies that are defined within Group Policy would be considered in scope.
39. Question
Dima wants to use a phishing attack to acquire credentials belonging to the senior leadership of her target. What type of phishing attack should she use?
Correct
Whaling is a specialized form of phishing that targets important leaders and senior staff. If Dima was specifically targeting individuals, it would be spear phishing. Smishing uses SMS messages, and VIPhishing was made up for this question.
40. Question
You are working as a penetration tester, and you are conducting a test for a new client. The client wants you to review a new web application for availability. Which type of attack should the tester utilize?
Correct
A TCP SYN flood (also known as a SYN flood) is a form of denial of service (DoS) attack in which a tester sends a succession of SYN requests to the target’s system in an attempt to consume enough server resources to make the system unresponsive to genuine traffic. This exploits part of the normal TCP three-way handshake and consumes resources on the targeted server and renders it unresponsive.
41. Question
While conducting a gray box penetration test for a client, you have identified an internal host with an IP address of 192.168.1.1 as a potential target. You need to use the nmap utility on your laptop to run a SYN port scan of this host. Which command should you use to do this?
Correct
The -sS option causes the nmap utility to conduct a SYN port scan of the specified target system.
42. Question
Sami is conducting an onsite penetration test. The test is a gray box test, and he is permitted onsite but has not been given access to the wired or wireless networks. He knows he needs to gain access to both to make further progress. Which of the following NAC systems would be the easiest for Sami to bypass?
Correct
If the NAC system relies only on MAC filtering, Sami only needs to determine the hardware address of a trusted system. This may be accessible simply by looking at a label on a laptop or desktop, or he may be able to obtain it via social engineering or technical methods.
43. Question
Open-source intelligence (OSINT) collection frameworks are used to effectively manage sources of collected information. Which of the following options best describes open-source intelligence?
Correct
Open-source intelligence is any information or data obtained via publicly available sources that is used to aid or drive decision-making processes. Other options are incorrect because documentation labeled “Confidential” on network shared storage requiring authentication and websites locked behind a company intranet are clearly meant to share knowledge with individuals within the organization with a need to know the information. As such, they are examples of information that would not be discoverable via open-source collection methods. Information gained by source code analysis of free and open-source software (FOSS) is incorrect because the use of the term “open source” in this case is a red herring, referring to software rather than information gathering. Be wary of such misleading answers during the exam.
44. Question
Why would an expert penetration tester look for expired certificates as part of an information gathering and enumeration exercise?
Correct
Penetration testers are always on the lookout for indicators of improper maintenance. Lazy or inattentive administrators are more likely to make mistakes that allow penetration testers in!
45. Question
Sami is investigating a security incident where the attackers left USB drives containing infected files in the parking lot of an office building. What stage in the Cyber Kill Chain describes this action?
Correct
Distributing infected media (or leaving it in a location where it is likely to be found) is an example of the Delivery phase of the Cyber Kill Chain. The process moves from Delivery into Installation if a user executes the malware on the device.
46. Question
Sami wants to crawl his penetration testing target’s website and then build a wordlist using the data he recovers to help with his password cracking efforts. Which of the following tools should he use?
Correct
The Custom Word List generator, or CeWL, is a tool designed to spider a website and then build a wordlist using the files and web pages that it finds. The wordlist can then be used to help with password cracking.
47. Question
You are a penetration tester, and you are conducting a test for a new client. You want to use nmap to scan a remote system. You use the following command: nmap 142.78.32.0/24. How many TCP ports will you be scanning?
Correct
Using nmap’s basic functionality is quite simple. Port scanning a system just requires that nmap be installed and that you provide the target system’s hostname or IP address. By default, nmap scans the 1,000 most common ports for both TCP and UDP. However, the full range of ports available to both TCP and UDP services is from 1–65,535. In this scenario, since you did not specify exactly how many ports to scan, it will scan the default of 1,000.
48. Question
Sami is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
Correct
The use of the SQL WAITFOR command is a signature characteristic of a timing-based SQL injection attack.
49. Question
You and a colleague are discussing different utilities that can be used when performing a penetration test. Which of the following options is a utility that can be used on Windows systems to establish command-line access to the console of a remote Windows system, similar to the older Telnet client?
Correct
PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications’ output to the local system so that the applications appear to be running locally. It is a lightweight Telnet replacement that allows you to execute processes on other systems.
50. Question
You are working as a penetration tester, and you have been tasked to try to penetrate a client’s facility. You notice an unlocked side door that was left open by an employee. You gain access into the facility. The client wants to prevent this from happening again and removes the door and puts in a wall. What type of risk response did the client take in this scenario?
Correct
Risk response is the process of controlling identified risks. It is a basic step in any risk management process. Risk response is a planning and decision-making process in which the client decides how to deal with each risk. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. In this scenario, the client used risk avoidance by removing the door and putting up a wall.
Question 51 of 65
51. Question
Which of the following is not included in the Domain registration information returned on a WHOIS search?
Correct
Although WHOIS domain registration information can be quite detailed, the most one can expect to find concerning geographic location is a physical address. GPS coordinates are not found in a WHOIS query, making this the correct answer. Additionally, note that this information may all ultimately be protected by a WHOIS guard service; for numerous reasons, web administrators may have issues with broadcasting their names, e-mail addresses, and home addresses across the Internet. To account for this, domain registrars will often front their own information in WHOIS information for a domain, with a simple e-mail address to contact in the case of abuse or misuse of a domain they have registered on behalf of a client. This allows action to be taken if a site with privatized WHOIS data is serving malware, engaged in copyright infringement, or other situations where there is a legal or ethical duty to shut down a site or require its alteration. Other options are incorrect. E-mail addresses, fax numbers, and organizational names for the domain administrator are all commonly found in WHOIS domain registry entries.
Question 52 of 65
52. Question
You have just completed a penetration test for a client. During the test, you used a variety of different tools to collect data and conduct exploits. Now you need to aggregate all of the data generated by these tools into a format that is consistent, correlated, and readable. Which of the following options is the process performed?
Correct
When you normalize the data from a penetration test, you aggregate all the data generated by all of the different tools and processes you used during the test and format it such that it is consistent and correlated. The goal is to make it such that the client can read the aggregated data and understand what happened during the test and when.
Question 53 of 65
53. Question
You are working as a penetration tester, and you are completing a test for a new client. You have successfully exploited an application vulnerability and now need to remove the command history from the Linux session. What command will remove the command history?
Correct
The bash history keeps a record of all commands executed by a tester on the Linux command line. This allows the tester to easily run previously executed commands by using the up and down arrow keys to scroll through the command history file. The main reason for removing command-line history from the Linux terminal is to prevent another user from using the tester’s previous commands. To delete or clear all the entries from bash history, use the history command with the -c option: $ history -c.
Question 54 of 65
54. Question
Dima is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
Correct
PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans much more frequently.
Question 55 of 65
55. Question
Which of the following options is a type of penetration test that would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information?
Correct
White box testing, also known as “crystal box” or “full knowledge” testing, provides complete access and visibility. Black box testing provides no information, while gray box testing provides limited information. Red box testing is not a common industry term.
Question 56 of 65
56. Question
You have just completed a penetration test for a client, and you are creating a written report of your findings. You need to make sure the reader understands that you followed the PCI DSS standard while conducting the test. Which of the following options is a part of the report in which you should include this information?
Correct
The final report you write for a penetration test should include a section entitled Methodology. In this section, you describe the penetration testing methodology you used to conduct the test. In this scenario, this would be the appropriate place to indicate that the PCI DSS standard was followed to conduct the test.
Question 57 of 65
57. Question
Dima wants to use a web application vulnerability scanner to help map an organization’s web presence and to identify existing vulnerabilities. Which of the following tools is best suited to her needs?
Correct
The Web Application Attack and Audit Framework (w3af) is a web application testing and exploit tool that can spider the site and test applications and other security issues that may exist there. The Paros proxy is an excellent web proxy tool often used by web application testers, but it isn’t a full-fledged testing suite like w3af. CUSpider and other versions of Spider are tools used to find sensitive data on systems, and Patator is a brute-force tool.
Question 58 of 65
58. Question
While Sami is performing a physical penetration test, he notices that the exit doors to the data center open automatically as an employee approaches them with a cart. What should he record in his notes?
Correct
Sami should note the presence of an egress sensor. If he can return after hours and cause the sensor to trip from outside the door, he can likely gain access to the data center.
Question 59 of 65
59. Question
You are performing a black box penetration test for a medium-sized organization that sells imported motorcycles and ATVs through its online storefront. You need to discover who owns the organization’s domain. Which of the following tools in your penetration testing toolkit should you use?
Correct
The whois command can be used to gather information from public records about who owns a particular domain.
Question 60 of 65
60. Question
While performing a gray box penetration test for a medium-sized organization, you have used reconnaissance techniques to identify a help desk employee and a payroll employee. You craft an email to the payroll employee that appears to come from the help desk employee, directing the payroll employee to reset her password. When she clicks the link provided in the email, she is redirected to your own website, where her credentials are captured to a text file. What kind of exploit did you use?
Correct
A spear phishing attack was used in this scenario because the malicious email was specifically crafted for a specific employee. A generic phishing attack, on the other hand, would have been sent indiscriminately to a large group of employees within the organization.
Question 61 of 65
61. Question
Dima is conducting a penetration test and is trying to gain access to a user account. Which of the following is a good source for obtaining user account credentials?
Correct
Penetration testers may use a wide variety of sources when seeking to gain access to individual user accounts. These may include conducting social engineering attacks against individual users, obtaining password dumps from previously compromised sites, obtaining default account lists, and conducting password cracking attacks.
Question 62 of 65
62. Question
You are performing a black box penetration test for a medium-sized organization that sells imported clothing through its online storefront. You need to discover which IP addresses are associated with the organization’s domain. Which of the following tools in your penetration testing toolkit should you use?
Correct
The nslookup command is included with most operating systems, including Windows and Linux, and can be used to resolve an organization’s domain name into its associated IP addresses.
Question 63 of 65
63. Question
You are working as a senior penetration tester, and you are putting together the terms of a penetration test that you will be conducting for a new client. Which of the following is an appropriate method to secure legal permission to conduct the test?
Correct
Before conducting a penetration test, you must get written permission from the senior management of the client’s organization to start the test. It is not acceptable to get permission verbally or by email. It is also not acceptable to obtain permission from the IT staff.
Question 64 of 65
64. Question
You are a senior penetration tester, and you have heard about an attacker who carried out an attack against a government contractor in a neighboring country. The goal of the attack was to gain access through the contractor to the opposing country’s government network infrastructure. The attacker is being backed by the attacker’s own government. What type of threat actor is being described in this scenario?
Correct
A nation-state threat actor has been given the “go ahead” to hack. They work for a government to disrupt or compromise target governments, organizations, or individuals to gain access to valuable data or intelligence, and they can create incidents that have international significance. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist usually attacks targets to make a political statement. An organized crime threat actor is a group of cybercriminals whose goal is financial gain.
Question 65 of 65
65. Question
Sami is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server?
Correct
Sqlmap is a dedicated database vulnerability scanner and is the most appropriate tool for use in this scenario. Sami might discover the same vulnerabilities using the general-purpose Nessus or OpenVAS scanners, but they are not dedicated database vulnerability scanning tools. Nikto is a web application vulnerability scanner.