Test B CompTIA pentest+ PT0-002

Title of test:
Test B CompTIA pentest+ PT0-002

Description:
CompTIA pentest+ PT0-002

Creation Date: 2023/09/26

Category: Others

Number of questions: 86

Rating:(14)
Thank you for this test! ;)
It is my pleasure to help our community
Content:

An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?. OpenVAS. Drozer. Burp Suite. OWASP ZAP.

A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server. To remain stealthy, the tester ran the following command from the attack machine: ssh root@10.10.1.1 -L5555:10.10.1.2:25 Which of the following would be the BEST command to use for further progress into the targeted network?. nc 10.10.1.2. ssh 10.10.1.2. nc 127.0.0.1 5555. ssh 127.0.0.1 5555.

A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results: Telnet. HTTP. SMTP. DNS. NTP. SNMP.

Which of the following expressions in Python increase a variable val by one? (Choose two.). val++. +val. val=(val+1). ++val. val=val++. val+=1.

An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection?. nmap -T3 192.168.0.1. nmap -P0 192.168.0.1. nmap -T0 192.168.0.1. nmap -A 192.168.0.1.

A penetration tester wrote the following script to be used in one engagement: Look for open ports. Listen for a reverse shell. Attempt to flood open ports. Create an encrypted tunnel.

A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step?. Perform a new penetration test. Remediate the findings. Provide the list of common vulnerabilities and exposures. Broaden the scope of the penetration test.

Which of the following situations would require a penetration tester to notify the emergency contact for the engagement?. The team exploits a critical server within the organization. The team exfiltrates PII or credit card data from the organization. The team loses access to the network remotely. The team discovers another actor on a system on the network.

During an engagement, a penetration tester found the following list of strings inside a file: Dictionary attack. Rainbow table attack. Brute-force attack. Credential-stuffing attack.

A penetration tester ran a simple Python-based scanner. The following is a snippet of the code: sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds. *range(1, 1025) on line 1 populated the portList list in numerical order. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM. The remoteSvr variable has neither been type-hinted nor initialized.
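The scanner in the question above is not reproduced on this page, so the following is an added example written for this test, not the page's own snippet. It is a TCP connect scanner that makes the two points behind the answer options concrete: the socket must be SOCK_STREAM for a connect scan, and settimeout() is measured in seconds, so settimeout(20) would stall for 20 seconds on every filtered port rather than 20 milliseconds. It runs offline against a listener it opens itself; the loopback host and the five-port window are assumptions.

```python
"""TCP connect scanner (added example, not the page's code). Runs offline:
it opens its own listener on 127.0.0.1, scans a window around it, then
rescans after closing it. Host and port window are assumptions."""
import socket


def start_listener(host="127.0.0.1"):
    """Open a listening TCP socket on a kernel-chosen port. No accept() loop is
    needed: the kernel completes the three-way handshake into the backlog, which
    is exactly what a connect scan observes. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))            # port 0 = let the kernel pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def scan_ports(remote_svr, port_list, timeout=0.5):
    """Full-connect scan: one SOCK_STREAM (TCP) socket per port.
    settimeout() takes SECONDS, so the question's settimeout(20) waits up to
    20 s on every filtered port, not 20 ms; 0.5 s is plenty on a LAN.
    Returns the sorted list of ports that completed the handshake."""
    open_ports = []
    for port in port_list:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            # connect_ex returns 0 on a completed handshake and an errno
            # otherwise (ECONNREFUSED = closed, timeout = filtered)
            if sock.connect_ex((remote_svr, port)) == 0:
                open_ports.append(port)
        except OSError:
            pass                   # treat any other failure as not open
        finally:
            sock.close()
    return sorted(open_ports)


def demo():
    """Scan five ports around the listener, close it, scan that port again.
    Returns (port, open_before_close, open_after_close)."""
    srv, port = start_listener()
    try:
        before = scan_ports("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()
    after = scan_ports("127.0.0.1", [port])   # now refused: RST, not open
    return port, before, after


if __name__ == "__main__":
    port, before, after = demo()
    print(f"listener on {port}: open before close {before}, after close {after}")
```

The closed-port rescan is the check a practitioner wants: a connect scan reports a port open only when the handshake completes, and a refused connection returns immediately, so a long timeout only costs time on ports that are silently filtered.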

A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.). A handheld RF spectrum analyzer. A mask and personal protective equipment. Caution tape for marking off insecure areas. A dedicated point of contact at the client. The paperwork documenting the engagement. Knowledge of the building's normal business hours.

A penetration tester receives the following results from an Nmap scan: CentOS. Arch Linux. Windows Server. Ubuntu.

A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective?. Wait for the next login and perform a downgrade attack on the server. Capture traffic using Wireshark. Perform a brute-force attack over the server. Use an FTP exploit against the server.

Appending string values onto another string is called: compilation. connection. concatenation. conjunction.

A consultant is reviewing the following output after reports of intermittent connectivity issues: A device on the network has an IP address in the wrong subnet. A multicast session was initiated using the wrong multicast group. An ARP flooding attack is using the broadcast address to perform DDoS. A device on the network has poisoned the ARP cache.

Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.). Buffer overflows. Cross-site scripting. Race-condition attacks. Zero-day attacks. Injection flaws. Ransomware attacks.

The results of an Nmap scan are as follows: This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory. This device is most likely a gateway with in-band management services. This device is most likely a proxy server forwarding requests over TCP/443. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.

When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?. Clarify the statement of work. Obtain an asset inventory from the client. Interview all stakeholders. Identify all third parties involved.

A penetration tester is reviewing the following SOW prior to engaging with a client. `Network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client's Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.` Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.). Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection. Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team. Seeking help with the engagement in underground hacker forums by sharing the client's public IP address. Using a software-based erase tool to wipe the client's findings from the penetration tester's laptop. Retaining the SOW within the penetration tester's company for future use so the sales team can plan future engagements.

A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly. Change line 2 to $ip= 10.192.168.254;. Remove lines 3, 5, and 6. Remove line 6. Move all the lines below line 7 to the top of the script.

A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following: Hydra and crunch. Netcat and cURL. Burp Suite and DIRB. Nmap and OWASP ZAP.

A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?. Create a one-shot system service to establish a reverse shell. Obtain /etc/shadow and brute force the root password. Run the nc -e /bin/sh <...> command. Move laterally to create a user account on LDAP.

A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory: U3VQZXIkM2NyZXQhCg== Which of the following commands should the tester use NEXT to decode the contents of the file?. echo U3VQZXIkM2NyZXQhCg== | base64 -d. tar zxvf password.txt. hydra -l svsacct -p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24. john --wordlist /usr/share/seclists/rockyou.txt password.txt.

A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. Which of the following would be the BEST option to identify a system properly prior to performing the assessment?. Asset inventory. DNS records. Web-application scan. Full scan.

A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?. Specially craft and deploy phishing emails to key company leaders. Run a vulnerability scan against the company's external website. Runtime the company's vendor/supply chain. Scrape web presences and social-networking sites.

A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?. Maximizing the likelihood of finding vulnerabilities. Reprioritizing the goals/objectives. Eliminating the potential for false positives. Reducing the risk to the client environment.

Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.). OWASP ZAP. Nmap. Nessus. BeEF. Hydra. Burp Suite.

Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems: will reveal vulnerabilities in the Modbus protocol. may cause unintended failures in control systems. may reduce the true positive rate of findings. will create a denial-of-service condition on the IP networks.

Which of the following provides a matrix of common tactics and techniques uses by attackers along with recommended mitigations?. NIST SP 800-53. OWASP Top 10. MITRE ATT&CK framework. PTES technical guidelines.

A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task?. nmap -f -sV -p80 192.168.1.20. nmap -sS -sL -p80 192.168.1.20. nmap -A -T4 -p80 192.168.1.20. nmap -O -v -p80 192.168.1.20.

A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal?. VRFY and EXPN. VRFY and TURN. EXPN and TURN. RCPT TO and VRFY.
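VRFY asks the server whether a single mailbox exists and EXPN expands a mailing list into its members; the reply code is the signal. The block below is an added example for this question, not code from the page: it runs an enumeration client against a constructed fake SMTP server started in a thread, so the account names, the list name and the server's reply codes are assumptions chosen for the demo. A hardened server answers VRFY with 252 (will accept mail but will not confirm the user), and the client reports that as ambiguous rather than as a hit.

```python
"""SMTP account enumeration with VRFY/EXPN (added example, not the page's
code). The fake server, its accounts and its reply codes are constructed."""
import socket
import threading

# constructed: accounts the fake server knows and one list it will expand
VALID_USERS = {"alice", "bob", "svcbackup"}
LISTS = {"staff": ["alice", "bob"]}


def fake_smtp_server():
    """Just enough SMTP to answer HELO/VRFY/EXPN/QUIT like a permissive
    Sendmail. Returns (listening_socket, port); close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle(conn):
        rf = conn.makefile("rb")
        conn.sendall(b"220 mail.example.test ESMTP Sendmail\r\n")
        for raw in rf:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 mail.example.test Hello\r\n")
            elif verb == "VRFY":
                if arg in VALID_USERS:
                    conn.sendall(f"250 <{arg}@example.test>\r\n".encode())
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif verb == "EXPN":
                members = LISTS.get(arg)
                if members:  # multi-line reply: "250-" continues, "250 " ends
                    body = "".join(f"250-<{m}@example.test>\r\n" for m in members[:-1])
                    body += f"250 <{members[-1]}@example.test>\r\n"
                    conn.sendall(body.encode())
                else:
                    conn.sendall(b"550 5.1.1 List unknown\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")
        conn.close()

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed by the caller
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def read_reply(rf):
    """Read one SMTP reply, joining continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = rf.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def enumerate_accounts(host, port, candidates, lists=()):
    """VRFY each candidate and EXPN each list. 250/251 = account exists,
    550/551 = it does not, 252 = server will not say (reported as ambiguous)."""
    s = socket.create_connection((host, port), timeout=5)
    rf = s.makefile("rb")
    read_reply(rf)                                    # 220 banner
    s.sendall(b"HELO probe.test\r\n")
    read_reply(rf)
    found = {"valid": set(), "invalid": set(), "ambiguous": set(), "lists": {}}
    for user in candidates:
        s.sendall(f"VRFY {user}\r\n".encode())
        code, _ = read_reply(rf)
        bucket = "valid" if code in (250, 251) else "ambiguous" if code == 252 else "invalid"
        found[bucket].add(user)
    for name in lists:
        s.sendall(f"EXPN {name}\r\n".encode())
        code, lines = read_reply(rf)
        if code == 250:
            found["lists"][name] = [ln[4:] for ln in lines]   # strip "250-"/"250 "
    s.sendall(b"QUIT\r\n")
    read_reply(rf)
    s.close()
    return found


def demo():
    """Run the enumeration against the fake server and return its findings."""
    srv, port = fake_smtp_server()
    try:
        return enumerate_accounts("127.0.0.1", port,
                                  ["alice", "mallory", "svcbackup"], ["staff"])
    finally:
        srv.close()
```

Against a real Sendmail the same client works unchanged; the only difference in practice is that many servers disable VRFY and EXPN (Sendmail's PrivacyOptions goaway), in which case every candidate lands in the ambiguous bucket and RCPT TO during a fake delivery becomes the fallback.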

A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?. Launch an external scan of netblocks. Check WHOIS and netblock records for the company. Use DNS lookups and dig to determine the external hosts. Conduct a ping sweep of the company's netblocks.

A penetration tester captured the following traffic during a web-application test: Decode the authorization header using UTF-8. Decrypt the authorization header using bcrypt. Decode the authorization header using Base64. Decrypt the authorization header using AES.

A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?. Tailgating. Dumpster diving. Shoulder surfing. Badge cloning.

A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?. Netcraft. CentralOps. Responder. FOCA.

A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network. Which of the following methods will MOST likely work?. Try to obtain the private key used for S/MIME from the CEO's account. Send an email from the CEO's account, requesting a new account. Move laterally from the mail server to the domain controller. Attempt to escalate privileges on the mail server to gain root access.

A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?. Nmap. Nikto. Cain and Abel. Ettercap.

A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal?. Wireshark. Aircrack-ng. Kismet. Wifite.

A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective?. nmap -sT -vvv -O 192.168.1.2/24 -PO. nmap -sV 192.168.1.2/24 -PO. nmap -sA -v -O 192.168.1.2/24. nmap -sS -O 192.168.1.2/24 -T1.

A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted store of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error?. TCP port 443 is not open on the firewall. The API server is using SSL instead of TLS. The tester is using an outdated version of the application. The application has the API certificate pinned.

A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company's privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server?. OpenVAS. Nikto. SQLmap. Nessus.

A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter, with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?. Data flooding. Session riding. Cybersquatting. Side channel.

Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test?. Scope details. Findings. Methodology. Statement of work.

A private investigation firm is requesting a penetration test to determine the likelihood that attackers can gain access to mobile devices and then exfiltrate data from those devices. Which of the following is a social-engineering method that, if successful, would MOST likely enable both objectives?. Send an SMS with a spoofed service number including a link to download a malicious application. Exploit a vulnerability in the MDM and create a new account and device profile. Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading. Infect a website that is often used by employees with malware targeted toward x86 architectures.

A penetration tester ran a ping -A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type?. Windows. Apple. Linux. Android.
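The reasoning behind the TTL question is that each OS family starts from a different initial TTL (64 for Linux, Android and macOS, 128 for Windows, 255 for many network devices) and every router hop decrements it by one, so the observed value is the initial TTL minus the hop count. The following is an added example, not from the page, that parses ping output and applies that rule; a reply with ttl=120 is a Windows host eight hops away, not a Linux box. The ping lines are constructed for the demo.

```python
"""TTL-based OS guess from ping output (added example, not the page's code).
The ping lines below are constructed; the initial-TTL table holds the common
defaults and is the assumption the guess rests on."""
import re

# default initial TTL -> OS family (common values, not an exhaustive table)
INITIAL_TTLS = {
    64: "Linux/Unix (incl. Android, macOS)",
    128: "Windows",
    255: "Network device / Solaris",
}

# constructed: replies from three hosts at different distances
PING_OUTPUT = """\
64 bytes from 10.0.0.5: icmp_seq=1 ttl=128 time=0.41 ms
64 bytes from 10.0.0.9: icmp_seq=1 ttl=63 time=1.12 ms
64 bytes from 10.0.0.254: icmp_seq=1 ttl=251 time=2.03 ms
64 bytes from 172.16.4.20: icmp_seq=1 ttl=120 time=9.80 ms
"""


def guess_os(ttl):
    """Return (os_family, hops): the smallest default initial TTL that is >= the
    observed value is the likely starting point, and the difference is the hop
    count. TTLs cannot exceed 255."""
    if not 0 < ttl <= 255:
        raise ValueError(f"impossible TTL {ttl}")
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def classify_ping_output(text):
    """Map each replying IP in ping output to its (os_family, hops) guess."""
    results = {}
    for m in re.finditer(r"from ([\d.]+):.*?\bttl=(\d+)", text):
        results[m.group(1)] = guess_os(int(m.group(2)))
    return results


if __name__ == "__main__":
    for ip, (family, hops) in classify_ping_output(PING_OUTPUT).items():
        print(f"{ip:15} {family:38} {hops} hop(s) away")
```

Treat the result as a hint, not a fingerprint: an administrator can change the default TTL, and a load balancer or VPN concentrator answers with its own stack, which is why the Nmap -O question later on this page exists.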

A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.). Shoulder surfing. Call spoofing. Badge stealing. Tailgating. Dumpster diving. Email phishing.

A penetration tester conducted an assessment on a web server. The logs from this session show the following: Clickjacking. Session hijacking. Parameter pollution. Cookie hijacking. Cross-site scripting.

A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?. A signed statement of work. The correct user accounts and associated passwords. The expected time frame of the assessment. The proper emergency contacts for the client.

An Nmap scan of a network switch reveals the following: Encrypted passwords. System-hardening techniques. Multifactor authentication. Network segmentation.

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?. Alternate data streams. PowerShell modules. MP4 steganography. ProcMon.

A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet. Which of the following is the BEST action for the tester to take?. Check the scoping document to determine if exfiltration is within scope. Stop the penetration test. Escalate the issue. Include the discovery and interaction in the daily report.

A Chief Information Security Officer wants to evaluate the security of the company's e-commerce application. Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?. SQLmap. DirBuster. w3af. OWASP ZAP.

Which of the following documents must be signed between the penetration tester and the client to govern how any provided information is managed before, during, and after the engagement?. MSA. NDA. SOW. ROE.

A penetration tester runs a scan against a server and obtains the following output: ftp 192.168.53.23. smbclient \\\\WEB3\\IPC$ -I 192.168.53.23 -U guest. ncrack -u Administrator -P 15worst_passwords.txt -p rdp 192.168.53.23. curl -X TRACE https://192.168.53.23:8443/index.aspx.

A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?. nmap -iL results 192.168.0.10-100. nmap 192.168.0.10-100 -O > results. nmap -A 192.168.0.10-100 -oX results. nmap 192.168.0.10-100 | grep "results".
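The point of -oX (or -oA, which writes the XML alongside the normal and grepable forms) is that the result can be parsed by another tool instead of scraped from screen output. As an added example, not code from the page, the block below parses a constructed Nmap XML document modelled on real -oX output and reduces it to one record per open port, the shape a SIEM or ticketing system would ingest. The sample hosts, ports and version strings are assumptions.

```python
"""Parse nmap -oX output into flat records (added example, not the page's
code). SAMPLE_XML is constructed to follow the real nmap XML shape, trimmed
to the elements used here."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -A 192.168.0.10-100 -oX results" version="7.94">
  <host>
    <status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="web3.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.52"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="96"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text, states=("open",)):
    """Return one dict per (host, port) whose state is in `states`.
    Hosts that are down, or that have no <ports> element, contribute nothing."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        name_el = host.find("hostnames/hostname")
        os_el = host.find("os/osmatch")
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state not in states:
                continue
            svc = port.find("service")
            product = None
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) or None
            records.append({
                "host": addr,
                "hostname": name_el.get("name") if name_el is not None else None,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "service": svc.get("name") if svc is not None else None,
                "product": product,
                "os_guess": os_el.get("name") if os_el is not None else None,
            })
    return records


def hosts_running(records, service_name):
    """Convenience filter: which hosts expose a given service name."""
    return sorted({r["host"] for r in records if r["service"] == service_name})


if __name__ == "__main__":
    for rec in parse_nmap_xml(SAMPLE_XML):
        print(f"{rec['host']}:{rec['port']}/{rec['proto']} {rec['service']} {rec['product']}")
```

Because the version strings arrive as data rather than text to eyeball, the same records can be joined against a CVE feed or an asset inventory, which is what the "centralized security tool" in the question will do with the upload.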

During a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign. Which of the following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client's cybersecurity tools? (Choose two.). Scraping social media sites. Using the WHOIS lookup tool. Crawling the client's website. Phishing company employees. Utilizing DNS lookup tools. Conducting wardriving near the client facility.

During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the: SOW. SLA. ROE. NDA.

A tester who is performing a penetration test on a website receives the following output: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62 Which of the following payloads can be used to further attack the website?. <script>var adr = '../evil.php?test=' + escape(document.cookie);</script>. ../../../../../../../../../../etc/passwd. /var/www/html/index.php;whoami. 1 UNION SELECT 1, DATABASE (), 3 --.
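That PHP warning is the tell: mysql_query() returned false because the user-supplied value broke the SQL statement, which means the value is concatenated into the query and a UNION is the next move. The block below is an added example, not from the page: it rebuilds the vulnerable search in Python over an in-memory SQLite table, runs the UNION payload from the answer, shows the error a malformed value produces, and puts the parameterized query beside it. SQLite has no DATABASE(), so sqlite_version() stands in; the products table and its rows are constructed.

```python
"""Vulnerable vs parameterized query (added example, not the page's code).
SQLite replaces MySQL here, so sqlite_version() plays the role of DATABASE();
the table and rows are constructed."""
import sqlite3

# the answer's payload, with sqlite_version() in place of MySQL's DATABASE()
PAYLOAD = "1 UNION SELECT 1, sqlite_version(), 3 --"


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
    """)
    return db


def search_vulnerable(db, item_id):
    """Mirrors search.php: the request parameter is pasted into the SQL text.
    A malformed value breaks the statement (the PHP warning); a UNION value
    appends attacker-chosen columns to the result set."""
    sql = f"SELECT id, name, price FROM products WHERE id = {item_id}"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        # the moment PHP's mysql_query() returns false instead of a resource
        return f"ERROR: {e}"


def search_safe(db, item_id):
    """Parameterized: the value is bound, never parsed as SQL, so the same
    payload simply matches no row."""
    return db.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (item_id,)
    ).fetchall()


def demo():
    """Return the outcomes for the payload, a malformed value, and the safe
    query on both a payload and a normal input."""
    db = make_db()
    return {
        "union": search_vulnerable(db, PAYLOAD),
        "error": search_vulnerable(db, "1'"),
        "safe_payload": search_safe(db, PAYLOAD),
        "safe_normal": search_safe(db, "1"),
        "version": sqlite3.sqlite_version,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13} {value}")
```

The "1, sqlite_version(), 3" column count is not arbitrary: a UNION only succeeds when it supplies the same number of columns as the original SELECT, which is why the first step after seeing the warning is usually ORDER BY n or a UNION with NULLs to find that count.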

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?. Gain access to the target host and implant malware specially crafted for this purpose. Exploit the local DNS server and add/update the zone records with a spoofed A record. Use the Scapy utility to overwrite name resolution fields in the DNS query response. Proxy HTTP connections from the target host to that of the spoofed host.

Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.). Use of non-optimized sort functions. Poor input sanitization. Null pointer dereferences. Non-compliance with code style guide. Use of deprecated Javadoc tags. A cyclomatic complexity score of 3.

A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?. Hydra. John the Ripper. Cain and Abel. Medusa.

A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:
✑ The following request was intercepted going to the network device:
GET /login HTTP/1.1
Host: 10.50.100.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk
✑ Network management interfaces are available on the production network.
✑ An Nmap scan returned the following:
Port State Service Version
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
80/tcp open http Cisco IOS http config
|_https-title: Did not follow redirect to https://10.50.100.16
443/tcp open https Cisco IOS https config
Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.). Enforce enhanced password complexity requirements. Disable or upgrade SSH daemon. Disable HTTP/301 redirect configuration. Create an out-of-band network for management. Implement a better method for authentication. Eliminate network management and control interfaces.
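Three questions on this page (the password.txt value, the captured authorization header, and the Basic header in the intercepted request above) rest on the same fact: Base64 is an encoding, not encryption, so the credential is recovered with a single decode and no key. The block below is an added example, not the page's code, covering all three. It decodes the password.txt string quoted earlier with the same result as echo ... | base64 -d, and extracts the username and password from a Basic Authorization header in a captured request. The request text and its admin credential are constructed for the demo; only the password.txt string comes from the page.

```python
"""Base64 credential recovery (added example, not the page's code). The
password.txt value is the one from the question; CAPTURED_REQUEST and its
admin credential are constructed."""
import base64
import binascii
import re

PASSWORD_TXT = "U3VQZXIkM2NyZXQhCg=="

# constructed: a plaintext-HTTP login to a management interface
CAPTURED_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: 10.50.100.16\r\n"
    "Authorization: Basic YWRtaW46V2ludGVyMjAyNCE=\r\n"
    "Connection: keep-alive\r\n\r\n"
)


def b64decode_lenient(s):
    """Decode Base64 even if whitespace was inserted or padding was stripped,
    both common when a value is copied out of a file or a proxy log."""
    s = re.sub(r"\s+", "", s)
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def decode_password_file(text):
    """Equivalent of: echo <text> | base64 -d  (the trailing newline survives)."""
    return b64decode_lenient(text).decode("utf-8")


def extract_basic_credentials(request_text):
    """Return (username, password) from the first 'Authorization: Basic'
    header, or None. Split on the first ':' only; passwords may contain ':'."""
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)", request_text, re.I | re.M)
    if not m:
        return None
    try:
        raw = b64decode_lenient(m.group(1)).decode("utf-8", errors="replace")
    except binascii.Error:
        return None                     # not valid Base64: nothing to recover
    user, sep, pwd = raw.partition(":")
    if not sep:
        return None                     # Basic credentials must be user:pass
    return user, pwd


if __name__ == "__main__":
    print(repr(decode_password_file(PASSWORD_TXT)))
    print(extract_basic_credentials(CAPTURED_REQUEST))
```

The recommendation the report wants follows directly: a Basic header on port 80 is a cleartext password for anyone in the path, so the fix is a stronger authentication method and a management network the production segment cannot reach, not a longer password.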

A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.). Remove the logs from the server. Restore the server backup. Disable the running services. Remove any tools or scripts that were installed. Delete any created credentials. Reboot the target server.

A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:
...
;; ANSWER SECTION
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.
Which of the following potential issues can the penetration tester identify based on this output?. At least one of the records is out of scope. There is a duplicate MX record. The NS record is not within the appropriate domain. The SOA record is outside the comptia.org domain.

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?. tcpdump. Snort. Nmap. Netstat. Fuzzer.

Deconfliction is necessary when the penetration test: determines that proprietary information is being stored in cleartext. occurs during the monthly vulnerability scanning. uncovers indicators of prior compromise over the course of the assessment. proceeds in parallel with a criminal digital forensic investigation.

A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?. Hashcat. Mimikatz. Patator. John the Ripper.

PCI DSS requires which of the following as part of the penetration-testing process?. The penetration tester must have cybersecurity certifications. The network must be segmented. Only externally facing systems should be tested. The assessment must be performed during non-working hours.

A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT?. The penetration tester conducts a retest. The penetration tester deletes all scripts from the client machines. The client applies patches to the systems. The client clears system logs generated during the test.

A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use?. nmap -sn 192.168.0.1/16. nmap -sn 192.168.0.1-254. nmap -sn 192.168.0.1 192.168.0.1.254. nmap -sN 192.168.0.0/24.

A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?. Steganography. Metadata removal. Encryption. Encode64.

A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?. Terminate the contract. Update the ROE with new signatures. Scan the 8-bit block to map additional missed hosts. Continue the assessment.

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?. Add a dependency checker into the tool chain. Perform routine static and dynamic analysis of committed code. Validate API security settings before deployment. Perform fuzz testing of compiled binaries.

A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?. Pick a lock. Disable the cameras remotely. Impersonate a package delivery worker. Send a phishing email.

A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?. Key reinstallation. Deauthentication. Evil twin. Replay.

During routine monitoring, a security analyst identified the following enterprise network traffic: Packet capture output: 66.187.224.210 set up a DNS hijack with 192.168.12.21. 192.168.12.21 made a TCP connection to 66.187.224.210. 192.168.12.21 made a TCP connection to 209.132.177.50. 209.132.177.50 set up a TCP reset attack to 192.168.12.21.

A penetration tester discovers an anonymous FTP server that is sharing the C:\drive. Which of the following is the BEST exploit?. Place a batch script in the startup folder for all users. Change a service binary location path to point to the tester's own payload. Escalate the tester's privileges to SYSTEM using the at.exe command. Download, modify, and reupload a compromised registry to obtain code execution.

The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovery to files without returning results of the attack machine?. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d "" -f5 > live-hosts.txt. nmap -Pn -sV -O -iL target.txt -oA target_text_Service. nmap -sS -Pn -n -iL target.txt -oA target_txtl.

A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary?. To meet PCI DSS testing requirements. For testing of the customer's SLA with the ISP. Because of concerns regarding bandwidth limitations. To ensure someone is available if something goes wrong.

An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?. nmap -sA 192.168.0.1/24. nmap -sS 192.168.0.1/24. nmap -oG 192.168.0.1/24. nmap 192.168.0.1/24.

During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT?. Deny that the vulnerability existed. Investigate the penetration tester. Accept that the client was right. Fire the penetration tester.

A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit?. Patch installations. Successful exploits. Application failures. Bandwidth limitations.

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?. Manually check the version number of the VoIP service against the CVE release. Test with proof-of-concept code from an exploit database on a non-production system. Review SIP traffic from an on-path position to look for indicators of compromise. Execute an nmap -sV scan against the service.

The results of an Nmap scan are as follows: Active Directory domain controller. IoT/embedded device. Exposed RDP. Print queue.

Which of the following are the MOST important items for prioritizing fixes that should be included in the final report for a penetration test? (Choose two.). The CVSS score of the finding. The network location of the vulnerable device. The vulnerability identifier. The client acceptance form. The name of the person who found the flaw. The tool used to find the issue.

A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company's web presence. Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.). MX records. Zone transfers. DNS forward and reverse lookups. Internet search engines. Externally facing open ports. Shodan results.
