Question 1

A penetration tester executes the following commands:   Which of the following is a local host vulnerability that the attacker is exploiting?

Accepted Answer

A)  Insecure file permissions 
B)  Application whitelisting 
C)  Shell escape 
D)  Writable service 
A)  Insecure file permissions 
B)  Application whitelisting 
C)  Shell escape 
D)  Writable service

Question 2

A penetration tester is performing initial intelligence gathering on some remote hosts prior to conducting a vulnerability scan. The tester runs the following command: nmap -p 192.168.1.1, 192.168.1.2, 192.168.1.3 -sV -o --max-rate 2 192.168.1.130 Which of the following BEST describes why multiple IP addresses are specified?

Accepted Answer

A)  The network is subnetted as a/25 or greater, and the tester needed to access hosts on two different subnets. 
B)  The tester is trying to perform a more stealthy scan by including several bogus addresses. 
C)  The scanning machine has several interfaces to balance the scan request across at the specified rate. 
D)  A discovery scan is run on the first set of addresses, whereas a deeper, more aggressive scan is run against the latter host. 
A)  The network is subnetted as a/25 or greater, and the tester needed to access hosts on two different subnets. 
B)  The tester is trying to perform a more stealthy scan by including several bogus addresses. 
C)  The scanning machine has several interfaces to balance the scan request across at the specified rate. 
D)  A discovery scan is run on the first set of addresses, whereas a deeper, more aggressive scan is run against the latter host.

Question 3

A penetration tester is performing initial intelligence gathering on some remote hosts prior to conducting a vulnerability scan. The tester runs the following command: nmap -D 192.168.1.1, 192.168.1.2, 192.168.1.3 -sV -o --max-rate 2 192.168.1.130 Which of the following BEST describes why multiple IP addresses are specified?

Accepted Answer

A)  The network is subnetted as a/25 or greater, and the tester needed to access hosts on two different subnets. 
B)  The tester is trying to perform a more stealthy scan by including several bogus addresses. 
C)  The scanning machine has several interfaces to balance the scan request across at the specified rate. 
D)  A discovery scan is run on the first set of addresses, whereas a deeper, more aggressive scan is run against the latter host. 
A)  The network is subnetted as a/25 or greater, and the tester needed to access hosts on two different subnets. 
B)  The tester is trying to perform a more stealthy scan by including several bogus addresses. 
C)  The scanning machine has several interfaces to balance the scan request across at the specified rate. 
D)  A discovery scan is run on the first set of addresses, whereas a deeper, more aggressive scan is run against the latter host.

Question 4

A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester's source IP addresses should be whitelisted?

Accepted Answer

A)  Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems. 
B)  Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test. 
C)  IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses. 
D)  Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS. 
A)  Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems. 
B)  Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test. 
C)  IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses. 
D)  Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.

Question 5

A penetration tester is performing a code review. Which of the following testing techniques is being performed?

Accepted Answer

A)  Dynamic analysis 
B)  Fuzzing analysis 
C)  Static analysis 
D)  Run-time analysis 
A)  Dynamic analysis 
B)  Fuzzing analysis 
C)  Static analysis 
D)  Run-time analysis

Question 6

A penetration tester runs the following on a machine:   Which of the following will be returned?

Accepted Answer

A)  1 
B)  3 
C)  5 
D)  6 
A)  1 
B)  3 
C)  5 
D)  6

Question 7

Which of the following would be the BEST for performing passive reconnaissance on a target's external domain?

Accepted Answer

A)  Peach 
B)  CeWL 
C)  OpenVAS 
D)  Shodan 
A)  Peach 
B)  CeWL 
C)  OpenVAS 
D)  Shodan

Question 8

A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?

Accepted Answer

A)  fpipe.exe -1 8080 -r 80 100.170.60.5 
B)  ike-scan -A -t 1 --sourceip=apoof_ip 100.170.60.5 
C)  nmap -sS -A -f 100.170.60.5 
D)  nc 100.170.60.5 8080 /bin/sh 
A)  fpipe.exe -1 8080 -r 80 100.170.60.5 
B)  ike-scan -A -t 1 --sourceip=apoof_ip 100.170.60.5 
C)  nmap -sS -A -f 100.170.60.5 
D)  nc 100.170.60.5 8080 /bin/sh

Question 9

A consultant is performing a social engineering attack against a client. The consultant was able to collect a number of usernames and passwords using a phishing campaign. The consultant is given credentials to log on to various employees email accounts. Given the findings, which of the following should the consultant recommend be implemented?

Accepted Answer

A)  Strong password policy 
B)  Password encryption 
C)  Email system hardening 
D)  Two-factor authentication 
A)  Strong password policy 
B)  Password encryption 
C)  Email system hardening 
D)  Two-factor authentication

Question 10

While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

Accepted Answer

A)  HKEY_CLASSES_ROOT 
B)  HKEY_LOCAL_MACHINE 
C)  HKEY_CURRENT_USER 
D)  HKEY_CURRENT_CONFIG 
A)  HKEY_CLASSES_ROOT 
B)  HKEY_LOCAL_MACHINE 
C)  HKEY_CURRENT_USER 
D)  HKEY_CURRENT_CONFIG

Question 11

A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?

Accepted Answer

A)  nmap -p 22 -iL targets 
B)  nmap -p 22 -sL targets 
C)  nmap -p 22 -oG targets 
D)  nmap -p 22 -oA targets 
A)  nmap -p 22 -iL targets 
B)  nmap -p 22 -sL targets 
C)  nmap -p 22 -oG targets 
D)  nmap -p 22 -oA targets

Question 12

A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?

Accepted Answer

A)  DNS cache poisoning 
B)  Record and replay 
C)  Supervisory server SMB 
D)  Blind SQL injection 
A)  DNS cache poisoning 
B)  Record and replay 
C)  Supervisory server SMB 
D)  Blind SQL injection

Question 13

A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

Accepted Answer

A)  Transition the application to another port. 
B)  Filter port 443 to specific IP addresses. 
C)  Implement a web application firewall. 
D)  Disable unneeded services. 
A)  Transition the application to another port. 
B)  Filter port 443 to specific IP addresses. 
C)  Implement a web application firewall. 
D)  Disable unneeded services.

Question 14

During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

Accepted Answer

A)  Shell binary placed in C:\windows	emp 
B)  Modified daemons 
C)  New user creation 
D)  Backdoored executables 
A)  Shell binary placed in C:\windows	emp 
B)  Modified daemons 
C)  New user creation 
D)  Backdoored executables

Question 15

A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?

Accepted Answer

A)  Run a network vulnerability scan. 
B)  Run a stress test. 
C)  Run an MITM attack. 
D)  Run a port scan. 
A)  Run a network vulnerability scan. 
B)  Run a stress test. 
C)  Run an MITM attack. 
D)  Run a port scan.

Question 16

A client asks a penetration tester to add more addresses to a test currently in progress. Which of the following would define the target list?

Accepted Answer

A)  Rules of engagement 
B)  Mater services agreement 
C)  Statement of work 
D)  End-user license agreement 
A)  Rules of engagement 
B)  Mater services agreement 
C)  Statement of work 
D)  End-user license agreement

Question 17

A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network. Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?

Accepted Answer

A)  Removing shells 
B)  Obtaining client acceptance 
C)  Removing tester-created credentials 
D)  Documenting lessons learned 
E)  Presenting attestation of findings 
A)  Removing shells 
B)  Obtaining client acceptance 
C)  Removing tester-created credentials 
D)  Documenting lessons learned 
E)  Presenting attestation of findings

Question 18

Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?

Accepted Answer

A)  Manufacturers developing IoT devices are less concerned with security. 
B)  It is difficult for administrators to implement the same security standards across the board. 
C)  IoT systems often lack the hardware power required by more secure solutions. 
D)  Regulatory authorities often have lower security requirements for IoT systems. 
A)  Manufacturers developing IoT devices are less concerned with security. 
B)  It is difficult for administrators to implement the same security standards across the board. 
C)  IoT systems often lack the hardware power required by more secure solutions. 
D)  Regulatory authorities often have lower security requirements for IoT systems.

Question 19

Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?

Accepted Answer

A)  Creating a scope of the critical production systems 
B)  Setting a schedule of testing access times 
C)  Establishing a white-box testing engagement 
D)  Having management sign off on intrusive testing 
A)  Creating a scope of the critical production systems 
B)  Setting a schedule of testing access times 
C)  Establishing a white-box testing engagement 
D)  Having management sign off on intrusive testing

Question 20

A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

Accepted Answer

A)  Run the application through a dynamic code analyzer. 
B)  Employ a fuzzing utility. 
C)  Decompile the application. 
D)  Check memory allocations. 
A)  Run the application through a dynamic code analyzer. 
B)  Employ a fuzzing utility. 
C)  Decompile the application. 
D)  Check memory allocations.

A penetration tester executes the following commands: Which of the following is a local host vulnerability that the attacker is exploiting?

A penetration tester is performing a code review. Which of the following testing techniques is being performed?

A penetration tester runs the following on a machine: Which of the following will be returned?

Which of the following would be the BEST for performing passive reconnaissance on a target's external domain?

A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?

While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?

A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?

A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?

A client asks a penetration tester to add more addresses to a test currently in progress. Which of the following would define the target list?

A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network. Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?

Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?

Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?

A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

CompTIA A+ Certification Exam: Core 1

CompTIA A+ Certification Exam: Core 2

CompTIA Advanced Security Practitioner (CASP+) CAS-003

CompTIA Advanced Security Practitioner (CASP+) CAS-004

CompTIA Cloud Essentials+

CompTIA CySA+ Certification Exam (CS0-002)

CompTIA Cloud+ (CV0-002)

CompTIA Cloud+

CompTIA IT Fundamentals

CompTIA Network+

CompTIA Project+

CompTIA Server+

CompTIA Server+ Certification Exam

CompTIA Security+

CompTIA Security+ 2021

CompTIA CTT+ Essentials

CompTIA Linux+

Filters

Exam 12: CompTIA PenTest+ Certification Exam

A penetration tester executes the following commands: Which of the following is a local host vulnerability that the attacker is exploiting?

A penetration tester is performing a code review. Which of the following testing techniques is being performed?

A penetration tester runs the following on a machine: Which of the following will be returned?

Which of the following would be the BEST for performing passive reconnaissance on a target's external domain?

A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?

While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?

A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?

A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?

A client asks a penetration tester to add more addresses to a test currently in progress. Which of the following would define the target list?

A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network. Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?

Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?

Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?

A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

CompTIA A+ Certification Exam: Core 1

CompTIA A+ Certification Exam: Core 2

CompTIA Advanced Security Practitioner (CASP+) CAS-003

CompTIA Advanced Security Practitioner (CASP+) CAS-004

CompTIA Cloud Essentials+

CompTIA CySA+ Certification Exam (CS0-002)

CompTIA Cloud+ (CV0-002)

CompTIA Cloud+

CompTIA IT Fundamentals

CompTIA Network+

CompTIA Project+

CompTIA Server+

CompTIA Server+ Certification Exam

CompTIA Security+

CompTIA Security+ 2021

CompTIA CTT+ Essentials

CompTIA Linux+

Filters