Question 1

During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network. Which of the following tools could be used to impersonate network resources and collect authentication requests?

Accepted Answer

A)   Ettercap
B)   Tcpdump
C)   Responder
D)   Medusa C

Question 2

After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?

Accepted Answer

A)   Expand the password length from seven to 14 characters.
B)   Implement password history restrictions.
C)   Configure password filters/
D)   Disable the accounts after five incorrect attempts.
E)   Decrease the password expiration window. A

Question 3

A software development team recently migrated to new application software on the on-premises environment. Penetration test findings show that multiple vulnerabilities exist. If a penetration tester does not have access to a live or test environment, a test might be better to create the same environment on the VM. Which of the following is MOST important for confirmation?

Accepted Answer

A)   Unsecure service and protocol configuration
B)   Running SMB and SMTP service
C)   Weak password complexity and user account
D)   Misconfiguration A

Question 4

A penetration tester is checking a script to determine why some basic math errors are persisting. The expected result was the program outputting "True".  Given the output from the console above, which of the following explains how to correct the errors in the script? (Choose two.)

Accepted Answer

A)   Change 'fi' to 'Endlf'.
B)   Remove the 'let' in front of 'dest=5+5'.
C)   Change the '=' to '-eq'.
D)   Change 'source' and 'dest' to "$source" and "$dest".
E)   Change 'else' to 'elif'.

Question 5

Which of the following commands will allow a tester to enumerate potential unquoted service paths on a host?

Accepted Answer

A)   wmic environment get name, variablevalue, username | findstr /i "Path" | findstr /i "Service"
B)   wmic service get /format:hform > c:	emp\services.html
C)   wmic startup get caption, location, command |findstr /i "service" |findstr /v /i "%"
D)   wmic service get name, displayname, pathname, startmode |findstr /i "auto" |findstr /i /v "c:\windows\" |findstr /i /v """

Question 6

A client has voiced concern about the number of companies being breached by remote attackers, who are looking for trade secrets. Which of the following BEST describes the type of adversaries this would identify?

Accepted Answer

A)   Script kiddies
B)   APT actors
C)   Insider threats
D)   Hacktivist groups

Question 7

A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks: Code review Updates to firewall settings Which of the following has occurred in this situation?

Accepted Answer

A)   Scope creep
B)   Post-mortem review
C)   Risk acceptance
D)   Threat prevention

Question 8

Joe, an attacker, intends to transfer funds discreetly from a victim's account to his own. Which of the following URLs can he use to accomplish this attack?

Accepted Answer

A)   https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe'?&amount=200
B)   1=1 AND select username from testbank.custinfo where username like 'Joe' &amount=200
C)   https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=True&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' ?&amount=200
D)   https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=True&creditaccount='AND

Question 9

At the information gathering stage, a penetration tester is trying to passively identify the technology running on a client's website. Which of the following approached should the penetration tester take?

Accepted Answer

A)   Run a spider scan in Burp Suite.
B)   Use web aggregators such as BuiltWith and Netcraft
C)   Run a web scraper and pull the website's content.
D)   Use Nmap to fingerprint the website's technology.

Question 10

Which of the following is an example of a spear phishing attack?

Accepted Answer

A)   Targeting an executive with an SMS attack
B)   Targeting a specific team with an email attack
C)   Targeting random users with a USB key drop
D)   Targeting an organization with a watering hole attack

Question 11

A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

Accepted Answer

A)   Download the GHOST file to a Linux system and compile   gcc -o GHOST   test i:   ./GHOST
B)   Download the GHOST file to a Windows system and compile    gcc -o GHOST GHOST.c    gcc -o GHOST GHOST.c
C)   ./GHOST
D)      gcc -o GHOST gcc -o GHOST

Question 12

An assessor begins an internal security test of the Windows domain internal.comptia.net . The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers?

Accepted Answer

A)   dig -q any _kerberos._tcp.internal.comptia.net
B)   dig -q any _lanman._tcp.internal.comptia.net
C)   dig -q any _ntlm._tcp.internal.comptia.net
D)   dig -q any _smtp._tcp.internal.comptia.net

Question 13

A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Accepted Answer

A)   Stored XSS
B)   Fill path disclosure
C)   Expired certificate
D)   Clickjacking

Question 14

Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe is looking for a method that will enable him to enter the building during business hours or when there are no employees on-site. Which of the following would be the MOST effective in accomplishing this?

Accepted Answer

A)   Badge cloning
B)   Lock picking
C)   Tailgating
D)   Piggybacking

Question 15

A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

Accepted Answer

A)   dsrm -users "DN=company.com; OU=hq CN=users"
B)   dsuser -name -account -limit 3
C)   dsquery user -inactive 3
D)   dsquery -o -rdn -limit 21

Question 16

A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?

Accepted Answer

A)   The physical location and network ESSIDs to be tested
B)   The number of wireless devices owned by the client
C)   The client's preferred wireless access point vendor
D)   The bands and frequencies used by the client's devices

Question 17

A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0. Which of the following levels of difficulty would be required to exploit this vulnerability?

Accepted Answer

A)   Very difficult; perimeter systems are usually behind a firewall.
B)   Somewhat difficult; would require significant processing power to exploit.
C)   Trivial; little effort is required to exploit this finding.
D)   Impossible; external hosts are hardened to protect against attacks.

Question 18

A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?

Accepted Answer

A)   nmap -p 53 -oG dnslist.txt | cut -d ":" -f 4
B)   nslookup -ns 8.8.8.8 
C)   for x in {1...254}; do dig -x 192.168.$x.$x; done
D)   dig -r > echo "8.8.8.8" >> /etc/resolv.conf

Question 19

A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?

Accepted Answer

A)   Command injection attack
B)   Clickjacking attack
C)   Directory traversal attack
D)   Remote file inclusion attack

Question 20

During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz. Which of the following registry changes would allow for credential caching in memory?

Accepted Answer

A)   reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 0
B)   reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
C)   reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
D)   reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1

Exam 12: CompTIA PenTest+ Certification Exam