Question 1

A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability?

Accepted Answer

A)  RID cycling to enumerate users and groups 
B)  Pass the hash to relay credentials 
C)  Password brute forcing to log into the host 
D)  Session hijacking to impersonate a system account

Question 2

A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?

Accepted Answer

A)  Sample SOAP messages 
B)  The REST API documentation 
C)  A protocol fuzzing utility 
D)  An applicable XSD file

Question 3

A senior employee received a suspicious email from another executive requesting an urgent wire transfer. Which of the following types of attacks is likely occurring?

Accepted Answer

A)  Spear phishing 
B)  Business email compromise 
C)  Vishing 
D)  Whaling

Question 4

Joe, an attacker, intends to transfer funds discreetly from a victim's account to his own. Which of the following URLs can he use to accomplish this attack?

Accepted Answer

A)  https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe'?&amount=200 
B)  https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' &amount=200 
C)  https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=True&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' ?&amount=200 
D)  https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846¬ify=True&creditaccount='AND 1=1 AND select username from testbank.custinfo where username like 'Joe' ?&amount=200

Question 5

A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?

Accepted Answer

A)  TCP SYN flood 
B)  SQL injection 
C)  XSS 
D)  XMAS scan

Question 6

Which of the following are MOST important when planning for an engagement? (Select TWO).

Accepted Answer

A)  Goals/objectives 
B)  Architectural diagrams 
C)  Tolerance to impact 
D)  Storage time for a report 
E)  Company policies

Question 7

A penetration tester is reviewing a Zigbee implementation for security issues. Which of the following device types is the tester MOST likely testing?

Accepted Answer

A)  Router 
B)  IoT 
C)  WAF 
D)  PoS

Question 8

In which of the following scenarios would a tester perform a Kerberoasting attack?

Accepted Answer

A)  The tester has compromised a Windows device and dumps the LSA secrets. 
B)  The tester needs to retrieve the SAM database and crack the password hashes. 
C)  The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement. 
D)  The tester has compromised an account and needs to dump hashes and plaintext passwords from the system.

Question 9

Which of the following can be used to perform online password attacks against RDP?

Accepted Answer

A)  Hashcat 
B)  John the Ripper 
C)  Aircrack-ng 
D)  Ncrack

Question 10

A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?

Accepted Answer

A)  Perform an HTTP downgrade attack. 
B)  Harvest the user credentials to decrypt traffic. 
C)  Perform an MITM attack. 
D)  Implement a CA attack by impersonating trusted CAs.

Question 11

A client's systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory. Which of the following is the penetration tester's BEST course of action?

Accepted Answer

A)  Send the report since the systems administrator will be in charge of implementing the fixes. 
B)  Send the report and carbon copy the point of contact/signatory for visibility. 
C)  Reply and explain to the systems administrator that proper authorization is needed to provide the report. 
D)  Forward the request to the point of contact/signatory for authorization.

Question 12

A consultant is attempting to harvest credentials from unsecure network protocols in use by the organization. Which of the following commands should the consultant use?

Accepted Answer

A)  tcpdump 
B)  john 
C)  hashcat 
D)  nc

Question 13

Which of the following vulnerabilities are MOST likely to be false positives when reported by an automated scanner on a static HTML web page? (Choose two.)

Accepted Answer

A)  Missing secure flag for a sensitive cookie 
B)  Reflected cross-site scripting 
C)  Enabled directory listing 
D)  Insecure HTTP methods allowed 
E)  Unencrypted transfer of sensitive data
F) Command injection
G) Disclosure of internal system information
H) Support of weak cipher suites

Question 14

A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in preparing for this engagement?

Accepted Answer

A)  Nikto 
B)  WAR 
C)  W3AF 
D)  Swagger

Question 15

A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Choose two.)

Accepted Answer

A)  Tcpdump 
B)  Nmap 
C)  Wireshark 
D)  SSH 
E)  Netcat
F) Cain and Abel

Question 16

The following command is run on a Linux file system: chmod 4111 /usr/bin/sudo Which of the following issues may be exploited now?

Accepted Answer

A)  Kernel vulnerabilities 
B)  Sticky bits 
C)  Unquoted service path 
D)  Misconfigured sudo

Question 17

A penetration tester discovers an anonymous FTP server that is sharing the C:\drive. Which of the following is the BEST exploit?

Accepted Answer

A)  Place a batch script in the startup folder for all users. 
B)  Change a service binary location path to point to the tester's own payload. 
C)  Escalate the tester's privileges to SYSTEM using the at.exe command. Escalate the tester's privileges to SYSTEM using the at.exe command. 
D)  Download, modify, and reupload a compromised registry to obtain code execution.

Question 18

Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

Accepted Answer

A)  ICS vendors are slow to implement adequate security controls. 
B)  ICS staff are not adequately trained to perform basic duties. 
C)  There is a scarcity of replacement equipment for critical devices. 
D)  There is a lack of compliance for ICS facilities.

Question 19

A penetration tester has been asked to conduct OS fingering with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.).

Accepted Answer

A)  -O 
B)  -iL 
C)  -V 
D)  -sS 
E)  oN
F) -oX

Question 20

A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials?

Accepted Answer

A)  background 
B)  hashdump 
C)  session 
D)  getuid 
E)  psexec

Exam 12: CompTIA PenTest+ Certification Exam