CompTIA PenTest+ (PT0-001) Practice Certifications Exams (Jason Dion 4 of 6) Flashcards
Which of the following secure coding best practices ensures special characters like , /, and ‘ are not accepted from the user via a web form?
A.Session management
B.Input validation
C.Error handling
D.Output encoding
B.Input validation
Explanation:
OBJ-5.3: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.
An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?
A.The user doesn't have a PDF reader installed on their computer
B.The attachment is using a double file extension to mask its identity
C.The file contains an embedded link to a malicious website
D.The email is a form of spam and should be deleted
B.The attachment is using a double file extension to mask its identity
Explanation:
OBJ-2.4: The message contains a file attachment hoping that the user will execute or open it. The attachment’s nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appeared and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.
A penetration tester wants to build a workstation that will be used to brute force hash digests. Which of the following is the BEST option to ensure sufficient power and speed to crack them?
A.Multi-core CPU
B.Dedicated GPU
C.Integrated GPU
D.7200-RPM HDD
B.Dedicated GPU
Explanation:
OBJ-4.2: Dedicated GPUs are designed to conduct complex mathematical functions extremely quickly. If you want to build a system to perform cracking of a password, hash, or encryption algorithm, it is important to have a high-speed, dedicated GPU. The reason to use a GPU instead of a CPU for password cracking is that it is much faster for this mathematically intensive type of work. Cracking passwords, hashes, and encryption is a lot like mining cryptocurrency in that using dedicated GPUs will give you the best performance.
Consider the following REGEX search string:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following strings would NOT be included in the output of this search?
A.205.255.255.001
B.37.259.129.207
C.1.2.3.4
D.001.02.3.40
B.37.259.129.207
Explanation:
OBJ-4.4: The \b delimiter indicates that we are looking for whole words for the complete string. The REGEX is made up of four identical repeating groups, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?), separated by escaped periods. For now, let us refer to these groups as octets, such as the ones used in internet protocol version 4 addresses. Each octet allows 25[0-5] OR (|) 2[0-4][0-9] OR the numbers 00-99 optionally (?) preceded by a 0 or 1, or just a single number, followed by a “.”. Since the period is treated as a special character by a REGEX operator, the escape character (\) is required to make the symbol act as a literal dot or period in the pattern. This sequence repeats four times, allowing for all variations of normal IP addresses with octet values of 0-255. Since 259 is outside the range of 0-255, this is rejected. More specifically, character strings starting with 25 must end with a number between 0 and 5 (25[0-5]). Therefore, 259 would be rejected. Now, on exam day, if you received a question like this, you can try to figure out the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answers first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don’t be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn’t a valid IP address? Clearly, 37.259.129.207 is not a valid IP address, so if you had to guess as to what wouldn’t be an output of this complex-looking command, you should guess that one!
Your company has just hired a contractor to attempt to exploit a weakness in your network to identify all of its vulnerabilities. This person has been permitted to perform these actions and may only conduct their actions within the contract's scope of work. Which of the following will be conducted by the contractor?
A.Penetration testing
B.Social engineering
C.Hacktivism
D.Vulnerability scanning
A.Penetration testing
Explanation:
OBJ-1.3: Penetration testing is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. Penetration testers only do this with the permission of the organization that owns the system, network, or web application and within the bounds of their scope of work. The person will not attempt to exploit a weakness during vulnerability scanning. Social engineering may be used as part of a penetration test, but it does not adequately describe the scenario provided. Hacktivism is when someone is hacking an organization without permission based on their own morals and values.
A facility would like to verify each individual’s identity before allowing access to its server room and datacenter. Additionally, the building should ensure that users do not tailgate behind other users. What solution would BEST meet these requirements?
A.Implement a biometric reader at the datacenter entrance and require passage through a mantrap
B.Implement a security guard at the facility entrance and a keypad at the data center entrance
C.Implement a CCTV camera and a proximity reader at the data center entrance
D.Implement a biometric reader at the facility entrance and a proximity card at the data center entrance
A.Implement a biometric reader at the datacenter entrance and require passage through a mantrap
Explanation:
OBJ-5.3: A biometric reader would read the employee’s fingerprints. A mantrap is most often used in physical security to separate non-secure areas from secure areas and prevent unauthorized access.
What is the proper threat classification for a security breach that employs brute-force methods to compromise, degrade, or destroy systems?
A.Attrition
B.Improper usage
C.Impersonation
D.Loss or theft of equipment
A.Attrition
Explanation:
OBJ-2.4: Attrition attacks employ brute-force methods to compromise, degrade, or destroy systems, networks, or services. An impersonation attack occurs when the attacker gains control of an employee’s account and uses it to convince other employees to perform fraudulent actions. Improper usage occurs when an employee or other authorized user utilizes the systems or networks not as intended or designed. The loss or theft of equipment usually relates to a smartphone, tablet, or laptop that is lost or stolen, after which the data on it becomes compromised.
Your company has been contracted to develop an Android mobile application for a major bank. You have been asked to verify the security of the Java function’s source code below:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
int verifyAdmin(String password) {
    if (password.equals("mR7HCS14@31")) {
        return 0;
    }
    return 1;
}
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following vulnerabilities exist in this application’s authentication function based solely on the source code provided?
A.The function is vulnerable to a buffer overflow attack
B.The function is vulnerable to an SQL injection attack
C.The function is using parameterized queries
D.The function is using hard-coded credentials to verify the password entered by the user
D.The function is using hard-coded credentials to verify the password entered by the user
Explanation
OBJ-3.4: The function uses hard-coded credentials, which is an insecure practice that can lead to compromise. The password for the application is shown in the source code as mR7HCS14@31. Even if this was obfuscated using encoding or encryption, it is a terrible security practice to include hard-coded credentials in the application since an attacker can reverse-engineer them. In this case, it could be used to rob the bank or its customers! There is no evidence of a SQL injection or buffer overflow vulnerability based on the code being shown. In fact, this code doesn’t even show any SQL or ability to connect to a SQL database. We cannot see the variable initialization in this code, either, so we cannot determine if it is vulnerable to a buffer overflow attack. Finally, a parameterized query is a security feature, not a vulnerability, and this source code does not show any evidence of parameterized queries being used.
You have been contracted to conduct a compliance-based assessment for an organization. What is the MOST important thing for you to understand?
A.The organization's industry
B.The organization's tolerance to impact
C.The organization's policies
D.The organization's architectural diagrams
A.The organization's industry
Explanation:
OBJ-1.4: The organization’s industry is the most important thing to consider and understand when conducting a compliance-based assessment. Compliance-based assessments are government- or industry-required assessments based on a particular compliance framework. For example, if you are conducting an assessment of a credit card processor, then PCI-DSS would be important to consider. If you are assessing a federal government IT system, then you should consider FedRAMP. If you are conducting an assessment of a military or military contractor network, you should consider the DISA STIG for those systems.
A company has implemented the capability to send all log files to a central location by utilizing an encrypted channel. The log files are sent to this location to be reviewed. A recent exploit has caused the company’s encryption to become insecure. What would be required to resolve the exploit?
A.Configure the firewall to block port 22
B.Utilize an FTP service
C.Send all log files through SMTP
D.Install recommended updates
D.Install recommended updates
Explanation:
OBJ-5.3: If the encryption is insecure, then we must look for encryption software updates or patches. If they are available, we must install them.
You have been hired to conduct a compliance-based, external network penetration test for an organization. During the engagement planning, you determined that the client has an IPS protecting their network. You have requested to have your source IP whitelisted in the IPS during the engagement. The client states that they do not want to whitelist your source IP. Which of the following should you tell the client?
A.The organization cannot rely solely on the IPS because its signatures need to be constantly updated to prevent vulnerabilities and exploitation
B.Whitelisting the source IP is required since a third-party developed the IPS and therefore, would need to approve the penetration test if the IP is not whitelisted
C.Whitelisting the source IP will allow us to focus on the discovery of security issues within your system instead of relying solely on the effectiveness of the IPS
C.Whitelisting the source IP is necessary to prevent flooding the IPS and Syslog server with false positives
D.Whitelisting the source IP is necessary to prevent flooding the IPS and Syslog server with false positives during the engagement
C.Whitelisting the source IP is necessary to prevent flooding the IPS and Syslog server with false positives
Explanation:
OBJ-1.4: If the source IP is not whitelisted, the penetration tester will have to waste a lot of time and resources trying to bypass the IPS to test the rest of the systems in the engagement’s scope. Instead, the source IP should be whitelisted. The final report should indicate which vulnerabilities found would be a lower risk due to the IPS already installed as a mitigating control.
Which of the following lateral movement techniques provides an HTTP Simple Object Access Protocol (SOAP) standard for specific remote management services on Windows systems?
A.PsExec
B.Scheduled tasks
C.WMI
D.WinRM
D.WinRM
Explanation:
OBJ-3.7: Windows Remote Management (WinRM) is a technology that provides an HTTP Simple Object Access Protocol (SOAP) standard for specific remote management services on Windows systems. These remote management services enable you to issue commands to remote systems without using an interactive shell.
Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?
A.Directory traversals
B.Faulty input validation
C.Output encoding
D.File inclusions
B.Faulty input validation
Explanation:
OBJ-5.3: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website’s running process. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.
You are working as part of a DevSecOps team at Dion Training on a new practice exam web application. You need to conduct static analysis of the code as part of your software assurance responsibilities. Which of the following tools should you utilize?
A.APK Studio
B.YASCA
C.Hydra
D.FOCA
B.YASCA
Explanation:
OBJ-4.2: YASCA (Yet Another Source Code Analyzer) is an open-source static application security testing (SAST) program that inspects the source code for security vulnerabilities, code quality, and performance. FOCA, Hydra, and APK Studio are not categorized as SAST tools. FOCA (Fingerprinting Organizations with Collected Archives) is a network infrastructure mapping tool that analyzes metadata from many file types to enumerate users, folders, software and OS information, and other information. Hydra is a free network login password cracking tool that is included with Kali Linux. It supports several authentication protocols. APK Studio is a cross-platform IDE for reverse engineering Android applications.
During a penetration test, which of the following should you perform if your goal is to conduct a successful smishing attack?
A.Send targeted emails with a malicious attachment to the sales team
B.Send a text message with a malicious link to the organization's executives
C.Send a targeted email with a malicious attachment to the organization's CEO
D.Call the CTO's assistant using a pretext to gather information about their schedule
B.Send a text message with a malicious link to the organization's executives
Explanation
OBJ-3.1: Smishing (SMS phishing) is a phishing attack in which the attacker entices their victim through SMS text messages. If the messages are sent by text message, then the attack is considered smishing.
You are reviewing the logs in your IDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?
A.SYN Flood
B.UDP Probe
C.Remote host cannot find the right service port
D.Port scan
D.Port scan
Explanation
OBJ-3.2: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create a SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. A SYN flood normally sends many SYNs to a single system. Still, it doesn’t send them to unused ports, and a UDP probe will not send SYN packets.
A small business network was recently infected by a piece of malware from a USB drive that copied sensitive data from a computer, infected the system, and then spread across the network by infecting other systems. Which of the following actions could have prevented this type of attack from occurring?
A.Enabling full disk encryption
B.Disabling AutoRun on the computer
C.Replacing the default credentials on the system
D.Enforcing the use of complex passwords
B.Disabling AutoRun on the computer
Explanation
OBJ-5.3: The Windows AutoRun feature is turned on by default on most Windows versions, allowing programs to run from an external device as soon as it is attached to a computer. Malware can exploit the AutoRun feature and allow it to spread its payload from your external USB device to a computer. For this reason, users should disable the AutoRun feature.
What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network?
A.Network sniffing
B.Application security testing
C.Social Engineering
D.Vulnerability scanning
C.Social Engineering
Explanation
OBJ-3.1: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore, adding end-user training would not affect these technology options.
Which of the following phases of a penetration test is not usually conducted by a real attacker?
A.Reconnaissance
B.Gaining access
C.Reporting
D.Covering tracks
C.Reporting
Explanation:
OBJ-1.1: While a penetration test closely mirrors the same attack process used by a real attacker, the reporting phase is used only by penetration testers. The reporting phase is where the information gathered during testing and analysis is shared with stakeholders. Normally, this includes the vulnerabilities detected, vulnerabilities exploited, sensitive data accessed, length of access maintained, and recommendations for remediation.
Your company failed a recent security audit. The IT Director has issued a new policy dictating that all workstations must be locked when not in use for more than 2 minutes, that a password must be entered before booting up the operating system, and that the hard drive must be fully encrypted. You have been asked to configure the corporate workstations to enforce these new security measures. Which THREE of the following should you configure FIRST?
A.Enable a UEFI password
B.Enable BitLocker
C.Require multifactor authentication
D.Enable strong passwords
E.Enable a screen lock
F.Require the use of smart cards
A.Enable a UEFI password
B.Enable BitLocker
E.Enable a screen lock
Explanation
OBJ-5.3: These requirements can be met by enabling BitLocker to encrypt the hard drive, enabling a UEFI password to require a password to be entered before booting an operating system, and enabling a screen lock that turns on after 2 minutes of inactivity.
Jason is conducting a penetration test against Dion Training’s Windows-based network. He wants to laterally move to another host and execute an exploit he previously tricked a user into downloading to the C:\Windows\temp directory on the workstation with an IP of 192.168.1.50. He types the following into his terminal:
-=-=-=-=-=-=-
PS C:\Users\jason> $obj = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.1.50"))
-=-=-=-=-=-=-
Based on these commands, what type of post-exploitation lateral movement did Jason utilize?
A.Scheduled tasks
B.PsExec
C.RPC/DCOM
D.WMIC
C.RPC/DCOM
Explanation
OBJ-3.7: Remote Procedure Call (RPC) enables inter-process communication between local and remote processes on Windows. Distributed Component Object Model (DCOM) enables the communication between software components over a network. DCOM applications use RPC as a transport mechanism for client requests. Flaws in DCOM can enable you to execute code on a remote system by assuming user privileges. For example, a DCOM application commonly used to initiate lateral movement is MMC20.Application. This enables users to execute Microsoft Management Console (MMC) snap-in operations on a Windows computer. The MMC20.Application includes an ExecuteShellCommand() method that allows for a command’s remote execution using a remote computer’s shell. In this example, the first command told PowerShell on Jason’s machine to select the MMC snap-in on the remote computer with the IP address of 192.168.1.50. The second command then started the exploit on the remote system with a null current working directory, null parameters passed to the exploit.exe command, and a window state of 7. Ultimately, this would launch the exploit.exe program on the remote machine using the local administrator account.
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach?
A.Require data masking for any information stored in the datastore
B.Require data at rest encryption on all endpoints
C.Require a VPN to be utilized for all telework employees
D.Require all new employees to sign an NDA
B.Require data at rest encryption on all endpoints
Explanation
OBJ-5.3: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop’s loss caused it. Even if a VPN had been used, the same data breach would have still occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.
You have just concluded a two-month engagement that targeted Dion Training’s network. You have a detailed list of findings and have prepared your report for the company. Which of the following reasons explains why you must keep your report confidential and secure?
A.The findings contain privileged information about their customers
B.The findings could be used by attackers to exploit the client's systems
C.The findings included may contain company intellectual property
D.The findings could hurt the company's reputation if disclosed
B.The findings could be used by attackers to exploit the client's systems
Explanation
OBJ-5.1: To further reinforce the SOW, NDA, and any other legal documentation in effect, the client is likely to include confidentiality provisions within the engagement plan. This ensures that the information discovered during the penetration test is shared only with the appropriate entities. For example, if a penetration tester finds a major code injection vulnerability in the company’s public-facing website, the organization may require them to keep this information confidential to minimize the risk of it being exploited by an attacker.
You are working at the service desk and just received the following email from an end-user who believes it is suspicious:
From: user@diontraining.com
To: abuse@diontraining.com
Subject: You won a free iPhone!
You have won a brand new iPhone!
Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php)
*******
How should you classify this email?
A.Spearphishing
B.Malware
C.Phishing
D.Spoofing
C.Phishing
Explanation
OBJ-3.1: This is an example of a phishing campaign. Phishing refers to obtaining user authentication or financial information through a fraudulent request for information. Phishing is specifically associated with emailing users with a link to a faked site (or some other malware that steals the information they use to try to authenticate). Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. In this example, the specific user wasn’t clearly targeted by their name or by their association with a particular store, company, or website.
Which of the following is the MOST important thing to receive from the client during the planning for an engagement?
A.Password policies
B.Goals and Objectives
C.SOAP project files
D.Architectural diagrams
B.Goals and Objectives
Explanation
OBJ-1.3: When planning an engagement, it is crucial to understand the client’s goals and objectives. Basically, they need to answer the question, “What do I hope to achieve by conducting this penetration test?” This will allow you to better plan the engagement within the boundaries you and the client agree upon. For example, are they conducting the penetration test due to regulatory or compliance requirements? Are they trying to determine if a social engineering campaign would trick their employees? Are they trying to determine if their patch management program is effective? Each of these objectives has different methods that would be used in the engagement.
While conducting a security test to ensure that information about your company’s web server is protected from inadvertent disclosure, you request an HTML file from the webserver and receive the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/6.0
Date: Tuesday, 5 Sep 2017 10:34:12 GMT
Content-Type: text/html
Content-Length: 132

There is no web site configured at this address.
This page is a placeholder until construction begins.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following actions should you take to remediate this vulnerability?
A.Set “PerProcessLogging” to 1 in the URLScan.ini configuration file
B.Set “VerifyNormalization” to 1 in the URLScan.ini configuration file
C.Set “EnableLogging” to 1 in the URLScan.ini configuration file
D.Set “RemoveServerHeader” to 1 in the URLScan.ini configuration file
D.Set “RemoveServerHeader” to 1 in the URLScan.ini configuration file
Explanation
OBJ-3.5: This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the “RemoveServerHeader” in the Microsoft IIS configuration file (URLScan.ini). If you set “RemoveServerHeader” to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set “EnableLogging” to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and will defend against canonicalization attacks, where a URL contains a double encoded string in the URL. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!
You are working as part of a penetration team that is assessing the security of a Java-based practice exam application for Dion Training. You want to perform static code analysis on the application, but you don’t have the source code. Luckily, you were able to download a copy of the Java bytecode. Which of the following techniques should you utilize to get the bytecode ready for running through a static code analysis tool?
A.Decompile the application with JAD
B.Use Peach to conduct fuzzing
C.Brute force the source code using Hydra
D.Use a debugger like GDB to reverse engineer it
A.Decompile the application with JAD
Explanation
OBJ-4.2: To conduct a static analysis, you need to have the source code. Since the company didn’t provide it, you can use the Java bytecode (binary) and a decompiler to recreate the source code. JAD is a Java Application Decompiler. Brute forcing the application with Hydra wouldn’t provide you with the source code. It would only provide a password. Debuggers can be useful, but they will return bytecode-level information and not source code. Peach is a great fuzzing tool, but fuzzing is a dynamic technique and not a static one.
Jason is conducting a physical penetration test against a company. His objective is to enter the server room that is protected by a lock using a fingerprint reader. Jason attempts to use his finger to open the lock several times without success. He then turns his finger 45 degrees to the left, and the lock authenticates him. What is MOST likely the reason the lock opened?
A.The crossover error rate is tuned towards false positives
B.The crossover error rate is tuned toward true negatives
C.The biometric lock is set to fail open after five invalid attempts
D.The biometric lock is set to fail closed after five invalid attempts
A.The crossover error rate is tuned toward false positives
Explanation
OBJ-2.4: A biometric lock is difficult to bypass unless the installer incorrectly configures it. If the biometric lock has a high false acceptance rate, it will allow unauthorized people to open the door. The crossover error rate (CER) is the point where the false acceptance and false rejection rates are equal. When charted on a graph, this point can lean more towards accepting false positives or rejecting true positives. If it leans more towards accepting false positives, the sensitivity has decreased to allow less frustration for its users.
Which of the following tools is used to cross-compile code on a Kali Linux machine to run on a Windows client?
A.Metasploit
B.APK Studio
C.Ollydbg
D.MSFVenom
D.MSFVenom
Explanation
OBJ-4.2: MSFvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. This tool allows a Kali Linux user to cross-compile code as an executable for a Windows client or Android device. MSFvenom is part of the Metasploit framework.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as?
A.Decompiler
B.Fault injector
C.Static code analyzer
D.Fuzzer
C.Static code analyzer
Explanation
OBJ-4.2: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested to be run for analysis.
Which of the following tools is used by a penetration tester to conduct open-source intelligence (OSINT)?
A.Empire
B.Maltego
C.Nessus
D.AirCrack-NG
B.Maltego
Explanation
OBJ-4.2: Maltego is an OSINT tool that is used to gather information from public resources. It has a graphical user interface (GUI) that visualizes the information gathered to help a penetration tester make logical connections between the different data sets collected.
A recently hired security employee at a bank was asked to perform daily scans of the bank's intranet to look for unauthorized devices. The new employee decides to create a script that scans the network for unauthorized devices every morning at 2:00 am. Which programming language would work best to create this script?
A.PHP
B.ASP.NET
C.Python
D.C#
C.Python
Explanation
OBJ-4.4: Python is a scripting language commonly used in cybersecurity. PHP is used as a scripting language for web applications. C# and ASP.NET are both compiled languages, not scripting languages.
What kind of attack is an example of IP spoofing?
A.ARP Poisoning
B.Man-in-the-middle
C.Cross-site scripting
D.SQL Injections
B.Man-in-the-middle
Explanation
OBJ-3.2: The man-in-the-middle attack intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attacker. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP-to-MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end user.
What type of threat actor is highly funded and often backed by nation-states?
A.Insider Threat
B.Hacktivist
C.Script Kiddies
D.APT
D.APT
Explanation
OBJ-1.3: Advanced Persistent Threats are a group of hackers with great capability and intent. Nation-states and other large organizations often fund them to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.