Exam Study Questions Flashcards
(96 cards)
A tester who is performing a penetration test on a website receives the following output:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62
Which of the following commands can be used to further attack the website?
A. var adr = '../evil.php?test=' + escape(document.cookie);
B. ../../../../../../../../../../etc/passwd
C. /var/www/html/index.php;whoami
D. 1 UNION SELECT 1, DATABASE (), 3 --
D. 1 UNION SELECT 1, DATABASE (), 3 --
A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?
A. Gain access to the target host and implant malware specially crafted for this purpose.
B. Exploit the local DNS server and add/update the zone records with a spoofed A record.
C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.
D. Proxy HTTP connections from the target host to that of the spoofed host.
D. Proxy HTTP connections from the target host to that of the spoofed host.
Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.)
A. Use of non-optimized sort functions
B. Poor input sanitization
C. Null pointer dereferences
D. Non-compliance with code style guide
E. Use of deprecated Javadoc tags
F. A cyclomatic complexity score of 3
B. Poor input sanitization
C. Null pointer dereferences
A penetration tester has found indicators that a privileged user’s password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?
A. Hydra
B. John the Ripper
C. Cain and Abel
D. Medusa
D. Medusa
A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.)
A. Remove the logs from the server.
B. Restore the server backup.
C. Disable the running services.
D. Remove any tools or scripts that were installed.
E. Delete any created credentials.
F. Reboot the target server.
C. Disable the running services.
E. Delete any created credentials.
A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:
…
;; ANSWER SECTION
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.
Which of the following potential issues can the penetration tester identify based on this output?
A. At least one of the records is out of scope.
B. There is a duplicate MX record.
C. The NS record is not within the appropriate domain.
D. The SOA record is outside the comptia.org domain.
A. At least one of the records is out of scope.
A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?
A. tcpdump
B. Snort
C. Nmap
D. Netstat
E. Fuzzer
C. Nmap
Deconfliction is necessary when the penetration test:
A. determines that proprietary information is being stored in cleartext.
B. occurs during the monthly vulnerability scanning.
C. uncovers indicators of prior compromise over the course of the assessment.
D. proceeds in parallel with a criminal digital forensic investigation.
C. uncovers indicators of prior compromise over the course of the assessment.
A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?
A. Hashcat
B. Mimikatz
C. Patator
D. John the Ripper
C. Patator
PCI DSS requires which of the following as part of the penetration-testing process?
A. The penetration tester must have cybersecurity certifications.
B. The network must be segmented.
C. Only externally facing systems should be tested.
D. The assessment must be performed during non-working hours.
B. The network must be segmented.
A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT?
A. The penetration tester conducts a retest.
B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.
C. The client applies patches to the systems.
A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use?
A. nmap -sn 192.168.0.1/16
B. nmap -sn 192.168.0.1-254
C. nmap -sn 192.168.0.1 192.168.0.1.254
D. nmap -sN 192.168.0.0/24
B. nmap -sn 192.168.0.1-254
A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?
A. Steganography
B. Metadata removal
C. Encryption
D. Encode64
A. Steganography
A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?
A. Terminate the contract.
B. Update the ROE with new signatures.
C. Scan the 8-bit block to map additional missed hosts.
D. Continue the assessment.
B. Update the ROE with new signatures.
A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?
A. Add a dependency checker into the tool chain.
B. Perform routine static and dynamic analysis of committed code.
C. Validate API security settings before deployment.
D. Perform fuzz testing of compiled binaries.
A. Add a dependency checker into the tool chain.
A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?
A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.
D. Send a phishing email.
A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?
A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay
B. Deauthentication
A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company’s web presence. Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.)
A. MX records
B. Zone transfers
C. DNS forward and reverse lookups
D. Internet search engines
E. Externally facing open ports
F. Shodan results
D. Internet search engines
F. Shodan results
The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovered hosts to files without returning results for the attack machine?
A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d "" -f5 > live-hosts.txt
C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service
D. nmap -sS -Pn -n -iL target.txt -oA target_txtl
A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary?
A. To meet PCI DSS testing requirements
B. For testing of the customer’s SLA with the ISP
C. Because of concerns regarding bandwidth limitations
D. To ensure someone is available if something goes wrong
D. To ensure someone is available if something goes wrong
An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?
A. nmap -sA 192.168.0.1/24
B. nmap -sS 192.168.0.1/24
C. nmap -oG 192.168.0.1/24
D. nmap 192.168.0.1/24
B. nmap -sS 192.168.0.1/24
During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT?
A. Deny that the vulnerability existed.
B. Investigate the penetration tester.
C. Accept that the client was right.
D. Fire the penetration tester.
B. Investigate the penetration tester.
A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit?
A. Patch installations
B. Successful exploits
C. Application failures
D. Bandwidth limitations
D. Bandwidth limitations
A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the number of the service. Which of the following methods would BEST support validation of the possible findings?
A. Manually check the version number of the VoIP service against the CVE release.
B. Test with proof-of-concept code from an exploit database on a non-production system.
C. Review SIP traffic from an on-path position to look for indicators of compromise.
D. Execute an nmap -sV scan against the service.
A. Manually check the version number of the VoIP service against the CVE release.