PT0-001 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the PT0-001 certification exam? Kickstart your success with our PT0-001 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with PT0-001 practice questions free gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free PT0-001 practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review.
A penetration tester has run multiple vulnerability scans against a target system. Which of the following would be unique to a credentialed scan?
A. Exploits for vulnerabilities found
B. Detailed service configurations
C. Unpatched third-party software
D. Weak access control configurations
When negotiating a penetration testing contract with a prospective client, which of the following disclaimers should be included in order to mitigate liability in case of a future breach of the client's systems?
A. The proposed mitigations and remediations in the final report do not include a cost-benefit analysis.
B. The NDA protects the consulting firm from future liabilities in the event of a breach.
C. The assessment reviewed the cyber key terrain and most critical assets of the client’s network.
D. The penetration test is based on the state of the system and its configuration at the time of assessment.
A vulnerability scan report shows what appears to be evidence of a memory disclosure vulnerability on one of the target hosts. The administrator claims the system is patched and the evidence is a false positive. Which of the following is the BEST method for a tester to confirm the vulnerability exists?
A. Manually run publicly available exploit code.
B. Confirm via evidence of the updated version number.
C. Run the vulnerability scanner again.
D. Perform dynamic analysis on the vulnerable service.
Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?
A. Manufacturers developing IoT devices are less concerned with security.
B. It is difficult for administrators to implement the same security standards across the board.
C. IoT systems often lack the hardware power required by more secure solutions.
D. Regulatory authorities often have lower security requirements for IoT systems.
A MITM attack is being planned. The first step is to get information flowing through a controlled device. Which of the following should be used to accomplish this?
A. Repeating
B. War driving
C. Evil twin
D. Bluejacking
E. Replay attack
A penetration tester needs to provide the code used to exploit a DNS server in the final report. In which of the following parts of the report should the penetration tester place the code?
A. Executive summary
B. Remediation
C. Conclusion
D. Technical summary
Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).
A. Shodan
B. SET
C. BeEF
D. Wireshark
E. Maltego
F. Dynamo
At the information gathering stage, a penetration tester is trying to passively identify the technology running on a client's website. Which of the following approaches should the penetration tester take?
A. Run a spider scan in Burp Suite.
B. Use web aggregators such as BuiltWith and Netcraft
C. Run a web scraper and pull the website’s content.
D. Use Nmap to fingerprint the website’s technology.
A systems security engineer is preparing to conduct a security assessment of some new applications. The applications were provided to the engineer as a set that contains only JAR files. Which of the following would be the MOST detailed method to gather information on the inner workings of these applications?
A. Launch the applications and use dynamic software analysis tools, including fuzz testing.
B. Use a static code analyzer on the JAR files to look for code quality deficiencies.
C. Decompile the applications to approximate source code and then conduct a manual review.
D. Review the details and extensions of the certificate used to digitally sign the code and the application.
In which of the following scenarios would a tester perform a Kerberoasting attack?
A. The tester has compromised a Windows device and dumps the LSA secrets.
B. The tester needs to retrieve the SAM database and crack the password hashes.
C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.
D. The tester has compromised an account and needs to dump hashes and plaintext passwords from the system.
A penetration tester wants to check manually if a `ghost` vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?
A. Download the GHOST file to a Linux system and compile gcc -o GHOST test i: ./GHOST
B. Download the GHOST file to a Windows system and compile gcc -o GHOST GHOST.c test i: ./GHOST
C. Download the GHOST file to a Linux system and compile gcc -o GHOST GHOST.c test i: ./GHOST
D. Download the GHOST file to a Windows system and compile gcc -o GHOST test i: ./GHOST
A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?
A. 2.9
B. 3.0
C. 4.0
D. 5.9
A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a Meterpreter command that is used to harvest locally stored credentials?
A. background
B. hashdump
C. session
D. getuid
E. psexec
A software development team recently migrated to new application software in the on-premises environment. Penetration test findings show that multiple vulnerabilities exist. If a penetration tester does not have access to a live or test environment, it may be better to recreate the same environment on a VM. Which of the following is MOST important for confirmation?
A. Unsecure service and protocol configuration
B. Running SMB and SMTP service
C. Weak password complexity and user account
D. Misconfiguration
At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computer names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information?
A. Enumeration of services
B. OSINT gathering
C. Port scanning
D. Social engineering
A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.)
A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.
B. Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com.
C. Place a script in C:\users\%username%\localappdata\roaming\temp\au57d.ps1.
D. Create a fake service in Windows called RTAudio to execute manually.
E. Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio.
F. Create a scheduled task to call C:\windows\system32\drivers\etc\hosts.
A penetration tester is performing a remote internal penetration test by connecting to the testing system from the Internet via a reverse SSH tunnel. The testing system has been placed on a general user subnet with an IP address of 192.168.1.13 and a gateway of 192.168.1.1. Immediately after running the command below, the penetration tester's SSH connection to the testing platform drops:
Which of the following ettercap commands should the penetration tester use in the future to perform ARP spoofing while maintaining a reliable connection?
A. # sudo ettercap -Tq -w output.cap -M ARP /192.168.1.0/ /192.168.1.255/
B. # proxychains ettercap -Tq -w output.cap -M ARP /192.168.1.13/ /192.168.1.1/
C. # ettercap -Tq -w output.cap -M ARP 00:00:00:00:00:00//80 FF:FF:FF:FF:FF:FF//80
D. # ettercap --safe-mode -Tq -w output.cap -M ARP /192.168.1.2-255/ /192.168.1.13/
E. # ettercap -Tq -w output.cap -M ARP /192.168.1.2-12;192.168.1.14-255/ /192.168.1.1/
A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO).
A. Convert to JAR.
B. Decompile.
C. Cross-compile the application.
D. Convert JAR files to DEX.
E. Re-sign the APK.
F. Attach to ADB.
A company has engaged a penetration tester to perform an assessment for an application that resides in the company's DMZ. Prior to conducting testing, in which of the following solutions should the penetration tester's IP address be whitelisted?
A. WAF
B. HIDS
C. NIDS
D. DLP
Which of the following actions BEST matches a script kiddie's threat actor?
A. Exfiltrate network diagrams to perform lateral movement.
B. Steal credit cards from the database and sell them in the deep web.
C. Install a rootkit to maintain access to the corporate network.
D. Deface the website of a company in search of retribution.
A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?
A. dsrm -users "DN=company.com; OU=hq CN=users"
B. dsuser -name -account -limit 3
C. dsquery user -inactive 3
D. dsquery -o -rdn -limit 21
A consultant is attempting to harvest credentials from unsecure network protocols in use by the organization. Which of the following commands should the consultant use?
A. tcpdump
B. john
C. hashcat
D. nc
Which of the following are MOST important when planning for an engagement? (Select TWO).
A. Goals/objectives
B. Architectural diagrams
C. Tolerance to impact
D. Storage time for a report
E. Company policies
A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network. Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?
A. Removing shells
B. Obtaining client acceptance
C. Removing tester-created credentials
D. Documenting lessons learned
E. Presenting attestation of findings
A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this?
A. Appendices
B. Executive summary
C. Technical summary
D. Main body
Which of the following can be used to perform online password attacks against RDP?
A. Hashcat
B. John the Ripper
C. Aircrack-ng
D. Ncrack
A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?
A. Run the application through a dynamic code analyzer.
B. Employ a fuzzing utility.
C. Decompile the application.
D. Check memory allocations.
During a physical security review, a detailed penetration testing report was obtained, which was issued to a security analyst and then discarded in the trash. The report contains validated critical risk exposures. Which of the following processes would BEST protect this information from being disclosed in the future?
A. Restrict access to physical copies to authorized personnel only.
B. Ensure corporate policies include guidance on the proper handling of sensitive information.
C. Require only electronic copies of all documents to be maintained.
D. Install surveillance cameras near all garbage disposal areas.
A company's corporate policies state that employees are able to scan any global network as long as it is done within working hours. Government laws prohibit unauthorized scanning. Which of the following should an employee abide by?
A. Company policies must be followed in this situation.
B. Laws supersede corporate policies.
C. Industry standards regarding scanning should be followed.
D. The employee must obtain written approval from the company’s Chief Information Security Officer (CISO) prior to scanning.
A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).
A. Mandate all employees take security awareness training.
B. Implement two-factor authentication for remote access.
C. Install an intrusion prevention system.
D. Increase password complexity requirements.
E. Install a security information event monitoring solution.
F. Prevent members of the IT department from interactively logging in as administrators.
G. Upgrade the cipher suite used for the VPN solution.
Which of the following has a direct and significant impact on the budget of the security assessment?
A. Scoping
B. Scheduling
C. Compliance requirement
D. Target risk
A client has requested an external network penetration test for compliance purposes. During discussion between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is the BEST argument as to why the penetration tester's source IP addresses should be whitelisted?
A. Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring systems.
B. Penetration testing of third-party IPS systems often requires additional documentation and authorizations; potentially delaying the time-sensitive test.
C. IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and newly discovered weaknesses.
D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on determining the relative effectiveness of active defenses such as an IPS.
A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?
A. From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal
B. From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm
C. From the remote computer, run the following command: ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 "xhost+; xterm"
D. From the local computer, run the following command: nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192.168.1.10 6000
Which of the following vulnerabilities are MOST likely to be false positives when reported by an automated scanner on a static HTML web page? (Choose two.)
A. Missing secure flag for a sensitive cookie
B. Reflected cross-site scripting
C. Enabled directory listing
D. Insecure HTTP methods allowed
E. Unencrypted transfer of sensitive data
F. Command injection
G. Disclosure of internal system information
H. Support of weak cipher suites
During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?
A. Shell binary placed in C:\windows\temp
B. Modified daemons
C. New user creation
D. Backdoored executables
If a security consultant comes across a password hash that resembles the following: b117525b345470c29ca3d8ae0b556ba8
Which of the following formats is the correct hash type?
A. Kerberos
B. NetNTLMv1
C. NTLM
D. SHA-1
Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?
A. ICS vendors are slow to implement adequate security controls.
B. ICS staff are not adequately trained to perform basic duties.
C. There is a scarcity of replacement equipment for critical devices.
D. There is a lack of compliance for ICS facilities.
A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?
A. MAC address of the client
B. MAC address of the domain controller
C. MAC address of the web server
D. MAC address of the gateway
When performing compliance-based assessments, which of the following is the MOST important key consideration?
A. Additional rate
B. Company policy
C. Impact tolerance
D. Industry type
A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to which only an administrator should have access. Which of the following controls would BEST mitigate the vulnerability?
A. Implement authorization checks.
B. Sanitize all the user input.
C. Prevent directory traversal.
D. Add client-side security controls
A penetration tester directly connects to an internal network. Which of the following exploits would work BEST for quick lateral movement within an internal network?
A. Crack password hashes in /etc/shadow for network authentication.
B. Launch dictionary attacks on RDP.
C. Conduct a whaling campaign.
D. Poison LLMNR and NBNS requests.
A penetration tester is attempting to open a socket in a bash script but receives errors when running it. The current state of the relevant line in the script is as follows:
Which of the following lines of code would correct the issue upon substitution?
A. open 0/dev/tcp/${HOST}:${PORT}
B. exec 0</dev/tcp/${HOST}/${PORT}
C. exec 0</dev/tcp/$[HOST]:$[PORT]
D. exec 3/dev/tcp/${HOST}/${PORT}
E. open 3</dev/tcp/${HOST}/${PORT}
F. open 3</dev/tcp/$[HOST]/$[PORT]
A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?
A. The physical location and network ESSIDs to be tested
B. The number of wireless devices owned by the client
C. The client’s preferred wireless access point vendor
D. The bands and frequencies used by the client’s devices
A penetration tester is performing a wireless penetration test. Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?
A. Deauthentication attacks against an access point can allow an opportunity to capture the four-way handshake, which can be used to obtain and crack the encrypted password.
B. Injection of customized ARP packets can generate many initialization vectors quickly, making it faster to crack the password, which can then be used to connect to the WPA2-protected access point.
C. Weak implementations of the WEP can allow pin numbers to be guessed quickly, which can then be used to retrieve the password, which can then be used to connect to the WEP-protected access point.
D. Rainbow tables contain all possible password combinations, which can be used to perform a brute-force password attack to retrieve the password, which can then be used to connect to the WPA2-protected access point.
A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?
A. Perform an HTTP downgrade attack.
B. Harvest the user credentials to decrypt traffic.
C. Perform an MITM attack.
D. Implement a CA attack by impersonating trusted CAs.
In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?
A. Common libraries
B. Configuration files
C. Sandbox escape
D. ASLR bypass
An engineer who is conducting a penetration test for a web application discovers that the user login process sends form field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form should be sent using the:
A. HTTP POST method.
B. HTTP OPTIONS method.
C. HTTP PUT method.
D. HTTP TRACE method.
A file contains several hashes. Which of the following can be used in a pass-the-hash attack?
A. NTLMv2
B. Kerberos
C. NTLMv1
D. LMv2
E. NTLM
A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0. Which of the following levels of difficulty would be required to exploit this vulnerability?
A. Very difficult; perimeter systems are usually behind a firewall.
B. Somewhat difficult; would require significant processing power to exploit.
C. Trivial; little effort is required to exploit this finding.
D. Impossible; external hosts are hardened to protect against attacks.
A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration?
A. Obtain staff information by calling the company and using social engineering techniques.
B. Visit the client and use impersonation to obtain information from staff.
C. Send spoofed emails to staff to see if staff will respond with sensitive information.
D. Search the internet for information on staff such as social networking sites.
Free Access Full PT0-001 Practice Questions Free
Want more hands-on practice? Click here to access the full bank of PT0-001 practice questions free and reinforce your understanding of all exam objectives.
We update our question sets regularly, so check back often for new and relevant content.
Good luck with your PT0-001 certification journey!