PT0-002 Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the PT0-002 certification? This free PT0-002 exam prep resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective, free PT0-002 exam prep is the key to success. With these practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic PT0-002 practice questions that cover key exam topics. They are designed to reflect the structure and difficulty of the actual exam, making them a good fit for your study routine.
A penetration tester who is performing a physical assessment has achieved physical access to a call center for the assessed company. The tester is able to move freely around the room. Which of the following attack types is most likely to result in the tester obtaining personal or confidential information quickly?
A. Dumpster diving
B. Warwalking
C. Vishing
D. Smishing
E. Shoulder surfing
Performing a penetration test against an environment with SCADA devices brings an additional safety risk because the:
A. devices produce more heat and consume more power.
B. devices are obsolete and are no longer available for replacement.
C. protocols are more difficult to understand.
D. devices may cause physical world effects.
In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers. Which of the following actions would best enable the tester to perform phishing in a later stage of the assessment?
A. Test for RFC-defined protocol conformance.
B. Attempt to brute force authentication to the service.
C. Perform a reverse DNS query and match to the service banner.
D. Check for an open relay configuration.
A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company's privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server?
A. OpenVAS
B. Nikto
C. SQLmap
D. Nessus
A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?
A. ROE
B. SLA
C. NDA
D. SOW
A penetration tester gains access to a system, establishes persistence, and then runs the following commands: Which of the following actions is the tester MOST likely performing?
A. Redirecting Bash history to /dev/null
B. Making a copy of the user's Bash history for further enumeration
C. Covering tracks by clearing the Bash history
D. Making decoy files on the system to confuse incident responders
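As an added example (not part of the original question set): all four options above revolve around ~/.bash_history, so this is a small shell check that flags the usual history-tampering commands in a shell audit trail and labels each with the technique it represents. The sample command log is constructed for this example; a real source would be auditd EXECVE records, a TTY audit log, or centrally collected shell history.

```shell
# Added example, not code from the original page.
# Constructed sample of commands as they might appear in a shell audit trail.
SAMPLE_CMDS='id
export HISTFILE=/dev/null
unset HISTFILE
export HISTSIZE=0
history -c
cat /dev/null > ~/.bash_history
ln -sf /dev/null ~/.bash_history
set +o history
cp ~/.bash_history /tmp/.h
ls -la /var/log
kill -9 $$'

# Reads command lines on stdin and prints "<technique>\t<command>" for each
# line that matches a known history-tampering pattern. Order matters: the
# truncate/symlink rule runs before the read rule so that
# "cat /dev/null > ~/.bash_history" is classified as truncation, not a read.
flag_history_tampering() {
    awk '
        /HISTFILE=\/dev\/null|unset HISTFILE|HISTSIZE=0|HISTFILESIZE=0|set [+]o history/ {
            print "disable-history\t" $0; next }
        /history -c/ { print "clear-in-memory-history\t" $0; next }
        /> *~?\/?[^ ]*\.bash_history|ln -sf? \/dev\/null +[^ ]*\.bash_history/ {
            print "truncate-or-symlink-history\t" $0; next }
        /(cat|cp|less|scp) .*\.bash_history/ { print "history-read\t" $0; next }
        /kill -9 [$][$]/ { print "kill-shell-before-history-write\t" $0; next }
    '
}

# Run the check over the constructed sample; "id" and "ls" are not flagged.
printf '%s\n' "$SAMPLE_CMDS" | flag_history_tampering
```

The "kill -9 $$" rule is there because Bash writes its in-memory history to disk only on a clean exit; killing the shell with SIGKILL skips that write, so nothing from the session ever reaches the file.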
A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following: IP Address: 192.168.1.63 - Physical Address: 60-36-dd-a6-c5-33 Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?
A. tcpdump -i eth01 arp and arp[6:2] == 2
B. arp -s 192.168.1.63 60-36-DD-A6-C5-33
C. ipconfig /all | findstr /v 00-00-00 | findstr Physical
D. route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1
A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server. To remain stealthy, the tester ran the following command from the attack machine: Which of the following would be the BEST command to use for further progress into the targeted network?
A. nc 10.10.1.2
B. ssh 10.10.1.2
C. nc 127.0.0.1 5555
D. ssh 127.0.0.1 5555
A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router. Which of the following is MOST vulnerable to a brute-force attack?
A. WPS
B. WPA2-EAP
C. WPA-TKIP
D. WPA2-PSK
A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.)
A. Remove the logs from the server.
B. Restore the server backup.
C. Disable the running services.
D. Remove any tools or scripts that were installed.
E. Delete any created credentials.
F. Reboot the target server.
A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following: Which of the following combinations of tools would the penetration tester use to exploit this script?
A. Hydra and crunch
B. Netcat and cURL
C. Burp Suite and DIRB
D. Nmap and OWASP ZAP
Which of the following are the MOST important items for prioritizing fixes that should be included in the final report for a penetration test? (Choose two.)
A. The CVSS score of the finding
B. The network location of the vulnerable device
C. The vulnerability identifier
D. The client acceptance form
E. The name of the person who found the flaw
F. The tool used to find the issue
A penetration tester successfully infiltrated the targeted web server and created credentials with administrative privileges. After conducting data exfiltration, which of the following should be the tester’s NEXT step?
A. Determine what data is available on the web server.
B. Change or delete the logs.
C. Log out and migrate to a new session.
D. Log in as the new user.
A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?
A. schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe
B. wmic startup get caption,command
C. (crontab -l; echo "@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash") | crontab 2>/dev/null
D. sudo useradd -ou 0 -g 0 user
A company recruited a penetration tester to brute force an SSH password on a server. The tester would like to use THC Hydra to perform the attack and remembers the use of the -t option. Which of the following should be considered when using this option?
A. The number of connects in parallel per target
B. The number of task connects in parallel overall
C. The waiting time for a response between connects per threads
D. If the output shows log-ins and passwords for each attempt
For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https://example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information: Which of the following lines of code should the security engineer add to make the attack successful?
A. window.location = 'https://evilcorp.com'
B. crossDomain: true
C. geturlparameter('username')
D. redirectUrl = 'https://example.com'
Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?
A. Executive summary
B. Remediation
C. Methodology
D. Metrics and measures
A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?
A. Prohibiting exploitation in the production environment
B. Requiring all testers to review the scoping document carefully
C. Never assessing the production networks
D. Prohibiting testers from joining the team during the assessment
A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?
A. Steganography
B. Metadata removal
C. Encryption
D. Encode64
An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client's information?
A. Follow the established data retention and destruction process.
B. Report any findings to regulatory oversight groups.
C. Publish the findings after the client reviews the report.
D. Encrypt and store any client information for future analysis.
Which of the following factors would a penetration tester MOST likely consider when testing at a location?
A. Determine if visas are required.
B. Ensure all testers can access all sites.
C. Verify the tools being used are legal for use at all sites.
D. Establish the time of the day when a test can occur.
A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?
A. Hashcat
B. Mimikatz
C. Patator
D. John the Ripper
A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades-old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan?
A. The timing of the scan
B. The bandwidth limitations
C. The inventory of assets and versions
D. The type of scan
A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter, with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?
A. Data flooding
B. Session riding
C. Cybersquatting
D. Side channel
A penetration tester conducted an assessment on a web server. The logs from this session show the following: Which of the following attacks is being attempted?
A. Clickjacking
B. Session hijacking
C. Parameter pollution
D. Cookie hijacking
E. Cross-site scripting
A penetration tester discovers during a recent test that an employee in the accounting department had been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to discourage this type of activity in the future?
A. Enforce mandatory employee vacations.
B. Implement multifactor authentication.
C. Install video surveillance equipment in the office.
D. Encrypt passwords for bank account information.
Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement?
A. Performing a live demonstration of the results to the system administrators
B. Scheduling of follow-up actions and retesting
C. Attestation of findings and delivery of the report
D. Review of the lessons during the engagement
A penetration tester is trying to restrict searches on Google to a specific domain. Which of the following commands should the penetration tester consider?
A. inurl:
B. link:
C. site:
D. intitle:
A security analyst is conducting an unknown environment test from 192.168.3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve this objective?
A. nmap -F 192.168.5.5
B. nmap --data-length 2 192.168.5.5
C. nmap -D 0.5.2.2 192.168.5.5
D. nmap --scanflags SYNFIN 192.168.5.5
In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format:
A. Create a custom password dictionary as preparation for password spray testing.
B. Recommend using a password manager/vault instead of text files to store passwords securely.
C. Recommend configuring password complexity rules in all the systems and applications.
D. Create a TPM-backed sealed storage location within which the unprotected file repository can be reported.
A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following: Which of the following should the penetration tester do NEXT?
A. Close the reverse shell the tester is using.
B. Note this finding for inclusion in the final report.
C. Investigate the high numbered port connections.
D. Contact the client immediately.
A penetration tester gains access to a system and is able to migrate to a user process: Given the output above, which of the following actions is the penetration tester performing? (Choose two.)
A. Redirecting output from a file to a remote system
B. Building a scheduled task for execution
C. Mapping a share to a remote system
D. Executing a file on the remote system
E. Creating a new process on all domain systems
F. Setting up a reverse shell from a remote system
G. Adding an additional IP address on the compromised system
A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing?
A. Phishing
B. Tailgating
C. Baiting
D. Shoulder surfing
A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?
A. Add a dependency checker into the tool chain.
B. Perform routine static and dynamic analysis of committed code.
C. Validate API security settings before deployment.
D. Perform fuzz testing of compiled binaries.
A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company's network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment. Which of the following actions should the tester take?
A. Perform forensic analysis to isolate the means of compromise and determine attribution.
B. Incorporate the newly identified method of compromise into the red team’s approach.
C. Create a detailed document of findings before continuing with the assessment.
D. Halt the assessment and follow the reporting procedures as outlined in the contract.
A penetration tester conducted a discovery scan that generated the following: Which of the following commands generated the results above and will transform them into a list of active hosts for further analysis?
A. nmap -oG list.txt 192.168.0.1-254 | sort
B. nmap -sn 192.168.0.1-254 | grep "Nmap scan" | awk '{print $5}'
C. nmap --open 192.168.0.1-254 | uniq | sed 's/Nmap//2' > file.txt
D. nmap -O 192.168.0.1-254 | cut -f
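As an added example (not part of the original page): the grep/awk pipeline from option B applied to a constructed piece of "nmap -sn" output, next to a slightly more robust variant. The scan output below is made up for this example. It includes one host for which nmap resolved a reverse DNS name, because that is the case where the bare awk '{print $5}' prints the hostname rather than the address.

```shell
# Added example, not code from the original page.
# Constructed sample of what "nmap -sn 192.168.0.1-254" prints (no -n, so one
# host shows up as "name (ip)"). Not real scan data.
SAMPLE_SCAN='Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
Nmap scan report for fileserver.corp.local (192.168.0.10)
Host is up (0.0030s latency).
Nmap scan report for 192.168.0.23
Host is up (0.0008s latency).
Nmap done: 254 IP addresses (3 hosts up) scanned in 2.51 seconds'

# Option B as written: field 5 is the address only when nmap did not resolve
# a name, so the resolved host above comes out as "fileserver.corp.local".
live_hosts_simple() {
    grep "Nmap scan" | awk '{print $5}'
}

# Robust variant: the address is always the last field, optionally wrapped in
# parentheses, so take $NF and strip the parentheses.
live_hosts() {
    grep "Nmap scan report for" | awk '{ ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# Equivalent of "nmap -sn 192.168.0.1-254 | live_hosts > hosts.txt" on the sample
printf '%s\n' "$SAMPLE_SCAN" | live_hosts
```

Running the scan with -n (no reverse DNS) also makes the simple form correct, and is quieter on the wire because nmap sends no PTR queries.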
A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT?
A. Reach out to the primary point of contact.
B. Try to take down the attackers.
C. Call law enforcement officials immediately.
D. Collect the proper evidence and add to the final report.
A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks. Which of the following methodologies should be used to BEST meet the client's expectations?
A. OWASP Top 10
B. MITRE ATT&CK framework
C. NIST Cybersecurity Framework
D. The Diamond Model of Intrusion Analysis
A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?
A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay
A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.)
A. Shoulder surfing
B. Call spoofing
C. Badge stealing
D. Tailgating
E. Dumpster diving
F. Email phishing
A penetration tester ran a ping -A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type?
A. Windows
B. Apple
C. Linux
D. Android
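As an added example (not from the original page): a shell function that turns an observed reply TTL into an OS-family guess plus an estimated hop count. It assumes the common default initial TTLs of 64 (Linux, macOS, Android and most Unix), 128 (Windows) and 255 (Cisco IOS, Solaris and many network appliances); those defaults are the assumption here, since an administrator can change them, so the result is a hint to confirm with nmap -O rather than proof.

```shell
# Added example, not code from the original page.
# Each router on the path decrements TTL by one, so the TTL in a reply sits
# just below the sender's default. Picking the nearest default above the
# observed value gives both the OS family and the approximate hop count.
ttl_guess() {
    ttl=$1
    case "$ttl" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    if [ "$ttl" -le 0 ] || [ "$ttl" -gt 255 ]; then
        echo "invalid"; return 1
    fi
    if [ "$ttl" -le 64 ]; then
        base=64;  family="Linux/Unix"
    elif [ "$ttl" -le 128 ]; then
        base=128; family="Windows"
    else
        base=255; family="Cisco/Solaris/network device"
    fi
    echo "$family (default TTL $base, about $((base - ttl)) hops away)"
}

ttl_guess 128   # the value from the question: Windows, no routers in between
ttl_guess 117   # Windows host roughly eleven hops away
ttl_guess 52    # Linux/Unix host roughly twelve hops away
```

A TTL of exactly 128 (the question's case) means either a Windows host on the local segment or a host whose reply was not routed at all, which is itself useful information about where the tester sits relative to the target.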
A company recruited a penetration tester to configure intrusion detection over the wireless network. Which of the following tools would BEST resolve this issue?
A. Aircrack-ng
B. Wireshark
C. Cowpatty
D. Kismet
The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept?
A. Statement of work
B. Program scope
C. Non-disclosure agreement
D. Rules of engagement
Which of the following documents would be the most helpful in determining who is at fault for a temporary outage that occurred during a penetration test?
A. Non-disclosure agreement
B. Business associate agreement
C. Assessment scope and methodologies
D. Executive summary
A penetration tester fuzzes an internal server looking for hidden services and applications and obtains the following output: Which of the following is the MOST likely explanation for the output?
A. The tester is not using a valid SSL certificate.
B. The admin directory cannot be fuzzed because it is forbidden.
C. The admin, test, and db directories redirect to the log-in page.
D. The robots.txt file has six entries in it.
A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team?
A. Multiple handshakes
B. IP addresses
C. Encrypted file transfers
D. User hashes sent over SMB
A company requires that all hypervisors have the latest available patches installed. Which of the following would BEST explain the reason why this policy is in place?
A. To provide protection against host OS vulnerabilities
B. To reduce the probability of a VM escape attack
C. To fix any misconfigurations of the hypervisor
D. To enable all features of the hypervisor
During an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the web log for a target Apache server. Which of the following steps would the penetration tester most likely try NEXT to further exploit the web server? (Choose two.)
A. Cross-site scripting
B. Server-side request forgery
C. SQL injection
D. Log poisoning
E. Cross-site request forgery
F. Command injection
Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools?
A. Dictionary
B. Directory
C. Symlink
D. Catalog
E. For-loop
While performing the scanning phase of a penetration test, the penetration tester runs the following command: nmap -n -vv -sV -p- 10.10.10.23-28 After the Nmap scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try NEXT?
A. -sU
B. -Pn
C. -sn
D. -sS
We continuously update our content to ensure you have the most current and effective prep materials.
Good luck with your PT0-002 certification journey!