CompTIA PenTest+ (PT0-002) — Complete Study Guide

Which penetration testing tool is often used first in an engagement and can quickly find hosts on a network, listening network ports, services on identified hosts, and a wide variety of other target information and enumeration details?

There are many reasons organizations choose to perform vulnerability scanning on their information technology assets. Meeting obligations for PCI DSS would be an example of which of the following purposes for conducting vulnerability scans?

During a port scan of a particular target host IP address, TCP port 22 was found to be open. Which of the following types of attacks would an ethical hacker choose to attempt against this host's listening TCP port 22?

Ethical hackers can make use of port and network scanning tools in order to perform tasks like host discovery and identification of open ports on target systems. Which of the following tools is most suited for these tasks?

In which of the following ways are Microsoft Windows virtual machines different from Linux virtual machines?

When comparing the requirements set forth in both the GDPR and PCI-DSS, which of the following statements describes a key difference in how the requirements are stated?

One of the most basic programming concepts is the assignment to a location or object within a program of a value that can be modified, changed, or otherwise used throughout the program. What are the values that are stored within software code called?

The Metasploit Framework, an exploit framework commonly used by ethical hackers and malicious attackers alike, gives exploits a "rank." What does the rank indicate about an exploit?

Which of the following attacks is not an example of an authentication attack against a vulnerable web application or site?

Penetration testers use which of the following techniques to identify and catalog lists of target details, such as hosting IP addresses and open network ports, often obtained by using active reconnaissance tools?

A SCADA device on an IP network that controls the flow of fluid to and from a manufacturing assembly line is only accessible remotely for administrative access on TCP port 22. What type of attack should ethical hackers attempt against this machine?

A social engineer for an ethical hacking company has performed reconnaissance and has located an entrance to a target facility that is protected only by a security badge reader and a revolving mantrap type of entry barrier. Which of the following tools or techniques would defeat this physical security measure without alerting security personnel?

Once a penetration test is completed and a formal report has been delivered to the client, which of the following activities typically signifies that the client has received each of the required deliverables outlined in the original statement of work?

During a pen test, an ethical hacker seeks to perform an attack that is not considered an "On-Path" attack. They want to demonstrate to their target how an attacker can exploit a server on the organization's DMZ or a cloud service from outside the organization's network. Which of the following methods meets the pen tester's objective as an attack that could be performed external to the target's network and not "On-Path" between the tester and the target system?

Which of the following attacks can be used on a local area network to "trick" hosts into sending traffic through a malicious system instead of the LAN's default gateway? This attack is achieved by manipulating the default gateway's MAC address to that of malicious MAC address within the temporary layer 2 to layer 3 mapping table on the target's operating system.

Which of the following types of vulnerability scans can return privileged system or network information to a pen tester by using the user account and corresponding password to connect and assess a target machine?

Which of the following attacks is an example of a specific attack exploiting directory traversal vulnerabilities on a server that allows execution of files located on a second system?

Which of the following results is not a potential consequence of ethical hackers not adhering to all documents and work agreements such as the Scope of Work and Rules of Engagement?

A threat actor is primarily different from an ethical hacker in which of the following ways?

Passive reconnaissance of a target organization is often the first phase of a penetration test. Why might passive reconnaissance be considered critical to the success of the next phases of a pen test?

Which of the following OWASP Top 10 Web Application Vulnerabilities can potentially expose personally identifiable information that is improperly stored or cached in a web browser or other local disk path? This issue could be especially concerning if a user accesses a banking web application from a public access workstation.

An ethical hacker used Nessus during an engagement and determined that one system was vulnerable to CVE-2013-2566. If not immediately familiar with this vulnerability, what would be the best course of action for the ethical hacker to perform next?

Students learning ethical hacking will benefit from using a penetration testing lab in all but which of the following ways?

An ethical hacker has been hired to identify vulnerabilities and attempt to exploit them on a customer's AWS platform. Which of the following tools is most suited for creating and performing exploits against AWS targets?

Which type of penetration test provides the ethical hackers with full knowledge of the target, including network diagrams, IP address ranges, and operating systems, and may most closely resemble how "real-world" attackers might conduct cyberattacks?

A good social engineer will understand the psychology behind what drives and motivates targets to perform an action that the engineer is attempting to get the target to complete. A social engineer emails a help desk technician working for the target, posing as a company executive and requesting an immediate change to an account so that the executive can accomplish a task with an impending deadline. Which human traits or motivations are being played upon in this scenario?

A penetration tester uses Nmap to scan a range of target IP addresses given by the client and specified in the testing agreement as allowable for testing. The tester determines that the target systems each have TCP ports 80 and 443 open, as indicated by a TCP Connect scan. Based on these results, what can the pen tester infer?

Penetration testers will use tools such as Tenable's Nessus to conduct vulnerability assessments and scans. What is the purpose of conducting a vulnerability scan with Nessus?

When sharing results of a penetration test with clients, numeric data from various sources will be available for inclusion in the report. Since this data is typically generated by different applications and systems, what process will be important to use in order to set and map source data to a common and relevant scale for the customer to best understand?

At the completion of a penetration test, ethical hackers should specify post-engagement cleanup activities and perform them in a timely manner. Which of the following activities is an example of post-engagement cleanup?

An ethical hacker engaged in social engineering will attempt to "set the stage," or develop a backstory to provide legitimacy to their attempt at social engineering a victim or target organization. What is the process of creating a believable scenario, character, or persona for use in the social engineering attack called?

At the completion of a successful physical penetration test of an organization, the client was presented with evidence of multiple ways in which the pen testers were able to gain access to secure locations within a target facility. The client was recommended to install controls such as man traps, bollards, and video surveillance. These are examples of which of the following types of remediation and mitigation controls?

The following is an example from the textbook of an algorithm for the procurement of the ingredients needed to make a BLT sandwich. This example is written in a common way that represents in human readable form what a program will do once coded in a programming language. What is this human readable format called?

Which of the following types of information is not typically disclosed about a target by using a WHOIS tool?

It is important for ethical hackers to possess a basic understanding of common scripting and programming languages used in pen testing. Some programming languages require source code to be compiled to machine code before it will execute. Scripting languages that are processed line by line via the appropriate language interpreter running on a system are more commonly used in pen testing. The CompTIA PenTest+ exam objectives focus on interpreted or scripting languages. Which of the following languages is not considered a scripting language?

An ethical hacker working on assessing the security of a client's wireless network has created an access point with an SSID that is identical or very close to the SSID that the client employs on their network. The pen tester's goal is to attract legitimate users to connect to their AP and then perform additional network attacks such as MITM or credential harvesting. What is the name for this type of wireless attack?

Enumeration is the process of querying targets for potentially useful details. This information is used to further help the pen tester select which services and systems to examine for potential vulnerabilities to exploit. Which of the following tools will provide ethical hackers with enumeration details obtained from targeting Linux hosts?

Which of the following vulnerabilities is not one of the OWASP Top 10 Web Application Vulnerabilities exploitable via injection techniques [OWASP A1]?

A penetration tester will choose targets on which to perform vulnerability scanning by looking at which of the following sources of information or documents?

Which peer-reviewed penetration testing framework or methodology provides "test cases that result in verified facts" and can test operational security of physical locations, human interactions, and all forms of communications?

A penetration tester who has successfully exploited a target server containing proprietary manufacturing blueprints and trade secrets might attempt to do what with that sensitive data?

Using a vulnerability scanning tool, an ethical hacker determined that a target Windows system was vulnerable to the well-known EternalBlue exploit. Which of the following ready-to-use attack tools can be used to exploit the target?

A manufacturing company headquartered in Munich, Germany is required to comply with which of the following European Union (EU) data and privacy mandates, touted by the EU as "the toughest privacy and security law in the world" and originally adopted in 2016?

When learning ethical hacking, what is a primary advantage of creating a virtualized penetration testing lab over using traditional standalone computers for each lab host?

An important component of the final penetration test report is a table, or a similar figure, that explains the risk rating of discovered vulnerabilities. What is the risk rating methodology formula for calculating the risk rating of a particular vulnerability?

A communication trigger is an event that requires specific and immediate communication between the pen testers and an appropriate stakeholder. Which of the following communication triggers could present a significant concern uncovered during a pen test?

A penetration tester hired to assess the virtualization resources, infrastructure, and virtual machines discovered a vulnerability in the operating system of one virtual machine on a client's production hypervisor. The exploit of the vulnerability allowed the pen tester to communicate directly with the hardware of the hypervisor itself. What is this serious type of flaw called?

Pen testers use scripting languages frequently during their activities. What is an example of automating pen testing activity using scripts?

During a penetration test, timely or immediate communication between the ethical hackers and the client is critical in certain circumstances. Which of the following examples would require time sensitive communication with the client?

A penetration tester seeks to discover vulnerabilities in an organization's system before they can be:

A pen testing group has been hired to attempt to gain access to a target organization's internal network. However, they are not allowed to attempt to enter or gain access to the facility itself. Which of the following types of attacks might accomplish the goal of network access without requiring physical access to the target's building?

A virtual appliance is a VM that has been preconfigured and is commonly distributed in which of the following file formats?

One purpose of vulnerability assessments is to locate flaws that are contained within the software or hardware of the target organization's information technology and systems. Once a penetration tester identifies software vulnerabilities, where should they search to find an indexed list of the details related to specific vulnerabilities?

What is the primary difference between the well-known cybersecurity model of the CIA triad and the lesser-known DAD triad?

Which of the following legal documents, considered the "key document" in a pen testing agreement between a client and penetration tester, typically contains specific and detailed information on the scope and plan of testing?

Which of the following software tools is used to discover targets, services running on remote hosts, and potential vulnerabilities?

Ethical hackers use techniques such as clearing log files and removing exploit tools to avoid being detected or leaving evidence of a breach. What are these artifacts commonly called?

Which of the following mobile applications would pen testers use if they want to test to determine whether traffic sent to and received from the application is vulnerable to on-path eavesdropping of the communications?

What is a capture of a virtual machine's current state and configuration called?

Many penetration testers are well versed in the use of Bash scripting. Which of the following factors explains why Bash scripting is so widely used?

While potentially illegal under the American FCC and Canadian CRTC, what type of attack can create a DoS scenario by flooding specific wireless channels in order to prevent legitimate users from successfully conducting communications on the same channel or radio spectrum?

Attackers may leverage cloud services that store temporary credentials associated with infrastructure services, such as those controlling access to storage. Other vendors store running VM details, including operating systems, target names, and network interfaces configurations. This information, if obtained by an ethical hacker, can play a part in information gathering for following up on cloud pen-testing activities. Where is this information commonly stored on cloud service providers?

Which of the following legal agreements, commonly entered into between a penetration tester and a client, restricts the ability of information obtained during a pen test, such as vulnerability details or proprietary information, from being shared with parties not specifically outlined in the agreement?

An ethical hacking organization has been hired to do an analysis of the wireless network assets of a company's three-block-long corporate campus. The organization wants to determine whether their WiFi networks can be "seen" by passersby using freely available tools. Which of the following applications in Kali Linux is best suited to perform wardriving, allowing the pen testers to catalog a list of visible SSIDs and their hardware details and capabilities when run in proximity to the organization's campus locations?

James is using a tool to crawl a website for useful information. Another term used to describe this activity is what?

You receive an email stating that you must change your Apple TV password, but you don't have an Apple TV subscription. What social engineering attack may have just been attempted?

Trish is monitoring traffic and notices that hundreds of authentication requests are being sent to port 22 of a particular computer. What type of attack might be taking place?

During a penetration test, Colette has bypassed the receptionist desk in the check-in area to locate the MDF of the organization. Which phase of the penetration testing process is Colette currently in?

What document should clearly spell out the details regarding the retention and destruction of data created during pen testing?

Which of the following can be used to choose targets for a pen-test attack?

Your pen-testing client uses a Windows Active Directory domain to control all their Windows desktop computers. Which of the following tools can you use with PowerSploit to exfiltrate Kerberos credentials from the Windows operating system?

Jimbo opens several ports on a compromised system to ensure persistence. He has opened ports 3389, 5900, 22, and 23. Which port is utilized by the VNC desktop application?

What keyword is used in JavaScript to define a function?

Which of the following passive reconnaissance tools is most useful for gathering open-source intelligence in the first phase of a pen test?

Which of the following reconnaissance tools is most likely to be detected by a target's defenses when used by ethical hackers as part of a pen test?

Organizations that use cloud services to host web resources and serve large numbers of user accounts can be targeted by attackers performing credential reuse and credential spraying attacks. The likelihood of successful attacks against user accounts is most greatly decreased by implementing which of the following interventions?

A penetration test report should address each vulnerability discovered individually and include the risk rating calculated for the client. If a business impact analysis is to be included within the scope of the pen test, what would this contain?

Mobile devices such as smartphones and tablets are subject to their own unique set of vulnerabilities. Due to the overwhelming number of smartphone apps and the constantly evolving ways to receive digital communications on a smart device, what is one well-known, platform-independent method that is often employed against smartphone users by ethical hackers as the precursor to other actions?

During an active penetration test, the pen testers discover indication of an active data breach in progress. This scenario requires immediate communication to an emergency contact at the organization. Who would be the most appropriate contact for reporting an active breach?

Which of the following terms refers to the stage of ethical hacking where pen testers employ a variety of tools and tactics to maintain access to a target after exploitation?

What category of network attacks can overwhelm or break applications, network protocols, or communication links in order to prevent legitimate users from accessing resources that should be readily available?

The Rules of Engagement (ROE) govern what the penetration tester can and cannot do during a pen test, including all but:

An ethical hacker received a list of the usernames and passwords of employees at a target organization. These were obtained when some employees responded to a "phishing" email with their credentials during training exercises conducted by the target organization's information security department. The CSO wants the pen tester to confirm that these employees are no longer using their exposed usernames and passwords. Which of the following applications is most suited to use these credentials as part of a password spraying attack against the target's authentication and application servers?

Having successfully exploited a target authentication server, what type of sensitive information can tools such as John the Ripper and Mimikatz be used to expose?

Penetration testers may be asked to perform assessments on operational technology or specialized systems that are used in a plethora of environments and for an expansive and growing set of purposes. These may be referred to by acronyms that describe a specific purpose, such as SCADA, IIoT, ICS, or may be termed embedded systems. Which of the following common security issues are these specialty systems not vulnerable to?

What type of attack could potentially allow a pen tester to plant or install malware directly into a target organization's computer without the use of an internet-based or network-based attack?

Which of the following virtual machines in the pen testing lab will primarily function in the attacker role?

The code sample below from the textbook is a simple loop written in Python. names = ["Bob", "Jamal", "Sasha"] for x in names: print(x) What would be the result of running this code?

Using tools that are native to the operating system to conduct exploits is an example of which of the following types of exploit techniques?

Some typical requirements desired for career opportunities in ethical hacking may include all but which of the following experiences or achievements?

A social engineering team seeks to obtain passwords to critical internal code repositories at a target organization. The team creates well-crafted email messages persuading entry-level development staff to open attachments with credential harvesting malware. By targeting this select group of employees at the target organization, which of the following tactics are the pen testers attempting?

An ethical hacker was able to obtain an administrative user's credentials via a social engineering email message. The hacker used those credentials to log in with root access to a DNS server. The attacker found they can pivot directly to other DNS servers through SSH without needing to enter a username and password and are able to pivot further and explore the network systems. What is the most likely reason for this scenario?

Which of the following potential application injection statements has the potential to execute operating system commands on a vulnerable remote system?

Which command option allows a user to display the full Internet protocol configuration for a Linux VM?

While performing data gathering for a pen-testing engagement, you discover that the client has a lot of European customers. Which of the following would you consult to check what rules govern the personal information of citizens from the European Union when that information is stored in the United States?

If threat actors can steal session authentication cookies, they can use them to impersonate the user and gain access to the web server and the resources that the user was authorized to access. What type of attack is this? Choose two.

After completion of a vulnerability scan and identifying several critical items, Dwight wants to see if a threat actor would be able to take advantage of the vulnerability through an automated tool. Which database could he utilize to find out if information on an exploit exists?

A structured approach to identifying and ranking potential threats to a system defines which term?

Which of the following cloud tools can be used against AWS for exploits such as privilege escalation, backdoors, IAM modifications, and executing code remotely?

Andy is utilizing the first server he was able to compromise to launch new attacks on other systems of the same network. Which term defines the activity that Andy is accomplishing?

Which type of application test tool can be used by software developers and pen testers to analyze running code in a stop-and-start fashion?

Normally one of the first documents to be signed, an NDA determines what confidential information, if any, is or is not to be disclosed to parties outside of the agreement. Examples of information that may not be disclosed include which of the following?

The main groups involved in a penetration test will include the red and blue teams. Other stakeholders that may be involved include all the following except whom?

A social engineer is searching for useful printed security information that may have been discarded or left unprotected. What type of physical attack are they performing?

What is the interactive Python shell also called?

Vulnerability scanners, like other software, need to be maintained and updated. Nessus and other tools may be automated to maintain their plugins through repositories known as what?

Alternatives to the Oracle VirtualBox application include all of the following except:

Which of the following commands can be used from a Kali Linux terminal session to determine if your attack computer is Bluetooth capable?

A pen tester is performing onsite pen tests at a client's location. When they plug their laptop into a known good switch, they are failing to get an IP address. They suspect that client security devices are blocking their laptop so they contact the client's IT department to see if this can be fixed. What communication activity is being performed?

Paulie just received a .pcap file for analysis from the pentest team. Which application should Paulie use to open this file?

Which of the following is not an 802.11 transmission standard that you might find on a WAP?

An ethical hacker has been assigned to break into a target organization's 802.11 wireless network infrastructure using any available tools and techniques. Which of the following toolsets is most likely to have success in attacking 802.11 wireless networks using multiple techniques and methods?

What Windows command displays useful IP configuration information such as the IP address assigned to a network interface?

What is Metasploitable2?

Approximately how many devices worldwide currently run Windows 10?

Kali Linux is widely used by pen testers because it's free and comes with many pen-testing tools already installed.

What is an OVA?

What percentage of computers still run Windows 7?

When did Windows 7 reach the end of its life?

What kinds of pen-testing activities can you perform against the DVWA target? (Choose all that apply)

Which two of the following commands reveal IP address information on a Linux machine?

How can a Windows Server be made into a domain controller?

What is VirtualBox?

Which of the following is a free, globally accessible service that offers comprehensive and current cybersecurity threat information detailing threat activities, techniques, and models?

What document is a legally enforceable agreement between pen testers and clients that states that any confidential or sensitive information disclosed by the client to the pen tester, or discovered during pen testing, will not be disclosed to parties outside of the agreement?

Obtaining authorized permission to attack from an organization automatically provides permission to attack any resources that may be hosted by third-party service providers.

Which of the following is not a DPO responsibility?

What document is a contractual agreement between two or more parties, where one party is the customer and the other a service provider, and outlines the services to be provided to the customer?

Before any hands-on pen-testing activities take place, the entire pen-testing engagement must be carefully and completely planned.

What documented part of pen-test planning defines the dos and don'ts, such as the types of tests that are being performed and the types of tests that are disallowed?

What document is a contractual agreement between two or more parties that covers details such as scope, deliverables, price and payment schedule, project schedule, change management handling rules, locations of work, and liability disclaimers?

Nmap is a globally recognized pen-testing tool that pen testers are allowed to use without restriction.

Which of the following are examples of regulatory compliances standards? (Choose all that apply)

Data security and privacy rights are requirements of which compliance standard?

In the event of a data breach, how long does an organization have to report the breach according to GDPR requirements?

What is governance?

Which of the following are Internet search engines that can be used to find security issues for all types of devices that are connected to the Internet?

Tokens acquired either by intercepting network traffic or scraping websites could be used for authentication purposes during pen testing.

What type of information can be included in document metadata?

Which of the following terms describe the act of eavesdropping on network communication for the purpose of information gathering?

Which of the following tools cannot be used for DNS information gathering?

What is web scraping?

If you are gathering intelligence from information and items that a target organization has thrown out, what are you doing?

Which of the following is not another term for information gathering?

People, including technical and administrative contacts, can be targets for pen testing.

theHarvester is a command-line tool that can be used to discover email addresses.

How is DNS information useful in pen testing?

CVE and CWE websites are good sources of vulnerability intelligence.

Which nmap flag is used to perform ping sweeps?

Which of the following can be used as detection avoidance techniques?

Passive techniques don't directly engage targets but instead gather openly shared information from other sources.

What is social media scraping?

Which nmap flag is used to adjust scan timing?

What is OSINT?

PwnedorNot is a hacking website where hackers share password dumps.

Which of the following vulnerability scanning tools can do more than just scan web applications?

What is the purpose of bandwidth considerations during vulnerability scanning?

Some vulnerability scan results can also specify exploit frameworks that can be used against the vulnerability.

What are some of the reasons vulnerability scanning is executed?

The process of entering random data into all the input fields of applications to make sure input is validated is known as which of the following?

If a vulnerability discovered is particularly tricky to exploit, requiring Mr. Robot-level skills, what AC value should it be assigned?

The CIA triad is an important consideration during vulnerability testing.

Vulnerability scanning can impact target systems detrimentally, so steps should be taken to mitigate this impact.

Which application testing methodology requires access to the source code?

What type of vulnerability scan includes login information in its configuration?

What organization provides the "Ten Most Critical Web Application Security Risks" paper?

Which of the following CVSS base scores would map to medium severity vulnerabilities?

What is an application container?

What does a CVSS AV metric value P mean?

Before attempting to exploit a vulnerability, you should always check the statement of work and rules of engagement to make sure the target is in scope.

Which of the following exploit types can be used remotely against a target?

Which of the following is an example of nontechnical post exploitation?

The SMB protocol can be exploited using hash replay techniques.

The PowerSploit framework can be used against targets running the Linux operating system.

Metasploit can be used to gain access to targets and upload exploit payloads to them.

Using a compromised target to discover and compromise other targets is known as which of the following?

What are some of the ways of building a list of valid user accounts?

What command can be used to list available exploits in the Metasploit Framework?

Which of the following cannot be used for password brute-force attacks?

Enumerating application and operating system versions can help with exploitation.

BloodHound can be used to query domain controllers and gather Active Directory information.

Increasing the permissions that an attacker's shell environment has is known as which of the following?

Completely deleting logs files to avoid being detected is a suggested evasion tactic.

What is fileless malware?

Which of the following are ways to achieve persistence? Choose all that apply.

Which of the following are network access control mechanisms?

Because Kerberos uses an elaborate and secure ticket granting system to control access to resources, it cannot be exploited.

Before attempting a network attack, you should always check the scope and rules of engagement to make sure the target and the attack type are in scope.

Which of the following can be used for SMB attacks?

What is a DoS attack?

VLAN hopping corrupts layer 2 frame tagging rules to circumvent security and access previously inaccessible LANs.

What is an on-path/MITM attack?

If a device cannot determine an IP address by asking a DNS server or checking its DNS cache, what method might it try next?

FTP communications are unencrypted, so attacks using tools such as Wireshark might be able to intercept unencrypted passwords.

MAC addresses are burned into wired and wireless network cards and therefore cannot be spoofed.

Using several exploits together to accomplish a goal is known as which of the following?

What is ARP poisoning?

What can the Responder tool be used for?

Which of the following CANNOT be used for SSH brute-force attacks?

IoT devices can be vulnerable to DNS spoofing attacks.

Telnet can be used for SMTP attacks.

What are some ways of choosing targets for attack?

Which of the following can threat actors use as a bridge to access secure enterprise networks? Choose all that apply.

What is an SSID?

What is WPS?

What are some ways of choosing targets for wireless attacks? Choose all that apply.

Which of the following are vulnerabilities known to affect mobile devices? Choose all that apply.

What is a BLE attack?

Which of the following are wireless network attack tools? Choose all that apply.

What type of wireless attack attempts to force systems to disconnect from an AP?

What is an evil twin?

Mobile devices are prone to which of the following types of attacks? Choose all that apply.

The WPA3 protocol is so secure that it is impossible to exploit.

Successful Bluetooth attacks can result in which of the following? Choose all that apply.

What is a supplicant?

What is Kismet?

What is IIoT?

Before attempting a wireless network attack, you should always check the scope and rules of engagement to make sure the target and the attack type are in scope.

NFC has such a short range that it is impossible to hack.

When examining the log file for a web server, you observe an entry that contains the following: https://www.someshoppingsite.com/orderform.php?redirect=http%3a//www.threatactor.com/stealyourpassword.htm What type of attack is this?

The automated process of scanning a server to discover directories, files, and possibly subdomains is known as which of the following?

What is fuzzing?

Which of the following types of application testing tools can be used to modify web application traffic for the purpose of performing on-path/MITM attacks?

Which organization provides the "Ten Most Critical Web Application Security Risks" paper?

Session hijacking attacks often use stolen cookies.

Which type of attack uses a compromised website that the user is authenticated with to send fake requests to another website that the user is also authenticated with?

Which secure coding practices can help to mitigate SQL injection attacks? Choose two.

What type of attack targets Microsoft Active Directory?

What type of attack is commonly used against web applications in an attempt to extract information from its database? Choose all that apply.

Which of the following are authorization attacks? Choose all that apply.

When examining the log file for a web server, you observe some entries that contain the characters 1' or 1=1 #. What might this indicate?

What type of attack is a "pass-the-ticket" attack?

Which of the following tools can be used to intercept JavaScript responses from mobile devices and inject custom code?

Mobile devices are prone to which of the following types of attacks? Choose all that apply.

Cross-site scripting attacks cannot permanently alter the pages of a website.

What type of attack is being attempted with the following URL: https://mysite.com/cgi-bin/getFile.pl?doc=/bin/ls|

Which of the following can be used to determine if a computer you are remotely connected to is a virtual machine? Choose all that apply.

What is a SAM database?

What cloud attack is a form of distributed denial-of-service that targets content delivery networks and load distribution systems?

Which of the following are nonoperating system-specific exploits that can be used to attack hosts? Choose all that apply.

Which of the following two commands reveal distribution and version information, useful when attempting Linux Kernel exploits? Choose two.

Which of the following is used to virtualize and isolate applications?

Mimikatz can be used to exploit Windows NTLM credential hashes.

Which of the following can be used for attacking hosts remotely? Choose all that apply.

Which of the following commands will find files that have the SUID bit turned on (1)?

Which of the following Linux tools can be used to acquire credentials from a Windows system? Choose all that apply.

What type of attack might use a command of this format? aws s3 ls s3://<somebucket> --region <region>

What cloud attack targets shared resources on a cloud server?

Which term describes the compromise of a cloud account, allowing pen testers to assume control of that account for their own purposes?

What does it mean if the SUID bit is turned on (1) in an executable file's permission setting?

What is it called when a virtual machine is used to attack its host computer and perhaps other VMs on that host?

What is an LSA secret?

What does the sudo command do?

What cloud attack redirects victims to a threat actor's cloud-based VMs and services?

Why is SSH useful in remote host attacks? Choose all that apply.

What type of phishing attack uses phone calls?

What type of website-based attack infects a legitimate website with malware hoping to infect employees of a targeted organization?

It is always illegal to pick locks during pen testing.

Social engineering is never performed in person.

What is BeEF?

Which of the following are person-to-person social engineering methods? Choose all that apply.

What social engineering term is used to describe peeking at an activity a victim is performing in an attempt to see what they are doing and gather information?

What social engineering tool uses "hooks" to gain control over web browsers on a victim's computer?

What term describes a threat actor manipulating a person with the intent to trick that person into doing something that will compromise their personal security or the security of the organization they work for?

Before performing pen-testing physical attacks you should alert the appropriate stakeholders and contacts.

What is it called if a pen tester gains entry to a building or room by sneaking in behind someone who has just opened a secure door?

Tapping a filed key into a lock in an attempt to open it is known as which of the following?

Which social engineering term refers to questioning a person before you impersonate them?

Gathering information from a targeted facility by discovering unprotected or discarded items is known as which of the following?

Which type of pen testing exploits human vulnerabilities in order to gain access to sensitive information and actionable intelligence?

Which of the following tools can be used for VoIP-based social engineering attacks? Choose all that apply.

What type of social engineering attack uses some form of messaging technology to send unsolicited nefarious messages to targeted victims?

Which principle of the psychology of social engineering is being used if the victim believes the situation is critical and needs to be fixed immediately?

Which principle of the psychology of social engineering is being used if the victim believes the threat actor has the right and power to ask the victim to perform the desired action?

What is a pretext for an approach?

Pieces of evidence discovered during pen testing that indicate that a security breach may have already occurred are called which of the following? Choose all that apply.

Newly discovered information may necessitate a change in the scope, work, and goals of the pen-testing engagement.

Which stage of pen testing returns the client's systems to the state they were in before pen testing began?

Which type of controls are standard procedures for various activities that are implemented to improve the security of individual personnel?

Which of the following is not a communication trigger?

Which type of control uses security intelligence in software or hardware solutions to detect and remediate security threats?

Which type of control prevents threat actors from gaining access to or damaging a facility and its infrastructure?

Which section of a pen-testing report should contain bulk data and lengthy code listings?

Which of the following are other reasons for communication? Choose all that apply.

Which of the following are important contacts for a well-defined communication path? Choose all that apply.

Multiplying impact by probability equals which of the following?

Choosing a set scale and mapping the data from relevant sources to this chosen scale is known as which of the following?

Which type of control uses formalized processes and policies to help improve an organization's security?

Which of the following are common pen-testing findings? Choose all that apply.

When a penetration-testing engagement is complete, the pen-test team should follow the directions in the statement of work and destroy or retain the appropriate data.

During pen testing, active two-way communication between the pen testing team and stakeholders should occur regularly and in real time whenever required.

An organization's SOC may be a suitable emergency contact.

Which section of a pen-testing report is written for C-suite executives?

If the pen-testing engagement, or parts of it, were executed for regulatory or compliance reasons, what might the client need?

Which of the following are remediation control categories? Choose all that apply.

What are the three looping mechanisms in JavaScript? Choose all that apply.

What is the result of running the following C program? main() { int a = 2; if (a = 1) printf("I made a mistake!"); else printf("I did it correctly!"); }

Most programming languages enable programmers to perform which of the following actions? Choose all that apply.

A C program must contain which of the following?

A missing parenthesis or brace might cause a compiler or interpreter to return which of the following?

In C, which looping function performs an action first and then tests to see whether the action should continue to occur?

Using the following Perl code, how many times will "This is easy..." be displayed onscreen? for ($count=1; $count <= 5; $count++) { print "This is easy..."; }

Which of the following statements has the highest risk of creating an infinite loop?

In object-oriented programming, classes are defined as the structures that hold data and functions.

An algorithm is defined as which of the following?

Before writing a program, many programmers outline it first by using which of the following?

To add comments to a Perl or Python script, you use which of the following symbols?

Which of the following is the Win32 API function for verifying the file system on a Windows computer?

Which of the following HTML tags is used to create a hyperlink to a remote website?

What is the purpose of the “*” character in front of the lst variable in the following print function? Print(*lst)

What is the purpose of the “\” character in the following function? …findall(r’(192\.168))

What does the “os” in the function call os.system("nmap 10.0.0.1") refer to?

In Python, what does the character “#” do?

Python is specific to which OS?

For a Bash script to be executed from the Terminal, what line needs to be the first line of the script?

Select the Bash Boolean logical operator. [Choose all that apply]

Select the Bash Comparison operator.

Select two Linux file editors. [Choose two that apply]

What is the output of the following PowerShell Script: $newvar = "Hello" Write-Host $newvar[1] String index 1 = second character: H (0), e (1), l (2), l (3), o (4)

What Windows tool can be used to create an encrypted drive for Pentest report storage?

What reference can be used to detail the sections of a penetration test report?

What method can be used to prevent SQL Injection?

Which section of the report is written for the C-suite audience?

What key factors separate ethical and unethical hackers? [Choose all that apply]

Which Department of Commerce organization provides technology measurement and standards?

A company admin is using the same password for both their user and admin accounts. What security weakness is this demonstrating?

Where do you configure OpenVAS to email a PDF report after each scan?

How is a GPO implemented through the network? [Choose all that apply]

Why set a minimum password age?

Windows and Linux operating systems do not store user passwords in plaintext. Instead, they are stored in a hashed format. What locations or databases do Windows and Linux operating systems store user password hashes? [Choose all that apply]

Which tool is best for offline password cracking?

The Windows SAM Database stores local usernames and password hashes. What format can the SAM Database use to store hashes? [Choose all that apply]

For a cloned website to appear authentic, a penetration tester can register a domain that could be confused easily with the legitimate website. What is this technique called?

Wordlists are comprised of plain text passwords and are used by password cracking tools. Select the wordlist used in this module to crack the SAM Database hash, which was discovered.

What program can be used to intercept requests from a client to a server?

Which tool can be used to conduct a brute force attack on a login page?

Describe the SQLi Always True Method.

At the end of an SQLi string, a colleague writes “-- “. Why is this done?

Describe SQLmap.

A user is forced to use a cookie from an attacker's session and log onto their account. What type of attack is ongoing?

When does the DVWA web server provide a cookie to a client?

A user’s cookie is stolen and used by an attacker to participate in the user’s session. What type of attack is ongoing?

Why does the DVWA web server provide a cookie to a client? [Choose all that apply]

What is the result of entering the following into the Wireshark display filter: ip.dst==10.0.0.254

Which of the following Penetration testing tools can be used to conduct a web application scan?

How does BeEF identify a hooked browser?

A senior penetration tester on the team has tasked you with creating a malicious executable payload for delivery to a Windows machine. Which framework is most appropriate to complete this task with?

Which of the following scanning modes are available on the OWASP ZAP Application? [Choose all that apply]

The ‘ test character is used to test for which vulnerability?

In a post-exploitation environment, an attacker identifies credential reuse in different services on the network. The attacker then moves from a user’s email account to a domain level account with the same credentials. What type of privilege escalation is this?

In a post-exploitation environment, Active Directory misconfigurations allow a user to be placed into the Domain Admins group and inherits the rights of the group. What type of privilege escalation is this?

Which tool would allow an attacker to hide a file in a picture for exfiltration?

In PowerShell, what actions are required to clear the terminal history?

What Bloodhound-python script option is used to specify the target IP Address?

Which NMAP scans are initiated with the -A switch? [Choose all that apply]

Some NMAP options require elevated privileges to conduct. Which of the following NMAP commands can be initiated by a non-root user?

What is the major distinguishing factor between a -sT and a -sS scan?

Your NMAP does not return any results. You believe there is something in the network that is blocking the NMPA alive check. What switch will omit the host alive check and assume all scanned IP Addresses are available?

Which of the following protocols is connectionless?

Free and Open Source Software (FOSS) can be used without a subscription or licensing fee. Which of the following are open-source softwares? [Choose all that apply]

Why is it important to update Feed Status prior to conducting a GVM vulnerability scan?

During the lab, Wireshark was used to monitor the vulnerability scan. What information was provided in the Wireshark Info column output?

A Full and fast GVM vulnerability scan on an enterprise network may take how long to complete?

How should GVM vulnerability scan results be protected?

Which statement about Passive Reconniassance is MOST correct?

TheHarvester is a tool that can uncover email addresses and hosts/IP addresses, among other things, from a target domain. What use can an ethical hacker make of an email address returned by theHarvester? [Choose all that apply]

Both theHarvester and FOCA tools allow the manual entry of a project identifying key to be added to their search parameters. This key will allow the return of more results from the searches. What is the name of this key?

What port is the WHOIS protocol assigned to?

True or False: Based on the PLABinc Statement of Work and Scope, your penetration test will include a physical security assessment as well as a technical assessment.

The following robots.txt file is discovered during Active Reconnaissance. User-agent: BingBot Allow: /*html$ Disallow: /passwords/ Select the following TRUE statements about the robots.txt file [Choose TWO that apply].

A network mapper aggressive detection scan comprises of several smaller scans. Select the individual scans associated with the -A scan. [Choose all that apply]

Nikto is an open-source scanner that was designed to scan which target?

Which network device is best suited to prevent a DDoS attack? Choose the BEST answer.

Select the best example of metadata.

You are analyzing the output of a command line scan. The output describes the services running on open target ports. Which tool was used to conduct this scan?

Which attack framework is organized in a linear fashion, meaning that one attack step leads directly to the next; inferring that if a defender is able to block a step in the framework, the attack will be stopped?

In a Linux command line, you require a utility that searches plain text data sets for defined regular expression strings. Which command line tool will you choose?

What organization manages the National Vulnerability Database (NVD) repository?

Which database is a catalog of known security threats?

Which NIST Special Publication serves as the technical guide for information system testing and assessment?

During the scoping process, which of the following will the ROE specify?

Tools like John the Ripper are typically used during which phase of the penetration testing process?

The cyber kill chain describes maintaining access via installation of which item?

Which tool enables capture and analysis of wireless network traffic?

Virtual installation source typically uses what type of file extension?

Which command-line utility shows detailed configuration for network adapters?

Which service is responsible for relaying outbound email?

Which configuration option should be enabled to reduce spam in Axigen?

What must the user do before issuing CTRL+ALT+DELETE in VirtualBox?

What concept ensures alignment of security initiatives with business goals?

The PCI DSS standard is managed by which body?

How many total requirements make up PCI DSS?

What is the primary responsibility of the Data Protection Officer (GDPR)?

Which compliance framework safeguards investors via accurate financial reporting?

What can be inferred about the integrity and authenticity of a message with a digital signature?

Which data types are included in cryptographic tools?

Which statement best explains the role of an RA or CA?

Which two methods verify if a certificate has been revoked?

Best practices to secure the root CA?

Which entities can receive digital certificates?

Which trust models show complete mutual confidence among parties?

What key management considerations should Marisol keep in mind?

What happens when encrypted and unencrypted data are combined in transit?

Which statements justify using IPSec over TLS (or vice versa)?

What type of threat is a popup demanding payment from a fake authority?

Why is ransomware so dangerous?

Key similarity/difference between keyloggers and spyware?

What type of malware is most likely present when antivirus detects nothing?

Compromised systems executing commands from social media posts are called what?

Why would an attacker install a backdoor?

Altering a return address to redirect execution to malicious code is what attack?

Which components are impacted by infrastructure vulnerabilities in a web app?

Similarities/differences between CSRF and SSRF?

Security measures to prevent interception of sensitive data in browsing?

Why are mobile devices increasingly targeted?

Why did an attacker fail to withdraw cash using a found card?

Risks introduced by jailbreaking/rooting a device?

How to prevent loss of personal data in COPE devices?

Which tool enables remote mobile app installation?

What mechanism enforces geographic operation restrictions for apps?

Why is RTOS advantageous in SoC systems?

Cryptographic constraints for embedded systems?

Modifying registry keys via exploited executable represents what?

Why might an organization mandate dead code in applications?

CH-1 The National Institute of Standards and Technology (NIST) publishes Special Publications (SPs) to help IT professionals and organizations develop procedures for managing and securing information systems. Which NIST Special Publication serves as the technical guide for information system testing and assessment?

CH-1 The Rules of Engagement (ROE) outline specific guidelines and parameters for a cybersecurity assessment. During the scoping process, which of the following will the ROE specify?

CH-1 Alex has just used a password-cracking tool such as John the Ripper to recover passwords from a client's network. Tools like John the Ripper are typically used during which phase of the penetration testing process?

CH-1 The cyber kill chain describes the need for an intruder to maintain access to the target. This activity can be ensured by installation of which of the following items?

CH-1 Which tool enables a penetration tester to capture and analyze wireless network traffic — including collecting handshake data that can be used to crack the network key?

CH-2 When preparing to deploy an operating system within a virtual environment, the installation media must be mounted using a digital replica of the original disc rather than physical hardware. This virtual installation source typically uses what type of file extension?

CH-2 On a Windows workstation, an administrator wants to view detailed configuration data for the system's network adapter, including assigned IP addresses and gateway settings. Which command-line utility would provide this information?

CH-2 During the setup of a mail server in a penetration testing environment, multiple protocols are configured to handle the sending and receiving of messages across domains. Which specific service is responsible for relaying outbound email toward its intended recipient system?

CH-2 Jordan and Priya are reviewing their Axigen mail server setup for a class lab. Jordan notes that users' inboxes are filling up with unsolicited messages. Priya suggests activating a server feature that temporarily delays or blocks messages from unrecognized senders to reduce spam. Which configuration option should they enable in Axigen?

CH-2 While working inside a VirtualBox guest system, a user attempts to send the standard CTRL+ALT+DELETE command but finds it does not affect the virtual machine. What action must the user perform before successfully issuing this key sequence within the VM environment?

CH-3 In the context of cybersecurity governance, what concept focuses on making sure that an organization's security initiatives and operational practices remain consistent with its overall mission and strategic business objectives?

CH-3 The PCI DSS framework establishes requirements for securing payment card transactions and protecting cardholder data. Oversight and maintenance of this standard are managed by which governing body within the payment industry?

CH-3 Within the structure of the Payment Card Industry Data Security Standard (PCI DSS), security objectives are organized into a specific number of core requirements that guide compliance efforts. How many total requirements make up this framework?

CH-3 Under the GDPR framework, organizations must designate a Data Protection Officer to help ensure compliance with data privacy laws. What is the primary responsibility of this role within the organization?

CH-3 When conducting a penetration test, evaluating whether an organization adheres to regulatory requirements can be challenging. Which compliance framework was specifically created to safeguard investors by enforcing accurate financial reporting and preventing fraudulent practices?

CH-4 Amir employs an asymmetric encryption method to transmit a message and attach a digital signature for verification. What can be inferred about the integrity and authenticity of the message based on this approach?

CH-4 When examining a digital signature or a digital certificate, certain pieces of information are typically included to verify authenticity and integrity. Which two types of data are you most likely to encounter in these cryptographic tools?

CH-4 In a public key infrastructure, various entities such as a Registration Authority (RA), a Certificate Authority (CA), or an intermediate CA perform distinct functions. Which statement best explains the responsibilities of one of these entities in managing digital certificates?

CH-4 In a public key infrastructure, it is important to verify whether a digital certificate is still trustworthy. Which two methods are commonly used to determine if a certificate has been revoked?

CH-4 As an administrator responsible for both the root and intermediate certificate authorities in a large organization, you need to implement measures to protect the root CA from compromise. What actions are considered best practices to ensure the security of the root CA?

CH-4 Digital certificates can be issued to various types of entities to establish trust and enable secure communications. Which of the following are valid recipients of digital certificates? Select all that apply.

CH-4 In a public key infrastructure scenario, three parties have complete mutual knowledge and confidence in one another. Which two trust models could accurately represent this type of relationship?

CH-4 Marisol implemented a key management policy at her organization that incorporates both hardware and software solutions. Which two considerations should she keep in mind regarding potential challenges or limitations of this approach?

CH-4 Diego is tasked with securing data while it moves across a network. However, the encryption approach he is considering will wrap encrypted content together with unencrypted data. What potential risk or consequence could arise from this configuration?

CH-4 Charlie, a manager, wants to implement TLS because he thinks it is easier to configure. However, Perry recommends using IPSec instead. Which of the following statements could be used to justify implementing one over the other? Select two.

CH-5 While visiting a website, a user encounters a popup claiming to be from a government authority, alleging that their computer is linked to illegal activity and demanding an online payment via credit card. Attempts to close the message fail. What type of cyber threat is the user most likely facing?

CH-5 Ransomware is often regarded as one of the most dangerous types of malware. Which two factors contribute most to its severity and impact on organizations?

CH-5 Considering malicious software that targets user activity, which statement accurately describes a key similarity or difference between keyloggers and spyware?

CH-5 Monique downloads a version of PowerShell claiming enhanced features beyond the default installation. Soon after, her system begins to behave erratically, yet the anti-malware software reports nothing unusual. What type of malware is most likely present on her computer?

CH-5 A company discovers that several of its computers are executing malicious commands obtained from posts on social media platforms. Each of the compromised systems in this situation would be classified as a ________.

CH-5 An attacker successfully places a backdoor on a target system. Which two purposes are most likely motivating this action, considering typical goals of persistent unauthorized access?

CH-5 An attacker alters the return address of a running application so that control is redirected to malicious code they have injected into memory. What type of attack does this scenario describe?

CH-5 A flaw is discovered in the infrastructure supporting a web application. Which three components are most likely to be impacted by this type of vulnerability?

CH-5 Which of the following statements accurately describe similarities or differences between a CSRF and a SSRF attack? Select three.

CH-5 Which two security measures can be implemented to reduce the risk of sensitive data being intercepted during a user's web browsing session?

CH-6 What factor has contributed most to increased attention from malicious actors targeting mobile devices in recent years?

CH-6 An elderly individual withdraws cash from an automated teller machine at a bus terminal while talking on their mobile phone and forgets to take their bank card. A malicious observer notes the card and its attached PIN. Hours later, after the individual has boarded a bus, the attacker attempts to withdraw money but fails. What most likely prevented the attacker from successfully completing the transaction?

CH-6 When a user jailbreaks an Apple iOS device or roots an Android device, they gain the ability to install applications from unofficial sources. What types of security risks can this activity introduce to the device and its data?

CH-6 A company employs the Corporate-Owned, Personally Enabled (COPE) model for its mobile devices. Every six months, outdated sales data is removed from the devices, but occasionally users submit help desk requests to recover personal data that was unintentionally deleted. What measures could be implemented to prevent this type of problem?

CH-6 Sofia is meeting with a client when she notices that an internally developed application is no longer present on her mobile device. She contacts the corporate IT office, and the app is installed remotely. Which type of tool most likely enabled this remote installation?

CH-6 For security purposes, an application is configured so that it can only operate within approximately one kilometer of a designated secure facility. What mechanism is being employed to enforce this geographic restriction?

CH-6 Which of the following statements best explain why it is advantageous to use a real-time operating system (RTOS) in a system on a chip (SoC)?

CH-6 Regarding embedded systems and specialized devices, certain limitations and considerations affect how cryptography can be applied. Which two statements accurately reflect these security constraints and cryptographic challenges?

CH-6 A malicious actor exploits a flaw in an unpatched application to run a vulnerable executable, which they then leverage to modify Windows registry keys. Which two types of attacks does this activity most likely represent?

CH-6 Lena, a software developer, is working for a company that mandates the inclusion of dead code in applications. What are two possible reasons the organization might enforce this policy?