NEW QUESTION 1
During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.
INSTRUCTIONS
Analyze the code segments to determine which sections are needed to complete a port scanning script. Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 2
Which of the following assessment methods is MOST likely to cause harm to an ICS environment?

• A. Active scanning
• B. Ping sweep
• C. Protocol reversing
• D. Packet analysis

Answer: A

NEW QUESTION 3
A penetration tester performs the following command: curl –I –http2 https://www.comptia.org
Which of the following snippets of output will the tester MOST likely receive?

• A. Option A
• B. Option B
• C. Option C
• D. Option D

Answer: A

NEW QUESTION 4
During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT?

• A. Badge cloning
• B. Watering-hole attack
• C. Impersonation
• D. Spear phishing

Answer: D

Explanation:
Spear phishing is a type of targeted attack where the attacker sends emails that appear to come from a legitimate source, often a company or someone familiar to the target, with the goal of tricking the target into clicking on a malicious link or providing sensitive information. In this case, the penetration tester has already gathered OSINT on the IT system administrator, so they can use this information to craft a highly targeted spear phishing attack to try and gain access to the target system.

NEW QUESTION 5
A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?

• A. Maximizing the likelihood of finding vulnerabilities
• B. Reprioritizing the goals/objectives
• C. Eliminating the potential for false positives
• D. Reducing the risk to the client environment

Answer: B

Explanation:
Goal Reprioritization Have the goals of the assessment changed? Has any new information been found that might affect the goal or desired end state? I would also agree with A, because by goal reprioritization you are more likely to find vulnerabilities in this specific segment of critical network, but it is a side effect of goal reprioritization.

NEW QUESTION 6
A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully?

• A. windows/x64/meterpreter/reverse_tcp
• B. windows/x64/meterpreter/reverse_http
• C. windows/x64/shell_reverse_tcp
• D. windows/x64/powershell_reverse_tcp
• E. windows/x64/meterpreter/reverse_https

Answer: B

Explanation:
These two payloads are most likely to establish a shell successfully because they use HTTP or HTTPS protocols, which are commonly allowed by network devices and can bypass firewall rules or IPS signatures. The other payloads use TCP protocols, which are more likely to be blocked or detected by network devices.

NEW QUESTION 7
A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position.
Which of the following actions, if performed, would be ethical within the scope of the assessment?

• A. Exploiting a configuration weakness in the SQL database
• B. Intercepting outbound TLS traffic
• C. Gaining access to hosts by injecting malware into the enterprise-wide update server
• D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates
• E. Establishing and maintaining persistence on the domain controller

Answer: B

NEW QUESTION 8
A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?

• A. /var/log/messages
• B. /var/log/last_user
• C. /var/log/user_log
• D. /var/log/lastlog

Answer: D

Explanation:
The /var/log/lastlog file is a log file that stores information about the last user to sign in to the server. This file stores information such as the username, IP address, and timestamp of the last user to sign in to the server. It can be used by a penetration tester to determine the identity of the last user who signed in to the web server, which can be helpful in identifying the user who may have set up the backdoors and other malicious activities.

NEW QUESTION 9
A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

• A. Alternate data streams
• B. PowerShell modules
• C. MP4 steganography
• D. PsExec

Answer: A

Explanation:
Alternate data streams (ADS) are a feature of the NTFS file system that allows storing additional data in a file without affecting its size, name, or functionality. ADS can be used to hide or embed data or executable code in a file, such as a specially crafted binary for later execution. ADS can be created or accessed using various tool or commands, such as the command prompt, PowerShell, or Sysinternals12. For example, the following command can create an ADS named secret.exe in a file named test.txt and run it using wmic.exe process call create function: type secret.exe > test.txt:secret.exe & wmic process call create "cmd.exe /c test.txt:secret.exe"

NEW QUESTION 10
A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contact with the cloud provider prevents any activities that would interfere with the cloud provider's other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid?

• A. Crawling the web application's URLs looking for vulnerabilities
• B. Fingerprinting all the IP addresses of the application's servers
• C. Brute forcing the application's passwords
• D. Sending many web requests per second to test DDoS protection

Answer: D

NEW QUESTION 11
A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection?

• A. Configure wireless access to use a AAA server.
• B. Use random MAC addresses on the penetration testing distribution.
• C. Install a host-based firewall on the penetration testing distribution.
• D. Connect to the penetration testing company's VPS using a VPN.

Answer: D

Explanation:
The best way to provide confidentiality for the client while using a wireless connection is to connect to the penetration testing company’s VPS using a VPN. This will encrypt the traffic between the penetration tester and the VPS, and prevent any eavesdropping or interception by third parties. A VPN will also allow the penetration tester to access the client’s network securely and bypass any firewall or network restrictions.

NEW QUESTION 12
A penetration tester wrote the following Bash script to brute force a local service password:
..ting as expected. Which of the following changes should the penetration tester make to get the script to work?

• A. ..echo "The correct password is $p" && break) ho "The correct password is $p" I| break
• B. .echo "The correct password is $p" && break) o "The correct password is $p" I break
• C. echo "The correct password is Sp" && break) echo "The correct password is $p" && break)
• D. . { echo "The correct password is $p" && break ) With
• E. ( echo "The correct password is $p" && break )

Answer: B

Explanation:
CeWL is a tool that can be used to crawl a website and build a wordlist using the data recovered to crack the password on the website. CeWL stands for Custom Word List generator, and it is a Ruby script that spiders a given website up to a specified depth and returns a list of words that can be used for password cracking or other purposes. CeWL can also generate wordlists based on metadata, email addresses, author names, or external links found on the website. CeWL can help a penetration tester create customized wordlists that are tailored to the target website and increase the chances of success for password cracking attacks. DirBuster is a tool that can be used to brute force directories and files names on web servers. w3af is a tool that can be used to scan web applications for vulnerabilities and exploits. Patator is a tool that can be used to perform brute force attacks against various protocols and services.

NEW QUESTION 13
A penetration tester gains access to a web server and notices a large number of devices in the system ARP table. Upon scanning the web server, the tester determines that many of the devices are user ...ch of the following should be included in the recommendations for remediation?

• A. training program on proper access to the web server
• B. patch-management program for the web server.
• C. the web server in a screened subnet
• D. Implement endpoint protection on the workstations

Answer: D

Explanation:
The penetration tester should recommend implementing endpoint protection on the workstations, which is a security measure that involves installing software or hardware on devices that connect to a network to protect them from threats such as malware, ransomware, phishing, or unauthorized access. Endpoint protection can include antivirus software, firewalls, encryption tools, VPNs, or device management systems. Endpoint protection can help prevent user workstations from being compromised by attackers who have gained access to the web server or other devices on the network. The other options are not valid recommendations for remediation based on the discovery that many of the devices are user workstations. Changing passwords that were created before this code update is not relevant to this issue, as it refers to a different scenario involving password hashing and salting. Keeping hashes created by both methods for compatibility is not relevant to this issue, as it refers to a different scenario involving password hashing and salting. Moving the web server in a screened subnet is not relevant to this issue, as it refers to a different scenario involving network segmentation and isolation.

NEW QUESTION 14
A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks. Which of the following methodologies should be used to BEST meet the client's expectations?

• A. OWASP Top 10
• B. MITRE ATT&CK framework
• C. NIST Cybersecurity Framework
• D. The Diamond Model of Intrusion Analysis

Answer: B

Explanation:
The MITRE ATT&CK framework is a methodology that should be used to best meet the client’s expectations. The MITRE ATT&CK framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs) that are continuously updated based on real-world observations. The framework covers a wide variety of enterprise systems and networks, such as Windows, Linux, macOS, cloud, mobile, and network devices. The framework can help the penetration tester to emulate realistic threats and identify gaps in defenses.

NEW QUESTION 15
Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?

• A. Analyze the malware to see what it does.
• B. Collect the proper evidence and then remove the malware.
• C. Do a root-cause analysis to find out how the malware got in.
• D. Remove the malware immediately.
• E. Stop the assessment and inform the emergency contact.

Answer: E

Explanation:
Stopping the assessment and informing the emergency contact is the best thing to do next after identifying that an application being tested has already been compromised with malware. This is because continuing the assessment might interfere with an ongoing investigation or compromise evidence collection. The emergency contact is the person designated by the client who should be notified in case of any critical issues or incidents during the penetration testing engagement.

NEW QUESTION 16
A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the
MOST likely reason for the error?

• A. TCP port 443 is not open on the firewall
• B. The API server is using SSL instead of TLS
• C. The tester is using an outdated version of the application
• D. The application has the API certificate pinned.

Answer: D

NEW QUESTION 17
For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https://example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information:

Which of the following lines of code should the security engineer add to make the attack successful?

• A. window.location.= 'https://evilcorp.com'
• B. crossDomain: true
• C. geturlparameter ('username')
• D. redirectUrl = 'https://example.com'

Answer: B

NEW QUESTION 18
......