PT0-002 Exam Questions - Online Test



NEW QUESTION 1
A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?

  • A. John the Ripper
  • B. Hydra
  • C. Mimikatz
  • D. Cain and Abel

Answer: A

NEW QUESTION 2
During an engagement, a penetration tester found the following list of strings inside a file:
[Exhibit not included]
Which of the following is the BEST technique to determine the known plaintext of the strings?

  • A. Dictionary attack
  • B. Rainbow table attack
  • C. Brute-force attack
  • D. Credential-stuffing attack

Answer: B

NEW QUESTION 3
A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?

  • A. Data flooding
  • B. Session riding
  • C. Cybersquatting
  • D. Side channel

Answer: D

Explanation:
https://www.techtarget.com/searchsecurity/definition/side-channel-attack#:~:text=Side%2Dchannel%20attacks%

NEW QUESTION 4
A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal?

  • A. VRFY and EXPN
  • B. VRFY and TURN
  • C. EXPN and TURN
  • D. RCPT TO and VRFY

Answer: A

Explanation:
The VRFY and EXPN commands can be used to enumerate user accounts on an SMTP server, as they are used to verify the existence of users or mailing lists. VRFY (verify) asks the server to confirm that a given user name or address is valid. EXPN (expand) asks the server to expand a mailing list into its individual members. These commands can be used by a penetration tester to identify valid user names or e-mail addresses on the target SMTP server.

NEW QUESTION 5
A penetration tester created the following script to use in an engagement:
[Exhibit not included]
However, the tester is receiving the following error when trying to run the script:
[Exhibit not included]
Which of the following is the reason for the error?

  • A. The sys variable was not defined.
  • B. The argv variable was not defined.
  • C. The sys module was not imported.
  • D. The argv module was not imported.

Answer: C

Explanation:
The sys module is a built-in module in Python that provides access to system-specific parameters and functions, such as command-line arguments, standard input/output, and exit status. The sys module must be imported before it can be used in a script, otherwise an error will occur. The script uses the sys.argv variable, which is a list that contains the command-line arguments passed to the script. However, the script does not import the sys module at the beginning, which causes the error “NameError: name ‘sys’ is not defined”. To fix this error, the script should include the statement “import sys” at the top. The other options are not valid reasons for the error.

NEW QUESTION 6
A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.
Which of the following describes the scope of the assessment?

  • A. Partially known environment testing
  • B. Known environment testing
  • C. Unknown environment testing
  • D. Physical environment testing

Answer: C

NEW QUESTION 7
A penetration tester conducted a discovery scan that generated the following:
[Exhibit not included]
Which of the following commands generated the results above and will transform them into a list of active hosts for further analysis?

  • A. nmap -oG list.txt 192.168.0.1-254 , sort
  • B. nmap -sn 192.168.0.1-254 , grep "Nmap scan" | awk '{print $5}'
  • C. nmap --open 192.168.0.1-254, uniq
  • D. nmap -o 192.168.0.1-254, cut -f 2

Answer: B

Explanation:
The nmap -sn flag is for host discovery and returns this kind of output, and the awk command selects column 5 ({print $5}), which carries the returned IP of the host in the nmap output.
This command will generate the results shown in the image and transform them into a list of active hosts for further analysis. The command consists of three parts:
  • nmap -sn 192.168.0.1-254: This part uses nmap, a network scanning tool, to perform a ping scan (-sn) on the IP range 192.168.0.1-254, which means sending ICMP echo requests to each IP address and checking if they respond.
  • grep "Nmap scan": This part uses grep, a text filtering tool, to search for the string "Nmap scan" in the output of the previous part and display only the matching lines. This will filter out the lines that show the start and end time of the scan and only show the lines that indicate the status of each host.
  • awk '{print $5}': This part uses awk, a text processing tool, to print the fifth field ($5) of each line in the output of the previous part. This will extract only the IP addresses of each host and display them as a list.
The final output will look something like this:
192.168.0.1
192.168.0.12
192.168.0.17
192.168.0.34

NEW QUESTION 8
During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:

  • A. SOW.
  • B. SLA.
  • C. ROE.
  • D. NDA.

Answer: C

Explanation:
https://mainnerve.com/what-are-rules-of-engagement-in-pen-testing/#:~:text=The%20ROE%20includes%20the

NEW QUESTION 9
During a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign. Which of the following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client’s cybersecurity tools? (Choose two.)

  • A. Scraping social media sites
  • B. Using the WHOIS lookup tool
  • C. Crawling the client’s website
  • D. Phishing company employees
  • E. Utilizing DNS lookup tools
  • F. Conducting wardriving near the client facility

Answer: AC

Explanation:
Technical and billing addresses are usually posted on company websites and company social media sites for their clients to access. A WHOIS lookup will only provide information for the company registrant, an abuse email contact, etc., but it may not contain details for billing addresses.

NEW QUESTION 10
A penetration tester gains access to a system and establishes persistence, and then runs the following commands:
cat /dev/null > temp
touch -r .bash_history temp
mv temp .bash_history
Which of the following actions is the tester MOST likely performing?

  • A. Redirecting Bash history to /dev/null
  • B. Making a copy of the user's Bash history for further enumeration
  • C. Covering tracks by clearing the Bash history
  • D. Making decoy files on the system to confuse incident responders

Answer: C

Explanation:
The commands are used to clear the Bash history file of the current user, which records the commands entered in the terminal. The first command redirects /dev/null (a special file that discards any data written to it) to temp, which creates an empty file named temp. The second command changes the timestamp of temp to match that of .bash_history (the hidden file that stores the Bash history). The third command renames temp to .bash_history, which overwrites the original file with an empty one. This effectively erases any trace of the commands executed by the user.
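From the defender's side, the replacement described above leaves file-system evidence: touch -r copies only the access and modification times, while the inode change time (ctime) is always set by the kernel. The following check is an added example, not part of the original question; the function names, the 60-second threshold and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
import time


def history_indicators(path, skew_seconds=60):
    """Return reasons a shell history file looks tampered with (may be empty)."""
    findings = []
    st = os.lstat(path)  # lstat: inspect the link itself, not its target
    if stat.S_ISLNK(st.st_mode):
        # History pointed at another file (for example /dev/null) records nothing.
        findings.append("symlink to " + os.readlink(path))
        return findings
    if st.st_size == 0:
        findings.append("empty file")
    # touch -r copies atime/mtime, but ctime is set by the kernel to "now",
    # so a replaced file shows an inode change long after its last write.
    if st.st_ctime - st.st_mtime > skew_seconds:
        findings.append("ctime newer than mtime")
    return findings


def build_samples(directory):
    """Constructed sample files: an ordinary history and an emptied, back-dated one."""
    normal = os.path.join(directory, "normal_history")
    with open(normal, "w") as fh:
        fh.write("ls -la\ncd /tmp\n")
    replaced = os.path.join(directory, "replaced_history")
    open(replaced, "w").close()          # empty file
    old = time.time() - 30 * 86400       # mtime/atime set 30 days back
    os.utime(replaced, (old, old))
    return normal, replaced


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in build_samples(d):
            print(os.path.basename(p), history_indicators(p))
```

Each indicator also has benign causes (a new account, a chmod or chown), so the result is a triage signal to correlate with audit logs rather than proof of tampering.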

NEW QUESTION 11
A company’s Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi’s router.
Which of the following is MOST vulnerable to a brute-force attack?

  • A. WPS
  • B. WPA2-EAP
  • C. WPA-TKIP
  • D. WPA2-PSK

Answer: A

NEW QUESTION 12
Which of the following is the MOST effective person to validate results from a penetration test?

  • A. Third party
  • B. Team leader
  • C. Chief Information Officer
  • D. Client

Answer: B

NEW QUESTION 13
A penetration tester found several critical SQL injection vulnerabilities during an assessment of a client's system. The tester would like to suggest mitigation to the client as soon as possible.
Which of the following remediation techniques would be the BEST to recommend? (Choose two.)

  • A. Closing open services
  • B. Encrypting users' passwords
  • C. Randomizing users' credentials
  • D. Users' input validation
  • E. Parameterized queries
  • F. Output encoding

Answer: DE

Explanation:
SQL injection is a type of attack that exploits a vulnerability in a web application that allows an attacker to execute malicious SQL statements on a database server. SQL injection can result in data theft, data corruption, authentication bypass, or command execution. To mitigate SQL injection vulnerabilities, the following remediation techniques are recommended:
  • Users' input validation: This involves checking and sanitizing the user input before passing it to the database server. Input validation can prevent malicious or unexpected input from reaching the database server and causing harm. Input validation can be done by using whitelists, blacklists, regular expressions, or escaping mechanisms.
  • Parameterized queries: This involves using placeholders or parameters for user input instead of concatenating it with the SQL statement. Parameterized queries can separate the user input from the SQL logic and prevent it from being interpreted as part of the SQL statement. Parameterized queries can be implemented by using prepared statements, stored procedures, or frameworks that support them.
The other options are not relevant or effective remediation techniques for SQL injection vulnerabilities.

NEW QUESTION 14
Which of the following OSSTMM testing methodologies should be used to test under the worst conditions?

  • A. Tandem
  • B. Reversal
  • C. Semi-authorized
  • D. Known environment

Answer: D

Explanation:
The OSSTMM testing methodology that should be used to test under the worst conditions is known environment, which is a testing approach that assumes that the tester has full knowledge of the target system or network, such as its architecture, configuration, vulnerabilities, or defenses. Known environment testing can simulate a worst-case scenario, where an attacker has gained access to sensitive information or insider knowledge about the target, and can exploit it to launch more sophisticated or targeted attacks. Known environment testing can also help identify the most critical or high-risk areas of the target, and provide recommendations for improving its security posture.
The other options are not OSSTMM testing methodologies that should be used to test under the worst conditions. Tandem is a testing approach that involves two testers working together on the same target, one as an attacker and one as a defender, to simulate a realistic attack scenario and evaluate the effectiveness of the defense mechanisms. Reversal is a testing approach that involves switching roles between the tester and the client, where the tester acts as a defender and the client acts as an attacker, to assess the security awareness and skills of the client. Semi-authorized is a testing approach that involves giving partial or limited authorization or access to the tester, such as a user account or a network segment, to simulate an attack scenario where an attacker has compromised a legitimate user or device.

NEW QUESTION 15
A penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue?

  • A. Peach
  • B. WinDbg
  • C. GDB
  • D. OllyDbg

Answer: C

Explanation:
OllyDbg, WinDbg, and IDA are all debugging tools that support Windows environments. GDB is a Linux-specific debugging tool.
GDB is a tool that can be used to analyze and debug executable binaries, especially on Linux systems. GDB can disassemble, decompile, set breakpoints, examine memory, modify registers, and perform other operations on binaries. GDB can help a penetration tester understand the functionality, behavior, and vulnerabilities of an unknown binary. Peach is a tool that can be used to perform fuzzing, which is a technique of sending malformed or random data to a target to trigger errors or crashes. WinDbg and OllyDbg are tools that can be used to analyze and debug executable binaries, but they are mainly designed for Windows systems.

NEW QUESTION 16
In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company’s servers. Which of the following actions would BEST enable the tester to perform phishing in a later stage of the assessment?

  • A. Test for RFC-defined protocol conformance.
  • B. Attempt to brute force authentication to the service.
  • C. Perform a reverse DNS query and match to the service banner.
  • D. Check for an open relay configuration.

Answer: D

Explanation:
SMTP is a protocol associated with mail servers. Therefore, for a penetration tester, an open relay configuration can be exploited to launch phishing attacks.

NEW QUESTION 17
A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client’s IP address. The tester later discovered the SOC had used sinkholing on the penetration tester’s IP address. Which of the following BEST describes what happened?

  • A. The penetration tester was testing the wrong assets
  • B. The planning process failed to ensure all teams were notified
  • C. The client was not ready for the assessment to start
  • D. The penetration tester had incorrect contact information

Answer: B

Explanation:
Sinkholing is a technique used by security teams to redirect malicious or unwanted network traffic to a controlled destination, such as a black hole or a honeypot. This can help prevent or mitigate attacks, analyze malware behavior, or isolate infected hosts. If the SOC used sinkholing on the penetration tester’s IP address, it means that they detected the tester’s activity and blocked it from reaching the client’s network. This indicates that the planning process failed to ensure all teams were notified about the penetration testing engagement, which could have avoided this situation.
