NEW QUESTION 1
A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

• A. Determine active hosts on the network.
• B. Set the TTL of ping packets for stealth.
• C. Fill the ARP table of the networked devices.
• D. Scan the system on the most used ports.

Answer: A

Explanation:
The tester is attempting to determine active hosts on the network by writing a script that pings a range of IP addresses. Ping is a network utility that sends ICMP echo request packets to a host and waits for ICMP echo reply packets. Ping can be used to test whether a host is reachable or not by measuring its response time. The script uses a for loop to iterate over a range of IP addresses from 192.168.1.1 to 192.168.1.254 and pings each one using the ping command with -c 1 option, which specifies one packet per address.

NEW QUESTION 2
A penetration tester conducted a vulnerability scan against a client’s critical servers and found the following:

Which of the following would be a recommendation for remediation?

• A. Deploy a user training program
• B. Implement a patch management plan
• C. Utilize the secure software development life cycle
• D. Configure access controls on each of the servers

Answer: B

NEW QUESTION 3
A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision?

• A. The tester had the situational awareness to stop the transfer.
• B. The tester found evidence of prior compromise within the data set.
• C. The tester completed the assigned part of the assessment workflow.
• D. The tester reached the end of the assessment time frame.

Answer: A

Explanation:
Situational awareness is the ability to perceive and understand the environment and events around oneself, and to act accordingly. The penetration tester demonstrated situational awareness by stopping the transfer of PII, which was out of scope and could have violated the ROE or legal and ethical principles. The other options are not relevant to the situation or the decision of the penetration tester.

NEW QUESTION 4
Which of the following expressions in Python increase a variable val by one (Choose two.)

• A. val++
• B. +val
• C. val=(val+1)
• D. ++val
• E. val=val++
• F. val+=1

Answer: CF

Explanation:
In Python, there are two ways to increase a variable by one: using the assignment operator (=) with an arithmetic expression, or using the augmented assignment operator (+=). The expressions val=(val+1) and val+=1 both achieve this goal. The expressions val++ and ++val are not valid in Python, as there is no increment operator. The expressions +val and val=val++ do not change the value of val2.
https://pythonguides.com/increment-and-decrement-operators-in-python/

NEW QUESTION 5
A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network.
Which of the following methods will MOST likely work?

• A. Try to obtain the private key used for S/MIME from the CEO's account.
• B. Send an email from the CEO's account, requesting a new account.
• C. Move laterally from the mail server to the domain controller.
• D. Attempt to escalate privileges on the mail server to gain root access.

Answer: D

NEW QUESTION 6
A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:
1;SELECT Username, Password FROM Users;
Which of the following injection attacks is the penetration tester using?

• A. Blind SQL
• B. Boolean SQL
• C. Stacked queries
• D. Error-based

Answer: C

Explanation:
The penetration tester is using a type of injection attack called stacked queries, which means appending multiple SQL statements separated by semicolons in a single input field. This can allow the penetration tester to execute arbitrary SQL commands on the database server, such as selecting username and password from users table.

NEW QUESTION 7
A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step?

• A. Perform a new penetration test.
• B. Remediate the findings.
• C. Provide the list of common vulnerabilities and exposures.
• D. Broaden the scope of the penetration test.

Answer: B

NEW QUESTION 8
Which of the following situations would require a penetration tester to notify the emergency contact for the engagement?

• A. The team exploits a critical server within the organization.
• B. The team exfiltrates PII or credit card data from the organization.
• C. The team loses access to the network remotely.
• D. The team discovers another actor on a system on the network.

Answer: D

NEW QUESTION 9
Deconfliction is necessary when the penetration test:

• A. determines that proprietary information is being stored in cleartext.
• B. occurs during the monthly vulnerability scanning.
• C. uncovers indicators of prior compromise over the course of the assessment.
• D. proceeds in parallel with a criminal digital forensic investigation.

Answer: C

Explanation:
This will then enable the PenTest to continue so that additional issues can be found, exploited, and analyzed.

NEW QUESTION 10
A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?

• A. Weekly
• B. Monthly
• C. Quarterly
• D. Annually

Answer: C

Explanation:
Quarterly is the minimum frequency to complete the scan of the system that is PCI DSS v3.2.1 compliant, according to Requirement 11.2.2 of the standard1. PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards that applies to any organization that processes, stores, or transmits credit card information. Requirement 11.2.2 states that organizations must perform internal vulnerability scans at least quarterly and after any significant change in the network.
https://www.pcicomplianceguide.org/faq/#25
PCI DSS requires quarterly vulnerability/penetration tests, not weekly.

NEW QUESTION 11
You are a penetration tester running port scans on a server. INSTRUCTIONS
Part 1: Given the output, construct the command that was used to generate this output from the available options.
Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 12
A tester who is performing a penetration test on a website receives the following output:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62
Which of the following commands can be used to further attack the website?

• A. <script>var adr= ‘../evil.php?test=’ + escape(document.cookie);</script>
• B. ../../../../../../../../../../etc/passwd
• C. /var/www/html/index.php;whoami
• D. 1 UNION SELECT 1, DATABASE(),3-

Answer: D

NEW QUESTION 13
Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?

• A. SOW
• B. SLA
• C. MSA
• D. NDA

Answer: A

Explanation:
The document that is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables is the SOW (Statement of Work). The SOW is a formal document that describes the objectives, expectations, and responsibilities of the penetration-testing project2. The SOW should be clear, concise, and comprehensive to avoid any ambiguity or misunderstanding.

NEW QUESTION 14
A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?

• A. Launch an external scan of netblocks.
• B. Check WHOIS and netblock records for the company.
• C. Use DNS lookups and dig to determine the external hosts.
• D. Conduct a ping sweep of the company's netblocks.

Answer: C

NEW QUESTION 15
A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen. A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM. Which of the following cloud attacks did the penetration tester MOST likely implement?

• A. Direct-to-origin
• B. Cross-site scripting
• C. Malware injection
• D. Credential harvesting

Answer: C

Explanation:
Malware injection is the most likely cloud attack that the penetration tester implemented, as it involves adding a fake VM instance to the IaaS component of the client’s VM. Malware injection is a type of attack that exploits vulnerabilities in cloud services or applications to inject malicious code or data into them. The injected malware can then compromise or control the cloud resources or data.

NEW QUESTION 16
A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host. Which of the following utilities would BEST support this objective?

• A. Socat
• B. tcpdump
• C. Scapy
• D. dig

Answer: C

Explanation:
https://thepacketgeek.com/scapy/building-network-tools/part-09/

NEW QUESTION 17
A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet." Which of the following audiences was this message intended?

• A. Systems administrators
• B. C-suite executives
• C. Data privacy ombudsman
• D. Regulatory officials

Answer: B

Explanation:
The comment in the final report was intended for C-suite executives, which are senior-level managers or leaders in an organization, such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO). C-suite executives are typically interested in high-level summaries or overviews of the penetration test results, such as the percentage of systems affected by a certain vulnerability or risk, the potential impact or cost of a breach, or the recommended actions or priorities for remediation. C-suite executives may not have the technical background or expertise to understand detailed or technical information about the penetration test, such as specific vulnerabilities, exploits, tools, or techniques. The comment in the final report provides a high-level summary of the penetration test result that is relevant and understandable for C-suite executives. The other audiences are not likely to be interested in this comment. Systems administrators are technical staff who are responsible for installing, configuring, maintaining, and securing systems and networks. They would be more interested in detailed or technical information about the penetration test, such as specific vulnerabilities, exploits, tools, or techniques. Data privacy ombudsman is a person who acts as an independent mediator between individuals and organizations regarding data privacy issues or complaints. They would be more interested in information about how the penetration test complied with data privacy laws and regulations, such as GDPR or CCPA. Regulatory officials are authorities who enforce compliance with laws and regulations related to a specific industry or sector, such as finance, health care, or energy. They would be more interested in information about how the penetration test complied with industry-specific standards and frameworks, such as PCI-DSS, HIPAA, or NERC-CIP.

NEW QUESTION 18
......