Exam (worked answers)

CompTIA PenTest+ Practice Questions & Answers Solved 100%

Pages: 163
Grade: A+
Uploaded on: 08-09-2023
Written in: 2023/2024

Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for devices that process it?
A) Insurance records
B) Medical records
C) Credit card data
D) SSNs
E) Driver's license numbers
Correct Answer: credit card data
Explanation: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. As part of PCI DSS compliance, organizations must conduct internal and external scans at prescribed intervals on any devices or systems that process credit card data. HIPAA protects medical and insurance records, but this law doesn't define a frequency for vulnerability scanning requirements. Driver's license numbers are considered PII, but again, there is no defined frequency scanning requirement regarding protecting PII under law, regulation, or rule.

Dave's Consulting Group was just hired to conduct an engagement against an online training organization located in Germany. Which of the following laws should a penetration tester review before conducting this engagement to ensure the security and confidentiality of the student information processed by the company?
A) DPPA
B) CCPA
C) GLBA
D) GDPR
E) HIPAA
Correct Answer: GDPR
Explanation: The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. The Health Insurance Portability and Accountability Act (HIPAA) is a privacy rule that establishes national standards to protect the privacy of individuals' medical records. The Driver's Privacy Protection Act (DPPA) governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of client information and take steps to keep customer information secure.

Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan?
A) Anyone
B) Only an approved scanning vendor
C) Any qualified individual
D) Only employees of the company
Correct Answer: only an approved scanning vendor
Explanation: The Payment Card Industry Data Security Standard (PCI-DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI-DSS approved scanning vendor (ASV). This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Which of the following penetration testing methodologies or frameworks was developed by business professionals as a best practice guide for conducting penetration tests?
A) OSSTMM
B) PTES
C) ISSAF
D) OTG
Correct Answer: PTES
Explanation: The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide for conducting penetration testing. The PTES contains seven main sections that are used to provide a comprehensive overview of the proper structure of a complete penetration test. The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. The OWASP Testing Guide (OTG) provides different steps for the testing process and outlines the importance of assessing the entire organization, including the people, processes, and technology, during a penetration test. The Open Source Security Testing Methodology Manual (OSSTMM) was developed by the Institute for Security and Open Methodologies (ISECOM), and it outlines every area of an organization that needs testing and how to conduct the relevant tests. The Information Systems Security Assessment Framework (ISSAF) is an open-source resource available to cybersecurity professionals. The ISSAF is comprised of documents that relate to penetration testing, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.

Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test?
A) Physical penetration tests
B) Social engineering
C) Reverse engineering
D) Passive reconnaissance
E) DoS attacks
Correct Answer: DoS attacks
Explanation: A denial-of-service or DoS attack isn't usually included as part of a penetration test. This type of attack carries too much risk for an organization to allow it to be included in an assessment's scope. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test's scope. A penetration tester must limit the invasiveness of their assessment to the specific scope of the penetration test.

A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?
A) Monthly
B) Annually
C) Weekly
D) Quarterly
Correct Answer: Quarterly

Which of the following penetration testing methodologies is focused on testing web applications and the people, processes, and technology that support them?
A) OTG
B) PTES
C) ISSAF
D) OSSTMM
Correct Answer: OTG
Explanation: The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. The OWASP Testing Guide (OTG) provides different steps for the testing process and outlines the importance of assessing the entire organization, including the people, processes, and technology, during a penetration test. The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide for conducting penetration testing. The PTES contains seven main sections that are used to provide a comprehensive overview of the proper structure of a complete penetration test. The Open Source Security Testing Methodology Manual (OSSTMM) was developed by the Institute for Security and Open Methodologies (ISECOM), and it outlines every area of an organization that needs testing and how to conduct the relevant tests. The Information Systems Security Assessment Framework (ISSAF) is an open-source resource available to cybersecurity professionals. The ISSAF is comprised of documents that relate to penetration testing, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.

When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?
A) Obtain an asset inventory from the client.
B) Interview all stakeholders.
C) Identify all third parties involved.
D) Clarify the statement of work.
Correct Answer: Clarify the statement of work.

Which of the following penetration testing methodologies or frameworks is an open-source collection of documents that outlines every area of an organization that needs to undergo testing, as well as provides details on how those tests should be conducted?
A) PTES
B) OWASP Testing Guide
C) NIST
D) OSSTMM
E) ISSAF
Correct Answer: OSSTMM
Explanation: The Open Source Security Testing Methodology Manual (OSSTMM) was developed by the Institute for Security and Open Methodologies (ISECOM), and it outlines every area of an organization that needs testing and how to conduct the relevant tests. The Penetration Testing Execution Standard (PTES) was developed by business professionals as a best practice guide for conducting penetration testing. The PTES contains seven main sections that are used to provide a comprehensive overview of the proper structure of a complete penetration test. The Open Web Application Security Project (OWASP) is an organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. The OWASP Testing Guide (OTG) provides different steps for the testing process and outlines the importance of assessing the entire organization, including the people, processes, and technology, during a penetration test. The Information Systems Security Assessment Framework (ISSAF) is an open-source resource available to cybersecurity professionals. The ISSAF is comprised of documents that relate to penetration testing, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.

You are preparing for an upcoming penetration test. You want to begin your reconnaissance but need to validate the scope of the IP addresses and the times of day you can scan the network. Which of the following documents should you refer to in order to find these details?
A) RFP
B) NDA
C) ROE
D) MSA
Correct Answer: ROE
Explanation: The rules of engagement (ROE) contain the timeline, location, temporal restrictions, transparency of testing, and test boundaries for the penetration test. Therefore, if you look at the temporal restrictions portion of the ROE, you will see what times of day you can perform your scans and exploits. If you reference the test boundaries section, it should contain what types of scanning and exploits are allowed to be used and which systems are and are not in the scope of the assessment. Generally, the MSA provides the core legal provisions governing a services engagement, and a statement of work (or SOW), representing a child agreement to the MSA, will scope and define the project specifications, deliverables, assumptions, fees, or other specific aspects of the project.

You have been contracted to conduct a compliance-based assessment for an organization. What is the MOST important thing for you to understand?
A) The organization's policies
B) The organization's industry
C) The organization's risk tolerance
D) The organization's architecture drawings
Correct Answer: the organization's industry
Explanation: The organization's industry is the most important thing to consider and understand when conducting a compliance-based assessment. Compliance-based assessments are government- or industry-required assessments based on a particular compliance framework. For example, if you are conducting an assessment of a credit card processor, then PCI-DSS would be important to consider. If you are assessing a federal government IT system, then you should consider FedRAMP. If you are conducting an assessment of a military or military contractor network, you should consider the DISA STIGs for those systems.

You have been contracted to conduct a wireless penetration test for a corporate client. Which of the following should be documented and agreed upon in the scoping documents before you begin your assessment?
A) The frequencies of the WAPs and devices used by the client
B) Make and model of the wireless access points used by the client
C) The number of WAPs and devices used by the client
D) Network diagrams with SSIDs of the WAPs used by the client
Correct Answer: the frequencies of the WAPs and devices used by the client
Explanation: To ensure you are not accidentally targeting another organization's wireless infrastructure during your penetration test, you should have the frequencies of the wireless access points and devices used by the client documented in the scoping documents. This would include whether your clients use Wireless A, B, G, N, AC, or AX and whether they are using the 2.4 GHz or 5.0 GHz spectrum for their communications. Often, this scoping document will also include the SSID names to ensure the penetration tester is assessing the wireless network owned by the organization and not someone else's by mistake.

A penetration tester is reviewing the following SOW prior to engaging with a client: "Network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client's Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner." Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)
A) Using a software-based erase tool to wipe the client's findings from the penetration tester's laptop
B) Seeking help with the engagement in underground hacker forums by sharing the client's public IP address
C) Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement
D) Retaining the SOW within the penetration tester's company for future use so the sales team can plan future engagements
E) Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team
Correct Answers: Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team; Seeking help with the engagement in underground hacker forums by sharing the client's public IP address

Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?
A) MSA
B) MOU
C) NDA
D) SOW
Correct Answer: SOW

During a penetration test, you identify evidence of a possible large-scale data breach. Based on the indicators of compromise you discovered, you believe that the attackers were able to successfully exfiltrate the personal information and social security numbers of the company's customers from their database server. What action should you perform NEXT?
A) Immediately stop activities on the database server, notify the company's primary contact, and add your findings to the daily status report
B) Immediately stop all pen testing activity, inform the company's primary contact, and report any IoCs you have found
C) Immediately stop all pen testing activities, patch the database server to protect it against further exploitation, and report your findings to the company
D) Complete the day's work and inform the client at the daily startup meeting
Correct Answer: immediately stop all pen testing activity, inform the company's primary contact, and report any IoCs you have found
Explanation: As a penetration tester, you should immediately stop any penetration testing activities upon identifying a breach or other criminal activity. The penetration tester should contact the company's emergency point of contact provided in the scoping documents and wait for further guidance. The penetration tester should not continue any work, as this could make it more difficult for the network defenders to identify the true source of the breach or criminal activity. Penetration testers should never take it upon themselves to patch a server during an engagement.

Safe Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Safe Systems in handling this data breach?
A) Conduct a hack-back to retrieve the stolen data
B) Provide a statement to the press that Safe Systems takes security seriously
C) Purchase cyber insurance and backdate the logs and files to before the date coverage started
D) Notify affected customers within 72 hours of the discovery of the breach
Correct Answer: notify affected customers within 72 hours of the discovery of the breach
Explanation: Generally speaking, most laws require notification within 72 hours, such as the GDPR. All other options are either unethical, constitute insurance fraud, or are illegal. Conducting a hack-back is considered illegal, and once data has been taken, it is nearly impossible to steal it back, as the attacker probably has a backup of it. Providing an incorrect statement to the press is unethical, and if your company is caught lying about the extent of the breach, it could further hurt your reputation. Purchasing a cyber insurance policy and altering the log file dates to make it look like the attack occurred after buying the policy would be insurance fraud. This is unethical and illegal.

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works in the marketing department at the company's German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any?
A) There was no violation because the email was sent securely using the CRM
B) There was a violation since the customer did not give explicit consent to receive marketing emails
C) There was a violation since data minimization policies were not followed properly
D) There was no privacy violation because Max is a corporate employee and he only used email addresses
Correct Answer: there was a violation since the customer did not give explicit consent to receive marketing emails
Explanation: According to the European Union's General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose for which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn't operate within the European Union, its customers might be European Union citizens, and therefore the company should still optionally follow the GDPR guidelines. While data minimization is a good internal policy to utilize, not following it doesn't equate to a privacy violation or breach. Data minimization is the principle that data should only be processed and stored if necessary to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor, since the issue is using the data in ways that were not consented to by the customer, not which system the email was sent through. A privacy violation can occur when corporate employees view data if those employees do not have a need to know, a valid business requirement to use the data, or consent from the customer to use the data for a specific purpose (as was the case in this scenario).

You have been hired to conduct an external PCI-DSS audit of a merchant that processes under 20,000 credit card transactions per year. Which level would this merchant be categorized as?
A) 3
B) 2
C) 0
D) 4
E) 1
Correct Answer: 4
Explanation: This is a level 4 merchant. Under the PCI-DSS compliance rules, a merchant who is categorized as a level 2, level 3, or level 4 must have an external auditor conduct an annual audit or submit documentation of a self-test proving they took active steps to secure their credit card processing infrastructure. Level 1 is a large merchant with over 6,000,000 transactions per year. Level 2 is a merchant with 1,000,000 to 5,999,999 transactions per year. Level 3 is a merchant with 20,000 to 1,000,000 transactions per year. Level 4 is a small merchant with under 20,000 transactions per year.

Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?
A) OWASP Top 10
B) PTES technical guidelines
C) NIST SP 800-53
D) MITRE ATT&CK framework
Correct Answer: MITRE ATT&CK framework

A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action?
A) SLA
B) NDA
C) ROE
D) MSA
Correct Answer: NDA

Which of the following types of agreements is used to document the commitment between a provider and client in terms of quality and availability?
A) NDA
B) SLA
C) AUP
D) MOU
Correct Answer: SLA
Explanation: A service level agreement (SLA) is a documented commitment between a service provider and a client, where the quality, availability, and responsibilities are agreed upon by both parties. A non-disclosure agreement (NDA) is a documented agreement between two parties that defines what data is considered confidential and cannot be shared outside of that relationship. An NDA is used to protect an organization's intellectual property. An acceptable use policy (AUP) is a set of rules applied by the owner, creator, or administrator of a network, website, or service that restrict how the network, website, or system may be used and sets guidelines as to how it should be used. A memorandum of understanding (MOU) is a non-binding agreement between two or more organizations to detail what common actions they intend to take.

An organization is currently accepting bids for a contract that will involve penetration testing and reporting. The organization is asking all bidders to provide proof of previous penetration testing and reporting experience. One contractor decides to print out a few reports from some previous penetration tests that they performed. What could have occurred as a result of this contractor's actions?
A) The contractor will get hired because of the quality of previous pen test reports
B) The organization will want to use the sample reports for all bidders on the contract
C) The contractor gets paid a higher fee for showing excellent prior work
D) Inadvertent exposure of vulnerabilities found at other companies
Correct Answer: inadvertent exposure of vulnerabilities found at other companies
Explanation: Pentesters should never disclose any information from previous penetration tests to anyone outside of the assessed organization, since this could expose the vulnerabilities found. This non-disclosure is usually outlined in the original contract and scope of work. If the contractor wishes to provide a sample report, then the report should be created specifically for the contract and only include information from a sample/test network, not a previous customer's assessment. This could also be in breach of the NDA between the pentester and the organization.

John is a cybersecurity consultant who wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization's network?
A) The IP range of the client systems is unknown to John
B) He doesn't know what OSs and applications are in use
C) The client's infrastructure design is unknown to John
D) He doesn't have permission to perform the scan
Correct Answer: he doesn't have permission to perform the scan
Explanation: All options listed are an issue, but the most significant issue is that John does not have the client's permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization's systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization's network without explicit written permission. In some countries, a vulnerability scan against an organization's network without their permission is considered a cybercrime and could result in jail time for the consultant.

A company that develops embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse-engineering team prior to approval of the subcontract. Which of the following concerns would BEST support the software company's request?
A) The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.
B) The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.
C) The reverse-engineering team will be given access to source code for analysis.
D) The reverse-engineering team may have a history of selling exploits to third parties.
Correct Answer: The reverse-engineering team may have a history of selling exploits to third parties.

A client wants a security assessment company to perform a penetration test against its hot site. The purpose of the test is to determine the effectiveness of the defenses that protect against disruptions to business continuity. Which of the following is the MOST important action to take before starting this type of assessment?
A) Determine if the failover environment relies on resources not owned by the client.
B) Establish communication and escalation procedures with the client.
C) Verify the client has granted network access to the hot site.
D) Ensure the client has signed the SOW.
Correct Answer: Determine if the failover environment relies on resources not owned by the client.

You are a penetration tester hired by an organization that wants you to conduct a risk assessment of their perimeter network. The company-provided Rules of Engagement state that you must do all penetration testing from an external IP address without any prior knowledge of the internal IT system architecture. What kind of penetration test will you perform?
A) Unknown environment
B) Semi-trusted environment
C) Transparent environment
D) Known environment
E) Partially known environment
Correct Answer: unknown environment
Explanation: An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct, as the tester is examining a system from an outsider's perspective. A partially known environment tester has the user's access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network's internals, potentially including design and architecture documentation and an account internal to the network. A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth. A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools is necessary for this type of testing. A semi-trusted environment test is a made-up term and is used as a distractor in this question.

This tool uses modules to customize its search functionality. Modules include using whois, PGP key searches, DNS record enumerators, and social media profile associations.
A) SET
B) Metagoofil
C) recon-ng
D) FOCA
E) theHarvester
Correct Answer: recon-ng
Explanation: See

You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against B. You want to identify any domain names also covered by the organization's digital certificate to include in your assessment. Which of the following should you review to determine any other domains that can use the same digital certificate?
A) SAN
B) CRL
C)
D) CSR
Correct Answer: SAN
Explanation: Subject alternative name (SAN) is a field in a digital certificate that allows a host to be identified by multiple host names or domain names. Certificates that use a SAN are referred to as multi-domain certificates. A certificate signing request (CSR) is a Base64 ASCII file generated on the device that needs a certificate and contains information that the certificate authority needs to create the certificate. The certificate revocation list (CRL) is a list of digital certificates that have been revoked before their expiration date and are now considered invalid. A robots.txt file tells search engine crawlers which URLs the crawler should index and access on your site.

You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against B. You want to identify any web pages that contain the term "password" hosted by . Which of the following Google hacking queries should you use?
A) password inurl:
B) password inanchor:
C) password link:
D) password site:
Correct Answer: password site:
Explanation: The site modifier is used to search only the specified website for results that contain the search term. For example, password site: would return only results for the word password on pages located on the website. The inurl modifier is used to search for any pages whose URLs include the term specified and have the search term anywhere on the page. For example, password inurl: would return only page results whose URLs include the text "" and have the text "password" somewhere on the page. The link modifier is used to search for any pages that link to the website provided and have the search term anywhere on the page. For example, password link: would return only page results that link to B's website and have the text "password" anywhere on the page. The inanchor modifier is used to search for any pages whose anchor text includes the specified term and that have the search term provided somewhere on the page. For example, password inanchor: would return only page results that contain the term in the anchor text and have the search term "password" anywhere on the page.

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active?
A) A whois query
B) A zone transfer
C) Using Maltego
D) DNS forward or reverse lookup
Correct Answer: a zone transfer
Explanation: DNS zone transfer, also sometimes known by the DNS query type that induces it, AXFR, is a DNS transaction type. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. DNS zone transfers are an active technique. Performing a whois query is a passive reconnaissance technique that queries the databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but it is also used for a wider range of other information. Performing DNS forward and reverse lookups is an active technique that allows the resolution of names to IP addresses and IP addresses to names. This can be conducted as a passive technique. Maltego is used for open-source intelligence and forensics. It focuses on providing a library for data discovery from open sources and visualizing that information in a graph format suitable for link analysis and data mining. It collects this information passively, since it can acquire the information from whois lookup servers, a DNS lookup tool using public DNS servers, or even emails and hostnames one can acquire from theHarvester.

Given the following file output:
User-agent: *
Disallow: /author/
Disallow: /
Disallow: /wp-admin
Disallow: /page/
During which of the following activities was this output MOST likely obtained?
A) Domain enumeration
B) Website scraping
C) URL enumeration
D) Website cloning
Correct Answer: Website scraping
Explanation: The file output you see here is from a robots.txt file. A robots.txt file is a set of instructions for bots. This file is included in the source files of most websites. Robots.txt files are mostly intended for managing the activities of good bots like web crawlers, since bad bots aren't likely to follow the instructions. Website cloning refers to the copying or modification of an existing website design or script to create a new website. Domain enumeration can be described as the process of using one domain name and finding all its subdomains and hosts (sometimes also referred to as "subdomain enumeration").

Of the following ports identified as OPEN on an external nmap scan of your organization, which one represents the most significant security risk to your organization?
A) 53
B) 123
C) 23
D) 22
E) 443
Correct Answer: 23
Explanation: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet be disabled and blocked from use. The other open ports are SSH (port 22), DNS (port 53), NTP (port 123), and HTTPS (port 443).

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS) server. What command should they type to display the DNS records associated with the email servers?
A) request type=mx
B) request type=smtp
C) set type=mx
D) set type=email
Correct Answer: set type=mx
Explanation: The "set type=mx" command tells nslookup only to query the MX (or mail exchange) records from a DNS server and display them to the screen. There is no "request type=" command within nslookup, so both of those options are incorrect. There is also no email type within DNS, which already makes that a wrong answer. In the CLI: nslookup, Enter, set type=mx, Enter.

You are currently conducting passive reconnaissance in preparation for an upcoming penetration test against B. You are reviewing the DNS records for the company and are trying to identify which third-party hosted services they may be using. Which of the following DNS records should you analyze to identify any human-readable records, domain verifications, and domain authentications?
A) NS
B) SRV
C) MX
D) TXT
Correct Answer: TXT
Explanation: Text (TXT) records are used to provide information about a resource such as a server, network, or service in human-readable form. They often contain domain verifications and domain authentications for third-party tools that can send information on behalf of a domain name. Mail Exchange (MX) records are used to provide the mail server that accepts email messages for a particular domain. Nameserver (NS) records are used to list the authoritative DNS servers for a particular domain. Service (SRV) records are used to provide host and port information on services such as voice over IP (VoIP) and instant messaging (IM) applications.

A penetration tester is emulating an insider threat during an engagement. The penetration tester was given access to a regular user account and a basic Windows 10 client on the network.
The penetration tester did not receive any network diagrams, maps, or target IP address. Their goal is to identify any possible Windows domain controllers on the domain. Which of the following commands should they use from the command prompt to achieve their goal? Select all that apply. A) nslookup -type=any_ntlm._ B) nslookup -type=any_ldap._ C) nslookup -type=any_lanman._ D) nslookup -type=any_kerberos._ E) nslookup -type=any_smtp._ - ACorrect Answers nslookup -type=any_ldap._ nslookup -type=any_kerberos._ Explanation: There are several methods for locating Domain Controllers, depending on what you know about the environment you are using. If you are using a Windows client, you can use the nslookup command. You need to specify which protocol you are searching for in the name. Since we are trying to identify domain controllers, we need to look for Kerberos and LDAP-based protocols on the domain. If you were using a Linux client, you could run a similar command syntax using dig. You have been asked to determine if B's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? A) banner grab B) passive scan C) protocol analysis D) vulnerability scan - ACorrect Answer: banner grab Explanation: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time-consuming and not fully accurate methods to determine the version being run. 
After issuing the command "telnet 80" and connecting to the server, what command conducts the banner grab? A) HEAD /HTTP/1.1 B) PUT /HTTP/1.1 C) HEAD /HTTP/2.0 D) PUT /HTTP/2.0 - ACorrect Answer: HEAD /HTTP/1.1 Explanation: To conduct a banner grab using telnet, you first must connect to the server using "telnet webserver 80". Once the connection establishes, you will receive a blank prompt, and you then issue the command "HEAD / HTTP/1.1". It requests the document header from the server and provides information such as the server software version and the server's operating system. From a technical point of view, one of the most significant features that distinguishes HTTP/1.1 and HTTP/2 is the binary framing layer, which can be thought of as a part of the application layer in the internet protocol stack. As opposed to HTTP/1.1, which keeps all requests and responses in plain text format, HTTP/2 uses the binary framing layer to encapsulate all messages in binary format, while still maintaining HTTP semantics, such as verbs, methods, and headers. The HTTP PUT request method creates a new resource or replaces a representation of the target resource with the request payload. Which type of method is used to collect information during the passive reconnaissance? A) APR requests and responses B) reviewing public repositories C) social engineering D) network traffic sniffing - ACorrect Answer: reviewing public repositories Explanation: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. 
Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester. What is the following command doing? wget -q -S A) Website cloning B) Google hacking C) Website scraping D) Banner grabbing E) Vulnerability scanning - ACorrect Answer: Banner grabbing Explanation: Banner grabbing is a technique used during reconnaissance to gather information about network hosts and the services running on open ports. Common banner grabbing tools include wget, netcat, telnet, and others. Search engine analysis (also known as Google hacking) is a method of using crafted search engine parameters to find hidden details and information about a target website. Vulnerability scanning is a program that is designed to assess computers, networks, or applications for known weaknesses. Website crawling is a technique that uses a bot to systematically browse a website to find every webpage and resource on the site. Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? A) Banner grabbing B) whois lookups C) registrar checks D) BGP looking glass usage - ACorrect Answer: Banner grabbing Explanation: Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third parties that do not directly connect to an organization's remote host. A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company's web presence. 
Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.) A) DNS forward and reverse lookups B) Shodan results C) Internet search engines D) Zone transfers E) IP addresses and subdomains - ACorrect Answers Zone transfers IP addresses and subdomains Explanation: The DNS is broken up into many different zones. These zones differentiate between distinctly managed areas in the DNS namespace. A DNS zone is a portion of the DNS namespace that is managed by a specific organization or administrator. A DNS zone file is a plain text file stored in a DNS server that contains an actual representation of the zone and contains all the records for every domain within the zone. Zone transfer will give you all the DNS info for a company's domains and subdomains as opposed to doing individual DNS lookups. Having IP addresses allows the pentester to narrow their focus while looking for open web services and applications that may or may not have an associated DNS record for web site. DNS forward and reverse lookups require you have IPs and FQDN's to lookup. Likewise, to get the best results from Shodan, you need at least some IP addresses / URLs to start your exploration. Internet searches, even with Google Hacking, are useful but will likely return much more information not related to your specific goal in this question. A coworker is conducting open-source intelligence gathering for an upcoming penetration test against B. 
You look over their shoulder and see them enter the following URL, A) returns only files hosted at B) finds sites related to C) returns only Excel spreadsheets D) all search filters are deactivated E) excludeds Excel spreadsheets - ACorrect Answers returns only files hosted at returns only Excel spreadsheets Explanation: The above example searches for files with the name "password" in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ':') and (+) limits the results to files hosted on (site%3A) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the "related:" term to the query. To deactivate all filters from the search, the "filter=0" should be used. To deactivate the directory filtering function, the "filter=p" is used. Note: encoding such as %3A is important to learn and we will discuss more later in the semester. You are conducting reconnaissance against for an upcoming engagement. Last week, you read a press release on their website that mentioned a new security infrastructure being deployed soon, but you cannot remember the exact date for the deployment. You tried to navigate back to the press release on their website, but it seems to have been taken down. Which of the following can you use to find a copy of the press release? 
(Select TWO) A) use a website archive like to find a copy of the press release B) use a standard cache search like cache:https// C) use a network sniffer to capture API requests and responses from the site D) conduct a website crawl of to find a hidden document - ACorrect Answers use a standard cache search like cache:https// use a website archive like to find a copy of the press release Explanation: To obtain older website information, you can use a standard cache search or a website archive. A standard cache search will produce a recent view of the website, but if the document you need has been removed for a long time this will be ineffective. Website archives like (home of the Wayback Machine) create cached and archived copies of billions of web pages going back decades. A network sniffer to capture API requests and responses is a form of active reconnaissance but it would not be useful in finding a specific webpage like the press release in this scenario. Conducting a website crawl can find hidden documents that are not indexed by search engines, but it will not find a document that has been removed or taken offline. Check out An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers? A) set type=ns B) locate type=ns C) request type=ns D) transfer type=ns - ACorrect Answer: set type=ns Explanation: The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The "set type=ns" tells nslookup only reports information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers. Open a terminal and man nslookup... 
A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the corporate office of the bank's dumpster. Based on this description, what portion of the penetration test is being conducted? A) passive information gathering B) threat intelligence C) active information gathering D) information reporting E) vulnerability assessment - ACorrect Answer: passive information gathering Explanation: Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. Instead, active information gathering starts to probe the organization using DNS Enumeration, Port Scanning, and OS Fingerprinting techniques. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment. You need to gather information on a target website such as subdomain names, employee names, email addresses, and PGP key entries listed somewhere on the target's publicly available websites. Which of the following tools would you most likely use? A) FOCA B) Metagoofil C) theHarvester D) Shodan E) TinEye - ACorrect Answer: theHarvester Explanation: FOCA (Fingerprinting Organisations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans. These documents may be on web pages and can be downloaded and analyzed with FOCA. 
It is capable of analyzing a wide variety of documents, with the most common being Microsoft Office, Open Office, or PDF files, although it also analyzes Adobe InDesign or SVG files, for instance. These documents are searched for using three possible search engines: Google, Bing, and DuckDuckGo. The sum of the results from the three engines amounts to a lot of documents. It is also possible to add local files to extract the EXIF information from graphic files, and a complete analysis of the information discovered through the URL is conducted even before downloading the file. With all data extracted from all files, FOCA matches information in an attempt to identify which documents have been created by the same team and what servers and clients may be inferred from them. Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company. Metagoofil will perform a search in Google to identify and download the documents to local disk. Your team lead tells you that on the next engagement, he wants you to use a web exploration framework written in Python that enables database interaction, command completion, and interactive help. Which of the following tools is she referring to? A) BEeF B) Shodan C) ZAP D) theHarvester E) recon-ng - ACorrect Answer: recon-ng Explanation: Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly. 
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-born attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context. The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. theHarvester package contains a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, pgp key servers). You need a search engine that will let you search for various types of servers and services connected to the Internet. Which tool, of the following, are you likely to use? A) SET B) theHarvester C) recon-ng D) DirBuster E) Shodan - ACorrect Answer: Shodan Explanation: DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However tools of this nature are often as only good as the directory and file list they come with. 
A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists, this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide.
