Question 1

A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

Accepted Answer

A CVSS score of 4.0 or higher is considered a critical vulnerability and would automatically bring a client out of compliance with PCI 3.x standards.

Question 2

While performing privilege escalation on a Windows 7 workstation, a penetration tester identifies a service that imports a DLL by name rather than an absolute path. To exploit this vulnerability, which of the following criteria must be met?

Accepted Answer

Weak folder permissions of a directory in the DLL search path allow an attacker to place a malicious DLL in a location where the service will load it, leading to privilege escalation.

Question 3

A client's systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory. Which of the following is the penetration tester's BEST course of action?

Accepted Answer

The penetration tester should reply and explain to the systems administrator that proper authorization is needed to provide the report. This is because the systems administrator is not listed as a point of contact or signatory, and therefore does not have the authority to receive the report.

Question 4

A consultant is attempting to harvest credentials from unsecure network protocols in use by the organization. Which of the following commands should the consultant use?

Accepted Answer

Tcpdump is a command-line packet analyzer tool that can capture and display the traffic passing through a network, which can be used to identify unsecure protocols and potentially harvest credentials.

Question 5

A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.)

Accepted Answer

The answer of A penetration tester has gained access to...

Question 6

A penetration tester is performing a black-box test of a client web application, and the scan host is unable to access it. The client has sent screenshots showing the system is functioning correctly. Which of the following is MOST likely the issue?

Accepted Answer

The answer of A penetration tester is performing a black-box...

Question 7

A penetration tester is performing a remote internal penetration test by connecting to the testing system from the Internet via a reverse SSH tunnel. The testing system has been placed on a general user subnet with an IP address of 192.168.1.13 and a gateway of 192.168.1.1. Immediately after running the command below, the penetration tester's SSH connection to the testing platform drops:  Which of the following ettercap commands should the penetration tester use in the future to perform ARP spoofing while maintaining a reliable connection?

Accepted Answer

The answer of A penetration tester is performing a remote...

Question 8

Which of the following can be used to perform online password attacks against RDP?

Accepted Answer

Ncrack is a network authentication cracking tool that can be used to perform online password attacks against various protocols, including RDP.

Question 9

At the information gathering stage, a penetration tester is trying to passively identify the technology running on a client's website. Which of the following approached should the penetration tester take?

Accepted Answer

The answer of At the information gathering stage, a penetration...

Question 10

Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?

Accepted Answer

The command "chkconfig --del servicename" is used to remove a service from the startup configuration, effectively removing any persistence that might have been set up for that service.

Question 11

A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

Accepted Answer

Disabling unneeded services will close the high-numbered ports that are unnecessarily open, reducing the attack surface and aligning with the system owner's claim that only port 443 is needed.

Question 12

Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

Accepted Answer

The answer of Which of the following BEST describes some...

Question 13

A penetration tester is planning to conduct a distributed dictionary attack on a government domain against the login portal. The tester will leverage multiple proxies to mask the origin IPs of the attack. Which of the following threat actors will be emulated?

Accepted Answer

APT (Advanced Persistent Threat) actors are known for using distributed dictionary attacks and multiple proxies to mask their origin IPs.

Question 14

A security consultant is trying to attack a device with a previously identified user account.  Which of the following types of attacks is being executed?

Accepted Answer

The answer of A security consultant is trying to attack...

Question 15

A penetration tester is assessing the security of a web form for a client and enters ";id" in one of the fields. The penetration tester observes the following response:  Based on the response, which of the following vulnerabilities exists?

Accepted Answer

The answer of A penetration tester is assessing the security...

Question 16

A penetration tester ran an Nmap scan against a target and received the following output:  Which of the following commands would be best for the penetration tester to execute NEXT to discover any weaknesses or vulnerabilities?

Accepted Answer

The answer of A penetration tester ran an Nmap scan...

Question 17

A penetration tester is performing a wireless penetration test. Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?

Accepted Answer

The answer of A penetration tester is performing a wireless...

Question 18

A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

Accepted Answer

The answer of A penetration tester was able to enter...

Question 19

A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network. Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?

Accepted Answer

The answer of A penetration tester used an ASP.NET web...

Question 20

A penetration tester is reviewing a Zigbee implementation for security issues. Which of the following device types is the tester MOST likely testing?

Accepted Answer

Zigbee is a wireless communication protocol used in IoT devices. Routers are devices that forward data packets between networks. Therefore, the tester is most likely testing a Zigbee router.

Exam 12: CompTIA PenTest+ Certification Exam