Black-box test
Which kind of penetration test is used by a tester who starts with very little information?
Target audience
When determining the scope of a pen test, what should be determined due to varying sizes, missions, and operations?
Understanding the target audience and their budget
What can help determine a better engagement that most efficiently and effectively meets the objectives?
Required resources
What will lead to determining the scope and associated cost of a pen test?
Compliance-based assessments
What type of assessments provide checklists for testers to use, ensuring appropriate devices will be scanned at the appropriate level?
Responsible disclosure
Which of the following would be a characteristic of an ethical hacker?
Ransomware
Which of the following terms describes an attack in which the end user's system hard drive or files are encrypted with a key known only to the attacker?
Hacktivist
Which type of threat actor operates with a political or social purpose to embarrass or financially affect the victim?
White-box test
Which type of penetration test would provide the tester with information such as network diagrams and credentials?
IoT devices
The Mirai botnet is primarily made up of which type of devices?
Internet access
Which is not a typical requirement for a penetration testing lab environment?
Using multiple tools of the same kind
Which of the following is a good method for validating the findings of a penetration test?
OSSTMM
What penetration testing methodology was created by Pete Herzog?
PCI penetration testing guidance
Which penetration testing methodology was created for the purpose of providing a minimum level of security requirements for handling credit card information?
Black-box test
Your company needs to determine if the security posture of its computing environment is sufficient for the level of exposure it receives. You determine that you will need to have a penetration test completed on the environment. You would like the testing to be done from the perspective of an external attacker. Which type of penetration test would be best?
Ransomware
In 2017 a number of attacks resulted in the end users' data being encrypted and/or stolen and then held by the attacker for payment. Which type of attack is this?
Ethical Hacker
A person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent is considered a(n) __________.
Malicious intent
The main difference between an ethical hacker and a nonethical hacker is that a nonethical hacker has ________.
Organized crime
Which type of threat actor would have the primary intent of monetary gain?
Web application test
Your company has an Internet-facing website that is critical to its daily business. Which type of penetration test would you prioritize?
OWASP Testing Project
Which penetration testing methodology is focused on web application penetration testing?
Black-box test
You are hired to complete a penetration test. The customer gives you only a domain name and IP address as the target information. Which type of penetration test is the customer asking you to perform?
Insider threat
You are performing a penetration test for a customer. You identify a client machine that is downloading the contents of the customer database, which stores the customer's intellectual property. You then identify an employee who is exporting the data to a USB drive. Which type of threat actor is this likely to be?
Social engineering testing
A potential customer is looking to test the security of its network. One of the customer's primary concerns is the security awareness of its employees. Which type of test would you recommend that the company perform as part of the penetration test?
Rules of engagement
Which of the following documents includes the penetration testing timeline?
Selecting targets by running Nmap or a similar scanner
Which of the following is not an element of pre-engagement tasks?
The base group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment.
Which of the following is true about the base group of CVSS?
A Swagger document
You can obtain several support resources from an organization that hired you to perform a penetration test. Which of the following is an example?
The contract is one of the most important documents in your engagement. It specifies the terms of the agreement and how you will get paid, and it provides clear documentation of the services that will be performed.
The document should be very specific, easy to understand, and without ambiguities. Any ambiguities will likely lead to customer dissatisfaction and friction.
Legal advice (by a lawyer) is always recommended for any contract.
Which of the following are true about a penetration testing engagement contract? (Select all that apply.)
The SOW defines confidential material, which is knowledge and information that should not be disclosed and should be kept confidential by both parties.
Which of the following is not true about the statement of work (SOW)?
When there is poor change management in the penetration testing engagement
In which of the following circumstances might you encounter scope creep?
Goals-based (objectives-based) assessments
Compliance-based assessments
Which of the following are types of penetration testing assessments? (Select all that apply.)
HIPAA
Which of the following is not an example of regulations or regulatory bodies applicable to the financial sector?
PCI DSS must be adopted by any organization that transmits, processes, or stores payment card data or directly or indirectly affects the security of cardholder data.
Which of the following statements is true?
safeguarding electronic protected health information
The HIPAA Security Rule is focused on __________________.
The amount and type of risk that an organization is prepared to pursue, retain, or take
What is risk appetite?
Risk acceptance
__________ indicates that the organization is willing to accept the level of risk associated with a given activity or process.
Gray
A ________-box test is a test in which the penetration tester is given some information about the target but not all information.
Red team
Which of the following is a group of cybersecurity experts and penetration testers that are hired by an organization to mimic a real threat actor?
Blue team
Which of the following is a corporate security team that defends the organization against cybersecurity threats (such as the security operation center analysts, computer incident response teams [CSIRTs], and information security [InfoSec] teams)?
Scope creep
A penetration testing firm has not properly identified what technical and nontechnical elements will be required for a penetration test. The scope has increased, and the firm finds itself in a bad situation with a customer, as it may not have time to complete all the tests that were advertised. Which of the following terms best describes this situation?
SOW
Which of the following documents includes elements such as the scope of the work to be performed, the location of the work, and the payment schedule?
API
REST and SOAP are examples of ____________ standards and technologies.
Disclaimer
You can create a document or include text in a contract, an SOW, or your final report specifying that you conducted the penetration testing on the applications and systems that existed as of a clearly stated date. This is an example of which of the following?
Reconnaissance
When an attacker is planning a course of action to gain access to a target, what is the initial phase the attacker performs?
Services
When performing reconnaissance on a network, you determine which devices are alive. What would be the next thing you would want to enumerate on the live devices?
DNSRecon
Which of the following tools is primarily used to enumerate domain information?
Active reconnaissance
Which type of reconnaissance would involve using tools that send network probes directly at a target device?
Passive
Which type of reconnaissance would be used when it is imperative that the target not be able to detect your activity?
Filtered
When running an Nmap SYN scan, what will be the Nmap result if ports on the target device do not respond?
-sT
Which of the following Nmap options would you use to perform a TCP connect scan?
-sF
Which of the following Nmap options would you want to try if your SYN scans were being identified by network filters?
Recon-ng
Which of the following tools is a framework used for active open source intelligence gathering?
Open source intelligence
Which method of information gathering uses publicly available information sources to collect and analyze information about a target?
hackertarget
Which Recon-ng module can be used to gather subdomains for a target?
Compliance scan
Which of the following vulnerability scan types would you recommend for a company that is concerned with complying with HIPAA?
Authenticated scan
Which type of vulnerability scan would require the scanner to log in to the target system and run privileged-level commands to gather results?
SYN
An Nmap _________scan is also known as a "half-open" scan because it doesn't open a full TCP connection.
TCP
An Nmap _______ scan uses the underlying operating system's networking mechanisms and is typically very noisy.
smb-enum-users.nse
The Nmap __________ script uses MSRPC to enumerate valid account information about the target.
Scapy
The _______ tool can be used to enumerate information about targets by using packet-crafting commands.
Domain
________ enumeration can be accomplished using various tools or simply by using Google searches with the site: operator.
Passive
___________ reconnaissance is a method of information gathering in which the attacker uses techniques that are not likely to be detected by the target.
Packet crafting
__________________ is the method of enumeration used by the Scapy tool.
-sS
You are running an Nmap port scan, and it is being blocked by a network filter. Which of the following options could you try to avoid the filters?
TCP FIN received
You are running an Nmap TCP FIN scan against a target device. The result of the scan indicates that port 80 is filtered. What response was likely received from the target that led to Nmap making this determination?
Compliance
A _______ vulnerability scan would typically be focused on a specific set of requirements.
Phishing
Which of the following is the term for an attacker presenting to a user a link or an attachment that looks like a valid, trusted resource?
Pharming can be done by exploiting a buffer overflow using Windows PowerShell.
Which of the following is not true about pharming?
Malvertising
Which of the following refers to the act of incorporating malicious ads on trusted websites, which results in users' browsers being inadvertently redirected to sites hosting malware?
Spear phishing is phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies.
Which of the following is true about spear phishing?
SMS phishing
Which of the following is an example of a social engineering attack that is not related to email?
Voice phishing is also referred to as "vishing."
Which of the following is true about voice phishing?
Whaling is similar to phishing and spear phishing; however, this type of attack is targeted at high-profile business executives and key individuals within a corporation.
Which of the following is true about whaling?
An interrogator pays attention to the victim's posture, body language, skin color, and eye movement.
Which of the following is true about interrogation?
Scarcity can be used to create a feeling of urgency in a decision-making context. It is possible to use specific language in an interaction to present a sense of urgency and manipulate the victim.
Which of the following is true about social engineering motivation techniques?
Shoulder surfing
Which of the following involves obtaining information such as personally identifiable information (PII), passwords, and other confidential data by looking at someone's laptop, desktop, or mobile device screen?
USB key drop attacks are not effective anymore.
Which of the following is not true about USB key drop attacks?
A phishing campaign using whaling
Which of the following is not a motivation technique used by social engineers?
Pretexting or impersonation involves presenting yourself as someone else in order to gain access to information.
Which of the following is true about pretexting?
Spear phishing
____________ is phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies.
Malvertising
In a _________ attack, a user visits a legitimate website and clicks on a malicious ad. Then the user is redirected to a malicious site and downloads malware.
Whaling is similar to phishing and spear phishing.
Which of the following is true?
An interrogator cannot use closed-ended questions to gain more control of the conversation.
Which of the following is not true about elicitation and interrogation?
Layer Multi-Name Resolution (LLMNR)
Which of the following is not a name-to-IP address resolution technology or protocol?
TCP port 445: NetBIOS Session Service protocol, used for sharing files between different operating systems
Which of the following port descriptions is not correct?
Poisons
A common vulnerability in LLMNR involves an attacker spoofing an authoritative source for name resolution on a victim system by responding to LLMNR traffic over UDP port 5355 and NBT-NS traffic over UDP port 137. The attacker ________ the LLMNR service to manipulate the victim's system.
EternalBlue
Which of the following is a popular SMB exploit that has been used in ransomware?
DNS cache poisoning involves manipulating the DNS resolver cache by injecting corrupted DNS data. This is done to force the DNS server to send the wrong IP address to the victim, redirecting the victim to the attacker's system.
Which of the following describes a DNS cache poisoning attack?
SNMPv2c uses two authenticating credentials: The first is a public community string to view the configuration or to obtain the health status of the device, and the second is a private community string to configure the managed device. SNMPv3 authenticates SNMP users by using usernames and passwords and can protect confidentiality. SNMPv2 does not provide any confidentiality protection.
Which of the following is one of the differences between SNMPv2c and SNMPv3?
Perform man-in-the-middle (MITM) attacks
ARP spoofing can be used to do which of the following?
Evil twin
Which of the following best describes an attack in which the threat actor creates a rogue access point and configures it exactly the same as the existing wireless network?
War driving
Which of the following is a methodology attackers use to find wireless access points wherever they may be?
WEP keys exist in two sizes: 40-bit (5-byte) and 104-bit (13-byte) keys. In addition, WEP uses a 24-bit IV, which is prepended to the PSK. When you configure a wireless infrastructure device with WEP, the IVs are sent in the clear.
Which of the following is true about WEP?
KRACK
Which of the following is an attack against the WPA and WPA2 protocols?
KARMA is a man-in-the-middle attack that involves creating a rogue AP and allowing an attacker to intercept wireless traffic.
Which of the following describes a KARMA attack?
Open SMTP relays
Which of the following can be abused to send spoofed emails, spam, phishing, and other email-related scams?
Pass-the-hash
Because password hashes cannot be reversed, instead of trying to figure out a user's password, what type of attack can be used to log in to another client or server?
Mimikatz
Which of the following is a tool that many penetration testers, attackers, and even malware use for retrieving password hashes from memory and also as a useful post-exploitation tool?
Empire
Which of the following is a popular tool that can be used to perform golden ticket and many other types of attacks?