Question 1
Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?
A. HTTPS communication
B. Public and private keys
C. Password encryption
D. Sessions and cookies
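The point of Question 1 is that once a user has authenticated, the thing that carries the logged-in state across stateless HTTP requests is the session identifier in a cookie; TLS, key pairs and password hashing protect the login, not the session afterwards. As an added illustration (not part of the exam page), the following Python snippet audits Set-Cookie headers for the attributes whose absence makes a session cookie easier to sniff, steal through script or replay cross-site. The two header lines are constructed for the example, not captured from any real site.

```python
# Added example (not from the exam page): audit Set-Cookie headers for the
# attributes that protect a session identifier after login.
import re


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; bare flags such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_findings(header_value):
    """Return the weaknesses that make this cookie easier to steal or replay."""
    _name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected JavaScript")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: session survives the browser closing")
    return findings


def audit(headers):
    """Map each cookie name to its findings. Accepts full 'Set-Cookie: ...' lines."""
    report = {}
    for line in headers:
        value = re.sub(r"^set-cookie:\s*", "", line, flags=re.IGNORECASE)
        name, _value, _attrs = parse_set_cookie(value)
        report[name] = cookie_findings(value)
    return report


# Constructed sample headers: one weak session cookie, one hardened one.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=1f3a9c; Path=/",
    "Set-Cookie: auth_token=7b2ed0; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HEADERS).items():
        print(name, "->", findings or ["no findings"])
```

Run against the constructed headers, PHPSESSID is reported with three findings (no Secure, no HttpOnly, no SameSite) while auth_token is clean; on a real engagement the same checks are what turn "sessions and cookies" from an exam answer into a concrete test case (sniffing the cookie on HTTP, reading it via XSS, or riding it cross-site).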
Question 2
A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action?
A. ROE
B. SLA
C. MSA
D. NDA
Question 3
A penetration tester conducted a vulnerability scan against a client's critical servers and found the following:
Host name | IP | OS | Security updates |
addc01.local | 10.1.1.20 | Windows Server 2012 | KB4581001, KB4585587, KB4586007 |
addc02.local | 10.1.1.21 | Windows Server 2012 | KB4586007 |
dnsint.local | 10.1.1.22 | Windows Server 2012 | KB4581001, KB4585587, KB4586007, KB4586010 |
wwwint.local | 10.1.1.23 | Windows Server 2012 | KB4581001 |
Which of the following would be a recommendation for remediation?
A. Deploy a user training program.
B. Implement a patch management plan.
C. Utilize the secure software development life cycle.
D. Configure access controls on each of the servers.
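What the Question 3 table shows is patch drift: four servers on the same OS with four different update sets, which is a process failure rather than a single missing patch. As an added example (not part of the exam page), the Python below parses the table as printed above, takes the union of every KB seen across the hosts as a working baseline, and lists what each host lacks relative to it. Two caveats a practitioner would add: the union of observed KBs is only a lower bound (a real patch-management check compares each host against the vendor's catalog, not against its peers), and Windows Server 2012 itself reached the end of extended support in October 2023, so the deeper recommendation is an upgrade plan alongside patch management.

```python
# Added example (not from the exam page): compute per-host patch drift from
# the scan table in Question 3. The table text below is the page's own data.
SCAN_TABLE = """\
addc01.local | 10.1.1.20 | Windows Server 2012 | KB4581001, KB4585587, KB4586007 |
addc02.local | 10.1.1.21 | Windows Server 2012 | KB4586007 |
dnsint.local | 10.1.1.22 | Windows Server 2012 | KB4581001, KB4585587, KB4586007, KB4586010 |
wwwint.local | 10.1.1.23 | Windows Server 2012 | KB4581001 |
"""


def parse_scan(text):
    """Return {hostname: {"ip": ..., "os": ..., "kbs": set_of_KB_ids}}."""
    hosts = {}
    for line in text.strip().splitlines():
        cols = [c.strip() for c in line.strip().strip("|").split("|")]
        host, ip, os_name, updates = cols
        kbs = {k.strip() for k in updates.split(",") if k.strip()}
        hosts[host] = {"ip": ip, "os": os_name, "kbs": kbs}
    return hosts


def missing_updates(hosts):
    """For each host, the KBs installed somewhere in the fleet but not on it.

    The baseline is the union of observed KBs, so it is a lower bound only:
    a KB that no host has installed is invisible to this check."""
    baseline = set().union(*(h["kbs"] for h in hosts.values()))
    return {name: sorted(baseline - h["kbs"]) for name, h in hosts.items()}


def drift_report(text):
    """Human-readable remediation list, one line per host that is behind."""
    hosts = parse_scan(text)
    lines = []
    for name, missing in missing_updates(hosts).items():
        if missing:
            lines.append(f"{name} ({hosts[name]['ip']}): install {', '.join(missing)}")
    return lines


if __name__ == "__main__":
    for line in drift_report(SCAN_TABLE):
        print(line)
```

On the page's data, dnsint.local is the only host at the fleet baseline; addc02.local and wwwint.local are each missing three of the four observed updates, which is exactly the spread that a patch management plan (defined maintenance windows, a tested deployment pipeline, and compliance reporting) is meant to eliminate.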
Question 4
A client requires all penetration testers to sign an NDA before beginning an assessment. Which of the following explains the reason why the client would require this?
A. To establish the rules of engagement for the assessment
B. To establish a proper communication channel during the assessment
C. To protect information that may be disclosed during the assessment
D. To acknowledge the assessment deliverables
Question 5
A penetration tester discovers a system that appears to be exfiltrating data and reports it to the management team. Further investigation reveals malware artifacts have been residing on the host for some time. Which of the following BEST describes what the tester discovered?
A. A system software bug
B. Critical system vulnerabilities
C. Indicators of prior compromise
D. Malicious database login attempts
Question 6
A penetration tester who is performing a physical assessment of a company's security practices notices the company does not have any shredders inside the office building. Which of the following techniques would be BEST to use to gain confidential information?
A. Badge cloning
B. Dumpster diving
C. Tailgating
D. Shoulder surfing
Question 7
A penetration-testing team is conducting a physical penetration test to gain entry to a building. Which of the following is the reason why the penetration testers should carry copies of the engagement documents with them?
A. As backup in case the original documents are lost
B. To guide them through the building entrances
C. To validate the billing information with the client
D. As proof in case they are discovered
Question 8
A penetration tester ran an Nmap scan and received the following results:
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143 (EternalBlue)
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
Which of the following tools is BEST suited to exploit and validate the vulnerability on the server?
A. Metasploit
B. RouterSploit
C. SQLmap
D. JexBoss
Question 9
A penetration tester uses DirBuster on a website and discovers a directory called wp-includes. Which of the following is the BEST tool the penetration tester could use to further enumerate the website?
A. Nikto
B. WPScan
C. Nessus
D. Searchsploit
Question 10
Which of the following is the BEST recommendation for preventing SQL injection attacks?
A. Output encoding
B. Parameterized queries
C. URL encoding
D. Input validation
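Question 10 turns on a distinction worth making explicit: input validation and encoding reduce the attack surface, but only parameterized queries (prepared statements) structurally separate the SQL text from the data, so user input can never be parsed as SQL syntax. The following Python snippet is an added example (not from the exam page) that puts a string-built login query next to its parameterized form against an in-memory SQLite table with constructed rows, and shows the classic `' OR '1'='1` and comment-truncation payloads succeeding against one and failing against the other. One caveat: placeholders bind values only; table and column names chosen from user input still need an allow-list.

```python
# Added example (not from the exam page): SQL injection against a string-built
# query versus the same query with bound parameters. Data is constructed.
import sqlite3


def make_db():
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user text is spliced into the SQL string,
    so quotes and comment markers in it become SQL syntax."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Hardened: the SQL text is fixed; values are bound by the driver and
    can only ever be compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable, tautology:", login_vulnerable(db, tautology, tautology))
    print("parameterized, tautology:", login_parameterized(db, tautology, tautology))
    print("vulnerable, comment:", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterized, comment:", login_parameterized(db, "alice' --", "wrong"))
    print("parameterized, real creds:", login_parameterized(db, "alice", "s3cret"))
```

With the tautology payload the vulnerable query returns every user, and with `alice' --` it logs in as the admin without a password, because `--` comments out the rest of the WHERE clause; the parameterized query returns nothing for either payload and only succeeds with the real credentials. Input validation remains good defense in depth (for example, rejecting quotes in a username), but it is not what stops the injection.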
Question 1) D. Sessions and Cookies
Question 2) D. NDA
Question 3) B. Implement a patch management plan
Question 4) C. To protect information that may be disclosed during the assessment
Question 5) C. Indicators of prior compromise
Question 6) B. Dumpster diving
Question 7) D. As proof in case they are discovered
Question 8) A. Metasploit
Question 9) B. WPScan
Question 10) B. Parameterized queries