PenTest UPDATED Actual Exam Questions and CORRECT Answers
1 view 0 purchase
Course
PenTest
Institution
PenTest
PenTest UPDATED Actual Exam
Questions and CORRECT Answers
Mika runs the following Nmap scan:
Nmap -sU -sT -p 1-65535
What information will she receive? - CORRECT ANSWER- Vulnerability scanner. UDP
scan. TCP connect/full connect scan, meaning the user can't create raw packets for a SYN
sca...
PenTest UPDATED Actual Exam
Questions and CORRECT Answers
Mika runs the following Nmap scan:
Nmap -sU -sT -p 1-65535 example.com
What information will she receive? - CORRECT ANSWER- ✔✔Vulnerability scanner. UDP
scan. TCP connect/full connect scan, meaning the user can't create raw packets for a SYN
scan or is scanning an IPv6 network. Results for ports 1-65535.
What technique is being used in the following command:
Host -t axfr domain.com dns1.domain.com - CORRECT ANSWER- ✔✔Zone Transfer. The
axfr flag indicates a zone transfer in both dig and host utilities.
After running an Nmap scan of a system, Lauren discovers that TCP ports 139, 443, and 3389
are open. What operating system is she most likely to discover running on the system? -
CORRECT ANSWER- ✔✔Windows. Port 3389 is Remote Desktop Protocol (RDP).
Charles runs an Nmap scan using the following command:
Nmap -sT -sV -T2 -p 1-65535 example.com
After watching the scan run for over two hours, he realizes that he needs to optimize the scan
.Which of the following is not a useful way to speed up his scan? - CORRECT ANSWER-
✔✔Only scanning via UDP will not miss any TCP connections. Setting the scan to faster
timing (3 or faster), changing from a TCP connect scan to a TCP SYN scan, or limiting the
number of ports tested are all valid ways to speed up a scan.
Karen identifies TCP port 8080 and 8443 open on a remote system during a port scan. What
tool is her best option to manually validate the services running on these ports? - CORRECT
ANSWER- ✔✔A web browser. Many system administrators move services from their
common service ports to alternate ports and 808 and 8443 are likely alternate HTTP (TCP 80)
and HTTPS (TCP 443) server ports, and she will use a web browser to connect to those ports
to check them.
Angela recovered a PNG image during the early intelligence-gathering phase of a penetration
test and wants to examine it for useful metadata. What tool could she most successfully use to
do this? - CORRECT ANSWER- ✔✔Exiftool is designed to pull metadata from images and
other files.
,Duran an Nmap scan, Casey uses the -o flag. The scan identifies the host as follows:
Running Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
What can she determine from this information? - CORRECT ANSWER- ✔✔OS
identification in Nmap is based on a variety of response attributes. In this case, Nmap's best
guess is that the remote host is running a Linux 2.6.9-2.6.33 kernel, but it cannot be more
specific.
What is the full range of ports that a UDP service can run on? - CORRECT ANSWER- ✔✔1-
65,535
Steve is working from an unprivileged user account that was obtained as part of a penetration
test. He has discovered that the host he is on has Nmap installed and wants to scan other hosts
in his subnet to identify potential targets as part of a pivot attempt. What Nmap flag is he
likely to have to use to successfully scan hosts from this account? - CORRECT ANSWER-
✔✔-sT the TCP connect scan is often used when an un-privileged account is the tester's only
option.
Which of the following tools provides information about a domain's registrar and physical
location? - CORRECT ANSWER- ✔✔Whois provides information that can include the
organiztion's physical address, registrar, contact information, and other details.
Chris runs an Nmap scan of 10.10.0.0/16 network that his employer uses as an internal
network range for the entire organization. If he uses the -T0 flag, what issue is he likely to
encounter? - CORRECT ANSWER- ✔✔The -T flag in Nmap is used to set scan timing.
Timing setting range from 0 (paranoid) to 5 (insane). By default, it operates at 3, or normal.
With timing set to a very slow speed, Chris will run his scan for a very, very long time on a
/16 network.
Which of the following Nmap output formats is unlikely to be useful for a penetration tester?
- CORRECT ANSWER- ✔✔The Script Kiddie output format that Nmap supports is entirely
for fun-you should never have a practical need to use the -os flag for an actual penetration
test.
,During an early phase of his penetration test, Mike recovers a binary executable file he wants
to quickly analyze for useful information. Which of the following tools will quickly give him
a view of potentially useful information in the binary? - CORRECT ANSWER- ✔✔The
Strings command parses a file for strings of text and outputs them. It is often useful for
analyzing binary files, since you can quickly check for useful information with a single quick
command-line too.
Jack is conducting a penetration test for a customer in Japan. What NIC is he most likely to
need to check for information about his client's networks? - CORRECT ANSWER-
✔✔APNIC (Asian Pacific Network Interface Card)
Charles uses the following hping command to send traffic to a remote system.
Hping remotesite.com -S -V -p 80
What type of traffic will the remote system see? - CORRECT ANSWER- ✔✔TCP SYNs to
TCP port 80. Charles has issued a command that asks hping to send SYN traffic (-s) in
verbose mode (-v) to remotesite.com on port 80.
After running an SNMP sweep, Greg finds that he didn't receive any results. If he knows
there are no network protection devices in place and that there are devices that should
respond to SNMP queries, what problem does he most likely have? - CORRECT ANSWER-
✔✔Most modern SNMP deployments use a non-default community string. If Greg does not
have the correct community string, he will not receive the information he is looking for.
What does a result of *** mean during a traceroute? - CORRECT ANSWER- ✔✔No
response to the query, perhaps a timout, but traffic going through.
Rick wants to look at advertised routes to his target. What type of service should he look for
to do this? - CORRECT ANSWER- ✔✔A BGP looking glass
Why would a penetration tester look for expired certificates as part of an information-
gathering and enumeration exercise? - CORRECT ANSWER- ✔✔They indicate services
may not be properly updated or managed.
John has gained access to a system that he wants to use to gather more information about
other hosts in its local subnet. He wants to perform a a port scan but can not install other tools
to do so. Which of the following tools is not usable as a port scanner? - CORRECT
ANSWER- ✔✔ExifTool
, Ryan is conducting a penetration test and is targeting a database server. Which one of the
following tools would best assist him in detecting vulnerabilities on that server? - CORRECT
ANSWER- ✔✔Sqlmap is a dedicated database vulnerability scanner and is the most
appropriate tool for use in this scenario.
Gary is conducting a black box penetration test against an organization and is being provided
with the results of vulnerability scans that the organization already ran for use in his tests.
Which one of the following scans is most likely to provide him with helpful information
within the bounds of his test? - CORRECT ANSWER- ✔✔Full external scan. This is a black
box test, so it would not be appropriate for Gary to have access to scans conducted on the
internal network.
What tool can white box penetration testers use to help identify the systems present on a
network prior to conducting vulnerability scans? - CORRECT ANSWER- ✔✔Asset
Inventory
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS
compliance standard. What is the minimum frequency with which she must conduct scans? -
CORRECT ANSWER- ✔✔Quarterly
Which of the following is not an example of a vulnerability scanning tool? - CORRECT
ANSWER- ✔✔Snort
Which of the following technologies, when used within an organization, is the LEAST likely
to interfere with vulnerability scanning results achieved by external penetration testers? -
CORRECT ANSWER- ✔✔Encryption
Renee is configuring her vulnerability management solution to perform credentialed scans of
servers on her network. What type of account should she provide to the scanner? -
CORRECT ANSWER- ✔✔Credentialed scans only require read-only access to target servers.
Renee should follow the principle of least privilege and limit the access available to the
scanner.
Jason is writing a report about a potential security vulnerability in a software product and
wishes to use standardized product names to ensure that other security analysts understand
the report. Which SCAP component can Jason turn to for assistance? - CORRECT
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller MGRADES. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $9.99. You're not tied to anything after your purchase.
