Question 21
A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.
Which of the following is the BEST way to ensure this is a true positive?
A. Run another scanner to compare.
B. Perform a manual test on the server.
C. Check the results on the scanner.
D. Look for the vulnerability online.
Question 22
A penetration tester has been given eight business hours to gain access to a client's financial system.
Which of the following techniques will have the HIGHEST likelihood of success?
A. Attempting to tailgate an employee who is going into the client's workplace
B. Dropping a malicious USB key with the company's logo in the parking lot
C. Using a brute-force attack against the external perimeter to gain a foothold
D. Performing spear phishing against employees by posing as senior management
Question 23
A company's Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi's router.
Which of the following is MOST vulnerable to a brute-force attack?
A. WPS
B. WPA2-EAP
C. WPA-TKIP
D. WPA2-PSK
Question 24
A penetration tester writes the following script:
Which of the following objectives is the tester attempting to achieve?
A. Determine active hosts on the network.
B. Set the TTL of ping packets for stealth.
C. Fill the ARP table of the networked devices.
D. Scan the system on the most used ports.
Question 25
A penetration tester ran the following commands on a Windows server:
Which of the following should the tester do AFTER delivering the final report?
A. Delete the scheduled batch job.
B. Close the reverse shell connection.
C. Downgrade the svsaccount permissions.
D. Remove the tester-created credentials.
Question 26
A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host.
Which of the following utilities would BEST support this objective?
A. Socat
B. tcpdump
C. Scapy
D. dig
Question 27
A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.
Which of the following describes the scope of the assessment?
A. Partially known environment testing
B. Known environment testing
C. Unknown environment testing
D. Physical environment testing
Question 28
The following line-numbered Python code snippet is being used in reconnaissance:
Which of the following line numbers from the script MOST likely contributed to the script triggering a `probable port scan` alert in the organization's IDS?
A. Line 01
B. Line 02
C. Line 07
D. Line 08
E. Line 12
Question 29
A consulting company is completing the ROE during scoping.
Which of the following should be included in the ROE?
A. Cost of the assessment
B. Report distribution
C. Testing restrictions
D. Liability
Question 30
A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.
Which of the following is most important for the penetration tester to define FIRST?
A. Establish the format required by the client.
B. Establish the threshold of risk to escalate to the client immediately.
C. Establish the method of potential false positives.
D. Establish the preferred day of the week for reporting.
