The must-have test prep for the new CompTIA PenTest+ certification

CompTIA PenTest+ is an intermediate-level cybersecurity certification that assesses second-generation penetration testing, vulnerability assessment, and vulnerability-management skills. These cognitive and hands-on skills are required worldwide to responsibly perform assessments of IT systems, identify weaknesses, manage the vulnerabilities, and determine whether existing cybersecurity practices deviate from accepted practices, configurations and policies.

* Five unique 160-question practice tests
* Tests cover the five CompTIA PenTest+ objective domains
* Two additional 100-question practice exams
* A total of 1,000 practice test questions

This book helps you gain the confidence you need to take the CompTIA PenTest+ Exam PT0-001. The practice test questions prepare you for test success.
Number of pages: 673
Senior Acquisitions Editor: Kenyon Brown
Development Editor: Adaobi Obi Tulton
Technical Editor: S. Russ Christy
Production Editor: Amy Odum
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Proofreader: Kathryn Duggan
Indexer: Ted Laux
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Jeremy Woodhouse/Getty Images, Inc.
Copyright © 2019 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-54284-1 ISBN: 978-1-119-54289-6 (ebk.) ISBN: 978-1-119-54285-8 (ebk)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 019938095
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CompTIA and PenTest+ are trademarks or registered trademarks of The Computing Technology Industry Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1
This book is dedicated to my husband, William Panek, and to my daughters, Alexandria and Paige. Thank you all for your love and support. I love you all more than anything!—CMP
I would like to thank my husband and best friend, Will, because without him I would not be where I am today—thank you! I would also like to express my love to my two daughters, Alexandria and Paige, who have always shown nothing but love and support. Thank you all!
The authors would like to thank everyone on our Sybex team, especially our development editor, Adaobi Obi Tulton, who helped make this the best book possible, and S. Russell Christy, who is the technical editor. It’s always important to have the very best technical guru supporting you. We want to thank Amy Odum, who was our production editor and Kim Wimpsett, copyeditor.
Special thanks goes out to our acquisitions editor, Kenyon Brown. Finally, we also want to thank everyone else behind the scenes who helped make this book possible. We thank you all for your hard work and dedication.
Crystal Panek holds the following certifications: MCP, MCP+I, MCSA, MCSA+ Security and Messaging, MCSE-NT (3.51 & 4.0), MCSE 2000, 2003, 2012/2012 R2, 2016, MCSE+Security and Messaging, MCDBA, MCTS, MCITP.
For many years she trained as a contract instructor teaching at such places as MicroC, Stellacon Corporation and the University of New Hampshire. She then became the vice-president for a large IT training company and for 15 years she developed training materials and courseware to help thousands of students get through their certification exams. She currently works on a contract basis creating courseware for several large IT training facilities.
She currently resides in New Hampshire with her husband and two daughters. In her spare time, she likes to camp, hike, shoot trap and skeet, golf, bowl, and snowmobile.
S. Russell Christy is a technical trainer from Memphis, Tennessee, covering a wide variety of products and specializing in computer maintenance, networking and security; Microsoft Office applications; and web and print design. For over 20 years he has deployed new desktops and operating systems, servers, and network hardware and software, while simultaneously troubleshooting various hardware and software issues.
Mr. Christy holds a bachelor's degree in business administration from the University of Memphis. He also holds industry certifications in CompTIA A+, CompTIA Network+, CompTIA Server+, CompTIA Security+, CompTIA CySA+, Cisco CCNA CyberOps, and MTA Windows Server Administration Fundamentals, Network Fundamentals, Security Fundamentals, and Windows OS Fundamentals, and is an Adobe Education Trainer.
Table of Contents
About the Author
About the Technical Editor
Chapter 1 Planning and Scoping Penetration Tests
Chapter 2 Information Gathering and Vulnerability Identification
Chapter 3 Attacks and Exploits
Chapter 4 Penetration Testing Tools
Chapter 5 Reporting and Communication
Chapter 6 Practice Exam 1
Chapter 7 Practice Exam 2
Appendix Answers and Explanations
  Chapter 1: Planning and Scoping Penetration Tests
  Chapter 2: Information Gathering and Vulnerability Identification
  Chapter 3: Attacks and Exploits
  Chapter 4: Penetration Testing Tools
  Chapter 5: Reporting and Communication
  Chapter 6: Practice Exam 1
  Chapter 7: Practice Exam 2
End User License Agreement
CompTIA PenTest+ Practice Tests: Exam PT0-001 is a companion to the CompTIA PenTest+ Study Guide: Exam PT0-001. This book will help you test your knowledge before you take the PenTest+ exam. We have provided you with over 1,000 questions that cover the concepts of the CompTIA PenTest+ certification exam objectives. This book will help prepare you to take the CompTIA PenTest+ (PT0-001) exam.
Use this book as a guide to help you determine what you need to focus more on prior to taking the actual exam.
Before you attempt the PenTest+ exam, you should already be a practicing security practitioner. CompTIA suggests that test-takers have an intermediate skill level, as defined by its cybersecurity career pathway. You should also be familiar with some of the tools and techniques covered in this book.
CompTIA is a nonprofit trade organization that offers certifications in a variety of information technology areas. The certifications range from the A+ exam, which covers the skills needed to become a PC support technician, to more advanced certifications such as the CompTIA Advanced Security Practitioner (CASP). With the ever-increasing number of cyberattacks and connected devices, the need for skilled cybersecurity professionals is growing rapidly. The CompTIA Cybersecurity Career Pathway helps IT professionals achieve cybersecurity mastery.
The CompTIA CySA+ and CompTIA PenTest+ exams are considered to be more advanced exams and are intended for professionals with hands-on experience who also possess the knowledge covered by the previous exams from the Career Pathway.
CompTIA certifications are ISO and ANSI accredited, and are used within a multitude of industries as a gauge of an individual’s technical skills and knowledge.
CompTIA certifications help individuals build outstanding careers in the information technology field and allow companies to have knowledgeable, well-trained employees. Certifications are deemed very important in the IT world today: employers looking to hire or promote need to be sure that a candidate has the skills required for the position, and certification offers proof of those skills.
The CompTIA PenTest+ is for cybersecurity professionals whose job deals with penetration testing and vulnerability management.
Here is a list of a few positions that utilize the CompTIA PenTest+:
Security analyst (II)
Vulnerability assessment analyst
Network security operations
Application security vulnerability
On July 31, 2018, CompTIA launched the PenTest+ certification. This cybersecurity certification is designed for IT professionals who need to identify, exploit, report and manage vulnerabilities on a network.
The CompTIA PenTest+ exam is the only penetration testing exam given at a Pearson VUE testing center that includes both performance-based questions and multiple-choice questions in order to ensure that the candidates have the skills and knowledge necessary to perform tasks on systems.
The PenTest+ exam is unique in that it requires candidates to demonstrate their hands-on ability and knowledge to test devices in traditional desktops and servers as well as new environments such as the cloud and mobile.
After passing the PenTest+ exam, successful candidates will have the skills required to customize and perform assessments and to report findings efficiently. Candidates will also be able to communicate and recommend strategies to improve the overall state of IT security for a network.
The PenTest+ exam is designed as a vendor-neutral certification for penetration testers. It measures current penetration testing, vulnerability assessment, and vulnerability management skills, with a focus on network resiliency testing. Successful candidates prove their ability to plan and scope assessments, to handle legal and compliance requirements, to perform vulnerability scanning and penetration testing activities using a range of tools and techniques, and to analyze the results.
This book is broken down into the following exam objectives:
1.0 Planning and Scoping
2.0 Information Gathering and Vulnerability Identification
3.0 Attacks and Exploits
4.0 Penetration Testing Tools
5.0 Reporting and Communication
These five areas include a range of subtopics, from scoping penetration tests to performing host enumeration and exploits.
CompTIA recommends that candidates have three or four years of information security–related experience before taking this exam. While there are no required prerequisites, CompTIA recommends that candidates have already taken the Security+ exam or have equivalent experience. The exam costs $349 USD.
More information regarding the PenTest+ exam and how to take it can be found at: https://certification.comptia.org/certifications/pentest.
Once you are prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:
Once you have your voucher number, you will need to contact Pearson VUE. CompTIA has partnered with Pearson VUE, which has testing center locations worldwide. To locate the nearest testing center and to schedule your exam, go to: https://home.pearsonvue.com/comptia.
Pearson VUE requires that candidates sign into their system in order to schedule exams. If you have an account, just sign in. If you do not have an account, you will need to create one.
On the day of the exam, take two forms of identification and arrive earlier than the exam start time to give yourself enough time to sign in. Remember that you will not be able to bring any notes, electronic devices or other materials in with you. Either leave them in your vehicle or use the secure location the testing center provides for storing your belongings.
Once you have completed the exam, you will know your score immediately. The testing center will hand you a copy of your score report and sign you out of the testing center. You should maintain your copy of the score report along with your exam registration records and the email address you used to register for the exam.
CompTIA certifications must be renewed periodically. To renew your certification, you must either pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete enough continuing education activities to earn the required number of Continuing Education Units (CEUs). At the time this book was written, renewing the PenTest+ certification through continuing education required 60 CEUs.
CompTIA provides additional information on renewals at:
When you sign up to renew your certification, you will be asked to agree to the Continuing Education (CE) program’s Code of Ethics, pay your renewal fee, and to submit the materials required for your chosen renewal method.
This book is organized into seven chapters.
Chapter 1: Planning and Scoping
Chapter 2: Information Gathering and Vulnerability Identification
Chapter 3: Attacks and Exploits
Chapter 4: Penetration Testing Tools
Chapter 5: Reporting and Communication
Chapter 6: Practice Exam 1
Chapter 7: Practice Exam 2
Each of the first five chapters covers one exam domain with a variety of questions that help you test your understanding of the PenTest+ exam objectives. The final two chapters are full-length practice exams that you can take under timed conditions to help determine whether you are ready to take the PenTest+ exam.
We recommend taking the practice exams to help identify where you may need to spend more time studying.
As you work through some of the questions in this book, you may encounter tools and technology that you are unfamiliar with. If you find that you are having difficulties, we recommend spending some extra time with books and materials that will help you delve deeper into the subject of interest. This will help fill in any gaps and help you be more prepared to take the exam.
This book has been written to cover PenTest+ exam objectives. The table below lists the domains measured by this exam and the extent to which they are represented.
Percentage of Exam
1.0 Planning and Scoping
2.0 Information Gathering and Vulnerability Identification
3.0 Attacks and Exploits
4.0 Penetration Testing Tools
5.0 Reporting and Communication
The following objective map for the CompTIA PenTest+ certification exam will enable you to find where each objective is covered in the book.
1.0 Planning and Scoping
1.1 Explain the importance of planning for an engagement.
Understanding the target audience, Rules of Engagement, Communication escalation path, Resources and requirements, Confidentiality of findings, Known vs. Unknown, Budget, Impact analysis and remediation timelines, Disclaimers, Point-in-time assessment, Comprehensiveness, Technical constraints, Support resource, Web Services Description Language/Web Application Description Language (WSDL/WADL), Simple Object Access Protocol (SOAP) project file, Software Development Kit (SDK) documentation, Swagger document, XML Schema Document (XSD), Sample application requests, Architectural diagrams
1.2 Explain key legal concepts.
Contracts, Statement of Work (SOW), Master Service Agreement (MSA), Non-Disclosure Agreement (NDA), Environmental differences, Export restrictions, Local and national government restrictions, Corporate policies, Written authorization, Obtain signature from proper signing authority, Third-party provider authorization when necessary
1.3 Explain the importance of scoping an engagement properly.
Types of assessment, goals-based/objectives-based, compliance-based, red team, special scoping considerations, premerger, supply chain, target selection, targets, internal, on-site vs. off-site, external, first-party vs. third-party hosted, physical users, service set identifier (SSID), applications, considerations, white-listed vs. black-listed, security exceptions, intrusion prevention system/web application firewall (IPS/WAF) whitelist, network access control (NAC), certificate pinning, company’s policies, strategy, black box vs. white box vs. gray box, risk acceptance, tolerance to impact, scheduling, scope creep, threat actors, adversary tier, advanced persistent threat (APT), script kiddies, hacktivist, insider threat, capabilities, intent, threat models
1.4 Explain the key aspects of compliance-based assessments.
Compliance-based assessments, limitations and caveats, Rules to complete assessment, password policies, data isolation, key management, limitations, limited network access, limited storage access, clearly defined objectives, based on regulations
2.0 Information Gathering and Vulnerability Identification
2.1 Given a scenario, conduct information gathering using appropriate techniques.
Scanning, enumeration, hosts, networks, domains, users, groups, network shares, web pages, applications, services, tokens, social networking sites, packet crafting, packet inspection, fingerprinting, cryptography, certificate inspection, eavesdropping, radio frequency (RF) communication monitoring, sniffing, wired, wireless, decompilation, debugging, open-source intelligence gathering, sources of research, Computer Emergency Response Team (CERT), National Institute of Standards and Technology (NIST), Japan Computer Emergency Response Team (JPCERT), Common Attack Pattern Enumeration and Classification (CAPEC), full disclosure, Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE)
2.2 Given a scenario, perform a vulnerability scan.
Credentialed vs. noncredentialed, types of scans, discovery scan, full scan, stealth scan, Compliance scan, Container security, application scan, dynamic vs. static analysis, Considerations of vulnerability scanning, time to run scans, Protocols used, Network topology, Bandwidth limitations, query throttling, fragile systems/nontraditional assets
2.3 Given a scenario, analyze vulnerability scan results.
Asset categorization, adjudication, false positives, prioritization of vulnerabilities, common themes, vulnerabilities, observations, lack of best practices
2.4 Explain the process of leveraging information to prepare for exploitation.
Map vulnerabilities to potential exploits, prioritize activities in preparation for penetration test, describe common techniques to complete attack, cross-compiling code, exploit modification, exploit chaining, proof-of-concept development (exploit development), social engineering, credential brute forcing, dictionary attacks, rainbow tables, deception
2.5 Explain weaknesses related to specialized systems.
Industrial control systems (ICS), supervisory control and data acquisition (SCADA), mobile, internet of things (IOT), embedded, point-of-sale system, biometrics, application containers, real-time operating system (RTOS)
3.0 Attacks and Exploits
3.1 Compare and contrast social engineering attacks.
Phishing, spear phishing, short message service (SMS) phishing, voice phishing, whaling, elicitation, business email compromise, interrogation, impersonation, shoulder surfing, universal serial bus (USB) key drop, motivation techniques, authority, scarcity, social proof, urgency, likeness, fear
3.2 Given a scenario, exploit network-based vulnerabilities.
Name resolution exploits, network basic input/output system (NetBIOS) name service, link-local multicast name resolution (LLMNR), server message block (SMB) exploits, simple network management protocol (SNMP) exploits, simple mail transfer protocol (SMTP) exploits, file transfer protocol (FTP) exploits, domain name service (DNS) cache poisoning, pass the hash, man-in-the-middle, address resolution protocol (ARP) spoofing, replay, relay, secure sockets layer (SSL) stripping, downgrade, denial of service (DoS)/stress test, network access control (NAC) bypass, virtual local area network (VLAN) hopping
3.3 Given a scenario, exploit wireless and RF-based vulnerabilities.
Evil twin, karma attack, downgrade attack, deauthentication attacks, fragmentation attacks, credential harvesting, Wi-Fi protected setup (WPS) implementation weakness, bluejacking, bluesnarfing, radio frequency identification (RFID) cloning, jamming, repeating
3.4 Given a scenario, exploit application-based vulnerabilities.
Injections, structured query language (SQL), hypertext markup language (HTML), command, code, authentication, credential brute forcing, session hijacking, redirect, default credentials, weak credentials, kerberos exploits, authorization, parameter pollution, insecure direct object reference, cross-site scripting (XSS), stored/persistent, reflected, document object model (DOM), cross-site request forgery (CSRF/XSRF), clickjacking, security misconfiguration, directory traversal, cookie manipulation, file inclusion, local, remote, unsecure code practices, comments in source code, lack of error handling, overly verbose error handling, hard-coded credentials, race conditions, unauthorized use of functions/unprotected application programming interface (API), hidden elements, sensitive information in the document object model (DOM), lack of code signing
3.5 Given a scenario, exploit local host vulnerabilities.
Operating system (OS) vulnerabilities, windows, mac operating system (OS), Linux, Android, iPhone operating system (iOS), unsecure service and protocol configurations, privilege escalation, Linux-specific, set user id/set group id (SUID/SGID) programs, unsecure sudo, ret2libc, sticky bits, windows-specific, cpassword, clear text credentials in lightweight directory access protocol (LDAP), kerberoasting, credentials in local security authority subsystem service (LSASS), unattended installation, security account manager (SAM) database, dynamic link library (DLL) hijacking, exploitable services, unquoted service paths, writable services, unsecure file/folder permissions, keylogger, scheduled tasks, kernel exploits, default account settings, sandbox escape, shell upgrade, virtual machine (VM), container, physical device security, cold boot attack, joint test action group (JTAG) debug, serial console
3.6 Summarize physical security attacks related to facilities.
Piggybacking/tailgating, fence jumping, Dumpster diving, lock picking, lock bypass, egress sensor, badge cloning
3.7 Given a scenario, perform post-exploitation techniques.
Lateral movement, remote procedure call/distributed component object model (RPC/DCOM), PsExec, Windows management instrumentation (WMI), scheduled tasks, PowerShell (PS) remoting/WinRM, server message block (SMB), remote desktop protocol (RDP), Apple remote desktop, virtual network computing (VNC), X-server forwarding, Telnet, secure shell (SSH), remote shell (RSH)/Rlogin, persistence, scheduled jobs, scheduled tasks, daemons, back doors, trojan, new user creation, covering your tracks
4.0 Penetration Testing Tools
4.1 Given a scenario, use Nmap to conduct information gathering exercises.
Synchronize (SYN) scan (-sS) vs. full connect scan (-sT), port selection (-p), service identification (-sV), OS fingerprinting (-O), disabling ping (-Pn), target input file (-iL), timing (-T), output parameters, -oA (all), -oN (normal), -oG (greppable/searchable), -oX (XML output)
4.2 Compare and contrast various use cases of tools.
Use cases, reconnaissance, enumeration, vulnerability scanning, credential attacks, offline password cracking, brute-forcing services, persistence, configuration compliance, evasion, decompilation, forensics, debugging, software assurance, fuzzing, static application security testing (SAST), dynamic application security testing (DAST), tools, scanners, Nikto, OpenVAS, SQLmap, Nessus, credential testing tools, Hashcat, Medusa, Hydra, CeWL, John the Ripper, Cain and Abel, Mimikatz, Patator, DirBuster, Web Application Attack and Audit Framework (W3AF), debuggers, OllyDbg, Immunity Debugger, GNU Project Debugger (GDB), WinDbg, IDA, software assurance, FindBugs/FindSecBugs, Peach, AFL, SonarQube, YASCA, open source intelligence (OSINT), whois, nslookup, FOCA, theHarvester, Shodan, Maltego, Recon-ng, Censys, wireless, Aircrack-ng, Kismet, WiFite, web proxies, OWASP ZAP, Burp Suite, social engineering tools, Social-Engineer Toolkit (SET), Browser Exploitation Framework (BeEF), remote access tools, secure shell (SSH), Ncat, Netcat, proxychains, networking tools, Wireshark, hping, mobile tools, Drozer, APKX, APK Studio, misc., searchsploit, PowerSploit, Responder, Impacket, Empire, Metasploit Framework
4.3 Given a scenario, analyze tool output or data related to a penetration test.
Password cracking, pass the hash, setting up a bind shell, setting a reverse shell, proxying a connection, uploading a web shell, injections
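Objectives 4.1 and 4.3 above list the Nmap flags and output formats a tester is expected to recognize and the tool output a tester is expected to read. The following Python script is an added example written for this page (it is not code from the book, from CompTIA or from the Nmap project): it assembles the argument list for the scan those flags describe and parses the greppable (-oG) file such a scan writes into a structure the next phase can act on. The sample output embedded in it is constructed, and the helper names (build_nmap_args, parse_greppable, open_ports, hosts_with_open_port) are this example's own.

```python
# Added example for objectives 4.1 and 4.3: assemble the Nmap command line
# those objectives describe and parse the greppable (-oG) file it writes.
# Illustrative code written for this page, not from the book or from Nmap.
from typing import Dict, List

# Constructed sample of an Nmap -oG file (hosts, banners and timings are
# made up; the field layout follows Nmap's greppable format: tab-separated
# "Key: value" fields, with port entries written as
# port/state/protocol/owner/service/rpc info/version/).
SAMPLE_GREPPABLE = (
    "# Nmap 7.80 scan initiated as: nmap -sS -sV -O -Pn -T4 -iL targets.txt -oA scan\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http//nginx 1.14.0/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\tOS: Linux 3.2 - 4.9\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2016/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"
    "\tIgnored State: closed (998)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned in 90.12 seconds\n"
)


def build_nmap_args(targets_file: str, ports: str = "1-1024",
                    output_base: str = "scan", syn_scan: bool = True,
                    timing: int = 4) -> List[str]:
    """Return argv for the scan profile in objective 4.1.

    -sS (SYN scan) and -O (OS fingerprinting) need raw-socket privileges;
    pass syn_scan=False to fall back to a full connect scan (-sT).
    -Pn skips host discovery so hosts that drop ICMP are still scanned.
    -oA writes normal, greppable and XML output under one base name.
    """
    return ["nmap", "-sS" if syn_scan else "-sT", "-sV", "-O", "-Pn",
            "-p", ports, f"-T{timing}", "-iL", targets_file,
            "-oA", output_base]


def parse_greppable(text: str) -> Dict[str, dict]:
    """Parse -oG text into {ip: {"status", "os", "ports": [...]}}."""
    hosts: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") and blanks
        fields = {}
        for field in line.split("\t"):
            key, sep, value = field.partition(": ")
            if not sep:
                raise ValueError(f"line {lineno}: malformed field {field!r}")
            fields[key] = value
        ip = fields["Host"].split(" ", 1)[0]  # "10.0.0.5 (name)" -> "10.0.0.5"
        entry = hosts.setdefault(ip, {"status": None, "os": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for spec in filter(None, fields.get("Ports", "").split(", ")):
            parts = spec.split("/")
            if len(parts) < 7:
                raise ValueError(f"line {lineno}: malformed port entry {spec!r}")
            entry["ports"].append({
                "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                "service": parts[4], "version": parts[6],
            })
    return hosts


def open_ports(hosts: Dict[str, dict], ip: str) -> List[int]:
    """Sorted open port numbers for one host."""
    return sorted(p["port"] for p in hosts[ip]["ports"] if p["state"] == "open")


def hosts_with_open_port(hosts: Dict[str, dict], port: int) -> List[str]:
    """IPs exposing a given port, e.g. 445 when picking SMB targets."""
    return sorted(ip for ip in hosts if port in open_ports(hosts, ip))


if __name__ == "__main__":
    import sys
    # Parse a real -oG file named on the command line, else the sample above.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GREPPABLE
    print(" ".join(build_nmap_args("targets.txt")))
    for ip, info in parse_greppable(data).items():
        print(ip, info["status"], info["os"] or "OS unknown",
              [f'{p["port"]}/{p["service"]}' for p in info["ports"] if p["state"] == "open"])
```

Run it with no arguments to parse the embedded sample, or pass the path of a real .gnmap file (the greppable file that -oA writes). Parsing the file rather than reading the normal output by eye is what makes the 4.3 task repeatable: the same function can feed the next phase, for example selecting every host with 445/tcp open before the SMB work in objective 3.2, and a malformed line fails loudly instead of silently dropping a host.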
4.4 Given a scenario, analyze a basic script (limited to Bash, Python, Ruby, and PowerShell).
Logic, looping, flow control, input/output (I/O), file vs. terminal vs. network, substitutions, variables, common operations, string operations, comparisons, error handling, arrays, encoding/decoding
5.0 Reporting and Communication
5.1 Given a scenario, use report writing and handling best practices.
Normalization of data, written report of findings and remediation, executive summary, methodology, findings and remediation, metrics and measures, risk rating, conclusion, risk appetite, storage time for report, secure handling and disposition of reports
5.2 Explain post-report delivery activities.
Post-engagement cleanup, removing shells, removing tester-related credentials, removing tools, client acceptance, lessons learned, follow-up actions/retest, attestation of findings
5.3 Given a scenario, recommend mitigation strategies for discovered vulnerabilities.
Solutions, people, process, technology, findings, shared local administrator credentials, weak password complexity, plain text passwords, no multifactor authentication, Structured Query Language (SQL) injection, unnecessary open services, remediation, randomize credentials/local administrator password solution (LAPS), minimum password requirements/password filters, encrypt the passwords, implement multifactor authentication, sanitize user input/parameterize queries, system hardening
5.4 Explain the importance of communication during the penetration testing process.
Communication path, communication triggers, critical findings, stages, indicators of prior compromise, reasons for communication, situational awareness, de-escalation, de-confliction, goal reprioritization
THE PENTEST+ EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1: Planning and Scoping
1.1 Explain the importance of planning for an engagement.
Understanding the target audience
Rules of engagement
Communication escalation path
Resources and requirements
Confidentiality of findings
Known vs. unknown
Impact analysis and remediation timelines
SOAP project file
Sample application requests
1.2 Explain key legal concepts.
Local and national government restrictions
Obtain signature from proper signing authority
Third-party provider authorization when necessary
1.3 Explain the importance of scoping an engagement properly.
Types of assessments
Special scoping considerations
On-site vs. off-site
First-party vs. third-party hosted
White-listed vs. black-listed
Black box vs. white box vs. gray box
Tolerance to impact
1.4 Explain the key aspects of compliance-based assessments.
Compliance-based assessments, limitations, and caveats
Rules to complete assessment
Limited network access
Limited storage access
Clearly defined objectives based on regulations
You have been asked to perform a penetration test for a medium-sized organization that sells after-market motorcycle parts online. What is the first task you should complete?Research the organization’s product offerings.Determine the budget available for the test.Identify the scope of the test.Gain authorization to perform the test.
A consultant has been hired to perform a penetration test for an organization. The target of the test is the organization’s proprietary design documents. The aim is to circumvent security measures and gain unauthorized access to these documents. What type of assessment is being conducted in this scenario?Objective-based assessmentGoal-based assessmentCompliance-based assessmentRed team assessment
A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The aim is to circumvent security measures and gain unauthorized access to this information. What type of assessment is being conducted in this scenario?
A. Objective-based assessment
B. Gray box assessment
C. Compliance-based assessment
D. White box assessment

A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The penetration tester has been given full knowledge of the organization’s underlying network. What type of test is being conducted in this example?
A. Goal-based assessment
B. Black box assessment
C. Objective-based assessment
D. White box assessment

In which type of penetration test does the tester have a limited amount of information about the target environment but is not granted full access?
A. Gray box assessment
B. Black box assessment
C. Compliance-based assessment
D. White box assessment

Which type of penetration test best replicates the perspective of a real-world attacker?
A. Gray box assessment
B. Black box assessment
C. Objective-based assessment
D. White box assessment

A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s HR database application. The tester has been given a desk, a computer connected to the organization’s network, and a network diagram. However, the tester has not been given any authentication credentials. What type of test is being conducted in this scenario?
A. Compliance-based assessment
B. Black box assessment
C. Gray box assessment
D. White box assessment

A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s e-commerce website. The tester, located in a different city, will utilize several different penetration testing tools to analyze the site and attack it. The tester does not have any information about the site or any authentication credentials. What type of test is being conducted in this scenario?
A. White box assessment
B. Black box assessment
C. Objective-based assessment
D. Gray box assessment

A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s internal firewalls. The tester has been given a desk, a computer connected to the organization’s network, and a network diagram. The tester has also been given authentication credentials with a fairly high level of access. What type of test is being conducted in this scenario?
A. Gray box assessment
B. Black box assessment
C. Goals-based assessment
D. White box assessment

Which type of penetration test best focuses the tester’s time and efforts while still providing an approximate view of what a real attacker would see?
A. Gray box assessment
B. Black box assessment
C. Goals-based assessment
D. White box assessment

An attacker downloads the Low Orbit Ion Cannon from the Internet and then uses it to conduct a denial-of-service attack against a former employer’s website. What kind of attacker is this?
A. Script kiddie
B. Hacktivist
C. Organized crime
D. Nation-state

An attacker carries out an attack against a government contractor in a neighboring country, with the goal of gaining access through the contractor to the rival country’s governmental network infrastructure. The government of the attacker’s own country is directing and funding the attack. What type of threat actor is this?
A. Script kiddie
B. Hacktivist
C. Organized crime
D. Nation-state

A group of hackers located in a former Soviet-bloc nation have banded together and released a ransomware app on the Internet. Their goal is to extort money in the form of cryptocurrency from their victims. What kind of attacker is this?
A. Malicious insider
B. Hacktivist
C. Organized crime
D. Nation-state

An attacker who is a passionate advocate for brine shrimp attacks and defaces the website of a company that harvests brine shrimp and sells them as fish food. What type of attacker is this?
A. Script kiddie
B. Hacktivist
C. Organized crime
D. Nation-state

An employee has just received a very negative performance review from his manager. The employee feels the review was biased and the poor rating unjustified. In retaliation, the employee accesses confidential employee compensation information from an HR database server and posts it anonymously on Glassdoor. What kind of attacker is this?
A. Script kiddie
B. Hacktivist
C. Organized crime
D. Malicious insider

Which of the following attackers are most likely to be able to carry out an advanced persistent threat (APT)? (Choose two.)
A. Malicious insider
B. Script kiddie
C. Hacktivist
D. Organized crime
E. Nation-state

Which of the following entities are most likely to become the target of an advanced persistent threat (APT)? (Choose two.)
A. A government contractor
B. A website offering lessons on search engine optimization (SEO)
C. A multinational bank
D. A dental practice
E. A community college

Which threat actor is most likely to be motivated by a political cause?
A. Malicious insider
B. Hacktivist
C. Organized crime
D. Script kiddie

Which threat actor is most likely to be motivated by a desire to gain attention?
A. Malicious insider
B. Script kiddie
C. Organized crime
D. Nation-state

Which type of penetration test usually provides the most thorough assessment in the least amount of time?
A. Gray box assessment
B. Black box assessment
C. Goals-based assessment
D. White box assessment

You are performing research that will be used to define the scope of a penetration test that your company will perform for a client. What information must be included in your research? (Choose two.)
A. Why is the test being performed?
B. When was the last time a test was performed?
C. What were the results of the last test performed?
D. To whom should invoices be sent?
E. Who is the target audience for the test?

You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements must be included? (Choose two.)
A. A timeline for the engagement
B. A review of laws that specifically govern the target
C. A list of similar organizations that you have assessed in the past
D. A list of the target’s competitors
E. A detailed map of the target’s network

You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements should you make sure to include? (Choose two.)
A. Detailed billing procedures
B. A list of out-of-scope systems
C. A list of in-scope systems
D. An approved process for notifying the target’s competitors about the engagement
E. Arbitration procedures for resolving disputes between you and the client

You are documenting the rules of engagement (ROE) for an upcoming penetration test. Which elements should be considered? (Choose two.)
A. A list of IP addresses assigned to the systems you will use to conduct the test
B. How you will communicate the results of the test with the target
C. A list of penetration testing tools you will use during the test
D. A list of references from past clients for whom you have conducted penetration tests
E. A list of behaviors that are not allowed on the part of the target during the test

You are defining the rules of engagement (ROE) for an upcoming penetration test. During this process, you have defined off-limit times when you should not attack the target, a list of in-scope and out-of-scope systems, and data-handling requirements for the information you gather during the test. You also phoned one of the help-desk technicians at the target site and received verbal permission to conduct the test. You recorded the technician’s name and the date in the ROE document. What did you do incorrectly in this scenario?
A. For privacy reasons, you should not have identified the internal technician by name in the ROE document.
B. Including “off-limits” times reduces the accuracy of the test.
C. The ROE should include written permission from senior management.
D. All systems should be potential targets during the test.
E. The target should not know how you are storing the information gathered during the test.

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. You have specified that the target may not employ shunning or blacklisting during the test. You have specified that the target must provide you with internal access to the network, a network map, and authentication credentials. You have also specified that applications provided by a SaaS service provider are off-limits during the test. What did you do incorrectly in this scenario?
A. The target should be allowed to use whatever means it chooses to defend itself.
B. Having detailed information about the internal network invalidates the results of the test.
C. All network resources should be subject to testing, including cloud-based resources.
D. Nothing. The ROE has been defined appropriately.

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a black box assessment. The client has specified that they do not want the test to be conducted during peak times of the day, so you added “timeout” time frames to the document when testing will be suspended. You have specified that no communications will occur between you and the client until the end of the test when you submit your final test results. You have also specified that the target must provide you with internal access to the network, a network map, and authentication credentials. What did you do incorrectly in this scenario?
A. Having detailed information about the internal network invalidates the results of the test.
B. Pausing the assessment during peak times invalidates the results of the test.
C. Communications between the testers and the client should occur at regular intervals throughout the test.
D. Nothing. The ROE has been defined appropriately.

You own a small penetration testing consulting firm. You are worried that a client may sue you months or years after penetration testing is complete if their network is compromised by an exploit that didn’t exist when the test was conducted. What should you do?
A. Insist that clients sign a nondisclosure agreement (NDA) prior to the test.
B. Include a disclaimer in the agreement indicating that the results are valid only at the point in time when the test was performed.
C. Include an arbitration clause in the agreement to prevent a lawsuit.
D. Insist that clients sign a statement of work (SOW) prior to the test.

You own a small penetration testing consulting firm. You are worried that a client who requests a black box assessment may sue you after penetration testing is complete if their network is compromised by an exploit. What should you do?
A. Insist that clients sign a purchase order prior to the test.
B. Insist that clients sign a master services agreement (MSA) prior to the test.
C. Include a disclaimer in the agreement indicating that the test methodology can impact the comprehensiveness of the test.
D. Refuse to perform black box tests.

You are defining the rules of engagement (ROE) for an upcoming penetration test. You are working on the problem resolution section of the document. Which elements should be included in this section? (Choose two.)
A. Clearly defined problem escalation procedures
B. A timeline for the engagement
C. In-scope systems, applications, and service providers
D. Out-of-scope systems, applications, and service providers
E. Acknowledgment that penetration testing carries inherent risks

You work at a penetration testing consulting firm. An organization that you have not worked with previously calls and asks you to perform a black box assessment of its network. You agree on a price and scope over the phone. After quickly designing the test on paper, you begin execution later that afternoon. Was this test conducted properly?
A. Yes, proper penetration test planning and scoping procedures were followed.
B. No, new clients should be properly vetted before beginning an assessment.
C. No, a master service agreement (MSA) should be signed before testing begins.
D. No, the rules of engagement (ROE) for the test should be documented and signed by both parties.

You are arranging the terms of a penetration test with a new client. Which of the following is an appropriate way to secure legal permission to conduct the test?
A. Ask a member of senior management via email for permission to perform the test.
B. Ask a member of the IT staff over the phone for permission to perform the test.
C. Ask a member of the IT staff to sign a document granting you permission to perform the test.
D. Ask a member of senior management to sign a document granting you permission to perform the test.

Which type of penetration test best simulates an outsider attack?
A. Black box
B. Gray box
C. White box
D. Blue box

You need to conduct a penetration test for a client that best assesses the target organization’s vulnerability to a malicious insider who has the network privileges of an average employee. Which type of test should you perform?
A. Gray box
B. White box
C. Black box
D. Red box

Which type of penetration test requires the most time and money to conduct?
A. White box
B. Gray box
C. Black box
D. Green box

A penetration tester uses a typical employee email account to send a phishing email exploit to managers and executives within the target organization. The goal is to see how many actually fall for the exploit and click the link in the message. What kind of penetration test is being performed in this scenario?
A. Black box
B. Gray box
C. White box
D. Red box

You work for a penetration testing firm. A client calls and asks you to perform an exhaustive test that deeply probes their infrastructure for vulnerabilities. What kind of test should you recommend?
A. Gray box
B. White box
C. Black box
D. Blue box

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. This will be an internal test. No third parties may be involved. Which of the following resources could be considered in-scope for the assessment? (Choose two.)
A. Active Directory users
B. Password policies defined within Group Policy
C. Microsoft Office 365 cloud applications
D. Google Docs
E. Microsoft Azure web servers

What is the most important step in the penetration testing planning and scoping process?
A. Obtaining written authorization from the client
B. Writing the rules of engagement (ROE)
C. Selecting a testing methodology
D. Defining in-scope and out-of-scope systems, applications, and service providers

Which of the following is a formal document that defines exactly what will be done during a penetration test?
A. Master service agreement (MSA)
B. Nondisclosure agreement (NDA)
C. Statement of work (SOW)
D. Purchase order (PO)

You work for a penetration testing firm. You go to dinner with a potential client. To demonstrate your organization’s technical expertise with penetration testing, you list several of your other clients by name and describe in detail various problems your assessments discovered at each one. Which of the following was violated when you did this?
A. Statement of work (SOW)
B. Nondisclosure agreement (NDA)
C. Master service agreement (MSA)
D. Purchase order (PO)

You work for a penetration testing firm. A potential client called about your services. After reviewing what your organization can do, the client decides to schedule a single black box test. If they are happy with the results, they may consider future tests. Which of the following will you likely ask the client to sign first?
A. Purchase order (PO)
B. Nondisclosure agreement (NDA)
C. Master service agreement (MSA)
D. Statement of work (SOW)

Which of the following is a contract where both parties agree to most of the terms that will govern future agreements?
A. Master service agreement (MSA)
B. Nondisclosure agreement (NDA)
C. Statement of work (SOW)
D. Purchase order (PO)

You have been recently hired by a security firm to conduct penetration tests on clients. Which agreements will your new employer most likely ask you to sign as a condition of employment? (Choose two.)
A. Master service agreement (MSA)
B. Nondisclosure agreement (NDA)
C. Statement of work (SOW)
D. Purchase order (PO)
E. Noncompete agreement

Your penetration testing consulting firm has been negotiating a contract with the U.S. federal government to run penetration tests against some of its systems. Which agreements will you be asked to sign instead of a statement of work (SOW)? (Choose two.)
A. Statement of objective (SOO)
B. Performance work statement (PWS)
C. Noncompete agreement
D. Purchase order (PO)

You are defining the scope of an upcoming penetration test. Your client’s offices are located in a large office complex with many other tenants. The client has asked you to include the organization’s network in the test. Which parameters should be identified as in-scope? (Choose two.)
A. The IP addresses of public-facing web services owned by neighboring tenants
B. The IP address of perimeter security devices owned by neighboring tenants
C. Wireless SSIDs used by neighboring tenants
D. Wireless SSIDs used by the client
E. IP address ranges used on the client’s internal network

You have recently concluded a penetration test for a client, and now need to write up your final conclusions. What should you do?
A. Rely on your memory of what happened during the test to create the report.
B. Analyze the testers’ written log files.
C. Ask your fellow testers to email you the top three issues they discovered during the test.
D. Ask your client’s IT staff to email you the top three issues they noticed during the test.

A client has hired you to test the physical security of their facility. They have given you free rein to try to penetrate their facility using whatever method you want as long as it doesn’t harm anyone or damage the property. What type of assessment is being conducted in this scenario?
A. Goal-based
B. Pre-merger
C. Compliance-based
D. Supply chain

One of your clients accepts credit cards from customers and uses its internal network and servers to process payments. The credit card companies each specify that the client must undergo regular penetration testing to ensure that its password policies, data isolation policies, access controls, and key management mechanisms adequately protect consumer credit card data. What type of assessment is required in this scenario?
A. Goal-based
B. Compliance-based
C. Supply chain
D. Red team

One of your clients was recently purchased by a large multinational organization. Before the purchase can be finalized, your client must be subjected to an extensive penetration test. What kind of assessment is required in this scenario?
A. Objective-based
B. Pre-merger
C. Compliance-based
D. Supply chain

An organization’s network was recently hacked. The attackers first compromised the weak security used by one of the organization’s contractors. Then they used the contractor’s authentication credentials to gain access to the organization itself. Which type of penetration assessment could have prevented this?
A. Objective-based
B. Pre-merger
C. Goal-based
D. Supply chain

You work on the security team for a large organization. Your team has been tasked with conducting an internal penetration test to verify whether your organization’s IT staff can adequately defend against it. What type of assessment is being used in this scenario?
A. Goal-based
B. Compliance-based
C. Supply chain
D. Red team

Which of the following tiers of adversaries ranks threat actors, generally speaking, from least threatening to most threatening?
A. Script kiddie, hacktivist, malicious insider, organized crime, nation-state
B. Script kiddie, malicious insider, hacktivist, organized crime, nation-state
C. Hacktivist, script kiddie, malicious insider, nation-state, organized crime
D. Nation-state, organized crime, malicious insider, hacktivist, script kiddie

One of your clients is a public advocacy group. Some of its political stances are very unpopular with several fringe activists, and they are concerned that a hacktivist may try to hijack their public-facing website. They have asked you to run a penetration test using the same tools and techniques that a typical hacktivist would have the technical aptitude and funds to use. What process has occurred in this scenario?
A. Due diligence
B. Risk acceptance
C. Threat modeling
D. Scope creep

You are meeting with a new client to scope out the parameters of a future penetration test. During the course of the discussion, you ask the client if they are willing to accept the fact that a penetration test could cause service disruptions within their organization. The client responds affirmatively. What process has occurred in this scenario?
A. Risk acceptance
B. Due diligence
C. Threat modeling
D. Risk transfer

You are running a penetration test for a client. The original test calls for you to test the security of one of the client’s remote branch offices. The client called today and indicated that they are concerned about the security readiness of a second branch office. They insisted that you expand the penetration test to include this second site. What process occurred in this scenario?
A. Due diligence
B. Risk acceptance
C. Threat modeling
D. Scope creep

A client has asked you to run a white box penetration test. Her organization has offices in the United Kingdom, Saudi Arabia, Pakistan, and Hong Kong. You load your penetration testing toolkit onto your laptop and travel to each office to run the assessment on-site. What did you do incorrectly in this scenario?
A. It may be illegal to transport some penetration testing software and hardware internationally.
B. A laptop doesn’t have sufficient computing power to effectively run a penetration test.
C. Travel costs can be reduced by running the assessment remotely from the tester’s home location.
D. Nothing. You did everything correctly.

A client has asked you to run a white box penetration test. Her organization has offices in the United States, Indonesia, Thailand, and Singapore. To avoid international transportation of your penetration testing software, you upload it to your Google Drive account. Then you travel to each site, download the software, and run it locally on your laptop. Did you handle your penetration testing software appropriately in this scenario?
A. Yes, using Google Drive to access the software internationally shields you from prosecution.
B. No, most foreign nations block access to Google Drive.
C. No, it is legal to transport most penetration testing software into these countries.
D. No, it is illegal to transport most penetration testing software internationally using the Internet.

You are asked to perform a penetration test for an organization with offices located in New York City, Los Angeles, and Fargo. Which cybersecurity laws and regulations do you need to check as you scope the assessment?
A. U.S. federal cybersecurity law
B. State cybersecurity laws in New York, California, and North Dakota
C. Local cybersecurity laws in each physical location
D. Interpol regulations

A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications leverage the Simple Object Access Protocol (SOAP). During the scoping process, you determine that it would be helpful if you had access to the organization’s internal documentation for these applications. Which of the following should you ask your client for?
A. Web Services Description Language (WSDL) documentation
B. Software Development Kit (SDK) documentation
C. Web Application Description Language (WADL) documentation
D. Application Programming Interface (API) documentation

A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications are based on Representational State Transfer (REST) architecture. During the scoping process, you determine that it would be helpful if you had access to the organization’s internal documentation for these applications. Which of the following should you ask your client for?
A. Web Services Description Language (WSDL) documentation
B. Software Development Kit (SDK) documentation
C. Web Application Description Language (WADL) documentation
D. Application Programming Interface (API) documentation

A client has asked you to run a white box penetration test. The goal is to assess the security of several PC applications that were written in-house using the C++ programming language. These applications are used on a day-to-day basis by employees to manage orders, inventory, and payouts. During the scoping process, you determine that it would be helpful if you had access to the organization’s internal software development documentation for these applications. Which of the following should you ask your client for? (Choose two.)
A. Simple Object Access Protocol (SOAP) documentation
B. Software Development Kit (SDK) documentation
C. Web Application Description Language (WADL) documentation
D. Application Programming Interface (API) documentation

You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to the information stored on an internal database server. Which information should the client provide you with prior to starting the test?
A. Architectural diagrams
B. Swagger document
C. XSD
D. Network diagrams

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client’s end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?
A. Architectural diagrams
B. Sample requests
C. XSD
D. All of the above

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential customer data stored on an internal database server. You have asked the client for architectural diagrams. Which information should the client provide you with? (Choose two.)
A. Swagger document
B. Simple Object Access Protocol (SOAP) documentation
C. Network diagrams
D. XSD
E. Facility maps

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. To facilitate this, you have requested that the client provide you with access to applications that end users use to generate sample application requests. Which specific applications should be included in the request? (Choose two.)
A. An in-house developed desktop application used to access the information stored in the database
B. Microsoft Word, which end users use on a daily basis to compose documents stored in the database
C. Microsoft Excel, which end users use on a daily basis to compose spreadsheets stored in the database
D. An in-house developed web application used to generate reports using the information stored in the database
E. Adobe Photoshop, which end users use on a daily basis to edit graphic files stored in the database

You want to generate sample application requests for an in-house developed web application that a client’s users use every day to complete their day-to-day tasks. How should this be done?
A. Enter exactly the same data into the web application that end users enter.
B. Enter data that is similar to the data that end users enter into the application.
C. Enter completely unexpected data into the application.
D. Ask the system administrator to generate the samples for you.

Which of the following is a messaging protocol specification that defines how structured information can be exchanged between web applications and is created from WSDL files?
A. SOAP
B. XSD
C. WADL
D. Swagger

Which of the following is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services?
A. SOAP
B. XSD
C. WSDL
D. Swagger

Which of the following protocols is the Representational State Transfer (REST) web application architecture based on?
A. FTP
B. HTTP
C. SMB
D. LDAP

Which of the following is an XML-based interface definition language used to describe the functionality offered by a Simple Object Access Protocol (SOAP) server?
A. Web Services Description Language (WSDL)
B. Web Application Description Language (WADL)
C. Representational State Transfer (REST)
D. Swagger

Which of the following architectures is used to provide an XML-based description of HTTP-based web services running on a web application server and is commonly used with Representational State Transfer (REST) web applications?
A. Simple Object Access Protocol (SOAP)
B. Web Application Description Language (WADL)
C. Representational State Transfer (REST)
D. Swagger

Which of the following is a World Wide Web Consortium (W3C) specification that identifies how to define elements within an XML document?
A. SOAP
B. XSD
C. REST
D. WSDL

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client’s end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?
A. Configuration files
B. Data flow diagrams
C. Software development kit (SDK) documentation
D. All of the above

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to sensitive patient data stored on an internal database server. What should the client do prior to starting the test? (Choose two.)
A. Blacklist the testers’ user accounts in their intrusion protection system (IPS).
B. Whitelist the testers’ user accounts in their intrusion protection system (IPS).
C. Configure network firewalls to function in fail-open mode.
D. Configure security exceptions that allow the penetration testers’ systems to bypass network access controls (NAC).
E. Configure network firewalls to function in fail-close mode.

You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to sensitive financial data stored on an internal database server. What should the client do prior to starting the test?
A. Create internal user accounts for the testers that have the same level of privileges as a typical employee.
B. Whitelist the testers’ user accounts in their web application firewall (WAF).
C. Configure certificate pinning.
D. Configure security exceptions that allow the penetration testers’ systems to bypass network access controls (NAC).
E. None of the above.

You are scoping a white box penetration test for a client. The client has implemented network access controls (NAC) with IPSec to prevent devices that are out of compliance with company policies from connecting to the secure internal network. Because you are conducting a white box test, your testers’ systems need to bypass NAC and be granted direct access to the internal secure network. What should the client do to accomplish this?
A. Configure certificate pinning.
B. Connect their computers to a switch port that is on the secure internal network.
C. Configure a NAC exception for each system.
D. Temporarily disable NAC.

During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client’s facility. To keep this from happening again, the client completely removes the door and its frame from the building and fills the space with concrete. Which type of risk response is described in this scenario?
A. Avoidance
B. Transference
C. Mitigation
D. Acceptance

During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client’s facility. To keep this from happening again, the client places a security guard in the hallway and instructs her to prevent unauthorized access. Which type of risk response is described in this scenario?
A. Avoidance
B. Transference
C. Mitigation
D. Acceptance