CompTIA PenTest+ PT0-002 – Question120

A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal?

A. VRFY and EXPN
B. VRFY and TURN
C. EXPN and TURN
D. RCPT TO and VRFY

Correct Answer: A

CompTIA PenTest+ PT0-002 – Question119

A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task?

A. nmap -f -sV -p80 192.168.1.20
B. nmap -sS -sL -p80 192.168.1.20
C. nmap -A -T4 -p80 192.168.1.20
D. nmap -O -v -p80 192.168.1.20

Correct Answer: C

CompTIA PenTest+ PT0-002 – Question117

Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems:

A. will reveal vulnerabilities in the Modbus protocol
B. may cause unintended failures in control systems
C. may reduce the true positive rate of findings
D. will create a denial-of-service condition on the IP networks

Correct Answer: B

CompTIA PenTest+ PT0-002 – Question115

A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?

A. Maximizing the likelihood of finding vulnerabilities
B. Reprioritizing the goals/objectives
C. Eliminating the potential for false positives
D. Reducing the risk to the client environment

Correct Answer: A

CompTIA PenTest+ PT0-002 – Question114

A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?

A. Specially craft and deploy phishing emails to key company leaders.
B. Run a vulnerability scan against the company's external website.
C. Runtime the company's vendor/supply chain.
D. Scrape web presences and social-networking sites.

Correct Answer: C

CompTIA PenTest+ PT0-002 – Question113

A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. Which of the following would be the BEST option to identify a system properly prior to performing the assessment?

A. Asset inventory
B. DNS records
C. Web-application scan
D. Full scan

Correct Answer: D

CompTIA PenTest+ PT0-002 – Question112

A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory:
U3VQZXIkM2NyZXQhCg==
Which of the following commands should the tester use NEXT to decode the contents of the file?

A. echo U3VQZXIkM2NyZXQhCg== | base64 -d
B. tar zxvf password.txt
C. hydra -l svsacct -p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24
D. john --wordlist /usr/share/seclists/rockyou.txt password.txt

Correct Answer: A

CompTIA PenTest+ PT0-002 – Question111

A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?

A. Create a one-shot system service to establish a reverse shell
B. Obtain /etc/shadow and brute force the root password.
C. Run the nc -e /bin/sh <…> command
D. Move laterally to create a user account on LDAP

Correct Answer: C