PT0-002 domain

Information Gathering and Vulnerability Scanning

Use this page to practise PT0-002 Information Gathering and Vulnerability Scanning questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

60 questions

Focused practice

Start an Information Gathering and Vulnerability Scanning session

All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.


What the exam tests

What to know about Information Gathering and Vulnerability Scanning

Information Gathering and Vulnerability Scanning questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Question index

All Information Gathering and Vulnerability Scanning questions (60)

Click any question to see the full explanation, or start a practice session above.

1

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

2

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

3

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

4

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

5

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

6

A penetration tester is conducting an internal network scan and wants to minimize the chance of detection by the target's intrusion detection system (IDS). Which Nmap timing template is the MOST appropriate for this goal?

7

A penetration tester is using a vulnerability scanner on a web application and notices that many findings are false positives caused by the scanner sending oversized payloads that the application truncates or rejects. Which scanner configuration change would MOST effectively reduce false positives in this scenario?

8

During the reconnaissance phase, a penetration tester wants to identify subdomains of a target domain without making direct requests to the target's own DNS servers. Which technique would be BEST for this purpose?

9

During a penetration test, a vulnerability scanner reports a critical SQL injection vulnerability in a web application. However, manual testing shows that the parameter is not injectable due to proper parameterized queries. Which of the following is the MOST likely cause of this false positive?

10

During reconnaissance, a penetration tester discovers a public GitHub repository belonging to the target organization. The repository contains internal project names, server IP addresses, and code comments with database credentials. Which reconnaissance technique does this represent?

11

A penetration tester wants to discover email addresses associated with a target domain (example.com) without sending any network packets to the target's systems. Which technique is BEST suited for this?

12

A penetration tester wants to perform a network scan that minimizes the chance of detection by an intrusion detection system (IDS). Which Nmap timing template is MOST appropriate?

13

A penetration tester is conducting passive reconnaissance against a target domain. The tester wants to discover all subdomains associated with the domain without making any direct DNS queries to the target's authoritative servers. Which technique is BEST suited for this purpose?

14

A penetration tester wants to enumerate user accounts and SMB shares from a Windows machine without authenticating. Which tool is specifically designed for this purpose and is commonly used in Linux penetration testing distributions?

15

A penetration tester is performing reconnaissance on a target organization. The tester wants to discover the internal IP address scheme used by the company without making any direct connections to the company's network. Which technique is MOST effective for this purpose?

16

A vulnerability scanner reports a reflected XSS vulnerability in a web application. Manual testing confirms that the application HTML-encodes all user input in the response. Which scanner misconfiguration is MOST likely causing this false positive?

17

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify the technologies and frameworks used by the target's web application without making any requests to the target's servers. Which resource is BEST suited for this task?

18

A penetration tester receives an Nmap scan report showing that port 445/TCP is open on a target Windows host. The tester wants to determine if the host is vulnerable to EternalBlue (MS17-010) without triggering an alert. Which Nmap NSE script is most appropriate to use?

19

During passive reconnaissance, a penetration tester wants to compile a list of valid employee email addresses for a target company to be used in a future phishing campaign. Which technique is LEAST likely to be detected by the target or its security controls?

20

A penetration tester is tasked with discovering all publicly accessible Amazon S3 buckets that belong to a target company. Which technique is MOST effective for this purpose?

21

A penetration tester is performing passive reconnaissance against a target domain. Which of the following resources can be used to gather information about the target without directly sending packets to the target's network? (Select two.)

22

A penetration tester is using Nmap to scan a target web server. The tester only wants to see which of the top 100 ports are open, but wants to minimize network traffic and time. Which Nmap command is most appropriate?

23

A penetration tester is conducting passive reconnaissance on a target organization. Which technique can be used to discover subdomains of the target's domain without sending any packets to the target's network?

24

A penetration tester wants to quickly identify which of the top 100 common ports are open on a target system, while minimizing network traffic and scan time. Which Nmap command is most appropriate?

25

A penetration tester wants to passively gather information about a target's technology stack, including web server software and frameworks. Which resource is best suited for this task without sending any packets to the target?

26

A penetration tester is performing active reconnaissance on a target network. The tester wants to identify all live hosts in the 192.168.1.0/24 subnet and determine which ones have port 80 open. Which technique is most efficient for this task?

27

A penetration tester is using a vulnerability scanner to assess a web application. The scanner reports a 'SQL Injection' finding with a high confidence level. However, manual verification of the same payload does not trigger the vulnerability in a browser. Which of the following is the most likely reason for this discrepancy?

28

A penetration tester wants to discover subdomains of a target domain without sending any packets directly to the target's network. Which resource is most effective for this purpose?

29

A penetration tester is performing internal reconnaissance. The tester discovers that the internal DNS server allows recursive queries from the tester's machine. Which technique can the tester use to enumerate internal hosts and network ranges?

30

A penetration tester is performing passive reconnaissance to discover email addresses associated with a target domain. The tester wants to avoid sending any packets directly to the target's infrastructure. Which tool is most appropriate for this task?

31

A penetration tester runs a vulnerability scanner against a web server and receives a high-confidence alert that the server is vulnerable to Heartbleed (CVE-2014-0160). The tester manually verifies using an OpenSSL command and finds that the server is patched. Which of the following is the most likely cause of this false positive?

32

A penetration tester wants to identify hosts on a network that are running web servers on any TCP port, including non-standard ports. Which Nmap command is most efficient for this task?

33

A penetration tester has compromised a Windows domain-joined workstation and needs to identify all domain controllers and their IP addresses without triggering detection mechanisms. Which technique is most likely to avoid raising alerts?

34

A penetration tester is analyzing the results of a vulnerability scan against a web application. The scanner reports a potential SQL injection vulnerability in a login form parameter. However, manual testing with the same payload does not produce any error messages or changes in behavior. Which of the following is the most likely reason for the false positive?

35

A penetration tester is performing internal reconnaissance on a Windows Active Directory environment. The tester has a low-privileged domain user account. Which of the following techniques is most likely to help identify all domain controllers and their IP addresses without generating excessive network traffic or alerts?

36

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify all publicly accessible cloud storage buckets that might belong to the target without directly interacting with the target's infrastructure. Which of the following techniques would be most effective for this purpose?

37

A penetration tester is performing internal reconnaissance on a network that uses IPv6. The tester wants to discover alive hosts and their IPv6 addresses without sending many packets. Which technique is most effective for this purpose?

38

A penetration tester is conducting a vulnerability scan of a web application that uses a custom API framework. The scanner reports several potential SQL injection vulnerabilities, but manual testing confirms they are false positives. The tester suspects the scanner is misinterpreting input validation. Which of the following is the most likely reason for these false positives?

39

A penetration tester wants to perform DNS brute-force enumeration to discover subdomains of a target domain. Which tool is specifically designed for this purpose?

40

A penetration tester is conducting an internal network scan and wants to minimize the chance of being detected by an intrusion detection system (IDS). Which TCP scan type is most likely to evade detection?

41

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to identify internal IP address ranges used by the organization without interacting directly with their network. Which of the following techniques would be most effective for this purpose?

42

During a reconnaissance phase, a penetration tester is using a tool to enumerate NetBIOS names on a target internal network. The tester issues the command 'nbtstat -A 192.168.1.100' on a Windows machine. What type of information is the tester most likely trying to obtain?

43

A penetration tester wants to discover all subdomains of a target domain without directly querying the target's DNS servers to avoid detection. Which technique is most appropriate?

44

During an internal penetration test, a tester is trying to identify live hosts on a network segment. The tester wants to avoid generating a high volume of traffic or alerts. Which scanning technique is most appropriate for this task?

45

A penetration tester is conducting passive reconnaissance on a target organization using Google dorking. The tester wants to find PDF documents that may contain usernames and passwords. Which Google search query is most appropriate for this task?

46

A penetration tester wants to identify the web server software and version used by a target organization without sending any packets to the target's infrastructure. Which of the following techniques is most effective for this purpose?

47

A penetration tester wants to identify all publicly accessible Amazon S3 buckets that belong to a specific organization. Which technique is most effective for passive reconnaissance?

48

A penetration tester is performing internal reconnaissance from a compromised host and wants to map the local network without sending any packets. Which technique is most suitable?

49

A penetration tester is performing active reconnaissance on a target network. The tester sends TCP SYN packets to a range of ports on a target host. Only a few ports respond with SYN-ACK packets. What does this indicate?

50

A penetration tester wants to identify the operating system of a remote host without sending any traffic to the target network. Which of the following techniques is most effective for this purpose?

51

A penetration tester is performing a vulnerability scan on a target network. The tester uses Nmap with the default NSE scripts against a web server. The scan report shows several 'http-vuln-cve2017-5638' findings. What does this indicate?

52

A penetration tester is tasked with performing vulnerability scanning on a target organization that uses a web application firewall (WAF) and an intrusion prevention system (IPS). The tester wants to avoid being blocked while still gathering comprehensive data. Which scanning approach is most effective?

53

A penetration tester wants to identify all subdomains for a target domain using only public records. Which technique is most effective for this purpose?

54

A penetration tester is using theHarvester tool to gather email addresses and subdomains for a target domain. Which source is theHarvester commonly configured to use for passive reconnaissance?

55

A penetration tester is performing a vulnerability scan on a web server that uses HTTPS. The tester wants to identify the server's SSL/TLS configuration weaknesses without overwhelming the server. Which Nmap command is most appropriate?

56

A penetration tester is performing passive reconnaissance on a target organization. The tester wants to gather information about the target's technology stack, including web server software and frameworks, without directly interacting with the target systems. Which technique is most effective?

57

A penetration tester is using theHarvester tool to gather information about a target domain. The tester wants to collect email addresses and subdomains from public search engines and PGP key servers. Which source is theHarvester commonly configured to use for this passive reconnaissance?

58

A penetration tester has been given access to a network tap on a client's internal network. The tester wants to perform initial reconnaissance by identifying all live hosts and their operating systems without sending any packets that could be detected. Which technique is most appropriate?

59

A vulnerability scanner reports an unauthenticated critical finding on an internal server. Manual testing shows the vulnerable package is present, but the vulnerable service is disabled and not reachable. How should the tester report this?

60

A penetration tester is performing passive reconnaissance on a target organization. Which of the following activities would be considered passive reconnaissance?

Watch out for

Common Information Gathering and Vulnerability Scanning exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Frequently asked questions

What does the Information Gathering and Vulnerability Scanning domain cover on the PT0-002 exam?
Information Gathering and Vulnerability Scanning questions test whether you can apply the concept in context, not just recognise a definition.
How many questions are in this domain?
This page lists all 60 Information Gathering and Vulnerability Scanning questions in the PT0-002 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
Can I practise only Information Gathering and Vulnerability Scanning questions?
Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.