The SecOps Group CCPenX-AWS - Certified Cloud Pentesting eXpert-AWS (CCPenX-AWS) Certification Exam
Question #1 (Topic: demo questions)
How would you enumerate subdomains for a given AWS application domain?
Correct Answer: A
Explanation:
1. Use a subdomain wordlist with subfinder or amass:
subfinder -d example.com -o subs.txt
2. Validate with dnsx: dnsx -l subs.txt -a -resp
3. Use Google/Bing dorking for additional subdomain discovery.
4. Check for AWS-specific naming like dev.example.com.s3.amazonaws.com
5. Test discovered subdomains for active services or exposed APIs.
Question #2 (Topic: demo questions)
Describe how to crawl and spider an AWS-hosted application to enumerate all reachable endpoints and parameterized pages.
Correct Answer: A
Explanation:
1. Use Burp Suite → Target → Site Map to crawl automatically.
2. Or run: gospider -s https://example.com -o spider_output/
3. Parse the output for URLs, JS endpoints, and hidden paths.
4. Look for API endpoints and potential S3 links or tokens.
5. Feed discovered endpoints into fuzzers or scanners.
Question #3 (Topic: demo questions)
How would you perform content discovery on a web server hosted in AWS to find hidden files and directories?
Correct Answer: A
Explanation:
1. Use ffuf or dirsearch:
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
2. Analyze the HTTP response codes for valid directories (e.g., 200/403).
3. Modify extensions: add .php, .bak, .zip, etc.
4. Add -e flag in ffuf for extension fuzzing: -e .php,.html,.bak
5. Explore valid paths manually or with tools like Burp Suite.
Question #4 (Topic: demo questions)
You need to perform a reverse DNS lookup on an IP you found in a previous scan. How do you determine the domain or hostname associated with it?
Correct Answer: A
Explanation:
1. Open a terminal.
2. Use the command: host 203.0.113.45
3. Alternatively, run: dig -x 203.0.113.45
4. If a PTR record exists, it will return the associated domain.
5. Use the resolved domain for further DNS or HTTP-based recon.
Question #5 (Topic: demo questions)
You are assessing an AWS-hosted web application. How would you perform a DNS lookup to gather basic information about the target domain using command-line tools?
Correct Answer: A
Explanation:
1. Open a terminal.