PT0-002: CompTIA PenTest+ Certification Exam Topic 2
Question #: 61
Topic #: 1
Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance?
A. Shodan
B. Nmap
C. WebScarab-NG
D. Nessus
Selected Answer: A
Question #: 62
Topic #: 1
Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?
A. Whether the cloud service provider allows the penetration tester to test the environment
B. Whether the specific cloud services are being used by the application
C. The geographical location where the cloud services are running
D. Whether the country where the cloud service is based has any impeding laws
Selected Answer: A
Question #: 63
Topic #: 1
HOTSPOT –
You are a security analyst tasked with hardening a web server. You have been given a list of HTTP payloads that were flagged as malicious.
INSTRUCTION –
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:
Question #: 64
Topic #: 1
A penetration tester runs the unshadow command on a machine.
Which of the following tools will the tester most likely use NEXT?
A. John the Ripper
B. Hydra
C. Mimikatz
D. Cain and Abel
Selected Answer: C
Question #: 65
Topic #: 1
A penetration tester obtained the following results after scanning a web server using the dirb utility:
Which of the following elements is MOST likely to contain useful information for the penetration tester?
A. index.html
B. about
C. info
D. home.html
Selected Answer: B
Question #: 66
Topic #: 1
A company has hired a penetration tester to deploy and set up a rogue access point on the network.
Which of the following is the BEST tool to use to accomplish this goal?
A. Wireshark
B. Aircrack-ng
C. Kismet
D. Wifite
Selected Answer: B
Question #: 67
Topic #: 1
A penetration tester was able to gain access successfully to a Windows workstation on a mobile client’s laptop.
Which of the following can be used to ensure the tester is able to maintain access to the system?
A. schtasks /create /sc /ONSTART /tr C:\Temp|WindowsUpdate.exe
B. wmic startup get caption,command
C. crontab -l; echo "@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash") | crontab 2>/dev/null
D. sudo useradd -ou 0 -g 0 user
Selected Answer: A
Question #: 68
Topic #: 1
A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet.
Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?
A. PLCs will not act upon commands injected over the network.
B. Supervisors and controllers are on a separate virtual network by default.
C. Controllers will not validate the origin of commands.
D. Supervisory systems will detect a malicious injection of code/commands.
Selected Answer: C
Question #: 69
Topic #: 1
A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log:
Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?
A. Run an application vulnerability scan and then identify the TCP ports used by the application.
B. Run the application attached to a debugger and then review the application’s log.
C. Disassemble the binary code and then identify the break points.
D. Start a packet capture with Wireshark and then run the application.
Selected Answer: D
Question #: 70
Topic #: 1
When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because:
A. security compliance regulations or laws may be violated.
B. testing can make detecting actual APT more challenging.
C. testing adds to the workload of defensive cyber- and threat-hunting teams.
D. business and network operations may be impacted.
Selected Answer: D
Question #: 71
Topic #: 1
A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company’s contract with the cloud provider prevents any activities that would interfere with the cloud provider’s other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid?
A. Crawling the web application’s URLs looking for vulnerabilities
B. Fingerprinting all the IP addresses of the application’s servers
C. Brute forcing the application’s passwords
D. Sending many web requests per second to test DDoS protection
Selected Answer: D
Question #: 72
Topic #: 1
A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)
A. Spawned shells
B. Created user accounts
C. Server logs
D. Administrator accounts
E. Reboot system
F. ARP cache
Selected Answer: AB
Question #: 73
Topic #: 1
A software company has hired a security consultant to assess the security of the company’s software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?
A. Weak authentication schemes
B. Credentials stored in strings
C. Buffer overflows
D. Non-optimized resource management
Selected Answer: C
Question #: 74
Topic #: 1
A penetration tester has prepared the following phishing email for an upcoming penetration test:
Which of the following is the penetration tester using MOST to influence phishing targets to click on the link?
A. Familiarity and likeness
B. Authority and urgency
C. Scarcity and fear
D. Social proof and greed
Selected Answer: B
Question #: 75
Topic #: 1
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?
A. Command injection
B. Broken authentication
C. Direct object reference
D. Cross-site scripting
Selected Answer: C
Question #: 76
Topic #: 1
Which of the following situations would MOST likely warrant revalidation of a previous security assessment?
A. After detection of a breach
B. After a merger or an acquisition
C. When an organization updates its network firewall configurations
D. When most of the vulnerabilities have been remediated
Selected Answer: A
Question #: 77
Topic #: 1
A penetration tester gains access to a system and is able to migrate to a user process:
Given the output above, which of the following actions is the penetration tester performing? (Choose two.)
A. Redirecting output from a file to a remote system
B. Building a scheduled task for execution
C. Mapping a share to a remote system
D. Executing a file on the remote system
E. Creating a new process on all domain systems
F. Setting up a reverse shell from a remote system
G. Adding an additional IP address on the compromised system
Selected Answer: CD
Question #: 78
Topic #: 1
After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results:
The tester then runs the following command from the previous exploited system, which fails:
Which of the following explains the reason why the command failed?
A. The tester input the incorrect IP address.
B. The command requires the -port 135 option.
C. An account for RDP does not exist on the server.
D. PowerShell requires administrative privilege.
Selected Answer: A
Question #: 79
Topic #: 1
Which of the following assessment methods is MOST likely to cause harm to an ICS environment?
A. Active scanning
B. Ping sweep
C. Protocol reversing
D. Packet analysis
Selected Answer: A
Question #: 80
Topic #: 1
During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames.
Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?
A. Sniff and then crack the WPS PIN on an associated WiFi device.
B. Dump the user address book on the device.
C. Break a connection between two Bluetooth devices.
D. Transmit text messages to the device.
Selected Answer: B
Question #: 81
Topic #: 1
Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement?
A. Acceptance by the client and sign-off on the final report
B. Scheduling of follow-up actions and retesting
C. Attestation of findings and delivery of the report
D. Review of the lessons during the engagement
Selected Answer: C
Question #: 82
Topic #: 1
A penetration tester discovers a web server that is within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT?
A. Forensically acquire the backdoor Trojan and perform attribution.
B. Utilize the backdoor in support of the engagement.
C. Continue the engagement and include the backdoor finding in the final report.
D. Inform the customer immediately about the backdoor.
Selected Answer: D
Question #: 83
Topic #: 1
Which of the following would a company’s hunt team be MOST interested in seeing in a final report?
A. Executive summary
B. Attack TTPs
C. Methodology
D. Scope details
Selected Answer: B
Question #: 84
Topic #: 1
A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades-old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan?
A. The timing of the scan
B. The bandwidth limitations
C. The inventory of assets and versions
D. The type of scan
Selected Answer: B
Question #: 85
Topic #: 1
Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?
A. Nessus
B. Metasploit
C. Burp Suite
D. Ettercap
Selected Answer: B
Question #: 86
Topic #: 1
A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?
A. Nmap
B. tcpdump
C. Scapy
D. hping3
Selected Answer: C
Question #: 87
Topic #: 1
Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?
A. Analyze the malware to see what it does.
B. Collect the proper evidence and then remove the malware.
C. Do a root-cause analysis to find out how the malware got in.
D. Remove the malware immediately.
E. Stop the assessment and inform the emergency contact.
Selected Answer: E
Question #: 88
Topic #: 1
A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of-service attack on the network segment?
A. Smurf
B. Ping flood
C. Fraggle
D. Ping of death
Selected Answer: C
Question #: 89
Topic #: 1
A penetration tester writes the following script:
Which of the following is the tester performing?
A. Searching for service vulnerabilities
B. Trying to recover a lost bind shell
C. Building a reverse shell listening on specified ports
D. Scanning a network for specific open ports
Selected Answer: D
Question #: 90
Topic #: 1
An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?
A. OpenVAS
B. Drozer
C. Burp Suite
D. OWASP ZAP
Selected Answer: A
Question #: 91
Topic #: 1
A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal
Sendmail server. To remain stealthy, the tester ran the following command from the attack machine:
Which of the following would be the BEST command to use for further progress into the targeted network?
A. nc 10.10.1.2
B. ssh 10.10.1.2
C. nc 127.0.0.1 5555
D. ssh 127.0.0.1 5555
Selected Answer: C
Question #: 92
Topic #: 1
A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:
Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)
A. Telnet
B. HTTP
C. SMTP
D. DNS
E. NTP
F. SNMP
Selected Answer: BD
Question #: 93
Topic #: 1
Which of the following expressions in Python increase a variable val by one? (Choose two.)
A. val++
B. +val
C. val=(val+1)
D. ++val
E. val=val++
F. val+=1
Selected Answer: CF
Question #: 94
Topic #: 1
An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection?
A. nmap -T3 192.168.0.1
B. nmap -P0 192.168.0.1
C. nmap -T0 192.168.0.1
D. nmap -A 192.168.0.1
Selected Answer: C
Question #: 95
Topic #: 1
A penetration tester wrote the following script to be used in one engagement:
Which of the following actions will this script perform?
A. Look for open ports.
B. Listen for a reverse shell.
C. Attempt to flood open ports.
D. Create an encrypted tunnel.
Selected Answer: A
Question #: 96
Topic #: 1
A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step?
A. Perform a new penetration test.
B. Remediate the findings.
C. Provide the list of common vulnerabilities and exposures.
D. Broaden the scope of the penetration test.
Selected Answer: B
Question #: 97
Topic #: 1
Which of the following situations would require a penetration tester to notify the emergency contact for the engagement?
A. The team exploits a critical server within the organization.
B. The team exfiltrates PII or credit card data from the organization.
C. The team loses access to the network remotely.
D. The team discovers another actor on a system on the network.
Selected Answer: D
Question #: 98
Topic #: 1
During an engagement, a penetration tester found the following list of strings inside a file:
Which of the following is the BEST technique to determine the known plaintext of the strings?
A. Dictionary attack
B. Rainbow table attack
C. Brute-force attack
D. Credential-stuffing attack
Selected Answer: B
Question #: 99
Topic #: 1
A penetration tester ran a simple Python-based scanner. The following is a snippet of the code:
Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization’s IDS?
A. sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds.
B. *range(1, 1025) on line 1 populated the portList list in numerical order.
C. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM
D. The remoteSvr variable has neither been type-hinted nor initialized.
Selected Answer: B
Question #: 100
Topic #: 1
A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client’s building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.)
A. A handheld RF spectrum analyzer
B. A mask and personal protective equipment
C. Caution tape for marking off insecure areas
D. A dedicated point of contact at the client
E. The paperwork documenting the engagement
F. Knowledge of the building’s normal business hours
Selected Answer: DE
Question #: 101
Topic #: 1
A penetration tester receives the following results from an Nmap scan:
Which of the following OSs is the target MOST likely running?
A. CentOS
B. Arch Linux
C. Windows Server
D. Ubuntu
Selected Answer: D
Question #: 102
Topic #: 1
A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective?
A. Wait for the next login and perform a downgrade attack on the server.
B. Capture traffic using Wireshark.
C. Perform a brute-force attack over the server.
D. Use an FTP exploit against the server.
Selected Answer: B
Question #: 103
Topic #: 1
Appending string values onto another string is called:
A. compilation
B. connection
C. concatenation
D. conjunction
Selected Answer: C
Question #: 104
Topic #: 1
A consultant is reviewing the following output after reports of intermittent connectivity issues:
Which of the following is MOST likely to be reported by the consultant?
A. A device on the network has an IP address in the wrong subnet.
B. A multicast session was initiated using the wrong multicast group.
C. An ARP flooding attack is using the broadcast address to perform DDoS.
D. A device on the network has poisoned the ARP cache.
Selected Answer: D
Question #: 105
Topic #: 1
Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.)
A. Buffer overflows
B. Cross-site scripting
C. Race-condition attacks
D. Zero-day attacks
E. Injection flaws
F. Ransomware attacks
Selected Answer: BE
Question #: 106
Topic #: 1
The results of an Nmap scan are as follows:
Which of the following would be the BEST conclusion about this device?
A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.
B. This device is most likely a gateway with in-band management services.
C. This device is most likely a proxy server forwarding requests over TCP/443.
D. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.
Selected Answer: B
Question #: 107
Topic #: 1
When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?
A. Clarify the statement of work
B. Obtain an asset inventory from the client
C. Interview all stakeholders
D. Identify all third parties involved
Selected Answer: A
Question #: 108
Topic #: 1
A penetration tester is reviewing the following SOW prior to engaging with a client.
`Network diagrams, logical and physical asset inventory, and employees’ names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client’s Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.`
Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)
A. Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection
B. Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement.
C. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client’s senior leadership team.
D. Seeking help with the engagement in underground hacker forums by sharing the client’s public IP address
E. Using a software-based erase tool to wipe the client’s findings from the penetration tester’s laptop.
F. Retaining the SOW within the penetration tester’s company for future use so the sales team can plan future engagements
Selected Answer: CD
Question #: 109
Topic #: 1
A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly.
Which of the following changes should the tester apply to make the script work as intended?
A. Change line 2 to $ip= 10.192.168.254
B. Remove lines 3, 5, and 6.
C. Remove line 6.
D. Move all the lines below line 7 to the top of the script.
Selected Answer: B
Question #: 110
Topic #: 1
A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:
Which of the following combinations of tools would the penetration tester use to exploit this script?
A. Hydra and crunch
B. Netcat and cURL
C. Burp Suite and DIRB
D. Nmap and OWASP ZAP
Selected Answer: B
Question #: 111
Topic #: 1
A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?
A. Create a one-shot system service to establish a reverse shell
B. Obtain /etc/shadow and brute force the root password.
C. Run the nc -e /bin/sh <…> command
D. Move laterally to create a user account on LDAP
Selected Answer: A
Question #: 112
Topic #: 1
A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory:
U3VQZXIkM2NyZXQhCg==
Which of the following commands should the tester use NEXT to decode the contents of the file?
A. echo U3VQZXIkM2NyZXQhCg== | base64 -d
B. tar zxvf password.txt
C. hydra -l svsacct -p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24
D. john --wordlist /usr/share/seclists/rockyou.txt password.txt
Selected Answer: A
Question #: 113
Topic #: 1
A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. Which of the following would be the BEST option to identify a system properly prior to performing the assessment?
A. Asset inventory
B. DNS records
C. Web-application scan
D. Full scan
Selected Answer: A
Question #: 114
Topic #: 1
A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?
A. Specially craft and deploy phishing emails to key company leaders.
B. Run a vulnerability scan against the company’s external website.
C. Runtime the company’s vendor/supply chain.
D. Scrape web presences and social-networking sites.
Selected Answer: D
Question #: 115
Topic #: 1
A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?
A. Maximizing the likelihood of finding vulnerabilities
B. Reprioritizing the goals/objectives
C. Eliminating the potential for false positives
D. Reducing the risk to the client environment
Selected Answer: B
Question #: 116
Topic #: 1
Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)
A. OWASP ZAP
B. Nmap
C. Nessus
D. BeEF
E. Hydra
F. Burp Suite
Selected Answer: AF
Question #: 117
Topic #: 1
Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems:
A. will reveal vulnerabilities in the Modbus protocol
B. may cause unintended failures in control systems
C. may reduce the true positive rate of findings
D. will create a denial-of-service condition on the IP networks
Selected Answer: B
Question #: 118
Topic #: 1
Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?
A. NIST SP 800-53
B. OWASP Top 10
C. MITRE ATT&CK framework
D. PTES technical guidelines
Selected Answer: C
Question #: 119
Topic #: 1
A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task?
A. nmap -f -sV -p80 192.168.1.20
B. nmap -sS -sL -p80 192.168.1.20
C. nmap -A -T4 -p80 192.168.1.20
D. nmap -O -v -p80 192.168.1.20
Selected Answer: C
Question #: 120
Topic #: 1
A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal?
A. VRFY and EXPN
B. VRFY and TURN
C. EXPN and TURN
D. RCPT TO and VRFY
Selected Answer: D