PT0-002: CompTIA PenTest+ Certification Exam Topic 3
Question #: 121
Topic #: 1
A penetration tester is evaluating a company’s network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?
A. Launch an external scan of netblocks.
B. Check WHOIS and netblock records for the company.
C. Use DNS lookups and dig to determine the external hosts.
D. Conduct a ping sweep of the company’s netblocks.
Selected Answer: B
Question #: 122
Topic #: 1
A penetration tester captured the following traffic during a web-application test:
Which of the following methods should the tester use to visualize the authorization information being transmitted?
A. Decode the authorization header using UTF-8.
B. Decrypt the authorization header using bcrypt.
C. Decode the authorization header using Base64.
D. Decrypt the authorization header using AES.
Selected Answer: C
Question #: 123
Topic #: 1
A penetration tester was hired to perform a physical security assessment of an organization’s office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization’s building without raising too many alerts?
A. Tailgating
B. Dumpster diving
C. Shoulder surfing
D. Badge cloning
Selected Answer: D
Question #: 124
Topic #: 1
A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?
A. Netcraft
B. CentralOps
C. Responder
D. FOCA
Selected Answer: D
Question #: 125
Topic #: 1
A penetration tester has gained access to the Chief Executive Officer’s (CEO’s) internal, corporate email. The next objective is to gain access to the network.
Which of the following methods will MOST likely work?
A. Try to obtain the private key used for S/MIME from the CEO’s account.
B. Send an email from the CEO’s account, requesting a new account.
C. Move laterally from the mail server to the domain controller.
D. Attempt to escalate privileges on the mail server to gain root access.
Selected Answer: B
Question #: 126
Topic #: 1
A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?
A. Nmap
B. Nikto
C. Cain and Abel
D. Ettercap
Selected Answer: B
Question #: 127
Topic #: 1
A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal?
A. Wireshark
B. Aircrack-ng
C. Kismet
D. Wifite
Selected Answer: B
Question #: 128
Topic #: 1
A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective?
A. nmap -sT -vvv -O 192.168.1.0/24 -PO
B. nmap -sV 192.168.1.0/24 -PO
C. nmap -sA -v -O 192.168.1.0/24
D. nmap -sS -O 192.168.1.0/24 -T1
Selected Answer: C
Question #: 129
Topic #: 1
A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted store of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error?
A. TCP port 443 is not open on the firewall
B. The API server is using SSL instead of TLS
C. The tester is using an outdated version of the application
D. The application has the API certificate pinned.
Selected Answer: D
Question #: 130
Topic #: 1
A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company’s privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server?
A. OpenVAS
B. Nikto
C. SQLmap
D. Nessus
Selected Answer: C
Question #: 131
Topic #: 1
A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter, with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?
A. Data flooding
B. Session riding
C. Cybersquatting
D. Side channel
Selected Answer: D
Question #: 132
Topic #: 1
Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test?
A. Scope details
B. Findings
C. Methodology
D. Statement of work
Selected Answer: C
Question #: 133
Topic #: 1
A private investigation firm is requesting a penetration test to determine the likelihood that attackers can gain access to mobile devices and then exfiltrate data from those devices. Which of the following is a social-engineering method that, if successful, would MOST likely enable both objectives?
A. Send an SMS with a spoofed service number including a link to download a malicious application.
B. Exploit a vulnerability in the MDM and create a new account and device profile.
C. Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading.
D. Infest a website that is often used by employees with malware targeted toward x86 architectures.
Selected Answer: A
Question #: 134
Topic #: 1
A penetration tester ran a ping -A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type?
A. Windows
B. Apple
C. Linux
D. Android
Selected Answer: A
Question #: 135
Topic #: 1
A physical penetration tester needs to get inside an organization’s office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company’s ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.)
A. Shoulder surfing
B. Call spoofing
C. Badge stealing
D. Tailgating
E. Dumpster diving
F. Email phishing
Selected Answer: CD
Question #: 136
Topic #: 1
A penetration tester conducted an assessment on a web server. The logs from this session show the following:
Which of the following attacks is being attempted?
A. Clickjacking
B. Session hijacking
C. Parameter pollution
D. Cookie hijacking
E. Cross-site scripting
Selected Answer: C
Question #: 137
Topic #: 1
A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?
A. A signed statement of work
B. The correct user accounts and associated passwords
C. The expected time frame of the assessment
D. The proper emergency contacts for the client
Selected Answer: D
Question #: 138
Topic #: 1
An Nmap scan of a network switch reveals the following:
Which of the following technical controls will most likely be the FIRST recommendation for this device?
A. Encrypted passwords
B. System-hardening techniques
C. Multifactor authentication
D. Network segmentation
Selected Answer: B
Question #: 139
Topic #: 1
A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?
A. Alternate data streams
B. PowerShell modules
C. MP4 steganography
D. ProcMon
Selected Answer: B
Question #: 140
Topic #: 1
A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet. Which of the following is the BEST action for the tester to take?
A. Check the scoping document to determine if exfiltration is within scope.
B. Stop the penetration test.
C. Escalate the issue.
D. Include the discovery and interaction in the daily report.
Selected Answer: B
Question #: 141
Topic #: 1
A Chief Information Security Officer wants to evaluate the security of the company’s e-commerce application. Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?
A. SQLmap
B. DirBuster
C. w3af
D. OWASP ZAP
Selected Answer: D
Question #: 142
Topic #: 1
Which of the following documents must be signed between the penetration tester and the client to govern how any provided information is managed before, during, and after the engagement?
A. MSA
B. NDA
C. SOW
D. ROE
Selected Answer: B
Question #: 143
Topic #: 1
A penetration tester runs a scan against a server and obtains the following output:
Which of the following command sequences should the penetration tester try NEXT?
A. ftp 192.168.53.23
B. smbclient \\\\WEB3\\IPC$ -I 192.168.53.23 -U guest
C. ncrack -u Administrator -P 15worst_passwords.txt -p rdp 192.168.53.23
D. curl -X TRACE https://192.168.53.23:8443/index.aspx
Selected Answer: A
Question #: 144
Topic #: 1
A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?
A. nmap -iL results 192.168.0.10-100
B. nmap 192.168.0.10-100 -O > results
C. nmap -A 192.168.0.10-100 -oX results
D. nmap 192.168.0.10-100 | grep "results"
Selected Answer: C
Question #: 145
Topic #: 1
During a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign. Which of the following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client’s cybersecurity tools? (Choose two.)
A. Scraping social media sites
B. Using the WHOIS lookup tool
C. Crawling the client’s website
D. Phishing company employees
E. Utilizing DNS lookup tools
F. Conducting wardriving near the client facility
Selected Answer: BC
Question #: 146
Topic #: 1
During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:
A. SOW.
B. SLA.
C. ROE.
D. NDA.
Selected Answer: C
Question #: 147
Topic #: 1
A tester who is performing a penetration test on a website receives the following output:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62
Which of the following commands can be used to further attack the website?
A.
B. ../../../../../../../../../../etc/passwd
C. /var/www/html/index.php;whoami
D. 1 UNION SELECT 1, DATABASE(), 3 --
Selected Answer: D
Question #: 148
Topic #: 1
A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?
A. Gain access to the target host and implant malware specially crafted for this purpose.
B. Exploit the local DNS server and add/update the zone records with a spoofed A record.
C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.
D. Proxy HTTP connections from the target host to that of the spoofed host.
Selected Answer: B
Question #: 149
Topic #: 1
Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.)
A. Use of non-optimized sort functions
B. Poor input sanitization
C. Null pointer dereferences
D. Non-compliance with code style guide
E. Use of deprecated Javadoc tags
F. A cyclomatic complexity score of 3
Selected Answer: BC
Question #: 150
Topic #: 1
A penetration tester has found indicators that a privileged user’s password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?
A. Hydra
B. John the Ripper
C. Cain and Abel
D. Medusa
Selected Answer: A
Question #: 151
Topic #: 1
A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:
✑ The following request was intercepted going to the network device:
GET /login HTTP/1.1
Host: 10.50.100.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk
✑ Network management interfaces are available on the production network.
✑ An Nmap scan returned the following:
Port State Service Version
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
80/tcp open http Cisco IOS http config
|_https-title: Did not follow redirect to https://10.50.100.16
443/tcp open https Cisco IOS https config
Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.)
A. Enforce enhanced password complexity requirements.
B. Disable or upgrade SSH daemon.
C. Disable HTTP/301 redirect configuration.
D. Create an out-of-band network for management.
E. Implement a better method for authentication.
F. Eliminate network management and control interfaces.
Selected Answer: CD
Question #: 152
Topic #: 1
A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.)
A. Remove the logs from the server.
B. Restore the server backup.
C. Disable the running services.
D. Remove any tools or scripts that were installed.
E. Delete any created credentials.
F. Reboot the target server.
Selected Answer: DE
Question #: 153
Topic #: 1
A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:
…
;; ANSWER SECTION:
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.
Which of the following potential issues can the penetration tester identify based on this output?
A. At least one of the records is out of scope.
B. There is a duplicate MX record.
C. The NS record is not within the appropriate domain.
D. The SOA record is outside the comptia.org domain.
Selected Answer: A
Question #: 154
Topic #: 1
A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?
A. tcpdump
B. Snort
C. Nmap
D. Netstat
E. Fuzzer
Selected Answer: C
Question #: 155
Topic #: 1
Deconfliction is necessary when the penetration test:
A. determines that proprietary information is being stored in cleartext.
B. occurs during the monthly vulnerability scanning.
C. uncovers indicators of prior compromise over the course of the assessment.
D. proceeds in parallel with a criminal digital forensic investigation.
Selected Answer: C
Question #: 156
Topic #: 1
A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?
A. Hashcat
B. Mimikatz
C. Patator
D. John the Ripper
Selected Answer: C
Question #: 157
Topic #: 1
PCI DSS requires which of the following as part of the penetration-testing process?
A. The penetration tester must have cybersecurity certifications.
B. The network must be segmented.
C. Only externally facing systems should be tested.
D. The assessment must be performed during non-working hours.
Selected Answer: B
Question #: 158
Topic #: 1
A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT?
A. The penetration tester conducts a retest.
B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.
Selected Answer: C
Question #: 159
Topic #: 1
A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use?
A. nmap -sn 192.168.0.1/16
B. nmap -sn 192.168.0.1-254
C. nmap -sn 192.168.0.1 192.168.0.1.254
D. nmap -sN 192.168.0.0/24
Selected Answer: B
Question #: 160
Topic #: 1
A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?
A. Steganography
B. Metadata removal
C. Encryption
D. Encode64
Selected Answer: B
Question #: 161
Topic #: 1
A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?
A. Terminate the contract.
B. Update the ROE with new signatures.
C. Scan the 8-bit block to map additional missed hosts.
D. Continue the assessment.
Selected Answer: B
Question #: 162
Topic #: 1
A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?
A. Add a dependency checker into the tool chain.
B. Perform routine static and dynamic analysis of committed code.
C. Validate API security settings before deployment.
D. Perform fuzz testing of compiled binaries.
Selected Answer: A
Question #: 163
Topic #: 1
A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?
A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.
Selected Answer: C
Question #: 164
Topic #: 1
A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?
A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay
Selected Answer: B
Question #: 165
Topic #: 1
A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:
Which of the following represents what the penetration tester is attempting to accomplish?
A. DNS cache poisoning
B. MAC spoofing
C. ARP poisoning
D. Double-tagging attack
Selected Answer: D
Question #: 166
Topic #: 1
A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company’s web presence.
Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.)
A. MX records
B. Zone transfers
C. DNS forward and reverse lookups
D. Internet search engines
E. Externally facing open ports
F. Shodan results
Selected Answer: DF
Question #: 167
Topic #: 1
The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovery to files without returning results of the attack machine?
A. nmap -sn -n --exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d "" -f5 > live-hosts.txt
C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service
D. nmap -sS -Pn -n -iL target.txt -oA target_txtl
Selected Answer: A
Question #: 168
Topic #: 1
SIMULATION
Using the output, identify potential attack vectors that should be further investigated.
Question #: 169
Topic #: 1
A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary?
A. To meet PCI DSS testing requirements
B. For testing of the customer’s SLA with the ISP
C. Because of concerns regarding bandwidth limitations
D. To ensure someone is available if something goes wrong
Selected Answer: D
Question #: 170
Topic #: 1
An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?
A. nmap -sA 192.168.0.1/24
B. nmap -sS 192.168.0.1/24
C. nmap -oG 192.168.0.1/24
D. nmap 192.168.0.1/24
Selected Answer: A
Question #: 171
Topic #: 1
During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT?
A. Deny that the vulnerability existed
B. Investigate the penetration tester.
C. Accept that the client was right.
D. Fire the penetration tester.
Selected Answer: B
Question #: 172
Topic #: 1
A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit?
A. Patch installations
B. Successful exploits
C. Application failures
D. Bandwidth limitations
Selected Answer: D
Question #: 173
Topic #: 1
A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based on the version number of the service. Which of the following methods would BEST support validation of the possible findings?
A. Manually check the version number of the VoIP service against the CVE release.
B. Test with proof-of-concept code from an exploit database on a non-production system.
C. Review SIP traffic from an on-path position to look for indicators of compromise.
D. Execute an nmap -sV scan against the service.
Selected Answer: A
Question #: 174
Topic #: 1
The results of an Nmap scan are as follows:
Which of the following device types will MOST likely have a similar response?
A. Active Directory domain controller
B. IoT/embedded device
C. Exposed RDP
D. Print queue
Selected Answer: B
Question #: 175
Topic #: 1
Which of the following are the MOST important items for prioritizing fixes that should be included in the final report for a penetration test? (Choose two.)
A. The CVSS score of the finding
B. The network location of the vulnerable device
C. The vulnerability identifier
D. The client acceptance form
E. The name of the person who found the flaw
F. The tool used to find the issue
Selected Answer: AC
Question #: 176
Topic #: 1
User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?
A. MD5
B. bcrypt
C. SHA-1
D. PBKDF2
Selected Answer: A
Question #: 177
Topic #: 1
A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider’s metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?
A. Cross-site request forgery
B. Server-side request forgery
C. Remote file inclusion
D. Local code inclusion
Selected Answer: B
Question #: 178
Topic #: 1
A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities. Which of the following tools would be BEST suited for this task?
A. GDB
B. Burp Suite
C. SearchSploit
D. Netcat
Selected Answer: A
Question #: 179
Topic #: 1
Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks?
A. Scraping social media for personal details
B. Registering domain names that are similar to the target company’s
C. Identifying technical contacts at the company
D. Crawling the company’s website for company information
Selected Answer: A
Question #: 180
Topic #: 1
A penetration tester is testing a new API for the company’s existing services and is preparing the following script:
Which of the following would the test discover?
A. Default web configurations
B. Open web ports on a host
C. Supported HTTP methods
D. Listening web servers in a domain
Selected Answer: C