Which of the following is the total number of servers that Nmap will attempt to scan?
A. 1
B. 101
C. 255
D. 256
Correct Answer: C
The Nmap scan command given will scan all the hosts in the 192.168.0.0/24 subnet, except for the one with the IP address 192.168.0.101. The subnet has 256 possible hosts, but one of them is excluded, so the total number of servers that Nmap will attempt to scan is 255.
References:
Nmap Commands - 17 Basic Commands for Linux Network, Section: Scan Multiple Hosts, Subsection: Excluding Hosts from Search
Nmap Cheat Sheet 2023: All the Commands and More, Section: Target Specification, Subsection: --exclude
Question 122:
A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection?
A. Configure wireless access to use a AAA server.
B. Use random MAC addresses on the penetration testing distribution.
C. Install a host-based firewall on the penetration testing distribution.
D. Connect to the penetration testing company's VPS using a VPN.
Correct Answer: D
The best way to provide confidentiality for the client while using a wireless connection is to connect to the penetration testing company's VPS using a VPN. This will encrypt the traffic between the penetration tester and the VPS, and prevent any eavesdropping or interception by third parties. A VPN will also allow the penetration tester to access the client's network securely and bypass any firewall or network restrictions.
Question 123:
A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary?
A. To meet PCI DSS testing requirements
B. For testing of the customer's SLA with the ISP
C. Because of concerns regarding bandwidth limitations
D. To ensure someone is available if something goes wrong
Correct Answer: D
Question 124:
A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following:
Which of the following combinations of tools would the penetration tester use to exploit this script?
A. Hydra and crunch
B. Netcat and cURL
C. Burp Suite and DIRB
D. Nmap and OWASP ZAP
Correct Answer: B
Question 125:
A penetration tester has prepared the following phishing email for an upcoming penetration test:
Which of the following is the penetration tester using MOST to influence phishing targets to click on the link?
A. Familiarity and likeness
B. Authority and urgency
C. Scarcity and fear
D. Social proof and greed
Correct Answer: B
Question 126:
The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?
A. A vulnerability scan
B. A WHOIS lookup
C. A packet capture
D. An Nmap scan
Correct Answer: A
A vulnerability scan is performed with a penetration testing tool that scans a network for vulnerabilities. A vulnerability scan can detect misconfigurations, missing patches, and other security issues that could be exploited by attackers. In this case, the output shows that 100 hosts had findings due to improper patch management, which means that the tester performed a vulnerability scan.
Question 127:
Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester?
A. NDA
B. MSA
C. SOW
D. MOU
Correct Answer: C
As mentioned in question 1, the SOW describes the specific activities, deliverables, and schedules for a penetration tester. The other documents are not relevant for this purpose. An NDA is a non-disclosure agreement that protects the confidentiality of the client's information. An MSA is a master service agreement that defines the general terms and conditions of a business relationship. An MOU is a memorandum of understanding that expresses a common intention or agreement between parties.
Question 128:
A penetration tester runs the following command:
dig @dns01.comptia.local axfr comptia.local
Which of the following types of information would be provided?
A. The DNSSEC certificate and CA
B. The DHCP scopes and ranges used on the network
C. The hostnames and IP addresses of internal systems
D. The OS and version of the DNS server
Correct Answer: C
The command dig @dns01.comptia.local axfr comptia.local performs a DNS zone transfer, which is the process of copying the entire DNS database or zone file from a primary DNS server to a secondary DNS server. A DNS zone file contains records that map domain names to IP addresses and other information, such as mail servers, name servers, or aliases. A DNS zone transfer can provide useful information for enumeration, such as the hostnames and IP addresses of internal systems, which can help identify potential targets or vulnerabilities. A DNS zone transfer can be performed with tools such as dig, which queries DNS servers and obtains information about domain names, such as IP addresses, mail servers, name servers, or other records.

The other options are not types of information that would be provided by a DNS zone transfer. The DNSSEC certificate and CA are not part of the DNS zone file, but rather part of the DNSSEC protocol, an extension of DNS that provides authentication and integrity for DNS data. The DHCP scopes and ranges used on the network are not part of the DNS zone file, but rather part of the DHCP protocol, which assigns dynamic IP addresses and other configuration parameters to devices on a network. The OS and version of the DNS server are not part of the DNS zone file, but rather the result of OS fingerprinting, a technique that identifies the OS and version of a remote system by analyzing its responses to network probes.
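To make concrete what a permitted zone transfer hands over, the following added example (not part of the exam page, and not dig's or any project's code) parses the record lines dig prints for an axfr query and lists the hostnames whose A/AAAA records point into RFC 1918 space, which is exactly the "hostnames and IP addresses of internal systems" the answer refers to. The sample output is constructed: the zone name comptia.local and server dns01.comptia.local come from the question, while every address, TTL and record is invented. A defender can run the same check against a transfer taken from an authorized secondary to see how much internal topology would leak if the primary's transfer ACL were ever loosened.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of dig's AXFR output. Hostnames use the page's zone;
# addresses, TTLs and SOA values are made up for this example.
SAMPLE_AXFR = """\
; <<>> DiG <<>> @dns01.comptia.local axfr comptia.local
;; global options: +cmd
comptia.local.              3600  IN  SOA    dns01.comptia.local. hostmaster.comptia.local. 2024010101 3600 900 604800 86400
comptia.local.              3600  IN  NS     dns01.comptia.local.
dns01.comptia.local.        3600  IN  A      10.10.0.53
fileserver.comptia.local.   3600  IN  A      10.10.1.20
intranet.comptia.local.     3600  IN  A      10.10.1.80
www.comptia.local.          3600  IN  CNAME  intranet.comptia.local.
comptia.local.              3600  IN  MX     10 mail.comptia.local.
mail.comptia.local.         3600  IN  A      10.10.1.25
vpn.comptia.local.          3600  IN  A      203.0.113.10
comptia.local.              3600  IN  SOA    dns01.comptia.local. hostmaster.comptia.local. 2024010101 3600 900 604800 86400
;; Query time: 3 msec
;; SERVER: 10.10.0.53#53(dns01.comptia.local) (TCP)
"""

# RFC 1918 private ranges; checked explicitly rather than via is_private so the
# result does not depend on which documentation/test ranges Python's ipaddress
# also classifies as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

Record = Tuple[str, int, str, str, str]


def parse_axfr(text: str) -> List[Record]:
    """Parse dig's zone-transfer output into (owner, ttl, class, type, rdata).

    Lines beginning with ';' are dig's own commentary, not zone data. The
    rdata of SOA and MX records contains spaces, so the line is split into at
    most five fields and the remainder is kept whole.
    """
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # truncated or malformed line: skip rather than guess
        owner, ttl, rclass, rtype, rdata = parts
        records.append((owner, int(ttl), rclass, rtype, rdata))
    return records


def address_records(records: List[Record]) -> Dict[str, List[str]]:
    """Map each hostname to the IPs in its A/AAAA records."""
    hosts: Dict[str, List[str]] = {}
    for owner, _ttl, _cls, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts.setdefault(owner, []).append(rdata)
    return hosts


def internal_exposure(text: str) -> List[Tuple[str, str]]:
    """Hostnames whose addresses fall in RFC 1918 space: the internal systems
    a successful transfer reveals to whoever asked."""
    exposed = []
    for host, ips in address_records(parse_axfr(text)).items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in RFC1918):
                exposed.append((host, ip))
    return sorted(exposed)


if __name__ == "__main__":
    for host, ip in internal_exposure(SAMPLE_AXFR):
        print(f"{host:30} {ip}")
```

The public-looking vpn entry is deliberately left out of the result so the filter's edge case is visible: only addresses inside the three RFC 1918 blocks are reported.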
Question 129:
A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?
A. Set up a captive portal with embedded malicious code.
B. Capture handshakes from wireless clients to crack.
C. Spam deauthentication packets to the wireless clients.
D. Set up another access point and perform an evil twin attack.
Correct Answer: C
The best method available to pivot and gain additional access to the network is to spam deauthentication packets to the wireless clients. This will cause them to disconnect from their wireless access point and reconnect using their hard-wired connection, which may have less restrictive ACLs. The penetration tester can then capture their traffic or attempt to compromise their systems.
Question 130:
A penetration tester is conducting an Nmap scan and wants to scan for ports without establishing a connection. The tester also wants to find version information for services running on open ports. Which of the following Nmap commands should the tester use?
A. nmap -sU -sV -T4 -F target.company.com
B. nmap -sS -sV -F target.company.com
C. nmap -sT -v -T5 target.company.com
D. nmap -sX -sC target.company.com
Correct Answer: B
The Nmap command that the tester should use to scan for ports without establishing a connection and to find version information for services running on open ports is nmap -sS -sV -F target.company.com. This command has the following options:

-sS performs a TCP SYN scan, which is a scan technique that sends TCP packets with the SYN flag set to the target ports and analyzes the responses. A TCP SYN scan does not establish a full TCP connection, as it only completes the first step of the three-way handshake. A TCP SYN scan can stealthily scan for open ports without alerting the target system or application.

-sV performs version detection, which is a feature that probes open ports to determine the service and version information of the applications running on them. Version detection can provide useful information for identifying vulnerabilities or exploits that affect specific versions of services or applications.

-F performs a fast scan, which is a scan option that only scans the 100 most common ports according to the nmap-services file. A fast scan can speed up the scan process by avoiding less likely or less interesting ports.

target.company.com specifies the domain name of the target system or network to be scanned.

The other options are not valid Nmap commands that meet the requirements of the question. Option A performs a UDP scan (-sU), which is a scan technique that sends UDP packets to the target ports and analyzes the responses. A UDP scan can scan for open ports that use the UDP protocol, such as DNS, SNMP, or DHCP. However, a UDP scan does establish a connection with the target system or application, unlike a TCP SYN scan. Option C performs a TCP connect scan (-sT), which is a scan technique that sends TCP packets with the SYN flag set to the target ports and completes the three-way handshake with an ACK packet if a SYN/ACK packet is received. A TCP connect scan can scan for open ports that use the TCP protocol, such as HTTP, FTP, or SSH. However, a TCP connect scan does establish a full TCP connection with the target system or application, unlike a TCP SYN scan. Option D performs an Xmas scan (-sX), which is a scan technique that sends TCP packets with the FIN, PSH, and URG flags set to the target ports and analyzes the responses. An Xmas scan can stealthily scan for open ports without alerting the target system or application, similar to a TCP SYN scan. However, option D does not perform version detection (-sV), which is one of the requirements of the question.