CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 151:

  Which of the following is most important to include in the final report of a static application- security test that was written with a team of application developers as the intended audience?

  A. Executive summary of the penetration-testing methods used

  B. Bill of materials including supplies, subcontracts, and costs incurred during assessment

  C. Quantitative impact assessments given a successful software compromise

  D. Code context for instances of unsafe typecasting operations

  Correct Answer: D

  A static application-security test (SAST) is a type of software testing that analyzes the source code, bytecode or binary code of an application for potential vulnerabilities, such as injection flaws, cross-site scripting, buffer overflows and insecure data handling. A SAST report should provide the application developers with detailed information about the location, severity and impact of the identified vulnerabilities, as well as recommendations for remediation. One of the most important elements to include in a SAST report is the code context for each vulnerability, which shows the relevant code snippets where the issue occurs, as well as the data flow and control flow paths that lead to the vulnerability. This helps the developers understand the root cause of the problem and how to fix it. Code context is especially important for instances of unsafe typecasting operations, which are a common source of security weaknesses in applications. Typecasting is the process of converting one data type to another, such as from an integer to a string. Unsafe typecasting occurs when the conversion is done without proper validation or sanitization, which can lead to unexpected behavior, memory corruption, data loss or code execution. For example, in C/C++, casting a pointer to an incompatible type can result in undefined behavior or buffer overflows. Therefore, a SAST report should include the code context for instances of unsafe typecasting operations, so that the developers can review and correct them.

• Question 152:

  A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.

  Which of the following is the BEST way to ensure this is a true positive?

  A. Run another scanner to compare.

  B. Perform a manual test on the server.

  C. Check the results on the scanner.

  D. Look for the vulnerability online.

  Correct Answer: B

• Question 153:

  Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems:

  A. will reveal vulnerabilities in the Modbus protocol.

  B. may cause unintended failures in control systems.

  C. may reduce the true positive rate of findings.

  D. will create a denial-of-service condition on the IP networks.

  Correct Answer: B

  Reference: https://www.hsdl.org/?viewanddid=7262

• Question 154:

  Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?

  A. SOW

  B. SLA

  C. MSA

  D. NDA

  Correct Answer: A

  The document that is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables is the SOW (Statement of Work). The SOW is a formal document that describes the objectives, expectations, and responsibilities of the penetration-testing project2. The SOW should be clear, concise, and comprehensive to avoid any ambiguity or misunderstanding.

• Question 155:

  A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?

  A. Key reinstallation

  B. Deauthentication

  C. Evil twin

  D. Replay

  Correct Answer: B

  Deauth will make the client connect again

• Question 156:

  Within a Python script, a line that states print (var) outputs the following:

  [{'1' : 'CentOS', '2' : 'Ubuntu'), {'1' : 'Windows 10', '2' : 'Windows Server 2016'}]

  Which of the following objects or data structures is var ?

  A. An array

  B. A class

  C. A dictionary

  D. A list

  Correct Answer: D

  A list is a data structure in Python that can store multiple values of different types in a sequential order. A list is created by enclosing the values in square brackets [ ] and separating them by commas. A list can also contain other lists as its elements, creating a nested or multidimensional list. The output of the print (var) statement shows that var is a list that contains two elements, each of which is another list with two key-value pairs. The key-value pairs are enclosed in curly braces { }, which indicate that they are dictionaries, another data structure in Python that maps keys to values. Therefore, var is a list of dictionaries.

• Question 157:

  A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

  A. nmap192.168.1.1-5–PU22-25,80

  B. nmap192.168.1.1-5–PA22-25,80

  C. nmap192.168.1.1-5–PS22-25,80

  D. nmap192.168.1.1-5–Ss22-25,80

  Correct Answer: C

  PS/PA/PU/PY are host discovery flags which use TCP SYN/ACK, UDP or SCTP discovery respectively. And since the ports in the options are mostly used by TCP protocols, then it's either the PS or PA flag. But since we need to know if the ports are live, sending SYN packet is a better alternative. Hence, I choose PS in this case. The nmap -PS22-25,80 192.168.1.1-5 command will return vulnerable ports that might be interesting to a potential attacker, as it will perform a TCP SYN scan on ports 22, 23, 24, 25, and 80 of the target hosts. A TCP SYN scan is a stealthy technique that sends a SYN packet to each port and waits for a response. If the response is a SYN/ACK packet, it means the port is open and listening for connections. If the response is a RST packet, it means the port is closed and not accepting connections. If there is no response, it means the port is filtered by a firewall or IDS1.

• Question 158:

  A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?

  A. Terminate the contract.

  B. Update the ROE with new signatures. Most Voted

  C. Scan the 8-bit block to map additional missed hosts.

  D. Continue the assessment.

  Correct Answer: B

• Question 159:

  A compliance-based penetration test is primarily concerned with:

  A. obtaining Pll from the protected network.

  B. bypassing protection on edge devices.

  C. determining the efficacy of a specific set of security standards.

  D. obtaining specific information from the protected network.

  Correct Answer: C

• Question 160:

  A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?

  A. Launch an external scan of netblocks.

  B. Check WHOIS and netblock records for the company.

  C. Use DNS lookups and dig to determine the external hosts.

  D. Conduct a ping sweep of the company's netblocks.

  Correct Answer: C