CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 161:

  Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?

  A. Wireshark

  B. EAPHammer

  C. Kismet

  D. Aircrack-ng

  Correct Answer: D

  The BEST tool to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine is Aircrack-ng. Aircrack-ng is a suite of tools used to assess the security of wireless networks. It starts by capturing wireless network packets [1], then attempts to crack the network password by analyzing them [1]. Aircrack-ng supports FMS, PTW, and other attack types, and can also be used to generate keystreams for WEP and WPA-PSK encryption. It is capable of running on Windows, Linux, and Mac OS X. The BEST tool to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine is Aircrack-ng. Aircrack-ng is a suite of tools used to assess the security of wireless networks. It starts by capturing wireless network packets [1], then attempts to crack the network password by analyzing them [1]. Aircrack-ng supports FMS, PTW, and other attack types, and can also be used to generate keystreams for WEP and WPAPSK encryption. It is capable of running on Windows, Linux, and Mac OS X.

• Question 162:

  A penetration tester captured the following traffic during a web-application test:

  

  Which of the following methods should the tester use to visualize the authorization information being transmitted?

  A. Decode the authorization header using UTF-8.

  B. Decrypt the authorization header using bcrypt.

  C. Decode the authorization header using Base64.

  D. Decrypt the authorization header using AES.

  Correct Answer: C

• Question 163:

  A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.)

  A. A handheld RF spectrum analyzer

  B. A mask and personal protective equipment

  C. Caution tape for marking off insecure areas

  D. A dedicated point of contact at the client

  E. The paperwork documenting the engagement

  F. Knowledge of the building's normal business hours

  Correct Answer: DE

  Always carry the contact information and any documents stating that you are approved to do this.

• Question 164:

  A penetration tester who is conducting a web-application test discovers a clickjacking vulnerability associated with a login page to financial data. Which of the following should the tester do with this information to make this a successful exploit?

  A. Perform XSS.

  B. Conduct a watering-hole attack.

  C. Use BeEF.

  D. Use browser autopwn.

  Correct Answer: B

  A clickjacking vulnerability allows an attacker to trick a user into clicking on a hidden element on a web page, such as a login button or a link. A watering-hole attack is a technique where the attacker compromises a website that is frequently visited by the target users, and injects malicious code or content into the website. The attacker can then use the clickjacking vulnerability to redirect the users to a malicious website or perform unauthorized actions on their behalf.

  A. Perform XSS. This is incorrect. XSS (cross-site scripting) is a vulnerability where an attacker injects malicious scripts into a web page that are executed by the browser of the victim. XSS can be used to steal cookies, session tokens, or

  other sensitive information, but it is not directly related to clickjacking.

  C. Use BeEF. This is incorrect. BeEF (Browser Exploitation Framework) is a tool that allows an attacker to exploit various browser vulnerabilities and take control of the browser of the victim. BeEF can be used to launch clickjacking attacks,

  but it is not the only way to do so.

  D. Use browser autopwn. This is incorrect. Browser autopwn is a feature of Metasploit that automatically exploits browser vulnerabilities and delivers a payload to the victim's system. Browser autopwn can be used to compromise the browser

  of the victim, but it is not directly related to clickjacking.

  References:

  1: OWASP Foundation, "Clickjacking", https://owasp.org/www- community/attacks/Clickjacking

  2: PortSwigger, "What is clickjacking? Tutorial and Examples", https://portswigger.net/web-security/clickjacking

  4: Akto, "Clickjacking: Understanding vulnerability, attacks and prevention", https://www.akto.io/blog/clickjacking-understanding-vulnerability-attacks-and- prevention

• Question 165:

  When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?

  A. Clarify the statement of work.

  B. Obtain an asset inventory from the client.

  C. Interview all stakeholders.

  D. Identify all third parties involved.

  Correct Answer: A

  Clarifying the statement of work is one of the most important items to develop fully prior to beginning the penetration testing activities, as it defines the scope, objectives, deliverables, and expectations of the engagement. The statement of work is a formal document that outlines the agreement between the penetration tester and the client and serves as a reference for both parties throughout the engagement. It should include details such as the type, duration, and frequency of testing, the target systems and networks, the authorized methods and tools, the reporting format and schedule, and any legal or ethical considerations.

• Question 166:

  During an engagement, a penetration tester found the following list of strings inside a file: Which of the following is the BEST technique to determine the known plaintext of the strings?

  

  A. Dictionary attack

  B. Rainbow table attack

  C. Brute-force attack

  D. Credential-stuffing attack

  Correct Answer: B

• Question 167:

  A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?

  A. PLCs will not act upon commands injected over the network.

  B. Supervisors and controllers are on a separate virtual network by default.

  C. Controllers will not validate the origin of commands.

  D. Supervisory systems will detect a malicious injection of code/commands.

  Correct Answer: C

  PLCs are programmable logic controllers that execute logic operations on input signals from sensors and output signals to actuators. They are often connected to supervisory systems that provide human-machine interfaces and data acquisition functions. If both systems are connected to the company intranet, they are exposed to potential attacks from internal or external adversaries. A valid assumption is that controllers will not validate the origin of commands, meaning that an attacker can send malicious commands to manipulate or sabotage the industrial process. The other assumptions are not valid because they contradict the facts or common practices.

• Question 168:

  Penetration tester is developing exploits to attack multiple versions of a common software package. The versions have different menus and )ut.. they have a common log-in screen that the exploit must use. The penetration tester develops code to perform the log-in that can be each of the exploits targeted to a specific version. Which of the following terms is used to describe this common log-in code example?

  A. Conditional

  B. Library

  C. Dictionary

  D. Sub application

  Correct Answer: B

  The term that is used to describe the common log-in code example is library, which is a collection of reusable code or functions that can be imported or called by other programs or scripts. A library can help simplify or modularize the code development process by providing common or frequently used functionality that can be shared across different programs or scripts. In this case, the penetration tester develops a library of code to perform the log-in that can be imported or called by each of the exploits targeted to a specific version of the software package. The other options are not valid terms that describe the common log-in code example. Conditional is a programming construct that executes a block of code based on a logical condition or expression, such as if-else statements. Dictionary is a data structure that stores key-value pairs, where each key is associated with a value, such as a Python dictionary. Sub application is not a standard programming term, but it may refer to an application that runs within another application, such as a web application.

• Question 169:

  A penetration tester successfully performed an exploit on a host and was able to hop from VLAN 100 to VLAN 200. VLAN 200 contains servers that perform financial transactions, and the penetration tester now wants the local interface of the attacker machine to have a static ARP entry in the local cache. The attacker machine has the following:

  IP Address: 192.168.1.63

  Physical Address: 60-36-dd-a6-c5-33

  Which of the following commands would the penetration tester MOST likely use in order to establish a static ARP entry successfully?

  A. tcpdump -i eth01 arp and arp[6:2] == 2

  B. arp -s 192.168.1.63 60-36-DD-A6-C5-33

  C. ipconfig /all findstr /v 00-00-00 | findstr Physical

  D. route add 192.168.1.63 mask 255.255.255.255.0 192.168.1.1

  Correct Answer: B

  The arp command is used to manipulate or display the Address Resolution Protocol (ARP) cache, which is a table that maps IP addresses to physical addresses (MAC addresses) on a network. The -s option is used to add a static ARP entry to the cache, which means that it will not expire or be overwritten by dynamic ARP entries. The syntax for adding a static ARP entry is arp -s . Therefore, the command arp -s 192.168.1.63 60-36-DD-A6-C5-33 would add a static ARP entry for the IP address 192.168.1.63 and the physical address 60-36-DD-A6-C5-33 to the local cache of the attacker machine. This would allow the attacker machine to communicate with the target machine without relying on ARP requests or replies. The other commands are not valid or useful for establishing a static ARP entry.

• Question 170:

  A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error?

  A. TCP port 443 is not open on the firewall

  B. The API server is using SSL instead of TLS

  C. The tester is using an outdated version of the application

  D. The application has the API certificate pinned.

  Correct Answer: D

  This is the most likely reason for the error because the application is unable to validate the certificate issued by the tester's private root CA. Certificate pinning is a process where an application compares the certificate presented by the server with a predefined set of certificates and only accepts connections if the presented certificate is one of the predefined certificates. This means that the application will reject any certificate that is not in the predefined set, even if it is valid.