CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 241:

  During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames.

  Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?

  A. Sniff and then crack the WPS PIN on an associated WiFi device.

  B. Dump the user address book on the device.

  C. Break a connection between two Bluetooth devices.

  D. Transmit text messages to the device.

  Correct Answer: B

  Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs. This allows access to calendars, contact lists, emails and text messages, and on some phones, users can copy pictures and private videos.

• Question 242:

  A penetration tester wrote the following Bash script to brute force a local service password:

  ..ting as expected.

  Which of the following changes should the penetration tester make to get the script to work?

  A. ..e cho "The correct password is $p" andand break) ho "The correct password is $p" I| break

  B. .e cho "The correct password is $p" andand break)

  o "The correct password is $p" I break

  C. e cho "The correct password is Sp" andand break) echo "The correct password is $p" andand break)

  D. . { echo "The correct password is $p" andand break ) With

  E. ( echo "The correct password is $p" andand break )

  Correct Answer: B

  CeWL is a tool that can be used to crawl a website and build a wordlist using the data recovered to crack the password on the website. CeWL stands for Custom Word List generator, and it is a Ruby script that spiders a given website up to a specified depth and returns a list of words that can be used for password cracking or other purposes. CeWL can also generate wordlists based on metadata, email addresses, author names, or external links found on the website. CeWL can help a penetration tester create customized wordlists that are tailored to the target website and increase the chances of success for password cracking attacks. DirBuster is a tool that can be used to brute force directories and files names on web servers. w3af is a tool that can be used to scan web applications for vulnerabilities and exploits. Patator is a tool that can be used to perform brute force attacks against various protocols and services.

• Question 243:

  A company has hired a penetration tester to deploy and set up a rogue access point on the network.

  Which of the following is the BEST tool to use to accomplish this goal?

  A. Wireshark

  B. Aircrack-ng

  C. Kismet

  D. Wifite

  Correct Answer: B

  Reference: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-stealing-wi-fi-passwords- with-evil-twin-attack-0183880/

  https://thecybersecurityman.com/2018/08/11/creating-an-evil-twin-or-fake-access-point- using-aircrack-ng-and-dnsmasq-part-2-the-attack/

• Question 244:

  A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website?

  A. WHOIS domain lookup

  B. Job listing and recruitment ads

  C. SSL certificate information

  D. Public data breach dumps

  Correct Answer: A

  The BEST passive method of obtaining the technical contacts for the website would be a WHOIS domain lookup. WHOIS is a protocol that provides information about registered domain names, such as the registration date, registrant's name and contact information, and the name servers assigned to the domain. By performing a WHOIS lookup, the penetration tester can obtain the contact information of the website's technical staff, which can be used to craft a convincing phishing email.

• Question 245:

  A consultant is reviewing the following output after reports of intermittent connectivity issues:

  (192.168.1.1) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet]

  (192.168.1.12) at 34:a4:be:09:44:f4 on en0 ifscope [ethernet]

  (192.168.1.17) at 92:60:29:12:ac:d2 on en0 ifscope [ethernet]

  (192.168.1.34) at 88:de:a9:12:ce:fb on en0 ifscope [ethernet]

  (192.168.1.136) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet]

  (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]

  (224.0.0.251) at 01:02:5e:7f:ff:fa on en0 ifscope permanent [ethernet]

  (239.255.255.250) at ff:ff:ff:ff:ff:ff on en0 ifscope permanent [ethernet]

  Which of the following is MOST likely to be reported by the consultant?

  A. A device on the network has an IP address in the wrong subnet.

  B. A multicast session was initiated using the wrong multicast group.

  C. An ARP flooding attack is using the broadcast address to perform DDoS.

  D. A device on the network has poisoned the ARP cache.

  Correct Answer: D

  The gateway for the network (192.168.1.1) is at 0a:d1:fa:b1:01:67, and then, another machine (192.168.1.136) also claims to be on the same MAC address. With this on the same network, intermittent connectivity will be inevitable as along as

  the gateway remains unreachable on the IP known by the others machines on the network, and given that the new machine claiming to be the gateway has not been configured to route traffic. The output shows an ARP table that contains

  entries for IP addresses and their corresponding MAC addresses on a local network interface (en0). ARP stands for Address Resolution Protocol and is used to map IP addresses to MAC addresses on a network.

  However, one entry in the table is suspicious:

  ? (192.168.1.136) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet] This entry has the same MAC address as another entry:

  ? (192.168.1.1) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet] This indicates that a device on the network has poisoned the ARP cache by sending false ARP replies that associate its MAC address with multiple IP addresses, including

  192.168.1.136 and 192.168.1.1 (which is likely the gateway address). This allows the device to intercept or redirect traffic intended for those IP addresses.

• Question 246:

  A company recruited a penetration tester to configure wireless IDS over the network. Which of the following tools would BEST test the effectiveness of the wireless IDS solutions?

  A. Aircrack-ng

  B. Wireshark

  C. Wifite

  D. Kismet

  Correct Answer: A

  Aircrack-ng is a suite of tools that allows the penetration tester to test the effectiveness of the wireless IDS solutions by performing various attacks on wireless networks, such as cracking WEP and WPA keys, capturing and injecting packets, deauthenticating clients, or creating fake access points. Aircrack-ng can also generate different types of traffic and signatures that can trigger the wireless IDS alerts or responses, such as ARP requests, EAPOL frames, or beacon frames.

  Reference: https://purplesec.us/perform-wireless-penetration-test/

• Question 247:

  A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?

  A. Create a one-shot system service to establish a reverse shell.

  B. Obtain /etc/shadow and brute force the root password.

  C. Run the nc -e /bin/sh <...> command.

  D. Move laterally to create a user account on LDAP

  Correct Answer: A

  https://hosakacorp.net/p/systemd-user.html

  Creating a one-shot system service to establish a reverse shell is a technique that would best support maintaining persistence after reboot on a Linux-based file server. A system service is a program that runs in the background and performs various tasks without user interaction. A one-shot system service is a type of service that runs only once and then exits. A reverse shell is a type of shell that connects back to an attacker-controlled machine and allows remote command execution. By creating a one-shot system service that runs a reverse shell script at boot time, the penetration tester can ensure persistent access to the file server even after reboot.

• Question 248:

  Given the following code:

  

  Which of the following data structures is systems?

  A. A tuple

  B. A tree

  C. An array

  D. A dictionary

  Correct Answer: D

  A dictionary is a data structure in Python that stores key-value pairs, where each key is associated with a value. A dictionary is created by enclosing the key-value pairs in curly braces and separating them by commas. A dictionary can be accessed by using the keys as indexes or by using methods such as keys(), values(), or items(). In the code, systems is a dictionary that has four key-value pairs, each representing an IP address and its corresponding operating system. A tuple is a data structure in Python that stores an ordered sequence of immutable values, enclosed in parentheses and separated by commas. A tree is a data structure that consists of nodes connected by edges, forming a hierarchical structure with a root node and leaf nodes. An array is a data structure that stores a collection of elements of the same type in a contiguous memory location.

• Question 249:

  Which of the following protocols or technologies would provide in-transit confidentiality protection for emailing the final security assessment report?

  A. S/MIME

  B. FTPS

  C. DNSSEC

  D. AS2

  Correct Answer: A

  S/MIME stands for Secure/Multipurpose Internet Mail Extensions and is a standard for encrypting and signing email messages. It uses public key cryptography to ensure the confidentiality, integrity, and authenticity of email communications. FTPS is a protocol for transferring files securely over SSL/TLS, but it is not used for emailing. DNSSEC is a protocol for securing DNS records, but it does not protect email content. AS2 is a protocol for exchanging business documents over HTTP/S, but it is not used for emailing.

  Reference: https://searchsecurity.techtarget.com/answer/What-are-the-most-important- email-security- protocols

• Question 250:

  An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client's information?

  A. Follow the established data retention and destruction process

  B. Report any findings to regulatory oversight groups

  C. Publish the findings after the client reviews the report

  D. Encrypt and store any client information for future analysis

  Correct Answer: D

  After completing an assessment and providing the report and evidence to the client, it is important to follow the established data retention and destruction process to ensure the confidentiality of the client's information. This process typically involves securely deleting or destroying any data collected during the assessment that is no longer needed, and securely storing any data that needs to be retained. This helps to prevent unauthorized access to the client's information and protects the client's confidentiality. Reporting any findings to regulatory oversight groups may be necessary in some cases, but it should be done only with the client's permission and in accordance with any relevant legal requirements. Publishing the findings before the client has reviewed the report is also not recommended, as it may breach the client's confidentiality and damage their reputation. Encrypting and storing client information for future analysis is also not recommended unless it is necessary and in compliance with any legal or ethical requirements.