CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 251:

  Which of the following documents describes activities that are prohibited during a scheduled penetration test?

  A. MSA

  B. NDA

  C. ROE

  D. SLA

  Correct Answer: C

  The document that describes activities that are prohibited during a scheduled penetration test is ROE, which stands for rules of engagement. ROE is a document that defines the scope, objectives, methods, limitations, and expectations of a penetration test. ROE can specify what activities are allowed or prohibited during the penetration test, such as which targets, systems, networks, or services can be tested or attacked, which tools, techniques, or exploits can be used or avoided, which times or dates can be scheduled or excluded, or which impacts or risks can be accepted or mitigated. ROE can help ensure that the penetration test is conducted in a legal, ethical, and professional manner, and that it does not cause any harm or damage to the client or third parties. The other options are not documents that describe activities that are prohibited during a scheduled penetration test. MSA stands for master service agreement, which is a document that defines the general terms and conditions of a contractual relationship between two parties, such as the scope of work, payment terms, warranties, liabilities, or dispute resolution. NDA stands for non-disclosure agreement, which is a document that defines the confidential information that is shared between two parties during a business relationship, such as trade secrets, intellectual property, or customer data. SLA stands for service level agreement, which is a document that defines the quality and performance standards of a service provided by one party to another party, such as availability, reliability, responsiveness, or security.

• Question 252:

  Performing a penetration test against an environment with SCADA devices brings additional safety risk because the:

  A. devices produce more heat and consume more power.

  B. devices are obsolete and are no longer available for replacement.

  C. protocols are more difficult to understand.

  D. devices may cause physical world effects.

  Correct Answer: D

  "A significant issue identified by Wiberg is that using active network scanners, such as Nmap, presents a weakness when attempting port recognition or service detection on SCADA devices. Wiberg states that active tools such as Nmap can use unusual TCP segment data to try and find available ports. Furthermore, they can open a massive amount of connections with a specific SCADA device but then fail to close them gracefully." And since SCADA and ICS devices are designed and implemented with little attention having been paid to the operational security of these devices and their ability to handle errors or unexpected events, the presence idle open connections may result into errors that cannot be handled by the devices. Reference: https://www.hindawi.com/journals/scn/2018/3794603/

• Question 253:

  In Python socket programming, SOCK_DGRAM type is:

  A. reliable.

  B. matrixed.

  C. connectionless.

  D. slower.

  Correct Answer: C

  In Python socket programming, SOCK_DGRAM type is connectionless. This means that the socket does not establish a reliable connection between the sender and the receiver, and does not guarantee that the packets will arrive in order or without errors. SOCK_DGRAM type is used for UDP (User Datagram Protocol) sockets, which are faster and simpler than TCP (Transmission Control Protocol) sockets3.

• Question 254:

  A penetration tester conducts an Nmap scan against a target and receives the following results:

  

  Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?

  A. Nessus

  B. ProxyChains

  C. OWASPZAP

  D. Empire

  Correct Answer: B

  Reference: https://www.codeproject.com/Tips/634228/How-to-Use-Proxychains- Forwarding-Ports

• Question 255:

  During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files:

  <% String id = request.getParameter("id"); %>

  Employee ID: <%= id %>

  Which of the following is the best remediation to prevent a vulnerability from being exploited, based on this code?

  A. Parameterized queries

  B. Patch application

  C. Output encoding

  Correct Answer: C

  Output encoding is a technique that prevents cross-site scripting (XSS) attacks by encoding the user input before displaying it on the web page. This way, any malicious scripts or HTML tags are rendered harmless and cannot execute on the browser. Output encoding is recommended by the OWASP Top 10 as a defense against XSS1. In this case, the vulnerable code is using a scriptlet to display the employee ID without any validation or encoding, which could allow an attacker to inject malicious code through the id parameter. Output encoding would prevent this by escaping any special characters in the id parameter. References: The Official CompTIA PenTest+ Student Guide (Exam PT0-002) eBook, Chapter 4, Section 4.2.1: Cross-site Scripting; Best PenTest+ certification study resources and training materials, Section 1: Cross-site Scripting (XSS) Attack; OWASP Top 10 2021, A7: Cross-site Scripting (XSS).

• Question 256:

  A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position.

  Which of the following actions, if performed, would be ethical within the scope of the assessment?

  A. Exploiting a configuration weakness in the SQL database

  B. Intercepting outbound TLS traffic

  C. Gaining access to hosts by injecting malware into the enterprise-wide update server

  D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates

  E. Establishing and maintaining persistence on the domain controller

  Correct Answer: B

• Question 257:

  A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test. Which of the following describes the scope of the assessment?

  A. Partially known environment testing

  B. Known environment testing

  C. Unknown environment testing

  D. Physical environment testing

  Correct Answer: C

• Question 258:

  Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test?

  A. Scope details

  B. Findings

  C. Methodology

  D. Statement of work

  Correct Answer: C

• Question 259:

  A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:

  

  Which of the following represents what the penetration tester is attempting to accomplish?

  A. DNS cache poisoning

  B. MAC spoofing

  C. ARP poisoning

  D. Double-tagging attack

  Correct Answer: D

  https://scapy.readthedocs.io/en/latest/usage.html

• Question 260:

  A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to: Have a full TCP connection Send a "hello" payload Walt for a response Send a string of characters longer than 16 bytes

  Which of the following approaches would BEST support the objective?

  A. Run nmap –Pn –sV –script vuln .

  B. Employ an OpenVAS simple scan against the TCP port of the host.

  C. Create a script in the Lua language and use it with NSE.

  D. Perform a credentialed scan with Nessus.

  Correct Answer: C

  The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language ) to automate a wide variety of networking tasks. https:// nmap.org

  Creating a script in the Lua language and using it with NSE would best support the objective of finding a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. NSE (Nmap Scripting Engine) is a feature of Nmap that allows users to write and run scripts to automate tasks or perform advanced scans. Lua is a scripting language that NSE supports and can be used to create custom scripts for Nmap.