CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 271:

  A consulting company is completing the ROE during scoping.

  Which of the following should be included in the ROE?

  A. Cost ofthe assessment

  B. Report distribution

  C. Testing restrictions

  D. Liability

  Correct Answer: B

• Question 272:

  A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?

  A. Maximizing the likelihood of finding vulnerabilities

  B. Reprioritizing the goals/objectives

  C. Eliminating the potential for false positives

  D. Reducing the risk to the client environment

  Correct Answer: B

  Goal Reprioritization Have the goals of the assessment changed? Has any new information been found that might affect the goal or desired end state? I would also agree with A, because by goal reprioritization you are more likely to find vulnerabilities in this specific segment of critical network, but it is a side effect of goal reprioritization.

• Question 273:

  A penetration tester gains access to a system and establishes persistence, and then runs the following commands:

  cat /dev/null > temp

  touch -r .bash_history temp

  mv temp .bash_history

  Which of the following actions is the tester MOST likely performing?

  A. Redirecting Bash history to /dev/null

  B. Making a copy of the user's Bash history for further enumeration

  C. Covering tracks by clearing the Bash history

  D. Making decoy files on the system to confuse incident responders

  Correct Answer: C

  The commands are used to clear the Bash history file of the current user, which records the commands entered in the terminal. The first command redirects /dev/null (a special file that discards any data written to it) to temp, which creates an empty file named temp. The second command changes the timestamp of temp to match that of .bash_history (the hidden file that stores the Bash history). The third command renames temp to .bash_history, which overwrites the original file with an empty one. This effectively erases any trace of the commands executed by the user.

  Reference: https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux- systems-cover- your-tracks-remain-undetected-0244768/

• Question 274:

  A penetration tester discovers during a recent test that an employee in the accounting department has been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to prevent this type of activity in the future?

  A. Enforce mandatory employee vacations

  B. Implement multifactor authentication

  C. Install video surveillance equipment in the office

  D. Encrypt passwords for bank account information

  Correct Answer: A

  If the employee already works in the accounting department, MFA will not stop their actions because they'll already have access by virtue of their job. Enforcing mandatory employee vacations is the best recommendation to prevent this type of activity in the future, as it will make it harder for an employee to conceal fraudulent transactions or unauthorized changes to a payment system. Mandatory employee vacations are a form of internal control that requires employees to take time off from work periodically and have their duties performed by someone else. This can help detect errors, irregularities, or frauds committed by employees who might otherwise have exclusive access or control over certain processes or systems.

• Question 275:

  A penetration tester is testing input validation on a search form that was discovered on a website. Which of the following characters is the BEST option to test the website for vulnerabilities?

  A. Comma

  B. Double dash

  C. Single quote

  D. Semicolon

  Correct Answer: C

  A single quote (') is a common character used to test for SQL injection vulnerabilities, which occur when user input is directly passed to a database query. A single quote can terminate a string literal and allow an attacker to inject malicious SQL commands. For example, if the search form uses the query SELECT * FROM products WHERE name LIKE `%user_input%', then entering a single quote as user input would result in an error or unexpected behavior

• Question 276:

  A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?

  A. Netcraft

  B. CentralOps

  C. Responder

  D. FOCA

  Correct Answer: D

  https://kalilinuxtutorials.com/foca-metadata-hidden-documents/ FOCA (Fingerprinting Organizations with Collected Archives) is a tool that is used to find hidden information in documents available on the web. It can be used to extract metadata from documents such as PDF, Microsoft Office, OpenOffice, and others. The metadata can include information such as the author, creation date, and software used to create the document. FOCA can also extract information from the document's properties such as the title, keywords, and comments. This tool can also identify specific keywords and patterns in the document and can be useful in identifying sensitive information that may have been inadvertently left in the document.

• Question 277:

  Which of the following is the MOST effective person to validate results from a penetration test?

  A. Third party

  B. Team leader

  C. Chief Information Officer

  D. Client

  Correct Answer: B

• Question 278:

  A penetration tester ran a simple Python-based scanner. The following is a snippet of the code: Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS?

  

  A. sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds.

  B. *range(1, 1025) on line 1 populated the portList list in numerical order.

  C. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM

  D. The remoteSvr variable has neither been type-hinted nor initialized.

  Correct Answer: B

  Port randomization is widely used in port scanners. By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons) https://nmap.org/book/man-portspecification.html

• Question 279:

  During an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the web log for a target Apache server. Which of the following steps would the penetration tester most likely try NEXT to further exploit the web server? (Choose two.)

  A. Cross-site scripting

  B. Server-side request forgery

  C. SQL injection

  D. Log poisoning

  E. Cross-site request forgery

  F. Command injection

  Correct Answer: DF

  Local File Inclusion (LFI) is a web vulnerability that allows an attacker to include files on a server through the web browser. This can expose sensitive information or lead to remote code execution.

  Some possible next steps that a penetration tester can try after exploiting an LFI vulnerability are:

  Log poisoning: This involves injecting malicious code into the web server's log files and then including them via LFI to execute the code34. PHP wrappers: These are special streams that can be used to manipulate files or data via LFI. For

  example, php://input can be used to pass arbitrary data to an LFI script, or php://filter can be used to encode or decode files5.

• Question 280:

  A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows: The following request was intercepted going to the network device: GET /login HTTP/1.1 Host: 10.50.100.16 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Accept-Language: en-US,en;q=0.5 Connection: keep-alive Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk Network management interfaces are available on the production network. An Nmap scan returned the following:

  

  Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.)

  A. Enforce enhanced password complexity requirements.

  B. Disable or upgrade SSH daemon.

  C. Disable HTTP/301 redirect configuration.

  D. Create an out-of-band network for management.

  E. Implement a better method for authentication.

  F. Eliminate network management and control interfaces.

  Correct Answer: DE

  The key findings indicate that the network device is vulnerable to several attacks, such as sniffing, brute-forcing, or exploiting the SSH daemon. To prevent these attacks, the best recommendations are to create an out-of-band network for management, which means a separate network that is not accessible from the production network, and to implement a better method for authentication, such as SSH keys or certificates. The other options are not as effective or relevant.