CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 291:

  Penetration tester who was exclusively authorized to conduct a physical assessment noticed there were no cameras pointed at the dumpster for company. The penetration tester returned at night and collected garbage that contained receipts for recently purchased networking :. The models of equipment purchased are vulnerable to attack. Which of the following is the most likely next step for the penetration?

  A. Alert the target company of the discovered information.

  B. Verify the discovered information is correct with the manufacturer.

  C. Scan the equipment and verify the findings.

  D. Return to the dumpster for more information.

  Correct Answer: C

  The most likely next step for the penetration tester is to scan the equipment and verify the findings, which is a process of using tools or techniques to probe or test the target equipment for vulnerabilities or weaknesses that can be exploited. Scanning and verifying the findings can help the penetration tester confirm that the models of equipment purchased are vulnerable to attack, and identify the specific vulnerabilities or exploits that affect them. Scanning and verifying the findings can also help the penetration tester prepare for the next steps of the assessment, such as exploiting or reporting the vulnerabilities. Scanning and verifying the findings can be done by using tools such as Nmap, which can scan hosts and networks for ports, services, versions, OS, or other information1, or Metasploit, which can exploit hosts and networks using various payloads or modules2. The other options are not likely next steps for the penetration tester. Alerting the target company of the discovered information is not a next step, but rather a final step, that involves reporting the findings and recommendations to the client after completing the assessment. Verifying the discovered information with the manufacturer is not a next step, as it may not provide accurate or reliable information about the vulnerabilities or exploits that affect the equipment, and it may also alert the manufacturer or the client of the assessment. Returning to the dumpster for more information is not a next step, as it may not yield any more useful or relevant information than what was already collected from the receipts.

• Question 292:

  Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?

  A. HTTPS communication

  B. Public and private keys

  C. Password encryption

  D. Sessions and cookies

  Correct Answer: D

• Question 293:

  After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands:

  

  Which of the following attacks is the penetration tester most likely trying to perform?

  A. Metadata service attack

  B. Container escape techniques

  C. Credential harvesting

  D. Resource exhaustion

  Correct Answer: A

  The penetration tester is most likely trying to perform a metadata service attack, which is an attack that exploits a vulnerability in the metadata service of a cloud provider. The metadata service is a service that provides information about the cloud instance, such as its IP address, hostname, credentials, user data, or role permissions. The metadata service can be accessed from within the cloud instance by using a special IP address, such as 169.254.169.254 for AWS, Azure, and GCP. The commands that the penetration tester runs are curl commands, which are used to transfer data from or to a server. The curl commands are requesting data from the metadata service IP address with different paths, such as / latest/meta-data/iam/security-credentials/ and /latest/user-data/. These paths can reveal sensitive information about the cloud instance, such as its IAM role credentials or user data scripts. The penetration tester may use this information to escalate privileges, access other resources, or perform other actions on the cloud environment. The other options are not likely attacks that the penetration tester is trying to perform.

• Question 294:

  During a client engagement, a penetration tester runs the following Nmap command and obtains the following output:

  nmap -sV -- script ssl-enum-ciphers -p 443 remotehost

  | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

  | TLS_ECDHE_RSA_WITH_RC4_128_SHA

  TLS_RSA_WITH_RC4_128_SHA (rsa 2048)

  TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)

  Which of the following should the penetration tester include in the report?

  A. Old, insecure ciphers are in use.

  B. The 3DES algorithm should be deprecated.

  C. 2,048-bit symmetric keys are incompatible with MD5.

  D. This server should be upgraded to TLS 1.2.

  Correct Answer: A

  The output of the Nmap command shows that the remote host supports RC4 ciphers, which are considered weak and vulnerable to several attacks, such as the BEAST and the RC4 NOMORE attacks. RC4 ciphers should not be used in modern TLS implementations, and they are not supported by TLS 1.3. Therefore, the penetration tester should include this finding in the report and recommend disabling RC4 ciphers on the server.

• Question 295:

  Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.)

  A. The CVSS score of the finding

  B. The network location of the vulnerable device

  C. The vulnerability identifier

  D. The client acceptance form

  E. The name of the person who found the flaw

  F. The tool used to find the issue

  Correct Answer: CF

• Question 296:

  A penetration tester conducted an assessment on a web server. The logs from this session show the following: http://www.thecompanydomain.com/servicestatus.php?serviceID=892andserviceID=892 ` ; DROP TABLE SERVICES; -Which of the following attacks is being attempted?

  A. Clickjacking

  B. Session hijacking

  C. Parameter pollution

  D. Cookie hijacking

  E. Cross-site scripting

  Correct Answer: C

• Question 297:

  Which of the following is the most secure method for sending the penetration test report to the client?

  A. Sending the penetration test report on an online storage system.

  B. Sending the penetration test report inside a password-protected ZIP file.

  C. Sending the penetration test report via webmail using an HTTPS connection.

  D. Encrypting the penetration test report with the client's public key and sending it via email.

  Correct Answer: D

  This is the most secure method for sending the penetration test report to the client because it ensures that only the client can decrypt and read the report using their private key. Encrypting the report with the client's public key prevents anyone else from accessing the report, even if they intercept or compromise the email. The other methods are not as secure because they rely on weaker or no encryption, or they expose the report to third-party services that may not be trustworthy or compliant.

• Question 298:

  A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?

  A. Add a dependency checker into the tool chain.

  B. Perform routine static and dynamic analysis of committed code.

  C. Validate API security settings before deployment.

  D. Perform fuzz testing of compiled binaries.

  Correct Answer: A

  Adding a dependency checker into the tool chain is the best recommendation for the company that has been including vulnerable third-party modules in multiple products. A dependency checker is a tool that analyzes the dependencies of a software project and identifies any known vulnerabilities or outdated versions. This can help the developers to update or replace the vulnerable modules before deploying the products.

• Question 299:

  During the assessment of a client's cloud and on-premises environments, a penetration tester was able to gain ownership of a storage object within the cloud environment using the provided on-premises credentials. Which of the following best describes why the tester was able to gain access?

  A. Federation misconfiguration of the container

  B. Key mismanagement between the environments

  C. laaS failure at the provider

  D. Container listed in the public domain

  Correct Answer: A

  The best explanation for why the tester was able to gain access to the storage object within the cloud environment using the on-premises credentials is federation misconfiguration of the container. Federation is a process that allows users to access multiple systems or services with a single set of credentials, by using a trusted third-party service that authenticates and authorizes the users. Federation can enable seamless integration between cloud and on-premises environments, but it can also introduce security risks if not configured properly. Federation misconfiguration of the container can allow an attacker to access the storage object with the on-premises credentials, if the container trusts the on-premises identity provider without verifying its identity or scope. The other options are not valid explanations for why the tester was able to gain access to the storage object within the cloud environment using the on-premises credentials. Key mismanagement between the environments is not relevant to this issue, as it refers to a different scenario involving encryption keys or access keys that are used to protect or access data or resources in cloud or on-premises environments. IaaS failure at the provider is not relevant to this issue, as it refers to a different scenario involving infrastructure as a service (IaaS), which is a cloud service model that provides virtualized computing resources over the internet. Container listed in the public domain is not relevant to this issue, as it refers to a different scenario involving container visibility or accessibility from public networks or users.

• Question 300:

  A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?

  A. Manually check the version number of the VoIP service against the CVE release

  B. Test with proof-of-concept code from an exploit database

  C. Review SIP traffic from an on-path position to look for indicators of compromise

  D. Utilize an nmap -sV scan against the service

  Correct Answer: B

  Testing with proof-of-concept code from an exploit database is the best method to support validation of the possible findings, as it will demonstrate whether the CVEs are actually exploitable on the target VoIP call manager. Proof-of-concept code is a piece of software or script that shows how an attacker can exploit a vulnerability in a system or application. An exploit database is a repository of publicly available exploits, such as Exploit Database or Metasploit. Reference: https://dokumen.pub/hacking-exposed-unified-communications-amp-voip- security-secrets-amp- solutions-2nd-edition-9780071798778-0071798773- 9780071798761-0071798765.html