The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host discovery and write the discovery to files without returning results of the attack machine?
A. nmap -sn -n --exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
B. nmap -iR10 -oX out.xml | grep Nmap | cut -d "-" -f5 > live-hosts.txt
C. nmap -Pn -sV -O -iL target.txt -A target_text_Service
D. nmap -sS -Pn -n -iL target.txt -A target_txtl
A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables.
Which of the following should be included as a recommendation in the remediation report?
A. Stronger algorithmic requirements
B. Access controls on the server
C. Encryption on the user passwords
D. A patch management program
A penetration tester has been given eight business hours to gain access to a client's financial system. Which of the following techniques will have the highest likelihood of success?
A. Attempting to tailgate an employee going into the client's workplace
B. Dropping a malicious USB key with the company's logo in the parking lot
C. Using a brute-force attack against the external perimeter to gain a foothold
D. Performing spear phishing against employees by posing as senior management
Which of the following would a company's hunt team be MOST interested in seeing in a final report?
A. Executive summary
B. Attack TTPs
C. Methodology
D. Scope details
A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.
Which of the following is most important for the penetration tester to define FIRST?
A. Establish the format required by the client.
B. Establish the threshold of risk to escalate to the client immediately.
C. Establish the method of potential false positives.
D. Establish the preferred day of the week for reporting.
A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contract with the cloud provider prevents any activities that would interfere with the cloud provider's other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid?
A. Crawling the web application's URLs looking for vulnerabilities
B. Fingerprinting all the IP addresses of the application's servers
C. Brute forcing the application's passwords
D. Sending many web requests per second to test DDoS protection
A penetration tester wants to scan a target network without being detected by the client's IDS. Which of the following scans is MOST likely to avoid detection?
A. nmap -p0 -T0 -sS 192.168.1.10
B. nmap -sA -sV --host-timeout 60 192.168.1.10
C. nmap -f --badsum 192.168.1.10
D. nmap -A -n 192.168.1.10
The results of an Nmap scan are as follows:
Which of the following would be the BEST conclusion about this device?
A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.
B. This device is most likely a gateway with in-band management services.
C. This device is most likely a proxy server forwarding requests over TCP/443.
D. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.
During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?
A. Mask
B. Rainbow
C. Dictionary
D. Password spraying
A company recently moved its software development architecture from VMs to containers. The company has asked a penetration tester to determine if the new containers are configured correctly against a DDoS attack. Which of the following should a tester perform first?
A. Test the strength of the encryption settings.
B. Determine if security tokens are easily available.
C. Perform a vulnerability check against the hypervisor.
D. Scan the containers for open ports.