CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 331:

  A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company's network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment.

  Which of the following actions should the tester take?

  A. Perform forensic analysis to isolate the means of compromise and determine attribution.

  B. Incorporate the newly identified method of compromise into the red team's approach.

  C. Create a detailed document of findings before continuing with the assessment.

  D. Halt the assessment and follow the reporting procedures as outlined in the contract.

  Correct Answer: D

  Halting the assessment and following the reporting procedures as outlined in the contract is the best action to take after identifying that an application being tested has already been compromised with malware. This is because continuing the assessment might interfere with an ongoing investigation or compromise evidence collection. The reporting procedures are part of the contract that specifies how to handle any critical issues or incidents during the penetration testing engagement. They should include details such as who to contact, what information to provide, and what steps to follow.

• Question 332:

  A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?

  A. Hydra

  B. John the Ripper

  C. Cain and Abel

  D. Medusa

  Correct Answer: D

  Both Hydra and Medusa can be used for that same purpose:

  THC Hydra is a brute-force cracking tool for remote authentication services. It supports many protocols, including telnet, FTP, LDAP, SSH, SNMP, and others.

  Medusa is a Parallel, Modular and Speedy method for brute-force which issued for remote authentication. Following are the applications and protocols like modular design, Thread based parallel testing and flexible user input and protocols are

  AFP, CVS, FTP, HTTP, IMAP etc.

• Question 333:

  Given the following script:

  

  Which of the following BEST characterizes the function performed by lines 5 and 6?

  A. Retrieves the start-of-authority information for the zone on DNS server 10.10.10.10

  B. Performs a single DNS query for www.comptia.org and prints the raw data output

  C. Loops through variable b to count the results returned for the DNS query and prints that count to screen

  D. Prints each DNS query result already stored in variable b

  Correct Answer: D

  The script is using the scapy library to perform a DNS query for www.comptia.org and store the response in variable b. Lines 5 and 6 are using a for loop to iterate over each answer in variable b and print its summary to the screen. This can help the penetration tester to view the DNS records returned by the query.

• Question 334:

  A penetration tester discovered that a client uses cloud mail as the company's email system. During the penetration test, the tester set up a fake cloud mail login page and sent all company employees an email that stated their inboxes were full and directed them to the fake login page to remedy the issue. Which of the following BEST describes this attack?

  A. Credential harvesting

  B. Privilege escalation

  C. Password spraying

  D. Domain record abuse

  Correct Answer: A

  Credential harvesting is a type of attack that aims to collect usernames and passwords from unsuspecting users by tricking them into entering their credentials on a fake or spoofed website. Credential harvesting can be done by using phishing emails that lure users to click on malicious links or attachments that redirect them to the fake website. The fake website may look identical or similar to the legitimate one, but it will capture and store the user's credentials for later use by the attacker. In this case, the penetration tester set up a fake cloud mail login page and sent phishing emails to all company employees to harvest their credentials.

• Question 335:

  A penetration tester runs the following command:

  nmap -p- -A 10.0.1.10

  Given the execution of this command, which of the following quantities of ports will Nmap scan?

  A. 1,000

  B. 1,024

  C. 10,000

  D. 65,535

  Correct Answer: D

  The nmap command with the -p- flag scans all ports from 1 to 65535 on the target host. The -A flag enables OS detection, version detection, script scanning, and traceroute. Therefore, the command will scan 65,535 ports on the host

  10.0.1.10 and perform additional analysis on the open ports.

• Question 336:

  A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?

  A. A signed statement of work

  B. The correct user accounts and associated passwords

  C. The expected time frame of the assessment

  D. The proper emergency contacts for the client

  Correct Answer: A

  According to the CompTIA PenTest+ Study Guide, Exam PT0-0021, a statement of work (SOW) is a document that defines the scope, objectives, deliverables, and terms of a penetration testing project. It is a formal agreement between the

  service provider and the client that specifies what is expected from both parties, including the timeline, budget, resources, and responsibilities. A SOW is essential for any penetration testing engagement, as it helps to avoid

  misunderstandings, conflicts, and legal issues. The CompTIA PenTest+ Study Guide also provides an example of a SOW template that covers the following sections1:

  Project overview: A brief summary of the project's purpose, scope, objectives, and deliverables.

  Project scope: A detailed description of the target system, network, or application that will be tested, including the boundaries, exclusions, and assumptions. Project objectives: A clear statement of the expected outcomes and benefits of the

  project, such as identifying vulnerabilities, improving security posture, or complying with regulations.

  Project deliverables: A list of the tangible products or services that will be provided by the service provider to the client, such as reports, recommendations, or remediation plans.

  Project timeline: A schedule of the project's milestones and deadlines, such as kickoff meeting, testing phase, reporting phase, or closure meeting. Project budget: A breakdown of the project's costs and expenses, such as labor hours, travel

  expenses, tools, or licenses.

  Project resources: A specification of the project's human and technical resources, such as team members, roles, responsibilities, skills, or equipment. Project terms and conditions: A statement of the project's legal and contractual aspects,

  such as confidentiality, liability, warranty, or dispute resolution. The CompTIA PenTest+ Study Guide also explains why having a SOW is important before starting an assessment1:

  It establishes a clear and mutual understanding of the project's scope and expectations between the service provider and the client. It provides a basis for measuring the project's progress and performance against the agreed-upon objectives

  and deliverables.

  It protects both parties from potential risks or disputes that may arise during or after the project.

• Question 337:

  A penetration tester obtained the following results after scanning a web server using the dirb utility:

  ...

  GENERATED WORDS: 4612

  ---- Scanning URL: http://10.2.10.13/ ---

  +

  http://10.2.10.13/about (CODE:200|SIZE:1520)

  +

  http://10.2.10.13/home.html (CODE:200|SIZE:214)

  +

  http://10.2.10.13/index.html (CODE:200|SIZE:214)

  +

  http://10.2.10.13/info (CODE:200|SIZE:214)

  ...

  DOWNLOADED: 4612 ?FOUND: 4

  Which of the following elements is MOST likely to contain useful information for the penetration tester?

  A. index.html

  B. about

  C. info

  D. home.html

  Correct Answer: B

  The element /about is most likely to contain useful information for the penetration tester, as it may reveal details about the website's owner, purpose, history, contact information, etc. This information can be used for further reconnaissance, social engineering, or identifying potential vulnerabilities.

• Question 338:

  A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet." Which of the following audiences was this message intended?

  A. Systems administrators

  B. C-suite executives

  C. Data privacy ombudsman

  D. Regulatory officials

  Correct Answer: B

  The comment in the final report was intended for C-suite executives, which are senior-level managers or leaders in an organization, such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO). C-suite executives are typically interested in high-level summaries or overviews of the penetration test results, such as the percentage of systems affected by a certain vulnerability or risk, the potential impact or cost of a breach, or the recommended actions or priorities for remediation. C-suite executives may not have the technical background or expertise to understand detailed or technical information about the penetration test, such as specific vulnerabilities, exploits, tools, or techniques. The comment in the final report provides a high-level summary of the penetration test result that is relevant and understandable for C-suite executives. The other audiences are not likely to be interested in this comment. Systems administrators are technical staff who are responsible for installing, configuring, maintaining, and securing systems and networks. They would be more interested in detailed or technical information about the penetration test, such as specific vulnerabilities, exploits, tools, or techniques. Data privacy ombudsman is a person who acts as an independent mediator between individuals and organizations regarding data privacy issues or complaints. They would be more interested in information about how the penetration test complied with data privacy laws and regulations, such as GDPR or CCPA. Regulatory officials are authorities who enforce compliance with laws and regulations related to a specific industry or sector, such as finance, health care, or energy. They would be more interested in information about how the penetration test complied with industry-specific standards and frameworks, such as PCI-DSS, HIPAA, or NERC-CIP.

• Question 339:

  Company.com has hired a penetration tester to conduct a phishing test. The tester wants to set up a fake log-in page and harvest credentials when target employees click on links in a phishing email. Which of the following commands would best help the tester determine which cloud email provider the log-in page needs to mimic?

  A. dig company.com MX

  B. whois company.com

  C. cur1 www.company.com

  D. dig company.com A

  Correct Answer: A

  The dig command is a tool that can be used to query DNS servers and obtain information about domain names, such as IP addresses, mail servers, name servers, or other records. The MX option specifies that the query is for mail exchange records, which are records that indicate the mail servers responsible for accepting email messages for a domain. Therefore, the command dig company.com MX would best help the tester determine which cloud email provider the log-in page needs to mimic by showing the mail servers for company.com. For example, if the output shows something like company-com.mail.protection.outlook.com, then it means that company.com uses Microsoft Outlook as its cloud email provider. The other commands are not as useful for determining the cloud email provider. The whois command is a tool that can be used to query domain name registration information, such as the owner, registrar, or expiration date of a domain. The curl command is a tool that can be used to transfer data from or to a server using various protocols, such as HTTP, FTP, or SMTP. The dig command with the A option specifies that the query is for address records, which are records that map domain names to IP addresses.

• Question 340:

  A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?

  A. Nmap

  B. tcpdump

  C. Scapy

  D. hping3

  Correct Answer: C

  https://0xbharath.github.io/art-of-packet-crafting-with- scapy/scapy/creating_packets/index.html

  https://scapy.readthedocs.io/en/latest/introduction.html#about-scapy

  Scapy is a powerful and interactive packet manipulation tool that allows the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds. Scapy can craft, send, receive, and analyze packets of various protocols, such as TCP, UDP, ICMP, or IP. Scapy can also modify any field of any layer of a packet, such as the TCP header length and checksum, which are used to indicate the size and integrity of the TCP segment. Scapy can also display the response packets from the target system, which can reveal how the proprietary service handles the invalid packet.