CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 341:

  For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an urgent request for users to change their passwords and a link to https:// example.com/index.html. The engineer has designed the attack so that once the users enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the following information:

  

  Which of the following lines of code should the security engineer add to make the attack successful?

  A. window.location.= 'https://evilcorp.com'

  B. crossDomain: true

  C. geturlparameter ('username')

  D. redirectUrl = 'https://example.com'

  Correct Answer: B

• Question 342:

  After gaining access to a Linux system with a non-privileged account, a penetration tester identifies the following file:

  

  Which of the following actions should the tester perform FIRST?

  A. Change the file permissions.

  B. Use privilege escalation.

  C. Cover tracks.

  D. Start a reverse shell.

  Correct Answer: B

  The file .scripts/daily_log_backup.sh has permissions set to 777, meaning that anyone can read, write, or execute the file. Since it's owned by the root user and the penetration tester has access to the system with a non-privileged account, this could be a potential avenue for privilege escalation. In a penetration test, after finding such a file, the tester would likely want to explore it and see if it can be leveraged to gain higher privileges. This is often done by inserting malicious code or commands into the script if it's being executed with higher privileges, such as root in this case.

• Question 343:

  A penetration tester is attempting to get more people from a target company to download and run an executable. Which of the following would be the.. :tive way for the tester to achieve this objective?

  A. Dropping USB flash drives around the company campus with the file on it

  B. Attaching the file in a phishing SMS that warns users to execute the file or they will be locked out of their accounts

  C. Sending a pretext email from the IT department before sending the download instructions later

  D. Saving the file in a common folder with a name that encourages people to click it

  Correct Answer: C

  The most effective way for the tester to achieve this objective is to send a pretext email from the IT department before sending the download instructions later. A pretext email is an email that uses deception or impersonation to trick users into believing that it is from a legitimate source or authority, such as the IT department. A pretext email can be used to establish trust or rapport with the users, and then persuade them to perform an action or provide information that benefits the attacker. In this case, the tester can send a pretext email from the IT department that informs users about an important update or maintenance task that requires them to download and run an executable file later. The tester can then send another email with the download instructions and attach or link to the malicious executable file. The users may be more likely to follow these instructions if they have received a prior email from the IT department that prepared them for this action. The other options are not as effective ways for the tester to achieve this objective. Dropping USB flash drives around the company campus with the file on it may not reach many users, as they may not find or pick up the USB flash drives, or they may be suspicious of their origin or content.

• Question 344:

  A large client wants a penetration tester to scan for devices within its network that are Internet facing. The client is specifically looking for Cisco devices with no authentication requirements. Which of the following settings in Shodan would meet the client's requirements?

  A. "cisco-ios" "admin+1234"

  B. "cisco-ios" "no-password"

  C. "cisco-ios" "default-passwords"

  D. "cisco-ios" "last-modified"

  Correct Answer: B

• Question 345:

  During enumeration, a red team discovered that an external web server was frequented by employees. After compromising the server, which of the following attacks would best support ------------company systems?

  A. Aside-channel attack

  B. A command injection attack

  C. A watering-hole attack

  D. A cross-site scripting attack

  Correct Answer: C

  The best attack that would support compromising company systems after compromising an external web server frequented by employees is a watering-hole attack, which is an attack that involves compromising a website that is visited by a specific group of users, such as employees of a target company, and injecting malicious code or content into the website that can infect or exploit the users' devices when they visit the website. A watering-hole attack can allow an attacker to compromise company systems by targeting their employees who frequent the external web server, and taking advantage of their trust or habit of visiting the website. A watering-hole attack can be performed by using tools such as BeEF, which is a tool that can hook web browsers and execute commands on them2. The other options are not likely attacks that would support compromising company systems after compromising an external web server frequented by employees. A side- channel attack is an attack that involves exploiting physical characteristics or implementation flaws of a system or device, such as power consumption, electromagnetic radiation, timing, or sound, to extract sensitive information or bypass security mechanisms. A command injection attack is an attack that exploits a vulnerability in a system or application that allows an attacker to execute arbitrary commands on the underlying OS or shell. A cross-site scripting attack is an attack that exploits a vulnerability in a web application that allows an attacker to inject malicious scripts into web pages that are viewed by other users.

• Question 346:

  A security firm is discussing the results of a penetration test with a client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following best describes the action taking place?

  A. Maximizing the likelihood of finding vulnerabilities

  B. Reprioritizing the goals/objectives

  C. Eliminating the potential for false positives

  D. Reducing the risk to the client environment

  Correct Answer: B

  The action of shifting the focus of a penetration test to a specific critical network segment based on the findings during the engagement best aligns with B. Reprioritizing the goals/objectives. because as the client is choosing to change the focus of the testing to a particular area based on the findings. It reflects an adjustment of the original plan or goals to better suit the current understanding of the system's security posture.

• Question 347:

  A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data.

  Which of the following should the tester verify FIRST to assess this risk?

  A. Whether sensitive client data is publicly accessible

  B. Whether the connection between the cloud and the client is secure

  C. Whether the client's employees are trained properly to use the platform

  D. Whether the cloud applications were developed using a secure SDLC

  Correct Answer: A

• Question 348:

  A penetration tester was brute forcing an internal web server and ran a command that produced the following output:

  

  However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output?

  A. The HTTP port is not open on the firewall.

  B. The tester did not run sudo before the command.

  C. The web server is using HTTPS instead of HTTP.

  D. This URI returned a server error.

  Correct Answer: A

• Question 349:

  A penetration tester is using the following script: Which of the following BEST describes the purpose of this script?

  

  A. To determine if a web server's date/time function is susceptible to attack

  B. To determine if a web server's time zone has been misconfigured

  C. To determine the difference between local and server time

  D. To determine and display the round-trip time of HTTP requests

  Correct Answer: C

• Question 350:

  Which of the following is the activity that is typically required the MOST during the post-engagement cleanup phase?

  A. Removing shells

  B. Launching new attacks

  C. Documenting vulnerabilities

  D. Requesting payment

  Correct Answer: A