CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 31:

  Which of the following should be included in scope documentation?

  A. Service accounts

  B. Tester experience

  C. Disclaimer

  D. Number of tests

  Correct Answer: C

  A disclaimer is a statement that limits the liability of the penetration tester and the client in case of any unintended consequences or damages caused by the testing activities. It should be included in the scope documentation to clarify the roles and responsibilities of both parties and to avoid any legal disputes or misunderstandings. Service accounts, tester experience, and number of tests are not essential elements of the scope documentation, although they may be relevant for other aspects of the penetration testing process. References: The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 1: Planning and Scoping Penetration Tests1; The Official CompTIA PenTest+ Student Guide (Exam PT0002), Lesson 1: Planning and Scoping Penetration Tests2; What is the Scope of a Penetration Test?3

• Question 32:

  A Chief Information Security Officer wants to evaluate the security of the company's e- commerce application. Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?

  A. SQLmap

  B. DirBuster

  C. w3af

  D. OWASP ZAP

  Correct Answer: C

  W3AF, the Web Application Attack and Audit Framework, is an open source web application security scanner that includes directory and filename bruteforcing in its list of capabilities.

• Question 33:

  A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team?

  A. Multiple handshakes

  B. IP addresses

  C. Encrypted file transfers

  D. User hashes sent over SMB

  Correct Answer: B

• Question 34:

  A red team completed an engagement and provided the following example in the report to describe how the team gained access to a web server:

  x' OR role LIKE '%admin%

  Which of the following should be recommended to remediate this vulnerability?

  A. Multifactor authentication

  B. Encrypted communications

  C. Secure software development life cycle

  D. Parameterized queries

  Correct Answer: D

  The best recommendation to remediate this vulnerability is to use parameterized queries in the web application. Parameterized queries are a way of preventing SQL injection attacks by separating the SQL statements from the user input. This way, the user input is treated as a literal value and not as part of the SQL statement. For example, instead of using x' OR role LIKE '%admin%, the user input would be passed as a parameter to a prepared statement that would check if it matches any value in the database.

• Question 35:

  A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit?

  A. Patch installations

  B. Successful exploits

  C. Application failures

  D. Bandwidth limitations

  Correct Answer: B

  Successful exploits could cause network disruptions, service outages, or data corruption, which could affect the connectivity and functionality of the oil rig network. Patch installations, application failures, and bandwidth limitations are less likely to be related to the penetration testing activities.

• Question 36:

  A penetration tester runs a scan against a server and obtains the following output: 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-12-20 09:23AM 331 index.aspx | ftp-syst: 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2012 Std 3389/tcp open ssl/ms-wbt-server | rdp-ntlm-info: | Target Name: WEB3 | NetBIOS_Computer_Name: WEB3 | Product_Version: 6.3.9600 |_ System_Time: 2021-01-15T11:32:06+00:00 8443/tcp open http Microsoft IIS httpd 8.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.5 |_http-title: IIS Windows Server Which of the following command sequences should the penetration tester try NEXT?

  A. ftp 192.168.53.23

  B. smbclient \\\\WEB3\\IPC$ -I 192.168.53.23 –U guest

  C. ncrack –u Administrator –P 15worst_passwords.txt –p rdp 192.168.53.23

  D. curl –X TRACE https://192.168.53.23:8443/index.aspx

  E. nmap –-script vuln –sV 192.168.53.23

  Correct Answer: A

• Question 37:

  A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system After running a few commands, the tester runs the following:

  python -c 'import pty; pty.spawn("/bin/bash")'

  Which of the following actions Is the penetration tester performing?

  A. Privilege escalation

  B. Upgrading the shell

  C. Writing a script for persistence

  D. Building a bind shell

  Correct Answer: B

  The penetration tester is performing an action called upgrading the shell, which means improving the functionality and interactivity of the shell. By running the python command, the penetration tester is spawning a new bash shell that has features such as tab completion, command history, and job control. This can help the penetration tester to execute commands more easily and efficiently.

• Question 38:

  A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log:

  

  Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?

  A. Run an application vulnerability scan and then identify the TCP ports used by the application.

  B. Run the application attached to a debugger and then review the application's log.

  C. Disassemble the binary code and then identify the break points.

  D. Start a packet capture with Wireshark and then run the application.

  Correct Answer: D

• Question 39:

  A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?

  A. iam_enum_permissions

  B. iam_privesc_scan

  C. iam_backdoor_assume_role

  D. iam_bruteforce_permissions

  Correct Answer: A

  The iam_enum_permissions module will enable the tester to determine the level of access of the existing user in the cloud environment of a company, as it will list all permissions associated with an IAM user3. IAM (Identity and Access Management) is a service that enables users to manage access and permissions for AWS resources. Pacu is a tool that can be used to perform penetration testing on AWS environments4. Reference: https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf (37)

• Question 40:

  A penetration tester learned that when users request password resets, help desk analysts change users' passwords to 123change. The penetration tester decides to brute force an internet-facing webmail to check which users are still using the temporary password. The tester configures the brute-force tool to test usernames found on a text file and the... Which of the following techniques is the penetration tester using?

  A. Password brute force attack

  B. SQL injection

  C. Password spraying

  D. Kerberoasting

  Correct Answer: A

  The penetration tester is using a password brute force attack, which is a type of password guessing attack that involves trying many possible combinations of passwords against a single username or account. A password brute force attack can be effective when the password is known to be weak, simple, or predictable, such as a default or temporary password. In this case, the penetration tester knows that the help desk analysts change users' passwords to 123change when they request password resets, and decides to brute force the webmail with this password and a list of usernames. A password brute force attack can be done by using tools such as Hydra, which can perform parallelized login attacks against various protocols and services1. The other options are not techniques that the penetration tester is using. SQL injection is a type of attack that exploits a vulnerability in a web application that allows an attacker to execute malicious SQL statements on a database server. Password spraying is a type of password guessing attack that involves trying one or a few common passwords against many usernames or accounts. Kerberoasting is a type of attack that exploits a vulnerability in the Kerberos authentication protocol that allows an attacker to request and crack service tickets for service accounts with weak passwords.