Which of the following types of information should be included when writing the remediation section of a penetration test report to be viewed by the systems administrator and technical staff?
A. A quick description of the vulnerability and a high-level control to fix it
B. Information regarding the business impact if compromised
C. The executive summary and information regarding the testing company
D. The rules of engagement from the assessment
Correct Answer: A
The systems administrator and the technical staff would be more interested in the technical aspects of the findings.
Question 52:
During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser:
unauthorized to view this page.
Which of the following BEST explains what occurred?
A. The SSL certificates were invalid.
B. The tester IP was blocked.
C. The scanner crashed the system.
D. The web page was not found.
Correct Answer: B
The most likely explanation is that the tester's IP address was blocked by the web server. The web server may have detected the web scanner as malicious or suspicious activity and blocked the tester's IP address from accessing the web application, which would produce an "unauthorized to view this page" message in the browser.
Question 53:
A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network. Which of the following methods will MOST likely work?
A. Try to obtain the private key used for S/MIME from the CEO's account.
B. Send an email from the CEO's account, requesting a new account.
C. Move laterally from the mail server to the domain controller.
D. Attempt to escalate privileges on the mail server to gain root access.
Correct Answer: D
Question 54:
The following line-numbered Python code snippet is being used in reconnaissance:
Which of the following line numbers from the script MOST likely contributed to the script triggering a "probable port scan" alert in the organization's IDS?
A. Line 01
B. Line 02
C. Line 07
D. Line 08
Correct Answer: D
Question 55:
A penetration tester ran a ping -A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type?
A. Windows
B. Apple
C. Linux
D. Android
Correct Answer: A
The ping -A command sends an ICMP echo request with a specified TTL value and displays the response. The TTL value indicates how many hops the packet can traverse before being discarded. Different OSs have different default TTL values for their packets. Windows uses 128, Apple uses 64, Linux uses 64 or 255, and Android uses 64. Therefore, a packet with a TTL of 128 is most likely from a Windows OS.
Question 56:
During the reconnaissance phase, a penetration tester obtains the following output:
Reply from 192.168.1.23: bytes=32 time<54ms TTL=128
Reply from 192.168.1.23: bytes=32 time<53ms TTL=128
Reply from 192.168.1.23: bytes=32 time<60ms TTL=128
Reply from 192.168.1.23: bytes=32 time<51ms TTL=128
Which of the following operating systems is MOST likely installed on the host?
A. Linux
B. NetBSD
C. Windows
D. macOS
Correct Answer: C
The output shows the result of a ping command, which sends packets to a host and receives replies. The ping command can be used to determine whether a host is alive and reachable on the network. One piece of information that ping displays is the Time to Live (TTL) value, which indicates how many hops a packet can travel before it is discarded. The TTL value can also be used to guess the operating system of the host, because different operating systems use different default TTL values. In this case, the TTL value is 128, which is the default value for Windows operating systems. Linux and macOS have a default TTL value of 64, while NetBSD has a default TTL value of 255.
Question 57:
A security analyst needs to perform a scan for SMB port 445 over a /16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive?
A. Nmap -s 445 -Pn -T5 172.21.0.0/16
B. Nmap -p 445 -n -T4 -open 172.21.0.0/16
C. Nmap -sV --script=smb* 172.21.0.0/16
D. Nmap -p 445 -max -sT 172.21.0.0/16
Correct Answer: B
Nmap is a tool that can perform network scanning and enumeration by sending packets to hosts and analyzing their responses. The command Nmap -p 445 -n -T4 -open 172.21.0.0/16 would scan for SMB port 445 over a /16 network with the following options:
-p 445 specifies the port number to scan.
-n disables DNS resolution, which can speed up the scan by avoiding unnecessary queries.
-T4 sets the timing template to aggressive, which increases the speed of the scan by sending packets faster and waiting less for responses.
-open only shows hosts that have open ports, which can reduce the output and focus on relevant results.
The other commands are not optimal for scanning SMB port 445 over a /16 network when stealth is not a concern and the task is time sensitive.
Question 58:
A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?
A. Hashcat
B. Mimikatz
C. Patator
D. John the Ripper
Correct Answer: C
https://www.kali.org/tools/patator/
Question 59:
Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?
A. An unknown-environment assessment
B. A known-environment assessment
C. A red-team assessment
D. A compliance-based assessment
Correct Answer: C
A red-team assessment is a type of penetration testing that simulates a real-world attack scenario with the goal of accessing specific data or systems. A red-team assessment is different from an unknown-environment assessment, which does not have a predefined objective and focuses on discovering as much information as possible about the target. A known-environment assessment is a type of penetration testing that involves cooperation and communication with the target organization, and may not focus on specific data or systems. A compliance-based assessment is a type of penetration testing that aims to meet certain regulatory or industry standards, and may not focus on specific data or systems.
Question 60:
While performing the scanning phase of a penetration test, the penetration tester runs the following command:
nmap -n -vv -sV -p- 10.10.10.23-28
After the scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try next?
A. -su
B. -pn
C. -sn
D. -ss
Correct Answer: B
The command nmap -v -sV -p- 10.10.10.23-28 performs a port scan using nmap, a tool that can perform network scanning and enumeration by sending packets to hosts and analyzing their responses. The command has the following options:
-v enables verbose mode, which increases the amount of information displayed by nmap.
-sV enables version detection, which attempts to determine the version and service of the open ports.
-p- specifies that all ports from 1 to 65535 should be scanned.
10.10.10.23-28 specifies the range of IP addresses to be scanned.
The command does not have any option for host discovery, which is a process that determines which hosts are alive or reachable on a network by sending probes such as ICMP echo requests, TCP SYN packets, or ACK packets. Host discovery can help speed up the scan by avoiding scanning hosts that are down or do not respond. However, some hosts may be configured to block or ignore host discovery probes, which can cause nmap to report them as down even if they are up. To avoid this problem, the penetration tester should use the -Pn option, which skips host discovery and assumes that all hosts are up. This option can force nmap to scan all hosts regardless of their response to host discovery probes, and may reveal some hosts that were previously missed.
The other options are not valid options that the penetration tester should try next. The -su option does not exist in nmap, and would cause an error. The -sn option performs a ping scan and lists hosts that respond, but it does not scan any ports or services, which is not useful for the penetration test. The -ss option does not exist in nmap, and would cause an error.