CompTIA CompTIA Certifications PT0-002 Questions & Answers

• Question 81:

  A penetration-testing team is conducting a physical penetration test to gain entry to a building. Which of the following is the reason why the penetration testers should carry copies of the engagement documents with them?

  A. As backup in case the original documents are lost

  B. To guide them through the building entrances

  C. To validate the billing information with the client

  D. As proof in case they are discovered

  Correct Answer: D

  The penetration testers should carry copies of the engagement documents with them as proof in case they are discovered by security guards, employees, or law enforcement officials. The engagement documents should include the scope, objectives, authorization, and contact information of the penetration testing team and the client. This will help avoid any legal or ethical issues that may arise from trespassing, breaking and entering, or unauthorized access. The other options are not valid reasons for carrying the engagement documents with them.

  Reference: https://hub.packtpub.com/penetration-testing-rules-of-engagement/

• Question 82:

  An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection?

  A. nmap -"T3 192.168.0.1

  B. nmap - "P0 192.168.0.1

  C. nmap - T0 192.168.0.1

  D. nmap - A 192.168.0.1

  Correct Answer: C

• Question 83:

  A penetration tester attempted a DNS poisoning attack. After the attempt, no traffic was seen from the target machine. Which of the following MOST likely caused the attack to fail?

  A. The injection was too slow.

  B. The DNS information was incorrect.

  C. The DNS cache was not refreshed.

  D. The client did not receive a trusted response.

  Correct Answer: C

  A DNS poisoning attack is an attack that exploits a vulnerability in the DNS protocol or system to redirect traffic from legitimate websites to malicious ones. A DNS poisoning attack works by injecting false DNS records into a DNS server or resolver's cache, which is a temporary storage of DNS information. However, if the DNS cache was not refreshed, then the attack would fail, as the target machine would still use the old and valid DNS records from its cache. The other options are not likely causes of the attack failure.

• Question 84:

  During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible. The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT?

  A. Deny that the vulnerability existed

  B. Investigate the penetration tester.

  C. Accept that the client was right.

  D. Fire the penetration tester.

  Correct Answer: B

  The penetration tester violated the client's request and the code of ethics by not reporting the vulnerability immediately and leaving it in place. This could have contributed to the breach and the data loss. The company should investigate the penetration tester's actions and motives, and hold them accountable for any negligence or malpractice.

• Question 85:

  A penetration tester received a .pcap file to look for credentials to use in an engagement. Which of the following tools should the tester utilize to open and read the .pcap file?

  A. Nmap

  B. Wireshark

  C. Metasploit

  D. Netcat

  Correct Answer: B

• Question 86:

  A penetration tester is reviewing the following SOW prior to engaging with a client:

  "Network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client's Chief Information Security

  Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner."

  Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)

  A. Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection

  B. Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement

  C. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team

  D. Seeking help with the engagement in underground hacker forums by sharing the client's public IP address

  E. Using a software-based erase tool to wipe the client's findings from the penetration tester's laptop

  F. Retaining the SOW within the penetration tester's company for future use so the sales team can plan future engagements

  Correct Answer: CD

  These two behaviors would be considered unethical because they violate the principles of honesty, integrity, and confidentiality that penetration testers should adhere to. Failing to share critical vulnerabilities with the client would be dishonest and unprofessional, as it would compromise the quality and value of the assessment and potentially expose the client to greater risks. Seeking help in underground hacker forums by sharing the client's public IP address would be a breach of confidentiality and trust, as it would expose the client's identity and information to malicious actors who may exploit them.

• Question 87:

  A penetration tester is explaining the MITRE ATTandCK framework to a company's chief legal counsel. Which of the following would the tester MOST likely describe as a benefit of the framework?

  A. Understanding the tactics of a security intrusion can help disrupt them.

  B. Scripts that are part of the framework can be imported directly into SIEM tools.

  C. The methodology can be used to estimate the cost of an incident better.

  D. The framework is static and ensures stability of a security program overtime.

  Correct Answer: A

  Reference: https://attack.mitre.org/

• Question 88:

  A penetration tester has extracted password hashes from the lsass.exe memory process. Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials?

  A. Use Patator to pass the hash and Responder for persistence.

  B. Use Hashcat to pass the hash and Empire for persistence.

  C. Use a bind shell to pass the hash and WMI for persistence.

  D. Use Mimikatz to pass the hash and PsExec for persistence.

  Correct Answer: D

  Mimikatz is a credential hacking tool that can be used to extract logon passwords from the LSASS process and pass them to other systems. Once the tester has the hashes, they can then use PsExec, a command-line utility from Sysinternals, to pass the hash to the remote system and authenticate with the new credentials. This provides the tester with persistence on the system, allowing them to access it even after a reboot. "A penetration tester who has extracted password hashes from the lsass.exe memory process can use various tools to pass the hash and gain access to other systems using the same credentials. One tool commonly used for this purpose is Mimikatz, which can extract plaintext passwords from memory or provide a pass-the-hash capability. After gaining access to a system, the tester can use various tools for persistence, such as PsExec or WMI." (CompTIA PenTest+ Study Guide, p. 186)

• Question 89:

  A penetration tester executes the following Nmap command and obtains the following output:

  

  Which of the following commands would best help the penetration tester discover an exploitable service?

  A. nmap -v -p 25 -- soript smtp-enum-users remotehost

  B. nmap -v -- script=mysql-info.nse remotehost

  C. nmap --ocript=omb-brute.noe remotehoat

  D. nmap -p 3306 -- script "http*vuln*" remotehost

  Correct Answer: B

  The Nmap command in the question scans all ports on the remote host and identifies the services and versions running on them. The output shows that port 3306 is open and running MariaDB, which is a fork of MySQL. Therefore, the best command to discover an exploitable service would be to use the mysql-info.nse script, which gathers information about the MySQL server, such as the version, user accounts, databases, and configuration variables. The other commands are either misspelled, irrelevant, or too broad for the task. References: Best PenTest+ certification study resources and training materials, CompTIA PenTest+ PT0-002 Cert Guide, 101 Labs -- CompTIA PenTest+: Hands-on Labs for the PT0-002 Exam

• Question 90:

  A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:

  1;SELECT Username, Password FROM Users;

  Which of the following injection attacks is the penetration tester using?

  A. Blind SQL

  B. Boolean SQL

  C. Stacked queries

  D. Error-based

  Correct Answer: C

  The penetration tester is using a type of injection attack called stacked queries, which means appending multiple SQL statements separated by semicolons in a single input field. This can allow the penetration tester to execute arbitrary SQL commands on the database server, such as selecting username and password from users table.