PT0-001 : CompTIA PenTest+ Certification Exam : Part 05

  1. A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Choose two.)

    • Tcpdump
    • Nmap
    • Wireshark
    • SSH
    • Netcat
    • Cain and Abel
  2. An assessor begins an internal security test of the Windows domain internal.comptia.net. The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers?

    • dig -q any _kerberos._tcp.internal.comptia.net
    • dig -q any _lanman._tcp.internal.comptia.net
    • dig -q any _ntlm._tcp.internal.comptia.net
    • dig -q any _smtp._tcp.internal.comptia.net
  3. Click the exhibit button.

    PT0-001 Part 05 Q03 012

    Given the Nikto vulnerability scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Choose two.)

    • Arbitrary code execution
    • Session hijacking
    • SQL injection
    • Login credential brute-forcing
    • Cross-site request forgery
  4. A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

    • Use path modification to escape the application’s framework.
    • Create a frame that overlays the application.
    • Inject a malicious iframe containing JavaScript.
    • Pass an iframe attribute that is malicious.
  5. A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

    • Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.
    • Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof-of-concept to management.
    • Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.
    • Request that management create an RFP to begin a formal engagement with a professional penetration testing company.
  6. A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?

    • Infrastructure is being replaced with similar hardware and software.
    • Systems administrators are applying the wrong patches.
    • The organization is not taking action to remediate identified findings.
    • The penetration testing tools were misconfigured.
  7. Joe, a penetration tester, is asked to assess a company’s physical security by gaining access to its corporate office. Joe is looking for a method that will enable him to enter the building during business hours or when there are no employees on-site. Which of the following would be the MOST effective in accomplishing this?

    • Badge cloning
    • Lock picking
    • Tailgating
    • Piggybacking
  8. In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?

    • Common libraries
    • Configuration files
    • Sandbox escape
    • ASLR bypass
  9. A client asks a penetration tester to add more addresses to a test currently in progress. Which of the following would define the target list?

    • Rules of engagement
    • Master services agreement
    • Statement of work
    • End-user license agreement
  10. Which of the following BEST explains why it is important to maintain confidentiality of any identified findings when performing a penetration test?

    • Penetration test findings often contain company intellectual property.
    • Penetration test findings could lead to consumer dissatisfaction if made public.
    • Penetration test findings are legal documents containing privileged information.
    • Penetration test findings can assist an attacker in compromising a system.
  11. The following command is run on a Linux file system:

    chmod 4111 /usr/bin/sudo

    Which of the following issues may be exploited now?

    • Kernel vulnerabilities
    • Sticky bits
    • Unquoted service path
    • Misconfigured sudo
  12. Given the following script:

    PT0-001 Part 05 Q12 013

    Which of the following BEST describes the purpose of this script?

    • Log collection
    • Event collection
    • Keystroke monitoring
    • Debug message collection
  13. A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will complete this task?

    • -p-
    • -p ALL
    • -p 1-65534
    • -port 1-65534
  14. Which of the following vulnerabilities are MOST likely to be false positives when reported by an automated scanner on a static HTML web page? (Choose two.)

    • Missing secure flag for a sensitive cookie
    • Reflected cross-site scripting
    • Enabled directory listing
    • Insecure HTTP methods allowed
    • Unencrypted transfer of sensitive data
    • Command injection
    • Disclosure of internal system information
    • Support of weak cipher suites
  15. A software development team recently migrated to new application software on the on-premises environment. Penetration test findings show that multiple vulnerabilities exist. If a penetration tester does not have access to a live or test environment, it might be better for the tester to create the same environment on a VM. Which of the following is MOST important for confirmation?

    • Unsecure service and protocol configuration
    • Running SMB and SMTP service
    • Weak password complexity and user account
    • Misconfiguration
  16. A tester has captured a NetNTLMv2 hash using Responder. Which of the following commands will allow the tester to crack the hash using a mask attack?

    • hashcat -m 5600 -r rules/bestG4.rule hash.txt wordlist.txt
    • hashcat -m 5600 hash.txt
    • hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?a?a
    • hashcat -m 5600 -o results.text hash.txt wordlist.txt
  17. A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?

    • The latest vulnerability scan results
    • A list of sample application requests
    • An up-to-date list of possible exploits
    • A list of sample test accounts
  18. A penetration tester is checking a script to determine why some basic math errors are persisting. The expected result was the program outputting “True”.

    PT0-001 Part 05 Q18 014

    Given the output from the console above, which of the following explains how to correct the errors in the script? (Choose two.)

    • Change ‘fi’ to ‘Endlf’.
    • Remove the ‘let’ in front of ‘dest=5+5’.
    • Change the ‘=’ to ‘-eq’.
    • Change ‘source’ and ‘dest’ to “$source” and “$dest”.
    • Change ‘else’ to ‘elif’.
  19. After performing a security assessment for a firm, the client was found to have been billed for the time the client’s test environment was unavailable. The client claims to have been billed unfairly. Which of the following documents would MOST likely be able to provide guidance in such a situation?

    • SOW
    • NDA
    • EULA
    • BPA
  20. When performing compliance-based assessments, which of the following is the MOST important key consideration?

    • Additional rate
    • Company policy
    • Impact tolerance
    • Industry type