Last Updated on July 9, 2021 by InfraExam

PT0-001 : CompTIA PenTest+ Certification Exam : Part 07

  1. A penetration tester, who is not on the client’s network, is using Nmap to scan the network for hosts that are in scope. The penetration tester is not receiving any response on the command:

    nmap 100.100/1/0-125

    Which of the following commands would be BEST to return results?

    • nmap -Pn -sT 100.100.1.0-125
    • nmap -sF -p 100.100.1.0-125
    • nmap -sV -oA output 100.100.10-125
    • nmap 100.100.1.0-125 -T4
  2. For which of the following reasons does a penetration tester need to have a customer’s point-of-contact information available at all times? (Choose three.)

    • To report indicators of compromise
    • To report findings that cannot be exploited
    • To report critical findings
    • To report the latest published exploits
    • To update payment information
    • To report a server that becomes unresponsive
    • To update the statement of work
    • To report a cracked password
  3. Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?

    • LSASS
    • SAM database
    • Active Directory
    • Registry
  4. A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability?

    • RID cycling to enumerate users and groups
    • Pass the hash to relay credentials
    • Password brute forcing to log into the host
    • Session hijacking to impersonate a system account
  5. A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?

    • TCP SYN flood
    • SQL injection
    • XSS
    • XMAS scan
  6. A penetration tester runs the following from a compromised host: python -c 'import pty;pty.spawn("/bin/bash")'. Which of the following actions is the tester taking?

    • Removing the Bash history
    • Upgrading the shell
    • Creating a sandbox
    • Capturing credentials
  7. A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

    • Ensure the scanner can make outbound DNS requests.
    • Ensure the scanner is configured to perform ARP resolution.
    • Ensure the scanner is configured to analyze IP hosts.
    • Ensure the scanner has the proper plug-ins loaded.
  8. A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network, but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?

    • Karma attack
    • Deauthentication attack
    • Fragmentation attack
    • SSID broadcast flood
  9. Which of the following is the purpose of an NDA?

    • Outlines the terms of confidentiality between both parties
    • Outlines the boundaries of which systems are authorized for testing
    • Outlines the requirements of technical testing that are allowed
    • Outlines the detailed configuration of the network
  10. A penetration tester has run multiple vulnerability scans against a target system. Which of the following would be unique to a credentialed scan?

    • Exploits for vulnerabilities found
    • Detailed service configurations
    • Unpatched third-party software
    • Weak access control configurations
  11. A penetration tester has been asked to conduct OS fingerprinting with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.)

    • -O
    • -iL
    • -sV
    • -sS
    • -oN
    • -oX
  12. After establishing a shell on a target system, Joe, a penetration tester, is aware that his actions have not been detected. He now wants to maintain persistent access to the machine. Which of the following methods would be MOST easily detected?

    • Run a zero-day exploit.
    • Create a new domain user with a known password.
    • Modify a known boot time service to instantiate a call back.
    • Obtain cleartext credentials of the compromised user.
  13. A consultant is performing a social engineering attack against a client. The consultant was able to collect a number of usernames and passwords using a phishing campaign. The consultant is given credentials to log on to various employees’ email accounts. Given the findings, which of the following should the consultant recommend be implemented?

    • Strong password policy
    • Password encryption
    • Email system hardening
    • Two-factor authentication
  14. A penetration tester wants to check manually if a “ghost” vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

    • Download the GHOST file to a Linux system and compile
      gcc -o GHOST
      test it:
      ./GHOST
    • Download the GHOST file to a Windows system and compile
      gcc -o GHOST GHOST.c
      test it:
      ./GHOST
    • Download the GHOST file to a Linux system and compile
      gcc -o GHOST GHOST.c
      test it:
      ./GHOST
    • Download the GHOST file to a Windows system and compile
      gcc -o GHOST
      test it:
      ./GHOST
  15. A company has engaged a penetration tester to perform an assessment for an application that resides in the company’s DMZ. Prior to conducting testing, in which of the following solutions should the penetration tester’s IP address be whitelisted?

    • WAF
    • HIDS
    • NIDS
    • DLP
  16. A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

    • nc -lvp 4444 /bin/bash
    • nc -vp 4444 /bin/bash
    • nc -p 4444 /bin/bash
    • nc -lp 4444 –e /bin/bash
  17. During post-exploitation, a tester identifies that only system binaries will pass an egress filter, and stores a file with the following command:

    c:\creditcards.db>c:\winit\system32\calc.exe:creditcards.db

    Which of the following file system vulnerabilities does this command take advantage of?

    • Hierarchical file system
    • Alternate data streams
    • Backdoor success
    • Extended file system
  18. A penetration tester has performed a vulnerability scan of a specific host that contains a valuable database and has identified the following vulnerabilities:

    – XSS
    – HTTP DELETE method allowed
    – SQL injection
    – Vulnerable to CSRF

    To which of the following should the tester give the HIGHEST priority?

    • SQL injection
    • HTTP DELETE method allowed
    • Vulnerable to CSRF
    • XSS
  19. A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely occurred?

    • The badge was cloned.
    • The physical access control server is malfunctioning.
    • The system reached the crossover error rate.
    • The employee lost the badge.