
CompTIA PT0-001 CompTIA PenTest+ Exam Exam Practice Test

Page: 1 / 29
Total 294 questions

CompTIA PenTest+ Exam Questions and Answers

Question 1

A penetration tester has run multiple vulnerability scans against a target system. Which of the following would be unique to a credentialed scan?

Options:

A.

Exploits for vulnerabilities found

B.

Detailed service configurations

C.

Unpatched third-party software

D.

Weak access control configurations

Question 2

After successfully capturing administrator credentials to a remote Windows machine, a penetration tester attempts to access the system using PSExec but is denied permission. Which of the following shares must be accessible for a successful PSExec connection?

Options:

A.

IPC$ and C$

B.

C$ and ADMIN$

C.

SERVICES and ADMIN$

D.

ADMIN$ and IPC$

Question 3

A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:

• Code review

• Updates to firewall settings

Options:

A.

Scope creep

B.

Post-mortem review

C.

Risk acceptance

D.

Threat prevention

Question 4

A penetration tester is performing an annual security assessment for a repeat client. The tester finds indicators of previous compromise. Which of the following would be the most logical steps to follow NEXT?

Options:

A.

Report the incident to the tester's immediate manager and follow up with the client immediately

B.

Report the incident to the client's Chief Information Security Officer (CISO) immediately and alter the terms of engagement accordingly

C.

Report the incident to the client's legal department and then follow up with the client's security operations team

D.

Make note of the anomaly, continue with the penetration testing and detail it in the final report

Question 5

Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

Options:

A.

ICS vendors are slow to implement adequate security controls.

B.

ICS staff are not adequately trained to perform basic duties.

C.

There is a scarcity of replacement equipment for critical devices.

D.

There is a lack of compliance for ICS facilities.

Question 6

An attacker receives a DHCP address and notices the hostname was populated in the corporate DNS server. Which of the following BEST describes how the attacker can use this information?

Options:

A.

VLAN hopping

B.

DCSync operation

C.

Setting custom SRV records

D.

WPAD attack

Question 7

A penetration tester has discovered through automated scanning that a Tomcat server allows for the use of default credentials. Using default credentials, the tester is able to upload WAR files to the server. Which of the following is the MOST likely post-exploitation step?

Options:

A.

Upload a customized /etc/shadow file.

B.

Monitor network traffic

C.

Connect via SSH using default credentials.

D.

Install web shell on the server.

Question 8

A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

Options:

A.

dsrm -users "DN=company.com; OU=hq CN=usera"

B.

dsuser -name -account -limit 3

C.

dsquery user -inactive 3

D.

dsquery -o -rein -limit 21

Question 9

A penetration tester needs to provide the code used to exploit a DNS server in the final report. In which of the following parts of the report should the penetration tester place the code?

Options:

A.

Executive summary

B.

Remediation

C.

Conclusion

D.

Technical summary

Question 10

A penetration tester locates a few unquoted service paths during an engagement. Which of the following can the tester attempt to do with these?

Options:

A.

Attempt to crack the service account passwords.

B.

Attempt DLL hijacking attacks.

C.

Attempt to locate weak file and folder permissions.

D.

Attempt privilege escalation attacks.

Question 11

A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

Options:

A.

nc -lvp 4444 /bin/bash

B.

nc -vp 4444 /bin/bash

C.

nc -p 4444 /bin/bash

D.

nc -lp 4444 -e /bin/bash

Question 12

A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

Options:

A.

Use path modification to escape the application's framework.

B.

Create a frame that overlays the application.

C.

Inject a malicious iframe containing JavaScript.

D.

Pass an iframe attribute that is malicious.

Question 13

A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely occurred?

Options:

A.

The badge was cloned.

B.

The physical access control server is malfunctioning.

C.

The system reached the crossover error rate.

D.

The employee lost the badge.

Question 14

If a security consultant comes across a password hash that resembles the following:

b117525b345470c29ca3d8ae0b556ba8

Which of the following formats is the correct hash type?

Options:

A.

Kerberos

B.

NetNTLMv1

C.

NTLM

D.

SHA-1

Question 15

A penetration tester has performed a vulnerability scan of a specific host that contains a valuable database and has identified the following vulnerabilities:

  • XSS
  • HTTP DELETE method allowed
  • SQL injection
  • Vulnerable to CSRF

To which of the following should the tester give the HIGHEST priority?

Options:

A.

SQL injection

B.

HTTP DELETE method allowed

C.

Vulnerable to CSRF

D.

XSS

Question 16

A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?

Options:

A.

The latest vulnerability scan results

B.

A list of sample application requests

C.

An up-to-date list of possible exploits

D.

A list of sample test accounts

Question 17

A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE)

Options:

A.

Mandate all employees take security awareness training

B.

Implement two-factor authentication for remote access

C.

Install an intrusion prevention system

D.

Increase password complexity requirements

E.

Install a security information event monitoring solution.

F.

Prevent members of the IT department from interactively logging in as administrators

G.

Upgrade the cipher suite used for the VPN solution

Question 18

A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Select TWO)

Options:

A.

Tcpdump

B.

Nmap

C.

Wireshark

D.

SSH

E.

Netcat

F.

Cain and Abel

Question 19

A web application scanner reports that a website is susceptible to clickjacking. Which of the following techniques would BEST prove exploitability?

Options:

A.

Redirect the user with a CSRF.

B.

Launch the website in an iFRAME.

C.

Pull server headers.

D.

Capture and replay a session ID.

Question 20

A vulnerability scan is run against a domain hosting a banking application that accepts connections over HTTPS and HTTP protocols. Given the following results:

• SSLv3 supported

• HSTS not enforced

• Application uses weak ciphers

• Vulnerable to clickjacking

Which of the following should be ranked with the HIGHEST risk?

Options:

A.

SSLv3 supported

B.

HSTS not enforced

C.

Application uses weak ciphers

D.

Vulnerable to clickjacking

Question 21

A penetration tester is reviewing the following output from a wireless sniffer:

Which of the following can be extrapolated from the above information?

Options:

A.

Hardware vendor

B.

Channel interference

C.

Usernames

D.

Key strength

Question 22

A penetration tester is required to report installed shells on compromised systems. Which of the following is the reason?

Options:

A.

To allow another security consultant access to the shell

B.

To allow the developer to troubleshoot the vulnerability

C.

To allow the systems administrator to perform the cleanup

D.

To allow the systems administrator to write a rule on the WAF

Question 23

During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical business function. Which of the following mitigations is BEST for the consultant to conduct?

Options:

A.

Update to the latest Microsoft Windows OS.

B.

Put the machine behind the WAF.

C.

Segment the machine from the main network.

D.

Disconnect the machine.

Question 24

A penetration tester attempts to perform a UDP port scan against a remote target using an Nmap tool installed onto a non-Kali Linux image. For some reason, the UDP scan fails to start. Which of the following would MOST likely help to resolve the issue?

Options:

A.

Install the latest version of the tool.

B.

Review local iptables for existing drop rules.

C.

Relaunch the tool with elevated privileges.

D.

Enable both IPv4 and IPv6 forwarding.

Question 25

A security consultant finds a folder in "C:\Program Files" that has writable permission from an unprivileged user account. Which of the following can be used to gain higher privileges?

Options:

A.

Retrieving the SAM database

B.

Kerberoasting

C.

Retrieving credentials in LSASS

D.

DLL hijacking

E.

VM sandbox escape

Question 26

When conducting reconnaissance against a target, which of the following should be used to avoid directly communicating with the target?

Options:

A.

Nmap tool

B.

Maltego community edition

C.

Nessus vulnerability scanner

D.

OpenVAS

E.

Metasploit

Question 27

A client has voiced concern about the number of companies being breached by remote attackers who are looking for trade secrets. Which of the following BEST describes the types of adversaries this would identify?

Options:

A.

Script kiddies

B.

APT actors

C.

Insider threats

D.

Hacktivist groups

Question 28

An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email to obtain the CEO's login credentials. Which of the following types of attacks is this an example of?

Options:

A.

Elicitation attack

B.

Impersonation attack

C.

Spear phishing attack

D.

Drive-by download attack

Question 29

A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

Options:

A.

Ensure the scanner can make outbound DNS requests.

B.

Ensure the scanner is configured to perform ARP resolution.

C.

Ensure the scanner is configured to analyze IP hosts.

D.

Ensure the scanner has the proper plug-ins loaded.

Question 30

An attacker is attempting to gain unauthorized access to a WiFi network that uses WPA2-PSK. Which of the following attack vectors would the attacker MOST likely use?

Options:

A.

Capture a three-way handshake and crack it

B.

Capture a mobile device and crack its encryption

C.

Create a rogue wireless access point

D.

Capture a four-way handshake and crack it

Question 31

Given the following Python script:

Which of the following actions will it perform?

Options:

A.

ARP spoofing

B.

Port scanner

C.

Reverse shell

D.

Banner grabbing

Question 32

After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?

Options:

A.

Expand the password length from seven to 14 characters

B.

Implement password history restrictions

C.

Configure password filters

D.

Disable the accounts after five incorrect attempts

E.

Decrease the password expiration window

Question 33

The results of a basic compliance scan show a subset of assets on a network. This data differs from what is shown on the network architecture diagram, which was supplied at the beginning of the test. Which of the following are the MOST likely causes for this difference? (Select TWO)

Options:

A.

Storage access

B.

Limited network access

C.

Misconfigured DHCP server

D.

Incorrect credentials

E.

Network access controls

Question 34

While performing privilege escalation on a Windows 7 workstation, a penetration tester identifies a service that imports a DLL by name rather than an absolute path. To exploit this vulnerability, which of the following criteria must be met?

Options:

A.

Permissions not disabled in the DLL

B.

Weak folder permissions of a directory in the DLL search path

C.

Write permissions in the C:\Windows\System32\imports directory

D.

DLL not cryptographically signed by the vendor

Question 35

Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented. Each password may be used only once.

Options:

Question 36

Joe, an attacker, intends to transfer funds discreetly from a victim's account to his own. Which of the following URLs can he use to accomplish this attack?

Options:

A.

https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action=ACHTransfer&senderID=654846&notify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe'--&amount=200

B.

https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action=ACHTransfer&senderID=654846&notify=False&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' &amount=200

C.

https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action=ACHTransfer&senderID=654846&notify=True&creditaccount='OR 1=1 AND select username from testbank.custinfo where username like 'Joe' --&amount=200

D.

https://testbank.com/BankingApp/ACH.aspx?CustID=435345&accountType=F&action=ACHTransfer&senderID=654846&notify=True&creditaccount='AND 1=1 AND select username from testbank.custinfo where username like 'Joe' --&amount=200

Question 37

Which of the following attacks is commonly combined with cross-site scripting for session hijacking?

Options:

A.

CSRF

B.

Clickjacking

C.

SQLI

D.

RFI

Question 38

A penetration tester is performing a validation scan after an organization remediated a vulnerability on port 443. The penetration tester observes the following output:

Which of the following has MOST likely occurred?

Options:

A.

The scan results were a false positive.

B.

The IPS is blocking traffic to port 443

C.

A mismatched firewall rule is blocking 443.

D.

The organization moved services to port 8443

Question 39

A penetration tester is performing a code review. Which of the following testing techniques is being performed?

Options:

A.

Dynamic analysis

B.

Fuzzing analysis

C.

Static analysis

D.

Run-time analysis

Question 40

A penetration tester is assessing the security of a web form for a client and enters ";id" in one of the fields.

The penetration tester observes the following response:

Based on the response, which of the following vulnerabilities exists?

Options:

A.

SQL injection

B.

Session hijacking

C.

Command injection

D.

XSS/XSRF

Question 41

An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application's network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing. Which of the following is MOST likely preventing proxying of all traffic?

Options:

A.

Misconfigured routes

B.

Certificate pinning

C.

Strong cipher suites

D.

Closed ports

Question 42

A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?

Options:

A.

Vulnerability scan

B.

Dynamic scan

C.

Static scan

D.

Compliance scan

Question 43

When communicating the findings of a network vulnerability scan to a client's IT department, which of the following metrics BEST prioritize the severity of the findings? (Select TWO)

Options:

A.

Threat map statistics

B.

CVSS scores

C.

Versions of affected software

D.

Media coverage prevalence

E.

Impact criticality

F.

Ease of remediation

Question 44

During an engagement, an insecure direct object reference vulnerability was discovered that allows the extraction of highly sensitive PII. The tester is required to extract and then exfiltrate the information from a web application with identifiers 1 through 1000 inclusive. When running the following script, an error is encountered:

Which of the following lines of code is causing the problem?

Options:

A.

url = "https://www.comptia.org?id="

B.

req = requests.get(url)

C.

if req.status == 200:

D.

url += i
