
PT0-001 Exam Dumps - CompTIA PenTest+ Exam

Question # 4

A penetration tester executed a vulnerability scan against a publicly accessible host and found a web server that is vulnerable to the DROWN attack. Assuming this web server is using the IP address 127.212.31.17, which of the following should the tester use to verify a false positive?

A.

openssl s_client -tls1_2 -connect 127.212.31.17:443

B.

openssl s_client -ssl2 -connect 127.212.31.17:443

C.

openssl s_client -ssl3 -connect 127.212.31.17:443

D.

openssl s_server -tls1_2 -connect 127.212.31.17:443
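
DROWN (CVE-2016-0800) is only possible when an RSA key is usable through an SSLv2 handshake, so the false-positive check is "does this server still speak SSLv2?". The `-ssl2` switch only exists in an OpenSSL built with SSLv2 support, which current releases are not, so the command in option B often fails with "unknown option" before it tells you anything. The following added example (written for this page, not code from the exam or from OpenSSL) does the same check without that dependency: it builds a raw SSLv2 CLIENT-HELLO, sends it to port 443, and treats any SSLv2 SERVER-HELLO as proof the finding is real. The two sample responses at the bottom are constructed for offline use; `probe()` is the only function that touches the network and must only be pointed at hosts you are authorised to test. Remember that DROWN is cross-protocol: a TLS-only web server is still affected if the same RSA key is served with SSLv2 on another port, such as SMTP or IMAP, so repeat the probe against those.

```python
import os
import socket
import struct

# The seven CIPHER-SPEC values defined for SSL 2.0 (3 bytes each).
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)
    body = (
        b"\x01"                              # MSG-CLIENT-HELLO
        + b"\x00\x02"                        # CLIENT-VERSION = SSL 2.0
        + struct.pack(">H", len(specs))      # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)               # SESSION-ID-LENGTH (none)
        + struct.pack(">H", len(challenge))  # CHALLENGE-LENGTH
        + specs
        + challenge
    )
    # Two-byte record header; the high bit set means "no padding byte follows".
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Parse an SSLv2 SERVER-HELLO and return the cipher specs the server
    accepts, or None if the bytes are not an SSLv2 SERVER-HELLO (for
    example a TLS alert, an SSLv2 ERROR record, or nothing at all)."""
    if len(data) < 3:
        return None
    if data[0] & 0x80:                       # 2-byte header
        length, body = ((data[0] & 0x7F) << 8) | data[1], data[2:]
    else:                                    # 3-byte header (padding byte present)
        length, body = ((data[0] & 0x3F) << 8) | data[1], data[3:]
    body = body[:length]
    if len(body) < 11 or body[0] != 0x04:    # MSG-SERVER-HELLO
        return None
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, spec_len, conn_len = struct.unpack(">HHH", body[5:11])
    if version != 0x0002 or len(body) < 11 + cert_len + spec_len + conn_len:
        return None
    raw = body[11 + cert_len:11 + cert_len + spec_len]
    specs = [raw[i:i + 3] for i in range(0, len(raw), 3)]
    return [SSL2_CIPHERS.get(s, s.hex()) for s in specs]


def speaks_sslv2(response):
    """True when the server answered our hello with an SSLv2 SERVER-HELLO."""
    return bool(parse_server_hello(response))


def probe(host, port=443, timeout=5.0):
    """Send the hello to a live host (authorised targets only) and return the
    parsed cipher list, or None when the port does not speak SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return parse_server_hello(s.recv(4096))
        except socket.timeout:
            return None


# Constructed responses for offline use (not captured from any real server).
# An SSLv2 SERVER-HELLO with the certificate omitted and two cipher specs:
SAMPLE_SSLV2_SERVER_HELLO = (
    b"\x80\x21"                 # header: 33-byte body, no padding
    + b"\x04"                   # MSG-SERVER-HELLO
    + b"\x00"                   # SESSION-ID-HIT = 0
    + b"\x01"                   # CERTIFICATE-TYPE = X.509
    + b"\x00\x02"               # SERVER-VERSION = SSL 2.0
    + b"\x00\x00"               # CERTIFICATE-LENGTH = 0 (omitted for brevity)
    + b"\x00\x06"               # CIPHER-SPECS-LENGTH = 6
    + b"\x00\x10"               # CONNECTION-ID-LENGTH = 16
    + b"\x01\x00\x80" + b"\x07\x00\xc0"
    + b"\x00" * 16
)
# A TLS 1.2 alert (handshake_failure), the usual reply from a patched server:
SAMPLE_TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    print("sample SSLv2 reply ->", parse_server_hello(SAMPLE_SSLV2_SERVER_HELLO))
    print("sample TLS alert   ->", parse_server_hello(SAMPLE_TLS_ALERT))
```

A server that answers with an SSLv2 SERVER-HELLO confirms the scanner's finding; an SSLv2 ERROR record, a TLS alert, or a closed socket means SSLv2 is off on that port and the hit was a false positive for that service.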

Question # 5

A penetration tester runs the following on a machine:

Which of the following will be returned?

A.

1

B.

3

C.

5

D.

6

Question # 6

During post-exploitation, a tester identifies that only system binaries will pass an egress filter, and stores a file with the following command:

c:\creditcards.db > c:\winnt\system32\calc.exe:creditcards.db

Which of the following file system vulnerabilities does this command take advantage of?

A.

Hierarchical file system

B.

Alternate data streams

C.

Backdoor success

D.

Extended file system

Question # 7

A system security engineer is preparing to conduct a security assessment of some new applications. The applications were provided to the engineer as a set that contains only JAR files. Which of the following would be the MOST detailed method to gather information on the inner workings of these applications?

A.

Launch the applications and use dynamic software analysis tools, including fuzz testing

B.

Use a static code analyzer on the JAR files to look for code quality deficiencies

C.

Decompile the applications to approximate source code and then conduct a manual review

D.

Review the details and extensions of the certificate used to digitally sign the code and the application

Question # 8

A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

A.

Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.

B.

Connect to the SQL server using this information and change the password of one or two non-critical accounts to demonstrate a proof-of-concept to management.

C.

Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.

D.

Request that management create an RFP to begin a formal engagement with a professional penetration testing company.

Question # 9

At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computer names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information?

A.

Enumeration of services

B.

OSINT gathering

C.

Port scanning

D.

Social engineering

Question # 10

A security consultant found a SCADA device in one of the VLANs in scope. Which of the following actions would BEST create a potentially destructive outcome against the device?

A.

Launch an SNMP password brute force attack against the device.

B.

Launch a Nessus vulnerability scan against the device.

C.

Launch a DNS cache poisoning attack against the device.

D.

Launch an SMB exploit against the device.

Question # 11

A client gives a penetration tester a /8 network range to scan during a week-long engagement. Which of the following tools would BEST complete this task quickly?

A.

Masscan

B.

Nmap

C.

Angry IP scanner

D.

Unicornscan

Question # 12

A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for the penetration tester to take?

A.

Obtain staff information by calling the company and using social engineering techniques.

B.

Visit the client and use impersonation to obtain information from staff.

C.

Send spoofed emails to staff to see if staff will respond with sensitive information.

D.

Search the Internet for information on staff such as social networking sites.

Question # 13

A penetration tester discovers SNMP on some targets. Which of the following should the penetration tester try FIRST?

A.

Sniff SNMP traffic.

B.

Use default credentials.

C.

Upload a new config file.

D.

Conduct a MITM.

Question # 14

A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

A.

From the remote computer, run the following commands:

export DISPLAY=192.168.1.10:0.0

xhost +

Terminal

B.

From the local computer, run the following command:

ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm

C.

From the local computer, run the following command:

ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 "xhost +; xterm"

D.

From the local computer, run the following command:

nc -l -p 6000

Then, from the remote computer, run the following command:

xterm | nc 192.168.1.10 6000

Question # 15

Given the following Python script:

Which of the following actions will it perform?

A.

ARP spoofing

B.

Port scanner

C.

Reverse shell

D.

Banner grabbing

Question # 16

Which of the following BEST describes why an MSA is helpful?

A.

It contractually binds both parties to not disclose vulnerabilities.

B.

It reduces potential for scope creep.

C.

It clarifies the business arrangement by agreeing to specific terms.

D.

It defines the timelines for the penetration test.

Question # 17

A penetration tester is asked to scope an external engagement. Which of the following would be a valid target?

A.

104.45.98.126

B.

169.254.67.23

C.

172.16.67.145

D.

192.168.47.231
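
Only the first option is routable from the Internet: 169.254.0.0/16 is link-local (APIPA), and 172.16.0.0/12 and 192.168.0.0/16 are RFC 1918 private space, so none of the other three can be reached, or legitimately attacked, from outside. Scope lists supplied by clients routinely contain such entries, and scanning them from the Internet wastes time or hits someone else's NAT. The following added example (mine, not part of the exam material) filters a candidate scope before any scanning starts, using only the standard library; it accepts single hosts and CIDR blocks, checks both ends of a block, and reports why each rejected entry was dropped. The candidate list is constructed from the question's four addresses plus a block and a malformed entry.

```python
import ipaddress

# Constructed candidate list: the four addresses from the question, one CIDR
# block, and one malformed entry. Not a real client's scope document.
CANDIDATES = [
    "104.45.98.126",
    "169.254.67.23",
    "172.16.67.145",
    "192.168.47.231",
    "104.45.98.0/24",
    "not-an-address",
]


def _not_routable_reason(addr):
    """Why a single address can never be an external target, or None."""
    if addr.is_loopback:
        return "loopback (127.0.0.0/8)"
    if addr.is_link_local:                 # checked before is_private, which also covers it
        return "link-local / APIPA (169.254.0.0/16, RFC 3927)"
    if addr.is_private:
        return "private (RFC 1918 or similar)"
    if addr.is_multicast:
        return "multicast"
    if addr.is_reserved:
        return "reserved"
    if not addr.is_global:
        return "not globally routable"
    return None


def reject_reason(target):
    """Return a reason to drop 'target' from an external scope, or None if it
    is a routable host or network. CIDR blocks are checked end to end."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return "not an IP address or CIDR"
    for addr in (net.network_address, net.broadcast_address):
        reason = _not_routable_reason(addr)
        if reason:
            return reason
    return None


def split_scope(candidates):
    """Return (accepted, rejected); rejected is a list of (target, reason)."""
    accepted, rejected = [], []
    for target in candidates:
        reason = reject_reason(target)
        if reason:
            rejected.append((target, reason))
        else:
            accepted.append(target)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = split_scope(CANDIDATES)
    print("in scope:", ok)
    for target, why in bad:
        print(f"dropped {target}: {why}")
```

Routable does not mean authorised: the accepted list still has to be matched against the addresses the client actually owns (WHOIS/RIR records) before it goes into a scanner.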

Question # 18

After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?

A.

Expand the password length from seven to 14 characters

B.

Implement password history restrictions

C.

Configure password filters

D.

Disable the accounts after five incorrect attempts

E.

Decrease the password expiration window

Question # 19

A penetration tester is utilizing social media to gather information about employees at a company. The tester has created a list of popular words used in employee profiles. For which of the following types of attack would this information be used?

A.

Exploit chaining

B.

Session hijacking

C.

Dictionary

D.

Karma

Question # 20

During an engagement, an insecure direct object reference vulnerability was discovered that allows the extraction of highly sensitive PII. The tester is required to extract and then exfiltrate the information from a web application with identifiers 1 through 1000 inclusive. When running the following script, an error is encountered:

Which of the following lines of code is causing the problem?

A.

url = "https://www.comptia.org?id="

B.

req = requests.get(url)

C.

if req.status ==200:

D.

url += i
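
The script itself is not reproduced on this page, but the options show the two classic mistakes in an identifier-enumeration loop: `url += i` appends an `int` to a `str`, which raises `TypeError` immediately, and `req.status` is not the attribute name the `requests` library uses (`status_code`). The following added example (written for this page; it is not the exam's script) shows the loop done properly: a fresh URL per identifier, an inclusive range, and a fetch function that can be swapped for a constructed stand-in so the logic runs offline. The base URL is the one from option A; `FAKE_RECORDS` and `fake_fetch` are constructed for the offline run.

```python
import urllib.error
import urllib.request

BASE_URL = "https://www.comptia.org?id="   # the base from the question's script


def buggy_build_url(base, ident):
    """Option D from the question, verbatim: str += int raises TypeError."""
    url = base
    url += ident
    return url


def build_url(base, ident):
    """Build a fresh URL for each identifier. Besides the type error, fixing
    '+=' with str(i) but keeping the shared variable would make every URL
    carry all previous identifiers, so build from the base every time."""
    return f"{base}{ident}"


def fetch_with_urllib(url, timeout=10):
    """Default fetcher for a live target: returns (status_code, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def extract_records(first, last, fetch=fetch_with_urllib, base=BASE_URL):
    """Request every identifier in [first, last] inclusive and keep the bodies
    that came back 200. range() excludes its stop value, hence last + 1."""
    found = {}
    for ident in range(first, last + 1):
        status, body = fetch(build_url(base, ident))
        if status == 200:          # 'requests' calls this .status_code, not .status
            found[ident] = body
    return found


# Constructed stand-in for the vulnerable endpoint so the loop runs offline.
FAKE_RECORDS = {1: b"alice", 2: b"bob", 1000: b"zed"}


def fake_fetch(url):
    ident = int(url.rsplit("=", 1)[1])
    if ident in FAKE_RECORDS:
        return 200, FAKE_RECORDS[ident]
    return 404, b"not found"


if __name__ == "__main__":
    got = extract_records(1, 1000, fetch=fake_fetch)
    print(f"{len(got)} records retrieved: {sorted(got)}")
```

On a real engagement the extracted PII should be handled as agreed in the rules of engagement (typically hashed or truncated in the report, and the raw data kept encrypted and destroyed after the test).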

Question # 21

Which of the following commands would allow a penetration tester to access a private network from the Internet in Metasploit?

A.

set rhost 192.168.1.10

B.

run autoroute -a 192.168.1.0/24

C.

db_nmap -iL /tmp/privatehosts.txt

D.

use auxiliary/server/socks4a

Question # 22

A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely occurred?

A.

The badge was cloned.

B.

The physical access control server is malfunctioning.

C.

The system reached the crossover error rate.

D.

The employee lost the badge.

Question # 23

A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network, but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?

A.

Karma attack

B.

Deauthentication attack

C.

Fragmentation attack

D.

SSID broadcast flood

Question # 24

When considering threat actor scoping prior to an engagement, which of the following characteristics makes an APT challenging to emulate?

A.

Development of custom zero-day exploits and tools

B.

Leveraging the dark net for non-attribution

C.

Tenacity and efficacy of social engineering attacks

D.

Amount of bandwidth available for DoS attacks

Question # 25

A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?

A.

The latest vulnerability scan results

B.

A list of sample application requests

C.

An up-to-date list of possible exploits

D.

A list of sample test accounts

Question # 27

Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO)

A.

The tester discovers personally identifiable data on the system

B.

The system shows evidence of prior unauthorized compromise

C.

The system shows a lack of hardening throughout

D.

The system becomes unavailable following an attempted exploit

E.

The tester discovers a finding on an out-of-scope system

Question # 28

A penetration tester entered the following information into the browser URL:

https://www.example.com/login.php?file=../../../../../../../etc/passwd

The server responded with the data contained in the server's sensitive data file. Which of the following types of vulnerabilities is MOST likely being exploited?

A.

Weak credentials

B.

Race conditions

C.

Directory traversal

D.

Command injection
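
The request works because the handler concatenates the `file` parameter onto a directory and opens the result, so each `../` walks one level up until the path leaves the web root entirely. The following added example (mine, not from the exam or any real application) puts the vulnerable resolution next to a hardened one that decodes the parameter, resolves it, and refuses anything that does not remain under the document root, and adds a small detection rule you can run over request logs. The document root `/var/www/html` and the sample log lines are assumptions, constructed for the offline run.

```python
import os
import urllib.parse

WEB_ROOT = "/var/www/html"   # assumed document root; the question names none


def vulnerable_resolve(user_path, root=WEB_ROOT):
    """What a handler like login.php?file=... effectively does: concatenate the
    parameter onto the root. Each '../' walks one directory out of it."""
    return os.path.normpath(os.path.join(root, user_path))


def safe_resolve(user_path, root=WEB_ROOT):
    """Decode the parameter, resolve it, and refuse anything that does not stay
    under the document root. Raises ValueError on an escape attempt."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))  # also catches %252e%252e
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    root_real = os.path.realpath(root)
    # os.path.join drops the root when user_path is absolute; the commonpath
    # check below rejects that case as well.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return candidate


def looks_like_traversal(param):
    """Cheap detection rule for logs or a WAF: normalise encodings and
    separators, then look for a parent-directory step or an absolute path."""
    d = urllib.parse.unquote(urllib.parse.unquote(param)).replace("\\", "/")
    return "../" in d or d.startswith("/")


SAMPLE_REQUEST_LOGS = [  # constructed log lines, not from a real server
    "GET /login.php?file=../../../../../../../etc/passwd 200",
    "GET /login.php?file=..%2f..%2f..%2fetc%2fpasswd 200",
    "GET /login.php?file=%252e%252e%252fetc%252fpasswd 200",
    "GET /login.php?file=index.html 200",
]


def flag_requests(log_lines):
    """Return the log lines whose 'file' parameter looks like traversal."""
    flagged = []
    for line in log_lines:
        path = line.split()[1]
        query = urllib.parse.urlsplit(path).query
        for value in urllib.parse.parse_qs(query).get("file", []):
            if looks_like_traversal(value):
                flagged.append(line)
                break
    return flagged


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("../../../../../../../etc/passwd"))
    try:
        safe_resolve("../../../../../../../etc/passwd")
    except ValueError as err:
        print("hardened:", err)
    for line in flag_requests(SAMPLE_REQUEST_LOGS):
        print("flagged:", line)
```

The containment check is the part that matters; stripping `../` from the input is not enough, since `....//` survives a single removal pass and encoded forms bypass a naive string match.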

Question # 29

A vulnerability scan report shows what appears to be evidence of a memory disclosure vulnerability on one of the target hosts. The administrator claims the system is patched and the evidence is a false positive. Which of the following is the BEST method for a tester to confirm the vulnerability exists?

A.

Manually run publicly available exploit code.

B.

Confirm via evidence of the updated version number.

C.

Run the vulnerability scanner again.

D.

Perform dynamic analysis on the vulnerable service.

Question # 30

A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will complete this task?

A.

-p-

B.

-p ALL

C.

-p 1-65534

D.

-port 1-65534

Question # 31

While engaging clients for a penetration test from highly regulated industries, which of the following is usually the MOST important to the clients from a business perspective?

A.

Letter of engagement and attestation of findings

B.

NDA and MSA

C.

SOW and final report

D.

Risk summary and executive summary

Question # 32

A penetration testing company is performing a penetration test against Company A. Company A has provided the IP address range 10.0.0.0/24 as its in-scope network range. During the information gathering phase, the penetration tester is asked to conduct active information-gathering techniques. Which of the following is the BEST tool to use for active information gathering?

A.

hping3

B.

theHarvester

C.

tcpdump

D.

Nmap

Question # 33

Which of the following commands will allow a tester to enumerate potential unquoted service paths on a host?

A.

wmic environment get name, variablevalue, username | findstr /i "Path" | findstr /i "service"

B.

wmic service get /format:hform > c:\temp\services.html

C.

wmic startup get caption, location, command | findstr /i "service" | findstr /v /i "%"

D.

wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
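
Option D is the one that actually isolates the exploitable condition: auto-start services whose ImagePath is not quoted, lives outside the Windows directory, and contains a space, so that CreateProcess tries `C:\Program.exe`, `C:\Program Files\Vendor.exe`, and so on before the real binary. Note that `wmic` is deprecated on current Windows releases; `Get-CimInstance Win32_Service` in PowerShell returns the same Name, PathName and StartMode fields. The following added example (mine, not exam material) applies the same filter chain to a listing and, for each hit, also computes the exact paths an attacker would try to plant, which is what you need for the finding and for the remediation test. The service rows are constructed, not captured from a real host.

```python
import re

# Constructed sample rows in the four columns the page's wmic command requests
# (name, displayname, pathname, startmode). Not captured from any real host.
SAMPLE_SERVICES = [
    ("Spooler",   "Print Spooler",         r"C:\Windows\System32\spoolsv.exe",                   "Auto"),
    ("AcmeAgent", "Acme Monitoring Agent", r"C:\Program Files\Acme Corp\Agent\agent.exe -svc",  "Auto"),
    ("AcmeUpd",   "Acme Updater",          r'"C:\Program Files\Acme Corp\Updater\upd.exe" -u',  "Auto"),
    ("OldSync",   "Legacy Sync",           r"C:\Tools\Legacy Sync\sync.exe",                    "Manual"),
    ("NoSpace",   "No Space Svc",          r"C:\Svc\nospace.exe",                               "Auto"),
]

_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_part(pathname):
    """The ImagePath up to and including the .exe, without any arguments."""
    m = _EXE_RE.match(pathname)
    return m.group(1) if m else pathname.split(" ")[0]


def is_unquoted_with_spaces(pathname):
    """Exploitable shape: no surrounding quotes and a space somewhere in the
    directory chain before the executable name."""
    if pathname.startswith('"'):
        return False
    return " " in executable_part(pathname)


def hijack_candidates(pathname):
    """Binaries CreateProcess will look for, in order, before the real one:
    the path cut at each space, with .exe appended."""
    parts = executable_part(pathname).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_service_paths(services, auto_only=True, skip_windows_dir=True):
    """Mirror the page's filter chain: auto-start services, outside the Windows
    directory, ImagePath unquoted and containing a space. Returns a list of
    (name, pathname, [candidate paths an attacker could plant])."""
    hits = []
    for name, _display, pathname, startmode in services:
        if auto_only and startmode.lower() != "auto":
            continue
        if skip_windows_dir and pathname.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(pathname):
            hits.append((name, pathname, hijack_candidates(pathname)))
    return hits


if __name__ == "__main__":
    for name, path, cands in find_unquoted_service_paths(SAMPLE_SERVICES):
        print(f"{name}: {path}")
        for c in cands:
            print(f"    would run first if present: {c}")
```

A hit only becomes a privilege-escalation finding if the tester can write to one of the candidate directories (here `C:\` or `C:\Program Files\`), so check directory ACLs before reporting it as exploitable.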

Question # 34

Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented. Each password may be used only once.

Question # 35

A penetration tester needs to provide the code used to exploit a DNS server in the final report. In which of the following parts of the report should the penetration tester place the code?

A.

Executive summary

B.

Remediation

C.

Conclusion

D.

Technical summary

Question # 36

A company requested a penetration tester review the security of an in-house-developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO)

A.

Convert to JAR

B.

Decompile

C.

Cross-compile the application

D.

Convert JAR files to DEX

E.

Re-sign the APK

F.

Attach to ADB

Question # 37

A penetration tester reported the following vulnerabilities:

Which of the following is the correct order to rate the vulnerabilities from critical to low considering the MOST immediate impact?

A.

Unrestricted file upload, stored XSS, SQL injection, verbose server headers

B.

SQL injection, unrestricted file upload, stored XSS, verbose server headers

C.

Verbose server headers, unrestricted file upload, stored XSS, SQL injection

D.

Stored XSS, SQL injection, unrestricted file upload, verbose server headers

Question # 38

During an internal network penetration test, the tester is able to compromise a Windows system and recover the NTLM hash for a local WrkStnAdmin account. Attempting to recover the plaintext password by cracking the hash has proved unsuccessful, and the tester has decided to try a pass-the-hash attack to see if the credentials are reused on other in-scope systems. Using the Medusa tool, the tester attempts to authenticate to a list of systems, including the originally compromised host, with no success. Given the output below:

Which of the following Medusa commands would potentially provide better results?

A.

#medusa -h hosts.txt -U users.txt -P hashes.txt -M smbnt -m GROUP:LOCAL -O out.txt -m PASS:HASH

B.

#medusa -H hosts.txt -U users.txt -P hashes.txt -M smbnt -m PASS:HASH -o out.txt

C.

#medusa -H hosts.txt -u WrkStnAdmin -p aad3b435b51404eeaad3b435b51404ee:4e63c1b137e274dda214154b349fe316 -M smbnt -m GROUP:DOMAIN -o out.txt

D.

#medusa -H hosts.txt -C creds.txt -M mssql -m GROUP:DOMAIN -o out.txt

Question # 39

At the information gathering stage, a penetration tester is trying to passively identify the technology running on a client's website. Which of the following approaches should the penetration tester take?

A.

Run a spider scan in Burp Suite.

B.

Use web aggregators such as BuiltWith and Netcraft

C.

Run a web scraper and pull the website’s content.

D.

Use Nmap to fingerprint the website’s technology.

Question # 40

A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence to the device? (Select TWO.)

A.

Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.

B.

Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com.

C.

Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.

D.

Create a fake service in Windows called RTAudio to execute manually.

E.

Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio.

F.

Create a scheduled task to call C:\windows\system32\drivers\etc\hosts.

Question # 41

A penetration tester has successfully exploited an application vulnerability and wants to remove the command history from the Linux session. Which of the following will accomplish this successfully?

A.

history --remove

B.

cat history | clear

C.

rm -f ./history

D.

history -c

Question # 42

A penetration tester wants to target the NetBIOS name service. Which of the following is the most likely command to exploit the NetBIOS name service?

A.

arpspoof

B.

nmap

C.

responder

D.

burpsuite

Question # 43

An SMB server was discovered on the network, and the penetration tester wants to see if the server is vulnerable. Which of the following is a relevant approach to test this?

A.

Null sessions

B.

Xmas scan

C.

ICMP flood

D.

SYN flood

Question # 44

Which of the following is an important stakeholder to notify when penetration testing has begun?

A.

System owner

B.

Remediation manager

C.

Compliance assessor

D.

Patching team
