PT0-002 Exam Q&A PDF

Summary

This document contains cybersecurity exam questions and answers, focusing on penetration testing concepts and tools. It covers topics like commands, vulnerabilities, and security assessment.

Full Transcript

QUESTION 132
Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner?
A. chmod u+x script.sh
B. chmod u+e script.sh
C. chmod o+e script.sh
D. chmod o+x script.sh
Answer: A
Explanation: https://newbedev.com/chmod-u-x-versus-chmod-x

QUESTION 133
A compliance-based penetration test is primarily concerned with:
A. obtaining PII from the protected network.
B. bypassing protection on edge devices.
C. determining the efficacy of a specific set of security standards.
D. obtaining specific information from the protected network.
Answer: C

QUESTION 134
counsel. Which of the following would the tester MOST likely describe as a benefit of the framework?
A. Understanding the tactics of a security intrusion can help disrupt them.
B. Scripts that are part of the framework can be imported directly into SIEM tools.
C. The methodology can be used to estimate the cost of an incident better.
D. The framework is static and ensures stability of a security program over time.
Answer: A
Explanation: https://attack.mitre.org/

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. https://www.lead2pass.com

QUESTION 135
A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal?
A. Wireshark
B. Aircrack-ng
C. Kismet
D. Wifite
Answer: B
Explanation: The other options are basically sniffers and cannot be used to create a rogue AP/evil twin. Aircrack-ng. This program is a suite of wireless penetration testing tools, including airbase-ng, aircrack-ng, airdecap-ng, airdecloak-ng, airdrop-ng, aireplay-ng, airmon-ng, airodump-ng, and much more.

QUESTION 136
A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data. Which of the following should the tester verify FIRST to assess this risk?
A. Whether sensitive client data is publicly accessible
B. Whether the connection between the cloud and the client is secure
C.
D. Whether the cloud applications were developed using a secure SDLC
Answer: A

QUESTION 137
A Chief Information Security Officer wants a penetration tester to evaluate the security awareness Which of the following tools can help the tester achieve this goal?
A. Metasploit
B. Hydra
C. SET
D. WPScan
Answer: C
Explanation: Social Engineering Toolkit is a way to test your employees' security awareness.

QUESTION 138
Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?
A. Unsupported operating systems
B. Susceptibility to DDoS attacks
C. Inability to network
D. The existence of default passwords
Answer: D
Explanation: The IoT provides a unique opportunity for manufacturers to build devices with the ability to communicate and perform specialized functions. However, because of the lack of rigorous testing, many devices have several insecure defaults that come preconfigured, such as the username and password. In many cases, the manufacturer has hard-coded these credentials and made them very difficult or impossible to remove. This can be dangerous, as once a malicious actor knows the type of device that is in use, they can then research the default username and password online. As a result, the team should research the default credentials for each IoT product you target during the PenTest.

QUESTION 139
Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz.* on a Windows server that the tester compromised?
A. To remove hash-cracking registry entries
B. To remove the tester-created Mimikatz account
C. To remove tools from the server
D. To remove a reverse shell from the system
Answer: C
Explanation: SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wild card characters as part of the directory or file specifier.

QUESTION 140
A penetration tester was brute forcing an internal web server and ran a command that produced the following output: However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output?
A. The HTTP port is not open on the firewall.
B. The tester did not run sudo before the command.
C. The web server is using HTTPS instead of HTTP.
D. This URI returned a server error.
Answer: D
Explanation: If the firewall were blocking the port, then none of the web directories would have returned successfully (200 codes). The 500 code is a server-side error code, meaning the correct answer is D.

QUESTION 141
An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems. Which of the following is the penetration tester trying to accomplish?
A. Uncover potential criminal activity based on the evidence gathered.
B. Identify all the vulnerabilities in the environment.
C. Limit invasiveness based on scope.
D. Maintain confidentiality of the findings.
Answer: C

QUESTION 142
A company hired a penetration tester to do a social-engineering test against its employees. tester has learned the complete phone catalog was published there a few months ago. numbers?
A. Web archive
B. GitHub
C. File metadata
D. Underground forums
Answer: A

QUESTION 143
A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability. Which of the following is the BEST way to ensure this is a true positive?
A. Run another scanner to compare.
B. Perform a manual test on the server.
C. Check the results on the scanner.
D. Look for the vulnerability online.
Answer: B

QUESTION 144
the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the Which of the following is MOST vulnerable to a brute-force attack?
A. WPS
B. WPA2-EAP
C. WPA-TKIP
D. WPA2-PSK
Answer: A
Explanation: The problem with WPS is that the WPS-enabled router is vulnerable to having the WPS cracked due to the fact that the PIN was originally designed as two 4-pin blocks. It is much quicker to crack two 4-pin blocks than it is one 8-pin block. It has been found that hackers can brute force each of the two 4-digit blocks within hours and then use the PIN to connect to the WPA or WPA2 protected network.

QUESTION 145
A penetration tester ran the following commands on a Windows server: Which of the following should the tester do AFTER delivering the final report?
A. Delete the scheduled batch job.
B. Close the reverse shell connection.
C. Downgrade the svsaccount permissions.
D. Remove the tester-created credentials.
Answer: D
Explanation: svsaccount was created and then added to Administrators; this appended into the batchjob. Runas is like sudo.

QUESTION 146
A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test. Which of the following describes the scope of the assessment?
A. Partially known environment testing
B. Known environment testing
C. Unknown environment testing
D. Physical environment testing
Answer: C

QUESTION 147
The following line-numbered Python code snippet is being used in reconnaissance: Which of the following line numbers from the script MOST likely contributed to the script triggering a `probable port scan` alert in the organization's IDS?
A. Line 01
B. Line 02
C. Line 07
D. Line 08
E. Line 12
Answer: D
Explanation: 0.01 s is a super short and unusual setting for a timeout.

QUESTION 148
A consulting company is completing the ROE during scoping. Which of the following should be included in the ROE?
A. Cost of the assessment
B. Report distribution
C. Testing restrictions
D. Liability
Answer: C
Explanation: The Rules of Engagement, or ROE, are meant to list out the specifics of your penetration testing project to ensure that both the client and the engineers working on a project know exactly what is being tested, when it's being tested, and how it's being tested.

QUESTION 149
A new client hired a penetration-testing company for a month-long contract for various security publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings. Which of the following is most important for the penetration tester to define FIRST?
A. Establish the format required by the client.
B. Establish the threshold of risk to escalate to the client immediately.
C. Establish the method of potential false positives.
D. Establish the preferred day of the week for reporting.
Answer: B

QUESTION 150
A penetration tester has been hired to perform a physical penetration test to gain access to a guest network, and multiple security cameras connected to the Internet.
Which of the following tools or techniques would BEST support additional reconnaissance?
A. Wardriving
B. Shodan
C. Recon-ng
D. Aircrack-ng
Answer: C
Explanation: Third-party information sources and tools support passive intelligence gathering. Open-source intelligence gathering relies on a broad range of tools and services. These include search engines like Shodan and Censys, automated information-gathering tools like theHarvester, Recon-ng, Maltego, and FOCA, and databases and information stores like WHOIS records, public records, social media, and other information sources.

QUESTION 151
A penetration tester conducts an Nmap scan against a target and receives the following results: Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?
A. Nessus
B. ProxyChains
C. OWASP ZAP
D. Empire
Answer: B
Explanation: https://www.codeproject.com/Tips/634228/How-to-Use-Proxychains-Forwarding-Ports

QUESTION 152
A penetration tester received a .pcap file to look for credentials to use in an engagement. Which of the following tools should the tester utilize to open and read the .pcap file?
A. Nmap
B. Wireshark
C. Metasploit
D. Netcat
Answer: B
Explanation: The .pcap file extension is mainly associated with Wireshark, a program used for analyzing networks. .pcap files are data files created using the program and they contain the packet data of a network. These files are mainly used in analyzing the network characteristics of a certain data. These files also contribute to successfully controlling traffic of a certain network since they are being monitored by the program.

QUESTION 153
A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective?
A. nmap -sT -vvv -O 192.168.1.2/24 -PO
B. nmap -sV 192.168.1.2/24 -PO
C. nmap -sA -v -O 192.168.1.2/24
D. nmap -sS -O 192.168.1.2/24 -T1
Answer: D
Explanation: https://nmap.org/book/man-port-scanning-techniques.html

QUESTION 154
A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier. Which of the following is the BEST action for the penetration tester to take?
A. Utilize the tunnel as a means of pivoting to other internal devices.
B. Disregard the IP range, as it is out of scope.
C. Stop the assessment and inform the emergency contact.
D. Scan the IP range for additional systems to exploit.
Answer: C
Explanation: Critical findings: The first communication trigger is known as critical findings. A critical finding occurs when, during a pentest, you come across a critical or major vulnerability in a system that has the customer wide open to an attack. In this case you do not want to wait to communicate this important finding to the customer in the final report; you should stop the pentest immediately and talk to the stakeholder about the critical finding and determine how you are to proceed.

QUESTION 155
A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the d drive as a gift. Which of the following social-engineering attacks was the tester utilizing?
A. Phishing
B. Tailgating
C. Baiting
D. Shoulder surfing
Answer: C
Explanation: https://phoenixnap.com/blog/what-is-social-engineering-types-of-

QUESTION 156
A security company has been contracted to perform a scoped insider-threat assessment to try to gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position. Which of the following actions, if performed, would be ethical within the scope of the assessment?
A. Exploiting a configuration weakness in the SQL database
B. Intercepting outbound TLS traffic
C. Gaining access to hosts by injecting malware into the enterprise-wide update server
D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates
E. Establishing and maintaining persistence on the domain controller
Answer: A

QUESTION 157
A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server?
A. Perform vertical privilege escalation.
B. Replay the captured traffic to the server to recreate the session.
C. Use John the Ripper to crack the password.
D. Utilize a pass-the-hash attack.
Answer: B

QUESTION 158
Which of the following protocols or technologies would provide in-transit confidentiality protection for emailing the final security assessment report?
A. S/MIME
B. FTPS
C. DNSSEC
D. AS2
Answer: A

QUESTION 159
A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables. Which of the following should be included as a recommendation in the remediation report?
A. Stronger algorithmic requirements
B. Access controls on the server
C. Encryption on the user passwords
D. A patch management program
Answer: A

QUESTION 160
A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987. Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL?
A. SQLmap
B. Nessus
C. Nikto
D. DirBuster
Answer: C
Explanation: Nikto is an open-source web application vulnerability scanner. When you run it against a website or web application, Nikto performs a number of tests to determine if the web application is vulnerable to different types of attacks.

QUESTION 161
A penetration tester is attempting to discover live hosts on a subnet quickly. Which of the following commands will perform a ping scan?
A. nmap -sn 10.12.1.0/24
B. nmap -sV -A 10.12.1.0/24
C. nmap -Pn 10.12.1.0/24
D. nmap -sT -p- 10.12.1.0/24
Answer: A
Explanation: https://www.tecmint.com/find-live-hosts-ip-addresses-on-linux-network/

QUESTION 162
Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance?
A. Shodan
B. Nmap
C. WebScarab-NG
D. Nessus
Answer: A
Explanation: Shodan is a search engine that collects information about systems connected to the Internet, such as servers and Internet of things (IoT) devices.

QUESTION 163
A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log: Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets?
A. Run an application vulnerability scan and then identify the TCP ports used by the application.
B. Run the application attached to a debugger and then review the application's log.
C. Disassemble the binary code and then identify the break points.
D. Start a packet capture with Wireshark and then run the application.
Answer: D

QUESTION 164
When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because:
A. security compliance regulations or laws may be violated.
B. testing can make detecting actual APT more challenging.
C. testing adds to the workload of defensive cyber- and threat-hunting teams.
D. business and network operations may be impacted.
Answer: D

QUESTION 165
A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contract with the cloud provider prevents any activities that would interfere with the cloud provider's other customers. When engaging with a penetration-testing company to test the application, which of the following should the company avoid?
A. Crawling the web application's URLs looking for vulnerabilities
B. Fingerprinting all the IP addresses of the application's servers
C. Brute forcing the application's passwords
D. Sending many web requests per second to test DDoS protection
Answer: D

QUESTION 166
A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)
A. Spawned shells
B. Created user accounts
C. Server logs
D. Administrator accounts
E. Reboot system
F. ARP cache
Answer: AB
Explanation: Removing shells: Remove any shell programs installed when performing the pentest. Removing tester-created credentials: Be sure to remove any user accounts created during the pentest. This includes backdoor accounts. were used to aid in the exploitation of systems.

QUESTION 167
A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?
A. Weak authentication schemes
B. Credentials stored in strings
C. Buffer overflows
D. Non-optimized resource management
Answer: C
Explanation: Fuzzing introduces unexpected inputs into a system and watches to see if the system has any negative reactions to the inputs that indicate security, performance, or quality gaps or issues.

QUESTION 168
A penetration tester has prepared the following phishing email for an upcoming penetration test: Which of the following is the penetration tester using MOST to influence phishing targets to click on the link?
A. Familiarity and likeness
B. Authority and urgency
C. Scarcity and fear
D. Social proof and greed
Answer: B

QUESTION 169
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?
A. Command injection
B. Broken authentication
C. Direct object reference
D. Cross-site scripting
Answer: C
Explanation: Insecure direct object reference (IDOR) is a vulnerability where the developer of the application does not implement authorization features to verify that someone accessing data on the site is allowed to access that data.

QUESTION 170
Which of the following situations would MOST likely warrant revalidation of a previous security assessment?
A. After detection of a breach
B. After a merger or an acquisition
C. When an organization updates its network firewall configurations
D. When most of the vulnerabilities have been remediated
Answer: D
Explanation: After the customer follows those recommended remediation steps, the customer may want to have those systems retested in order to validate that the remediation steps worked.

QUESTION 171
A penetration tester gains access to a system and is able to migrate to a user process: Given the output above, which of the following actions is the penetration tester performing? (Choose two.)
A. Redirecting output from a file to a remote system
B. Building a scheduled task for execution
C. Mapping a share to a remote system
D. Executing a file on the remote system
E. Creating a new process on all domain systems
F. Setting up a reverse shell from a remote system
G. Adding an additional IP address on the compromised system
Answer: CD
Explanation: The "net use" command is a Command Prompt command used to connect to, remove, and configure connections to shared resources, like mapped drives and network printers. WMIC.exe is a built-in Microsoft program that allows command-line access to the Windows Management Instrumentation. Using this tool, administrators can query the operating system for detailed information about installed hardware and Windows settings, run management tasks, and even execute other programs or commands.

QUESTION 172
After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results: The tester then runs the following command from the previous exploited system, which fails: Which of the following explains the reason why the command failed?
A. The tester input the incorrect IP address.
B. The command requires the port 135 option.
C. An account for RDP does not exist on the server.
D. PowerShell requires administrative privilege.
Answer: A
Explanation: Enter-PSSession uses 5985 as the default port.

QUESTION 173
Which of the following assessment methods is MOST likely to cause harm to an ICS environment?
A. Active scanning
B. Ping sweep
C. Protocol reversing
D. Packet analysis
Answer: A
Explanation: Industrial control systems (ICSs), SCADA, and Industrial Internet of Things devices are used to manage factories, utilities, and a wide range of other industrial devices. They require special care when testing due to the potential for harm to business processes and other infrastructure if they are disrupted.

QUESTION 174
During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames. Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?
A. Sniff and then crack the WPS PIN on an associated WiFi device.
B. Dump the user address book on the device.
C. Break a connection between two Bluetooth devices.
D. Transmit text messages to the device.
Answer: B
Explanation: Bluesnarfing: A Bluetooth attack that allows the hacker to exploit the Bluetooth device and copy data off the device. For example, the

QUESTION 175
Which of the following would a company's hunt team be MOST interested in seeing in a final report?
A. Executive summary
B. Attack TTPs
C. Methodology
D. Scope details
Answer: B

QUESTION 176
A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades-old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan?
A. The timing of the scan
B. The bandwidth limitations
C. The inventory of assets and versions
D. The type of scan
Answer: D
Explanation: Testing a firewall to see what ports are open, not penetrating the firewall. Use an ACK or FIN scan.

QUESTION 177
Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?
A. Nessus
B. Metasploit
C. Burp Suite
D. Ethercap
Answer: B

QUESTION 178
A penetration tester writes the following script: Which of the following is the tester performing?
A. Searching for service vulnerabilities
B. Trying to recover a lost bind shell
C. Building a reverse shell listening on specified ports
D. Scanning a network for specific open ports
Answer: D
Explanation:
-z zero-I/O mode [used for scanning]
-v verbose
Example output of script:
10.0.0.1: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.1] 22 (ssh) open
(UNKNOWN) [10.0.0.1] 23 (telnet) : Connection timed out
https://unix.stackexchange.com/questions/589561/what-is-nc-z-used-for

QUESTION 179
A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server. To remain stealthy, the tester ran the following command from the attack machine: Which of the following would be the BEST command to use for further progress into the targeted network?
A. nc 10.10.1.2
B. ssh 10.10.1.2
C. nc 127.0.0.1 5555
D. ssh 127.0.0.1 5555
Answer: C
Explanation: Port 25 from the remote host is forwarded to local port 5555 (to IP: 10.10.1.2). So if you have forwarded the port to yourself, it means you can access it by connecting to 127.0.0.1 or 10.10.1.2. The next part of the pentester's task is to determine what service is opened on 25 or what communication is sent on the internal service. The quickest way to do this is to use netcat.
A - port 5555 is not specified
B - port 5555 is not specified, why would you ssh to smtp port with sendmail server?
C - correct, netc
D - if there is no ssh connection on port 25 it is useless as above in B. Syntax is wrong, to specify port on ssh you need to use -p.

QUESTION 180
A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results: Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)
A. Telnet
B. HTTP
C. SMTP
D. DNS
E. NTP
F. SNMP
Answer: BD
Explanation: 22, 53 and 80 are open. Only DNS and HTTP are mentioned in the answers.

QUESTION 181
An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection?
A. nmap -T3 192.168.0.1
B. nmap -P0 192.168.0.1
C. nmap -T0 192.168.0.1
D. nmap -A 192.168.0.1
Answer: C
Explanation:
-T0 Paranoid: Very slow, used for IDS evasion
-T1 Sneaky: Quite slow, used for IDS evasion
-T2 Polite: Slows down to consume less bandwidth, runs ~10 times slower than default
-T3 Normal: Default, a dynamic timing model based on target responsiveness
-T4 Aggressive: Assumes a fast and reliable network and may overwhelm targets
-T5 Insane: Very aggressive; will likely overwhelm targets or miss open ports

QUESTION 182
A final penetration test report has been submitted to the board for review and accepted. The report has three findings rated high. Which of the following should be the NEXT step?
A. Perform a new penetration test.
B. Remediate the findings.
C. Provide the list of common vulnerabilities and exposures.
D. Broaden the scope of the penetration test.
Answer: B

QUESTION 183
Which of the following situations would require a penetration tester to notify the emergency contact for the engagement?
A. The team exploits a critical server within the organization.
B. The team exfiltrates PII or credit card data from the organization.
C. The team loses access to the network remotely.
D. The team discovers another actor on a system on the network.
Answer: D

QUESTION 184
During an engagement, a penetration tester found the following list of strings inside a file: Which of the following is the BEST technique to determine the known plaintext of the strings?
A. Dictionary attack
B. Rainbow table attack
C. Brute-force attack
D. Credential-stuffing attack
Answer: B
Explanation: You use a rainbow table for hashes.

QUESTION 185
A penetration tester ran a simple Python-based scanner. The following is a snippet of the code: Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS?
A. sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds.
B. *range(1, 1025) on line 1 populated the portList list in numerical order.
C. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM
D. The remoteSvr variable has neither been type-hinted nor initialized.
Answer: B
Explanation: Port randomization is widely used in port scanners. By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). https://nmap.org/book/man-port-specification.html

QUESTION 186
A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.)
A. A handheld RF spectrum analyzer
B. A mask and personal protective equipment
C. Caution tape for marking off insecure areas
D. A dedicated point of contact at the client
E. The paperwork documenting the engagement
F. Knowledge of the building's normal business hours
Answer: DE
Explanation: Always carry the contact information and any documents stating that you are approved to do this.

QUESTION 187 A penetration tester receives the following results from an Nmap scan: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 83 https://www.lead2pass.com Which of the following OSs is the target MOST likely running? A. CentOS B. Arch Linux C. Windows Server D. Ubuntu Answer: C QUESTION 188 A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly. Which of the following changes should the tester apply to make the script work as intended? A. Change line 2 to $ip= 10.192.168.254; B. Remove lines 3, 5, and 6. C. Remove line 6. D. Move all the lines below line 7 to the top of the script. Answer: B QUESTION 189 A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 84 https://www.lead2pass.com Which of the following combinations of tools would the penetration tester use to exploit this script? A. Hydra and crunch B. Netcat and cURL C. Burp Suite and DIRB D. Nmap and OWASP ZAP Answer: B QUESTION 190 A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named password.txt in the /home/svsacct directory: U3VQZXIkM2NyZXQhCg== Which of the following commands should the tester use NEXT to decode the contents of the file? A. echo U3VQZXIkM2NyZXQhCg== | base64 -d B. tar zxvf password.txt C. hydra -l svsacct -p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24 D. john --wordlist /usr/share/seclists/rockyou.txt password.txt Answer: A QUESTION 191 A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment. 
Which of the following would be the BEST option to identify a system properly prior to performing the assessment?
A. Asset inventory
B. DNS records
C. Web-application scan
D. Full scan
Answer: A

QUESTION 192
A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?
A. Specially craft and deploy phishing emails to key company leaders.
B. Run a vulnerability scan against the company's external website.
C. Runtime the company's vendor/supply chain.
D. Scrape web presences and social-networking sites.
Answer: C

QUESTION 193
A security firm is discussing the results of a penetration test with the client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following BEST describes the action taking place?
A. Maximizing the likelihood of finding vulnerabilities
B. Reprioritizing the goals/objectives
C. Eliminating the potential for false positives
D. Reducing the risk to the client environment
Answer: A

QUESTION 194
Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)
A. OWASP ZAP
B. Nmap
C. Nessus
D. BeEF
E. Hydra
F. Burp Suite
Answer: AF

QUESTION 195
A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?
A. Launch an external scan of netblocks.
B. Check WHOIS and netblock records for the company.
C. Use DNS lookups and dig to determine the external hosts.
D. Conduct a ping sweep of the company's netblocks.
Answer: C

QUESTION 196
A penetration tester captured the following traffic during a web-application test:
Which of the following methods should the tester use to visualize the authorization information being transmitted?
A. Decode the authorization header using UTF-8.
B. Decrypt the authorization header using bcrypt.
C. Decode the authorization header using Base64.
D. Decrypt the authorization header using AES.
Answer: C

QUESTION 197
A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food. Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?
A. Tailgating
B. Dumpster diving
C. Shoulder surfing
D. Badge cloning
Answer: D

QUESTION 198
A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?
A. Netcraft
B. CentralOps
C. Responder
D. FOCA
Answer: D
Explanation: https://kalilinuxtutorials.com/foca-metadata-hidden-documents/

QUESTION 199
A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network. Which of the following methods will MOST likely work?
A. Try to obtain the private key used for S/MIME from the CEO's account.
B. Send an email from the CEO's account, requesting a new account.
C. Move laterally from the mail server to the domain controller.
D.
Attempt to escalate privileges on the mail server to gain root access.
Answer: D

QUESTION 200
A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?
A. Nmap
B. Nikto
C. Cain and Abel
D. Ettercap
Answer: B
Explanation: https://hackertarget.com/nikto-website-scanner/

QUESTION 201
A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted store of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error?
A. TCP port 443 is not open on the firewall
B. The API server is using SSL instead of TLS
C. The tester is using an outdated version of the application
D. The application has the API certificate pinned.
Answer: D

QUESTION 202
Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test?
A. Scope details
B. Findings
C. Methodology
D. Statement of work
Answer: C
Explanation: The methodology section of the report outlines the types of testing performed during the penetration test, the steps taken during each phase, and how the attacks were carried out (this is known as the attack narrative). The methodology section also discusses the process used to identify and rate the risks for each vulnerability found and what tools were used by the pentesters.

QUESTION 203
A private investigation firm is requesting a penetration test to determine the likelihood that attackers can gain access to mobile devices and then exfiltrate data from those devices. Which of the following is a social-engineering method that, if successful, would MOST likely enable both objectives?
A. Send an SMS with a spoofed service number including a link to download a malicious application.
B. Exploit a vulnerability in the MDM and create a new account and device profile.
C. Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading.
D. Infest a website that is often used by employees with malware targeted toward x86 architectures.
Answer: A

QUESTION 204
A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.)
A. Shoulder surfing
B. Call spoofing
C. Badge stealing
D. Tailgating
E. Dumpster diving
F. Email phishing
Answer: CD

QUESTION 205
An Nmap scan of a network switch reveals the following:
Which of the following technical controls will most likely be the FIRST recommendation for this device?
A. Encrypted passwords
B. System-hardening techniques
C. Multifactor authentication
D. Network segmentation
Answer: B

QUESTION 206
A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay the tester to keep quiet. Which of the following is the BEST action for the tester to take?
A.
Check the scoping document to determine if exfiltration is within scope.
B. Stop the penetration test.
C. Escalate the issue.
D. Include the discovery and interaction in the daily report.
Answer: D

QUESTION 207
A Chief Information Security Officer wants to evaluate the security of the company's e-commerce application. Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?
A. SQLmap
B. DirBuster
C. w3af
D. OWASP ZAP
Answer: C
Explanation: W3AF, the Web Application Attack and Audit Framework, is an open source web application security scanner that includes directory and filename brute forcing in its list of capabilities.

QUESTION 208
Which of the following documents must be signed between the penetration tester and the client to govern how any provided information is managed before, during, and after the engagement?
A. MSA
B. NDA
C. SOW
D. ROE
Answer: B

QUESTION 209
A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?
A. nmap -iL results 192.168.0.10-100
B. nmap 192.168.0.10-100 -O > results
C. nmap -A 192.168.0.10-100 -oX results
D. nmap 192.168.0.10-100 | grep "results"
Answer: D
Explanation: Grep is interchangeable format. -oX is XML format.

QUESTION 210
During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:
A. SOW.
B. SLA.
C. ROE.
D. NDA
Answer: C
Explanation: RoE is the right answer, as the statement of work (SOW) is a description of the work being performed, includes the timeline for the project, and contains a breakdown of the cost for the project.

QUESTION 211
A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?
A. Gain access to the target host and implant malware specially crafted for this purpose.
B. Exploit the local DNS server and add/update the zone records with a spoofed A record.
C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.
D. Proxy HTTP connections from the target host to that of the spoofed host.
Answer: B

QUESTION 212
Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.)
A. Use of non-optimized sort functions
B. Poor input sanitization
C. Null pointer dereferences
D. Non-compliance with code style guide
E. Use of deprecated Javadoc tags
F. A cyclomatic complexity score of 3
Answer: BC

QUESTION 213
A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?
A. Hydra
B. John the Ripper
C. Cain and Abel
D. Medusa
Answer: A

QUESTION 214
A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.)
A. Remove the logs from the server.
B. Restore the server backup.
C. Disable the running services.
D. Remove any tools or scripts that were installed.
E. Delete any created credentials.
F. Reboot the target server.
Answer: DE

QUESTION 215
A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:
...
;; ANSWER SECTION
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.
Which of the following potential issues can the penetration tester identify based on this output?
A. At least one of the records is out of scope.
B. There is a duplicate MX record.
C. The NS record is not within the appropriate domain.
D. The SOA records outside the comptia.org domain.
Answer: A

QUESTION 216
A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?
A. tcpdump
B. Snort
C. Nmap
D. Netstat
E. Fuzzer
Answer: C

QUESTION 217
Deconfliction is necessary when the penetration test:
A. determines that proprietary information is being stored in cleartext.
B. occurs during the monthly vulnerability scanning.
C. uncovers indicators of prior compromise over the course of the assessment.
D. proceeds in parallel with a criminal digital forensic investigation.
Answer: C
Explanation: Deconfliction - The process of distinguishing pentest artifacts from artifacts of an actual compromise or other activity to help resolve contradictory conclusions or responses.

QUESTION 218
A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?
A. Hashcat
B. Mimikatz
C. Patator
D.
John the Ripper
Answer: A
Explanation: Core Attack Methods Dictionary attack - -a 0) Combinator attack - concatenating words from multiple wordlists (-a 1)

QUESTION 219
PCI DSS requires which of the following as part of the penetration-testing process?
A. The penetration tester must have cybersecurity certifications.
B. The network must be segmented.
C. Only externally facing systems should be tested.
D. The assessment must be performed during non-working hours.
Answer: B
Explanation: PCI DSS most certainly requires segmentation. PCI DSS Requirement 11.3.4 requires penetration testing to validate that segmentation controls and methods are operational, effective, and isolate all out-of-scope systems from systems in the CDE. 2.2.3 Testing Segmentation Controls: The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE. When properly implemented, a segmented (out-of-scope) system component could not impact the security of the CDE, even if an attacker obtained control.

QUESTION 220
A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT?
A. The penetration tester conducts a retest.
B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.
Answer: C

QUESTION 221
A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use?
A. nmap -sn 192.168.0.1/16
B. nmap -sn 192.168.0.1-254
C. nmap -sn 192.168.0.1 192.168.0.1.254
D.
nmap -sN 192.168.0.0/24
Answer: B

QUESTION 222
A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?
A. Steganography
B. Metadata removal
C. Encryption
D. Encode64
Answer: B

QUESTION 223
A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?
A. Terminate the contract.
B. Update the ROE with new signatures.
C. Scan the 8-bit block to map additional missed hosts.
D. Continue the assessment.
Answer: B

QUESTION 224
A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?
A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.
Answer: C

QUESTION 225
A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?
A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay
Answer: B
Explanation: Capturing handshakes is often part of a deauthentication attack. If you can capture handshakes, you can then attempt to crack the passphrase and derive keys from that effort.

QUESTION 226
A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:
Which of the following represents what the penetration tester is attempting to accomplish?
A. DNS cache poisoning
B. MAC spoofing
C. ARP poisoning
D. Double-tagging attack
Answer: D
Explanation: Double-tagging, a method of VLAN hopping. https://scapy.readthedocs.io/en/latest/usage.html

QUESTION 227
The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the attacker to conduct host delivery and write the discovery to files without returning results of the attack machine?
A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service
D. nmap -sS -Pn -n -iL target.txt -oA target_txtl
Answer: A

QUESTION 228
SIMULATION
Using the output, identify potential attack vectors that should be further investigated.
Answer:
1: Null session enumeration Weak SMB file permissions - Fragmentation attack -
2: nmap -sV -p 1-1023 192.168.2.2
3:
#!/usr/bin/python
export $PORTS = 21,22
for $PORT in $PORTS:
    try:
        s.connect((ip, port))
        print("%s:%s "" OPEN" % (ip, port))
    except socket.timeout
        print("%:%s "" TIMEOUT" % (ip, port))
    except socket.error as e:
        print("%:%s "" CLOSED" % (ip, port))
    finally
        s.close()
port_scan(sys.argv, ports)

QUESTION 229
A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary?
A. To meet PCI DSS testing requirements
B. For testing of the customer's SLA with the ISP
C. Because of concerns regarding bandwidth limitations
D. To ensure someone is available if something goes wrong
Answer: D

QUESTION 230
An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?
A. nmap -sA 192.168.0.1/24
B. nmap -sS 192.168.0.1/24
C. nmap -oG 192.168.0.1/24
D. nmap 192.168.0.1/24
Answer: A
Explanation: The -sA flag is used to conduct a TCP ACK scan and is most frequently used to test firewall rulesets.

QUESTION 231
A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions. Which of the following is the MOST likely culprit?
A. Patch installations
B. Successful exploits
C. Application failures
D. Bandwidth limitations
Answer: D
Explanation: It states during the testing it occurred. It doesn't indicate to mean that exploited anything. Both ingress and egress traffic were affected which means to me that bandwidth was an issue.

QUESTION 232
The results of an Nmap scan are as follows:
Which of the following device types will MOST likely have a similar response?
A. Active Directory domain controller
B. IoT/embedded device
C. Exposed RDP
D. Print queue
Answer: B

QUESTION 233
Which of the following are the MOST important items for prioritizing fixes that should be included in the final report for a penetration test? (Choose two.)
A. The CVSS score of the finding
B. The network location of the vulnerable device
C. The vulnerability identifier
D. The client acceptance form
E. The name of the person who found the flaw
F. The tool used to find the issue
Answer: BC

QUESTION 234
A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities. Which of the following tools would be BEST suited for this task?
A. GDB
B. Burp Suite
C. SearchSploit
D. Netcat
Answer: A

QUESTION 235
Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks?
A. Scraping social media for personal details
B. Registering domain names that are similar to the target company's
C. Identifying technical contacts at the company
D. Crawling the company's website for company information
Answer: A

QUESTION 236
A penetration tester is testing a new API for the company's existing services and is preparing the following script:
Which of the following would the test discover?
A. Default web configurations
B. Open web ports on a host
C. Supported HTTP methods
D. Listening web servers in a domain
Answer: C

QUESTION 237
During the scoping phase of an assessment, a client requested that any remote code exploits discovered during testing would be reported immediately so the vulnerability could be fixed as soon as possible.
The penetration tester did not agree with this request, and after testing began, the tester discovered a vulnerability and gained internal access to the system. Additionally, this scenario led to a loss of confidential credit card data and a hole in the system. At the end of the test, the penetration tester willfully failed to report this information and left the vulnerability in place. A few months later, the client was breached and credit card data was stolen. After being notified about the breach, which of the following steps should the company take NEXT?
A. Deny that the vulnerability existed
B. Investigate the penetration tester.
C. Accept that the client was right.
D. Fire the penetration tester.
Answer: B

QUESTION 238
Given the following script:
Which of the following BEST characterizes the function performed by lines 5 and 6?
A. Retrieves the start-of-authority information for the zone on DNS server 10.10.10.10
B. Performs a single DNS query for www.comptia.org and prints the raw data output
C. Loops through variable b to count the results returned for the DNS query and prints that count to screen
D. Prints each DNS query result already stored in variable b
Answer: D

QUESTION 239
A penetration-testing team needs to test the security of electronic records in a company's office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement?
A. Prying the lock open on the records room
B. Climbing in an open window of the adjoining building
C. Presenting a false employee ID to the night guard
D.
Obstructing the motion sensors in the hallway of the records room
Answer: B

QUESTION 240
A penetration tester who is working remotely is conducting a penetration test using a wireless connection. Which of the following is the BEST way to provide confidentiality for the client while using this connection?
A. Configure wireless access to use a AAA server.
B. Use random MAC addresses on the penetration testing distribution.
C. Install a host-based firewall on the penetration testing distribution.
D. Connect to the penetration testing company's VPS using a VPN.
Answer: D

QUESTION 241
A penetration tester is able to use a command injection vulnerability in a web application to get a reverse shell on a system. After running a few commands, the tester runs the following:
python -c 'import pty; pty.spawn("/bin/bash")'
Which of the following actions is the penetration tester performing?
A. Privilege escalation
B. Upgrading the shell
C. Writing a script for persistence
D. Building a bind shell
Answer: B

QUESTION 242
A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks. Which of the following is the BEST method available to pivot and gain additional access to the network?
A. Set up a captive portal with embedded malicious code.
B. Capture handshakes from wireless clients to crack.
C. Span deauthentication packets to the wireless clients.
D. Set up another access point and perform an evil twin attack.
Answer: C

QUESTION 243
A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the engagement.
Which of the following is the BEST option for the tester to take?
A. Segment the firewall from the cloud.
B. Scan the firewall for vulnerabilities.
C. Notify the client about the firewall.
D. Apply patches to the firewall.
Answer: C

QUESTION 244
A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:
1;SELECT Username, Password FROM Users;
Which of the following injection attacks is the penetration tester using?
A. Blind SQL
B. Boolean SQL
C. Stacked queries
D. Error-based
Answer: A

QUESTION 245
Which of the following can be used to store alphanumeric data that can be fed into scripts or programs as input to penetration-testing tools?
A. Dictionary
B. Directory
C. Symlink
D. Catalog
E. For-loop
Answer:

QUESTION 246
A penetration tester is trying to restrict searches on Google to a specific domain. Which of the following commands should the penetration tester consider?
A. inurl:
B. link:
C. site:
D. intitle:
Answer: C

QUESTION 247
A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks. Which of the following methodologies should be used to BEST meet the client's expectations?
A. OWASP Top 10
B. MITRE ATT&CK framework
C. NIST Cybersecurity Framework
D. The Diamond Model of Intrusion Analysis
Answer: B

QUESTION 248
During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities.
When returning to the web application, the following message appeared in the browser: unauthorized to view this page. Which of the following BEST explains what occurred?
A. The SSL certificates were invalid.
B. The tester IP was blocked.
C. The scanner crashed the system.
D. The web page was not found.
Answer: B

QUESTION 249
A red team completed an engagement and provided the following example in the report to describe how the team gained access to a web server:
x' OR role LIKE '%admin%
Which of the following should be recommended to remediate this vulnerability?
A. Multifactor authentication
B. Encrypted communications
C. Secure software development life cycle
D. Parameterized queries
Answer: D

QUESTION 250
The following output is from reconnaissance on a public-facing banking website:
Based on these results, which of the following attacks is MOST likely to succeed?
A. A birthday attack on 64-bit ciphers (Sweet32)
B. An attack that breaks RC4 encryption
C. An attack on a session ticket extension (Ticketbleed)
D. A Heartbleed attack
Answer: B

QUESTION 251
Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?
A. SOW
B. SLA
C. MSA
D. NDA
Answer: A

QUESTION 252
In Python socket programming, SOCK_DGRAM type is:
A. reliable.
B. matrixed.
C. connectionless.
D. slower.
Answer: C
Explanation: Connectionless due to the Datagram portion mentioned so that would mean it's using UDP.

QUESTION 253
Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?
A. Executive summary
B. Remediation
C. Methodology
D.
Metrics and measures
Answer: C
Explanation: The audience for this section of the report consists of the technical staff and developers who will be reviewing your results and taking actions based on your findings.

QUESTION 254
After gaining access to a Linux system with a non-privileged account, a penetration tester identifies the following file:
Which of the following actions should the tester perform FIRST?
A. Change the file permissions.
B. Use privilege escalation.
C. Cover tracks.
D. Start a reverse shell.
Answer: B

QUESTION 255
Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?
A. An unknown-environment assessment
B. A known-environment assessment
C. A red-team assessment
D. A compliance-based assessment
Answer: B
Explanation: A known environment test is often more complete, because testers can get to every system, service, or other target that is in scope and will have credentials and other materials that will allow them to be tested.

QUESTION 256
A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision?
A. The tester had the situational awareness to stop the transfer.
B. The tester found evidence of prior compromise within the data set.
C. The tester completed the assigned part of the assessment workflow.
D. The tester reached the end of the assessment time frame.
Answer: A

QUESTION 257
A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution.
The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection. Which of the following payloads are MOST likely to establish a shell successfully? A. windows/x64/meterpreter/reverse_tcp B. windows/x64/meterpreter/reverse_http C. windows/x64/shell_reverse_tcp D. windows/x64/powershell_reverse_tcp E. windows/x64/meterpreter/reverse_https Answer: A Explanation: A reverse tcp connection is usually used to bypass firewall restrictions on open ports. A firewall usually blocks incoming connections on open ports, but does not block outgoing traffic. windows/meterpreter/reverse_tcp allows you to remotely control the file system, sniff, keylog, hashdump, perform network pivoting, control the webcam and microphone, etc. QUESTION 258 A penetration tester has been hired to examine a website for flaws. During one of the time windows for testing, a network engineer notices a flood of GET requests to the web server, reducing the website's response time by 80%. The network engineer contacts the penetration tester to determine if these GET requests are part of the test. Which of the following BEST describes the purpose of checking with the penetration tester? A. Situational awareness B. Rescheduling C. DDoS defense D. Deconfliction Answer: D QUESTION 259 Which of the following is the BEST resource for obtaining payloads against specific network Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 108 https://www.lead2pass.com infrastructure products? A. Exploit-DB B. Metasploit C. Shodan D. Retina Answer: A QUESTION 260 A penetration tester gives the following command to a systems administrator to execute on one of the target servers: rm -f /var/www/html/G679h32gYu.php Which of the following BEST explains why the penetration tester wants this command executed? A. To trick the systems administrator into installing a rootkit B. To close down a reverse shell C. 
To remove a web shell after the penetration test D. To delete credentials the tester created Answer: C QUESTION 261 The following PowerShell snippet was extracted from a log of an attacker machine: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 109 https://www.lead2pass.com A penetration tester would like to identify the presence of an array. Which of the following line numbers would define the array? A. Line 8 B. Line 13 C. Line 19 D. Line 20 Answer: A QUESTION 262 A company provided the following network scope for a penetration test: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 110 https://www.lead2pass.com - 169.137.1.0/24 - 221.10.1.0/24 - 149.14.1.0/24 A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake? A. The company that requested the penetration test B. The penetration testing company C. The target host's owner D. The penetration tester E. The subcontractor supporting the test Answer: A QUESTION 263 In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format:. Which of the following would be the best action for the tester to take NEXT with this information? A. Create a custom password dictionary as preparation for password spray testing. B. Recommend using a password manager/vault instead of text files to store passwords securely. C. Recommend configuring password complexity rules in all the systems and applications. D. Create a TPM-backed sealed storage location within which the unprotected file repository can be reported. 
Answer: B QUESTION 264 During the reconnaissance phase, a penetration tester obtains the following output: Reply from 192.168.1.23: bytes=32 time
