PT0-002 Exam Q&A (Pages 64-End) PDF

Summary

This document contains a selection of past exam questions related to penetration testing and cybersecurity from a source called Lead2pass.

Full Transcript

QUESTION 132
Which of the following commands will allow a penetration tester to permit a shell script to be
executed by the file owner?

A. chmod u+x script.sh
B. chmod u+e script.sh
C. chmod o+e script.sh
D. chmod o+x script.sh

Answer: A
Explanation:

https://newbedev.com/chmod-u-x-versus-chmod-x

QUESTION 133
A compliance-based penetration test is primarily concerned with:

A. obtaining PII from the protected network.
B. bypassing protection on edge devices.
C. determining the efficacy of a specific set of security standards.
D. obtaining specific information from the protected network.

Answer: C

QUESTION 134

counsel.

Which of the following would the tester MOST likely describe as a benefit of the framework?

A. Understanding the tactics of a security intrusion can help disrupt them.
B. Scripts that are part of the framework can be imported directly into SIEM tools.
C. The methodology can be used to estimate the cost of an incident better.
D. The framework is static and ensures stability of a security program over time.

Answer: A
Explanation:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 62
https://www.lead2pass.com
https://attack.mitre.org/

QUESTION 135
A company has hired a penetration tester to deploy and set up a rogue access point on the
network.

Which of the following is the BEST tool to use to accomplish this goal?

A. Wireshark
B. Aircrack-ng
C. Kismet
D. Wifite

Answer: B
Explanation:
The othe options are basically sniffers and cannot be used to create a rogue AP/evil twin.
Aircrack-ng. This program is a suite of wireless penetration testing tools, including airbase-ng,
aircrack-ng, airdecap-ng, airdecloak-ng, airdrop-ng, aireplay-ng, airmon-ng, airodump-ng, and
much more.

QUESTION 136
A company obtained permission for a vulnerability scan from its cloud service provider and now
wants to test the security of its hosted data.

Which of the following should the tester verify FIRST to assess this risk?

A. Whether sensitive client data is publicly accessible
B. Whether the connection between the cloud and the client is secure
C.
D. Whether the cloud applications were developed using a secure SDLC

Answer: A

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 63
https://www.lead2pass.com
QUESTION 137
A Chief Information Security Officer wants a penetration tester to evaluate the security awareness

Which of the following tools can help the tester achieve this goal?

A. Metasploit
B. Hydra
C. SET
D. WPScan

Answer: C
Explanation:
Social Engineering Toolkit is a way to test your employees security awareness.

QUESTION 138
Which of the following is the MOST common vulnerability associated with IoT devices that are
directly connected to the Internet?

A. Unsupported operating systems
B. Susceptibility to DDoS attacks
C. Inability to network
D. The existence of default passwords

Answer: D
Explanation:
The IoT provides a unique opportunity for manufacturers to build devices with the ability to
communicate and perform specialized functions. However, because of the lack of rigorous
testing, many devices have several insecure defaults that come preconfigured, such as the
username and password. In many cases, the manufacturer has hard-coded these credentials and
made them very difficult or impossible to remove. This can be dangerous, as once a malicious
actor knows the type of device that is in use, they can then research the default username and
password online. As a result, the team should research the default credentials for each IoT
product you target during the PenTest.

QUESTION 139
Which of the following describes the reason why a penetration tester would run the command
sdelete mimikatz. * on a Windows server that the tester compromised?

A. To remove hash-cracking registry entries
B. To remove the tester-created Mimikatz account
C. To remove tools from the server
D. To remove a reverse shell from the system

Answer: C
Explanation:
SDelete is a command line utility that takes a number of options. In any given use, it allows you to
delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete
accepts wild card characters as part of the directory or file specifier.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 64
https://www.lead2pass.com
QUESTION 140
A penetration tester was brute forcing an internal web server and ran a command that produced
the following output:

However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a
blank page was displayed.

Which of the following is the MOST likely reason for the lack of output?

A. The HTTP port is not open on the firewall.
B. The tester did not run sudo before the command.
C. The web server is using HTTPS instead of HTTP.
D. This URI returned a server error.

Answer: D
Explanation:
If the firewall was blocking the port than none of the web directories would have successful (200
codes) the 500 code is a server side error code meaning the correct answer is D.

QUESTION 141
An Nmap scan shows open ports on web servers and databases. A penetration tester decides to
run WPScan and SQLmap to identify vulnerabilities and additional information about those
systems.

Which of the following is the penetration tester trying to accomplish?

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 65
https://www.lead2pass.com
A. Uncover potential criminal activity based on the evidence gathered.
B. Identify all the vulnerabilities in the environment.
C. Limit invasiveness based on scope.
D. Maintain confidentiality of the findings.

Answer: C

QUESTION 142
A company hired a penetration tester to do a social-engineering test against its employees.

tester has learned the complete phone catalog was published there a few months ago.

numbers?

A. Web archive
B. GitHub
C. File metadata
D. Underground forums

Answer: A

QUESTION 143
A penetration tester completed a vulnerability scan against a web server and identified a single
but severe vulnerability.

Which of the following is the BEST way to ensure this is a true positive?

A. Run another scanner to compare.
B. Perform a manual test on the server.
C. Check the results on the scanner.
D. Look for the vulnerability online.

Answer: B

QUESTION 144

the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the

Which of the following is MOST vulnerable to a brute-force attack?

A. WPS
B. WPA2-EAP
C. WPA-TKIP
D. WPA2-PSK

Answer: A
Explanation:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 66
https://www.lead2pass.com
The problem with WPS is that the WPS - enabled router is vulnerable to having the WPS cracked
due to the fact that the pin was originally designed as two 4-pin blocks. It is much quicker to crack
two 4-pin blocks than it is one 8-pin block. It has been found that hackers can brute force each of
the two 4-digit blocks within hours and then use the PIN to connect to the WPA or WPA2
protected network.

QUESTION 145
A penetration tester ran the following commands on a Windows server:

Which of the following should the tester do AFTER delivering the final report?

A. Delete the scheduled batch job.
B. Close the reverse shell connection.
C. Downgrade the svsaccount permissions.
D. Remove the tester-created credentials.

Answer: D
Explanation:
svsaccount was created and then added to Administrators; this appended into the batchjob.
Runas is like sudo.

QUESTION 146
A penetration tester is starting an assessment but only has publicly available information about
the target company. The client is aware of this exercise and is preparing for the test.

Which of the following describes the scope of the assessment?

A. Partially known environment testing
B. Known environment testing
C. Unknown environment testing
D. Physical environment testing

Answer: C

QUESTION 147
The following line-numbered Python code snippet is being used in reconnaissance:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 67
https://www.lead2pass.com
Which of the following line numbers from the script MOST likely contributed to the script triggering
a `probable port scan` alert in the organization's IDS?

A. Line 01
B. Line 02
C. Line 07
D. Line 08
E. Line 12

Answer: D
Explanation:
0.01 s is a super short and unusual setting for a timeout.

QUESTION 148
A consulting company is completing the ROE during scoping.

Which of the following should be included in the ROE?

A. Cost of the assessment
B. Report distribution
C. Testing restrictions
D. Liability

Answer: C
Explanation:
The Rules of Engagement, or ROE, are meant to list out the specifics of your penetration testing
project to ensure that both the client and the engineers working on a project know exactly what is
being testing, when its being tested, and how its being tested.

QUESTION 149
A new client hired a penetration-testing company for a month-long contract for various security

publicly available shortly after the assessment is complete and is planning to fix any findings,
except for critical issues, after the service is made public. The client wants a simple report
structure and does not want to receive daily findings.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 68
https://www.lead2pass.com
Which of the following is most important for the penetration tester to define FIRST?

A. Establish the format required by the client.
B. Establish the threshold of risk to escalate to the client immediately.
C. Establish the method of potential false positives.
D. Establish the preferred day of the week for reporting.

Answer: B

QUESTION 150
A penetration tester has been hired to perform a physical penetration test to gain access to a

guest network, and multiple security cameras connected to the Internet.

Which of the following tools or techniques would BEST support additional reconnaissance?

A. Wardriving
B. Shodan
C. Recon-ng
D. Aircrack-ng

Answer: C
Explanation:
Third-party information sources and tools support passive intelligence gathering. Open-source
intelligence gathering relies on a broad range of tools and services. These include search
engines like Shodan and Censys, automated information-gathering tools like theHarvester,
Recon-ng, Maltego, and FOCA, and databases and information stores like WHOIS records,
public records, social media, and other information sources.

QUESTION 151
A penetration tester conducts an Nmap scan against a target and receives the following results:

Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on
the target?

A. Nessus
B. ProxyChains
C. OWASP ZAP
D. Empire

Answer: B
Explanation:
https://www.codeproject.com/Tips/634228/How-to-Use-Proxychains-Forwarding-Ports

QUESTION 152

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 69
https://www.lead2pass.com
A penetration tester received a.pcap file to look for credentials to use in an engagement.

Which of the following tools should the tester utilize to open and read the.pcap file?

A. Nmap
B. Wireshark
C. Metasploit
D. Netcat

Answer: B
Explanation:
The.pcap file extension is mainly associated with Wireshark; a program used for analyzing
networks..pcap files are data files created using the program and they contain the packet data of
a network. These files are mainly used in analyzing the network characteristics of a certain data.
These files also contribute to successfully controlling traffic of a certain network since they are
being monitored by the program.

QUESTION 153
A penetration tester has been given an assignment to attack a series of targets in the
192.168.1.0/24 range, triggering as few alarms and countermeasures as possible.

Which of the following Nmap scan syntaxes would BEST accomplish this objective?

A. nmap -sT -vvv -O 192.168.1.2/24 -PO
B. nmap -sV 192.168.1.2/24 -PO
C. nmap -sA -v -O 192.168.1.2/24
D. nmap -sS -O 192.168.1.2/24 -T1

Answer: D
Explanation:

https://nmap.org/book/man-port-scanning-techniques.html

QUESTION 154
A penetration tester has gained access to a network device that has a previously unknown IP
range on an interface. Further research determines this is an always-on VPN tunnel to a third-
party supplier.

Which of the following is the BEST action for the penetration tester to take?

A. Utilize the tunnel as a means of pivoting to other internal devices.
B. Disregard the IP range, as it is out of scope.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 70
https://www.lead2pass.com
C. Stop the assessment and inform the emergency contact.
D. Scan the IP range for additional systems to exploit.

Answer: C
Explanation:
Critical findings
The first communication trigger is known as critical findings. A critical finding occurs when, during
a pentest, you come across a critical or major vulnerability in a system that has the customer
wide open to an attack. In this case you do not want to wait to communicate this important finding
to the customer in the final report; you should stop the pentest immediately and talk to the
stakeholder about the critical finding and determine how you are to proceed.

QUESTION 155
A penetration tester recently performed a social-engineering attack in which the tester found an
employee of the target company at a local coffee shop and over time built a relationship with the
d drive as a
gift.

Which of the following social-engineering attacks was the tester utilizing?

A. Phishing
B. Tailgating
C. Baiting
D. Shoulder surfing

Answer: C
Explanation:

https://phoenixnap.com/blog/what-is-social-engineering-types-of-

QUESTION 156
A security company has been contracted to perform a scoped insider-threat assessment to try to

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 71
https://www.lead2pass.com
gain access to the human resources server that houses PII and salary data. The penetration
testers have been given an internal network starting position.

Which of the following actions, if performed, would be ethical within the scope of the assessment?

A. Exploiting a configuration weakness in the SQL database
B. Intercepting outbound TLS traffic
C. Gaining access to hosts by injecting malware into the enterprise-wide update server
D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates
E. Establishing and maintaining persistence on the domain controller

Answer: A

QUESTION 157
A penetration tester is able to capture the NTLM challenge-response traffic between a client and
a server.

Which of the following can be done with the pcap to gain access to the server?

A. Perform vertical privilege escalation.
B. Replay the captured traffic to the server to recreate the session.
C. Use John the Ripper to crack the password.
D. Utilize a pass-the-hash attack.

Answer: B

QUESTION 158
Which of the following protocols or technologies would in-transit confidentially protection for
emailing the final security assessment report?

A. S/MIME
B. FTPS
C. DNSSEC
D. AS2

Answer: A

QUESTION 159
A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily
with rainbow tables.

Which of the following should be included as a recommendation in the remediation report?

A. Stronger algorithmic requirements
B. Access controls on the server
C. Encryption on the user passwords
D. A patch management program

Answer: A

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 72
https://www.lead2pass.com
QUESTION 160
A penetration tester found the following valid URL while doing a manual assessment of a web
application: http://www.example.com/product.php?id=123987.

Which of the following automated tools would be best to use NEXT to try to identify a vulnerability
in this URL?

A. SQLmap
B. Nessus
C. Nikto
D. DirBuster

Answer: C
Explanation:
Nikto is an open-source web application vulnerability scanner. When you run it against a website
or web application, Nikto performs a number of tests to determine if the web application is
vulnerable to different types of attacks.

QUESTION 161
A penetration tester is attempting to discover live hosts on a subnet quickly.

Which of the following commands will perform a ping scan?

A. nmap -sn 10.12.1.0/24
B. nmap -sV -A 10.12.1.0/24
C. nmap -Pn 10.12.1.0/24
D. nmap -sT -p- 10.12.1.0/24

Answer: A
Explanation:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 73
https://www.lead2pass.com
https://www.tecmint.com/find-live-hosts-ip-addresses-on-linux-network/

QUESTION 162
Which of the following tools would be MOST useful in collecting vendor and other security-
relevant information for IoT devices to support passive reconnaissance?

A. Shodan
B. Nmap
C. WebScarab-NG
D. Nessus

Answer: A
Explanation:
Shodan is a search engine that collects information about systems connected to the Internet,
such as servers and Internet of things (IoT) devices.

QUESTION 163
A penetration tester downloaded a Java application file from a compromised web server and
identifies how to invoke it by looking at the following log:

Which of the following is the order of steps the penetration tester needs to follow to validate
whether the Java application uses encryption over sockets?

A. Run an application vulnerability scan and then identify the TCP ports used by the application.
B. Run the application attached to a debugger and then review the application's log.
C. Disassemble the binary code and then identify the break points.
D. Start a packet capture with Wireshark and then run the application.

Answer: D

QUESTION 164
When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal
time of day for test execution is important because:

A. security compliance regulations or laws may be violated.
B. testing can make detecting actual APT more challenging.
C. testing adds to the workload of defensive cyber- and threat-hunting teams.
D. business and network operations may be impacted.

Answer: D

QUESTION 165
A company uses a cloud provider with shared network bandwidth to host a web application on
dedicated servers. The company's contact with the cloud provider prevents any activities that

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 74
https://www.lead2pass.com
would interfere with the cloud provider's other customers. When engaging with a penetration-
testing company to test the application, which of the following should the company avoid?

A. Crawling the web application's URLs looking for vulnerabilities
B. Fingerprinting all the IP addresses of the application's servers
C. Brute forcing the application's passwords
D. Sending many web requests per second to test DDoS protection

Answer: D

QUESTION 166
A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test.
Which of the following should the tester be sure to remove from the system? (Choose two.)

A. Spawned shells
B. Created user accounts
C. Server logs
D. Administrator accounts
E. Reboot system
F. ARP cache

Answer: AB
Explanation:
Removing shells: Remove any shell programs installed when performing the pentest.
Removing tester-created credentials: Be sure to remove any user accounts created during the
pentest. This includes backdoor accounts.

were used to aid in the exploitation of systems.

QUESTION 167
A software company has hired a security consultant to assess the security of the company's
software development practices. The consultant opts to begin reconnaissance by performing
fuzzing on a software binary. Which of the following vulnerabilities is the security consultant
MOST likely to identify?

A. Weak authentication schemes
B. Credentials stored in strings
C. Buffer overflows
D. Non-optimized resource management

Answer: C
Explanation:
Fuzzing introduces unexpected inputs into a system and watches to see if the system has any
negative reactions to the inputs that indicate security, performance, or quality gaps or issues.

QUESTION 168
A penetration tester has prepared the following phishing email for an upcoming penetration test:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 75
https://www.lead2pass.com
Which of the following is the penetration tester using MOST to influence phishing targets to click
on the link?

A. Familiarity and likeness
B. Authority and urgency
C. Scarcity and fear
D. Social proof and greed

Answer: B

QUESTION 169
During a penetration test, a tester is able to change values in the URL from
example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web
application. Which of the following vulnerabilities has the penetration tester exploited?

A. Command injection
B. Broken authentication
C. Direct object reference
D. Cross-site scripting

Answer: C
Explanation:
Insecure direct object reference (IDOR) is a vulnerability where the developer of the application
does not implement authorization features to verify that someone accessing data on the site is
allowed to access that data.

QUESTION 170
Which of the following situations would MOST likely warrant revalidation of a previous security
assessment?

A. After detection of a breach
B. After a merger or an acquisition
C. When an organization updates its network firewall configurations
D. When most of the vulnerabilities have been remediated

Answer: D
Explanation:
After the customer follows those recommended remediation steps, the customer may want to
have those systems retested in order to validate that the remediation steps worked.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 76
https://www.lead2pass.com
QUESTION 171
A penetration tester gains access to a system and is able to migrate to a user process:

Given the output above, which of the following actions is the penetration tester performing?
(Choose two.)

A. Redirecting output from a file to a remote system
B. Building a scheduled task for execution
C. Mapping a share to a remote system
D. Executing a file on the remote system
E. Creating a new process on all domain systems
F. Setting up a reverse shell from a remote system
G. Adding an additional IP address on the compromised system

Answer: CD
Explanation:
The "net use" command is a Command Prompt command used to connect to, remove, and
configure connections to shared resources, like mapped drives and network printers.
WMIC.exe is a built-in Microsoft program that allows command-line access to the Windows
Management Instrumentation. Using this tool, administrators can query the operating system for
detailed information about installed hardware and Windows settings, run management tasks, and
even execute other programs or commands.

QUESTION 172
After gaining access to a previous system, a penetration tester runs an Nmap scan against a
network with the following results:

The tester then runs the following command from the previous exploited system, which fails:

Which of the following explains the reason why the command failed?

A. The tester input the incorrect IP address.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 77
https://www.lead2pass.com
B. The command requires the port 135 option.
C. An account for RDP does not exist on the server.
D. PowerShell requires administrative privilege.

Answer: A
Explanation:
Enter-Pssession uses 5985 as the default port.

QUESTION 173
Which of the following assessment methods is MOST likely to cause harm to an ICS
environment?

A. Active scanning
B. Ping sweep
C. Protocol reversing
D. Packet analysis

Answer: A
Explanation:
Industrial control systems (ICSs), SCADA, and Industrial Internet of Things devices are used to
manage factories, utilities, and a wide range of other industrial devices. They require special care
when testing due to the potential for harm to business processes and other infrastructure if they
are disrupted.

QUESTION 174
During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a
network administrator that is broadcasting Bluetooth frames.
Which of the following is an example of a Bluesnarfing attack that the penetration tester can
perform?

A. Sniff and then crack the WPS PIN on an associated WiFi device.
B. Dump the user address book on the device.
C. Break a connection between two Bluetooth devices.
D. Transmit text messages to the device.

Answer: B
Explanation:
Bluesnarfing: A Bluetooth attack that allows the hacker to exploit the Bluetooth device and copy
data off the device. For example, the

QUESTION 175
Which of the following would a company's hunt team be MOST interested in seeing in a final
report?

A. Executive summary
B. Attack TTPs
C. Methodology
D. Scope details

Answer: B

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 78
https://www.lead2pass.com
QUESTION 176
A Chief Information Security Officer wants a penetration tester to evaluate whether a recently
installed firewall is protecting a subnetwork on which many decades- old legacy systems are
connected. The penetration tester decides to run an OS discovery and a full port scan to identify
all the systems and any potential vulnerability. Which of the following should the penetration
tester consider BEFORE running a scan?

A. The timing of the scan
B. The bandwidth limitations
C. The inventory of assets and versions
D. The type of scan

Answer: D
Explanation:
Testing a firewall to see what ports are open not penetrating the firewall. Use ack or fin scan.

QUESTION 177
Which of the following provides an exploitation suite with payload modules that cover the
broadest range of target system types?

A. Nessus
B. Metasploit
C. Burp Suite
D. Ethercap

Answer: B

QUESTION 178
A penetration tester writes the following script:

Which of the following is the tester performing?

A. Searching for service vulnerabilities
B. Trying to recover a lost bind shell
C. Building a reverse shell listening on specified ports
D. Scanning a network for specific open ports

Answer: D
Explanation:
-z zero-I/O mode [used for scanning]

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 79
https://www.lead2pass.com
-v verbose
example output of script:
10.0.0.1: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.1] 22 (ssh) open
(UNKNOWN) [10.0.0.1] 23 (telnet) : Connection timed out

https://unix.stackexchange.com/questions/589561/what-is-nc-z-used-for

QUESTION 179
A CentOS computer was exploited during a penetration test. During initial reconnaissance, the
penetration tester discovered that port 25 was open on an internal Sendmail server. To remain
stealthy, the tester ran the following command from the attack machine:

Which of the following would be the BEST command to use for further progress into the targeted
network?

A. nc 10.10.1.2
B. ssh 10.10.1.2
C. nc 127.0.0.1 5555
D. ssh 127.0.0.1 5555

Answer: C
Explanation:
Port 25 from the remote host is forwarded to local port 5555 (to IP: 10.10.1.2). So if you have
forwarded the port to yourself, it means you can access it by connecting to 127.0.0.1 or 10.10.1.2.
Next part of the pentester task is to determine what service is opened on 25 or what
communication is sent on internal service. Quickest way to do this is to use netcat.
A - port 5555 is not specified
B - port 5555 is not specified, why would you ssh to smtp port with sendmail server?
C - correct, netc
D - if there is no ssh connection on port 25 it is useless as above in B. Syntax is wrong, to specify
port on ssh you need to use -p.

QUESTION 180
A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 80
https://www.lead2pass.com
Based on the output, which of the following services are MOST likely to be exploited? (Choose
two.)

A. Telnet
B. HTTP
C. SMTP
D. DNS
E. NTP
F. SNMP

Answer: BD
Explanation:
22,53 and 80 are opened. Only DNS and HTTP are mentioned in answers.

QUESTION 181
An assessor wants to run an Nmap scan as quietly as possible.
Which of the following commands will give the LEAST chance of detection?

A. nmap -T3 192.168.0.1
B. nmap -P0 192.168.0.1
C. nmap -T0 192.168.0.1
D. nmap -A 192.168.0.1

Answer: C
Explanation:
-T0 Paranoid: Very slow, used for IDS evasion
-T1 Sneaky: Quite slow, used for IDS evasion
-T2 Polite: Slows down to consume less bandwidth, runs ~10 times slower than default
-T3 Normal: Default, a dynamic timing model based on target responsiveness
-T4 Aggressive: Assumes a fast and reliable network and may overwhelm targets
-T5 Insane: Very aggressive; will likely overwhelm targets or miss open ports

QUESTION 182
A final penetration test report has been submitted to the board for review and accepted. The
report has three findings rated high. Which of the following should be the NEXT step?

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 81
https://www.lead2pass.com
A. Perform a new penetration test.
B. Remediate the findings.
C. Provide the list of common vulnerabilities and exposures.
D. Broaden the scope of the penetration test.

Answer: B

QUESTION 183
Which of the following situations would require a penetration tester to notify the emergency
contact for the engagement?

A. The team exploits a critical server within the organization.
B. The team exfiltrates PII or credit card data from the organization.
C. The team loses access to the network remotely.
D. The team discovers another actor on a system on the network.

Answer: D

QUESTION 184
During an engagement, a penetration tester found the following list of strings inside a file:

Which of the following is the BEST technique to determine the known plaintext of the strings?

A. Dictionary attack
B. Rainbow table attack
C. Brute-force attack
D. Credential-stuffing attack

Answer: B
Explanation:
You use a rainbow table for hashes.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 82
https://www.lead2pass.com
QUESTION 185
A penetration tester ran a simple Python-based scanner. The following is a snippet of the code:

Which of the following BEST describes why this script triggered a `probable port scan` alert in the
organization's IDS?

A. sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds.
B. *range(1, 1025) on line 1 populated the portList list in numerical order.
C. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM
D. The remoteSvr variable has neither been type-hinted nor initialized.

Answer: B
Explanation:
Port randomization is widely used in port scanners. By default, Nmap randomizes the scanned
port order (except that certain commonly accessible ports are moved near the beginning for
efficiency reasons)
https://nmap.org/book/man-port-specification.html

QUESTION 186
A penetration tester is conducting an authorized, physical penetration test to attempt to enter a
client's building during non-business hours. Which of the following are MOST important for the
penetration tester to have during the test? (Choose two.)

A. A handheld RF spectrum analyzer
B. A mask and personal protective equipment
C. Caution tape for marking off insecure areas
D. A dedicated point of contact at the client
E. The paperwork documenting the engagement
F. Knowledge of the building's normal business hours

Answer: DE
Explanation:
Always carry the contact information and any documents stating that you are approved to do this.

QUESTION 187
A penetration tester receives the following results from an Nmap scan:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 83
https://www.lead2pass.com
Which of the following OSs is the target MOST likely running?

A. CentOS
B. Arch Linux
C. Windows Server
D. Ubuntu

Answer: C

QUESTION 188
A penetration tester downloaded the following Perl script that can be used to identify
vulnerabilities in network switches. However, the script is not working properly.

Which of the following changes should the tester apply to make the script work as intended?

A. Change line 2 to $ip= 10.192.168.254;
B. Remove lines 3, 5, and 6.
C. Remove line 6.
D. Move all the lines below line 7 to the top of the script.

Answer: B

QUESTION 189
A penetration tester finds a PHP script used by a web application in an unprotected internal
source code repository. After reviewing the code, the tester identifies the following:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 84
https://www.lead2pass.com
Which of the following combinations of tools would the penetration tester use to exploit this
script?

A. Hydra and crunch
B. Netcat and cURL
C. Burp Suite and DIRB
D. Nmap and OWASP ZAP

Answer: B

QUESTION 190
A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a
Linux server and discovers the following data in a file named password.txt in the /home/svsacct
directory:

U3VQZXIkM2NyZXQhCg==

Which of the following commands should the tester use NEXT to decode the contents of the file?

A. echo U3VQZXIkM2NyZXQhCg== | base64 -d
B. tar zxvf password.txt
C. hydra -l svsacct -p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24
D. john --wordlist /usr/share/seclists/rockyou.txt password.txt

Answer: A

QUESTION 191
A company has recruited a penetration tester to conduct a vulnerability scan over the network.
The test is confirmed to be on a known environment. Which of the following would be the BEST
option to identify a system properly prior to performing the assessment?

A. Asset inventory
B. DNS records
C. Web-application scan
D. Full scan

Answer: A

QUESTION 192
A security firm has been hired to perform an external penetration test against a company. The
only information the firm received was the company name. Which of the following passive
reconnaissance approaches would be MOST likely to yield positive initial results?

A. Specially craft and deploy phishing emails to key company leaders.
B. Run a vulnerability scan against the company's external website.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 85
https://www.lead2pass.com
C. Runtime the company's vendor/supply chain.
D. Scrape web presences and social-networking sites.

Answer: C

QUESTION 193
A security firm is discussing the results of a penetration test with the client. Based on the findings,
the client wants to focus the remaining time on a critical network segment. Which of the following
BEST describes the action taking place?

A. Maximizing the likelihood of finding vulnerabilities
B. Reprioritizing the goals/objectives
C. Eliminating the potential for false positives
D. Reducing the risk to the client environment

Answer: A

QUESTION 194
Which of the following tools would be BEST suited to perform a manual web application security
assessment? (Choose two.)

A. OWASP ZAP
B. Nmap
C. Nessus
D. BeEF
E. Hydra
F. Burp Suite

Answer: AF

QUESTION 195
A penetration tester is evaluating a company's network perimeter. The tester has received limited
information about defensive controls or countermeasures, and limited internal knowledge of the
testing exists. Which of the following should be the FIRST step to plan the reconnaissance
activities?

A. Launch an external scan of netblocks.
B. Check WHOIS and netblock records for the company.
C. Use DNS lookups and dig to determine the external hosts.
D. Conduct a ping sweep of the company's netblocks.

Answer: C

QUESTION 196
A penetration tester captured the following traffic during a web-application test:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 86
https://www.lead2pass.com
Which of the following methods should the tester use to visualize the authorization information
being transmitted?

A. Decode the authorization header using UTF-8.
B. Decrypt the authorization header using bcrypt.
C. Decode the authorization header using Base64.
D. Decrypt the authorization header using AES.

Answer: C

QUESTION 197
A penetration tester was hired to perform a physical security assessment of an organization's
office. After monitoring the environment for a few hours, the penetration tester notices that some
employees go to lunch in a restaurant nearby and leave their belongings unattended on the table
while getting food. Which of the following techniques would MOST likely be used to get legitimate
access into the organization's building without raising too many alerts?

A. Tailgating
B. Dumpster diving
C. Shoulder surfing
D. Badge cloning

Answer: D

QUESTION 198
A penetration tester wants to find hidden information in documents available on the web at a
particular domain. Which of the following should the penetration tester use?

A. Netcraft
B. CentralOps
C. Responder
D. FOCA

Answer: D
Explanation:
https://kalilinuxtutorials.com/foca-metadata-hidden-documents/

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 87
https://www.lead2pass.com
QUESTION 199
A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal,
corporate email. The next objective is to gain access to the network.
Which of the following methods will MOST likely work?

A. Try to obtain the private key used for S/MIME from the CEO's account.
B. Send an email from the CEO's account, requesting a new account.
C. Move laterally from the mail server to the domain controller.
D. Attempt to escalate privileges on the mail server to gain root access.

Answer: D

QUESTION 200
A penetration tester needs to perform a vulnerability scan against a web server. Which of the
following tools is the tester MOST likely to choose?

A. Nmap
B. Nikto
C. Cain and Abel
D. Ethercap

Answer: B
Explanation:
https://hackertarget.com/nikto-website-scanner/

QUESTION 201
A penetration tester is testing a new version of a mobile application in a sandbox environment. To
intercept and decrypt the traffic between the application and the external API, the tester has
created a private root CA and issued a certificate from it. Even though the tester installed the root
CA into the trusted stone of the smartphone used for the tests, the application shows an error
indicating a certificate mismatch and does not connect to the server. Which of the following is the
MOST likely reason for the error?

A. TCP port 443 is not open on the firewall
B. The API server is using SSL instead of TLS
C. The tester is using an outdated version of the application
D. The application has the API certificate pinned.

Answer: D

QUESTION 202
Which of the following concepts defines the specific set of steps and approaches that are
conducted during a penetration test?

A. Scope details
B. Findings
C. Methodology
D. Statement of work

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 88
https://www.lead2pass.com
Answer: C
Explanation:
The methodology section of the report outlines the types of testing performed during the
penetration test, the steps taken during each phase, and how the attacks were carried out (this is
known as the attack narrative). The methodology section also discusses the process used to
identify and rate the risks for each vulnerability found and what tools were used by the pentesters.

QUESTION 203
A private investigation firm is requesting a penetration test to determine the likelihood that
attackers can gain access to mobile devices and then exfiltrate data from those devices. Which of
the following is a social-engineering method that, if successful, would MOST likely enable both
objectives?

A. Send an SMS with a spoofed service number including a link to download a malicious application.
B. Exploit a vulnerability in the MDM and create a new account and device profile.
C. Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading.
D. Infest a website that is often used by employees with malware targeted toward x86 architectures.

Answer: A

QUESTION 204
A physical penetration tester needs to get inside an organization's office and collect sensitive
information without acting suspiciously or being noticed by the security guards. The tester has
observed that the company's ticket gate does not scan the badges, and employees leave their
badges on the table while going to the restroom.
Which of the following techniques can the tester use to gain physical access to the office?
(Choose two.)

A. Shoulder surfing
B. Call spoofing
C. Badge stealing
D. Tailgating
E. Dumpster diving
F. Email phishing

Answer: CD

QUESTION 205
An Nmap scan of a network switch reveals the following:

Which of the following technical controls will most likely be the FIRST recommendation for this

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 89
https://www.lead2pass.com
device?

A. Encrypted passwords
B. System-hardening techniques
C. Multifactor authentication
D. Network segmentation

Answer: B

QUESTION 206
A penetration tester, who is doing an assessment, discovers an administrator has been
exfiltrating proprietary company information. The administrator offers to pay the tester to keep
quiet. Which of the following is the BEST action for the tester to take?

A. Check the scoping document to determine if exfiltration is within scope.
B. Stop the penetration test.
C. Escalate the issue.
D. Include the discovery and interaction in the daily report.

Answer: D

QUESTION 207
A Chief Information Security Officer wants to evaluate the security of the company's e-commerce
application. Which of the following tools should a penetration tester use FIRST to obtain relevant
information from the application without triggering alarms?

A. SQLmap
B. DirBuster
C. w3af
D. OWASP ZAP

Answer: C
Explanation:
W3AF, the Web Application Attack and Audit Framework, is an open source web application
security scanner that includes directory and filename brute forcing in its list of capabilities.

QUESTION 208
Which of the following documents must be signed between the penetration tester and the client to
govern how any provided information is managed before, during, and after the engagement?

A. MSA
B. NDA
C. SOW
D. ROE

Answer: B

QUESTION 209
A penetration tester needs to upload the results of a port scan to a centralized security tool.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 90
https://www.lead2pass.com
Which of the following commands would allow the tester to save the results in an interchangeable
format?

A. nmap -iL results 192.168.0.10-100
B. nmap 192.168.0.10-100 -O > results
C. nmap -A 192.168.0.10-100 -oX results
D. nmap 192.168.0.10-100 | grep "results"

Answer: D
Explanation:
Grep is interchangable format. -oX is XML format.

QUESTION 210
During a penetration test, the domain names, IP ranges, hosts, and applications are defined in
the:

A. SOW.
B. SLA.
C. ROE.
D. NDA

Answer: C
Explanation:
RoE is the right answer, as The statement of work (SOW), this is a description of the work being
performed, includes the timeline for the project, and contains a breakdown of the cost for the
project.

QUESTION 211
A penetration tester has established an on-path position between a target host and local network
services but has not been able to establish an on-path position between the target host and the
Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed
server IP. Which of the following methods would BEST support the objective?

A. Gain access to the target host and implant malware specially crafted for this purpose.
B. Exploit the local DNS server and add/update the zone records with a spoofed A record.
C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.
D. Proxy HTTP connections from the target host to that of the spoofed host.

Answer: B

QUESTION 212
hich of the following types of information would MOST likely be included in an application security
assessment report addressed to developers? (Choose two.)

A. Use of non-optimized sort functions
B. Poor input sanitization
C. Null pointer dereferences
D. Non-compliance with code style guide
E. Use of deprecated Javadoc tags
F. A cydomatic complexity score of 3

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 91
https://www.lead2pass.com
Answer: BC

QUESTION 213
A penetration tester has found indicators that a privileged user's password might be the same on
30 different Linux systems. Which of the following tools can help the tester identify the number of
systems on which the password can be used?

A. Hydra
B. John the Ripper
C. Cain and Abel
D. Medusa

Answer: A

QUESTION 214
A penetration tester was able to compromise a server and escalate privileges. Which of the
following should the tester perform AFTER concluding the activities on the specified target?
(Choose two.)

A. Remove the logs from the server.
B. Restore the server backup.
C. Disable the running services.
D. Remove any tools or scripts that were installed.
E. Delete any created credentials.
F. Reboot the target server.

Answer: DE

QUESTION 215
A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from
dig:...
;; ANSWER SECTION
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com. comptia.org. 3569 IN A
3.219.13.186. comptia.org. 3569 IN NS ns1.comptia.org. comptia.org. 3569 IN SOA haven.
administrator.comptia.org. comptia.org. 3569 IN MX new.mx0.comptia.org. comptia.org. 3569 IN
MX new.mx1.comptia.org.

Which of the following potential issues can the penetration tester identify based on this output?

A. At least one of the records is out of scope.
B. There is a duplicate MX record.
C. The NS record is not within the appropriate domain.
D. The SOA records outside the comptia.org domain.

Answer: A

QUESTION 216

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 92
https://www.lead2pass.com
A consultant just performed a SYN scan of all the open ports on a remote host and now needs to
remotely identify the type of services that are running on the host. Which of the following is an
active reconnaissance tool that would be BEST to use to accomplish this task?

A. tcpdump
B. Snort
C. Nmap
D. Netstat
E. Fuzzer

Answer: C

QUESTION 217
Deconfliction is necessary when the penetration test:

A. determines that proprietary information is being stored in cleartext.
B. occurs during the monthly vulnerability scanning.
C. uncovers indicators of prior compromise over the course of the assessment.
D. proceeds in parallel with a criminal digital forensic investigation.

Answer: C
Explanation:
deconfliction - The process of distinguishing pentest artifacts from artifacts of an actual
compromise or other activity to help resolve contradictory conclusions or responses.

QUESTION 218
A penetration tester wants to test a list of common passwords against the SSH daemon on a
network device.
Which of the following tools would be BEST to use for this purpose?

A. Hashcat
B. Mimikatz
C. Patator
D. John the Ripper

Answer: A
Explanation:
Core Attack Methods
Dictionary attack - -a 0)
Combinator attack - concatenating words from multiple wordlists (-a 1)

QUESTION 219
PCI DSS requires which of the following as part of the penetration-testing process?

A. The penetration tester must have cybersecurity certifications.
B. The network must be segmented.
C. Only externally facing systems should be tested.
D. The assessment must be performed during non-working hours.

Answer: B

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 93
https://www.lead2pass.com
Explanation:
PCI DSS most certainly requires segmentation.
PCI DSS Requirement 11.3.4 requires penetration testing to validate that segmentation controls
and methods are operational, effective, and isolate all out-of-scope systems from systems in the
CDE.
2.2.3 Testing Segmentation Controls
The intent of segmentation is to prevent out-of-scope systems from being able to communicate
with systems in the CDE or impact the security of the CDE. When properly implemented, a
segmented (out-ofscope) system component could not impact the security of the CDE, even if an
attacker obtained control.

QUESTION 220
A penetration tester completed an assessment, removed all artifacts and accounts created during
the test, and presented the findings to the client. Which of the following happens NEXT?

A. The penetration tester conducts a retest.
B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.

Answer: C

QUESTION 221
A penetration tester is examining a Class C network to identify active systems quickly.
Which of the following commands should the penetration tester use?

A. nmap -sn 192.168.0.1/16
B. nmap -sn 192.168.0.1-254
C. nmap -sn 192.168.0.1 192.168.0.1.254
D. nmap -sN 192.168.0.0/24

Answer: B

QUESTION 222
A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration
of data using email attachments.
Which of the following techniques should the tester select to accomplish this task?

A. Steganography
B. Metadata removal
C. Encryption
D. Encode64

Answer: B

QUESTION 223
A penetration tester received a 16-bit network block that was scoped for an assessment. During
the assessment, the tester realized no hosts were active in the provided block of IPs and reported
this to the company. The company then provided an updated block of IPs to the tester. Which of
the following would be the most appropriate NEXT step?

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 94
https://www.lead2pass.com
A. Terminate the contract.
B. Update the ROE with new signatures.
C. Scan the 8-bit block to map additional missed hosts.
D. Continue the assessment.

Answer: B

QUESTION 224
A penetration tester needs to access a building that is guarded by locked gates, a security team,
and cameras. Which of the following is a technique the tester can use to gain access to the IT
framework without being detected?

A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.

Answer: C

QUESTION 225
A penetration tester is assessing a wireless network. Although monitoring the correct channel and
SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the
following attacks is the MOST effective to allow the penetration tester to capture a handshake?

A. Key reinstallation
B. Deauthentication
C. Evil twin
D. Replay

Answer: B
Explanation:
Capturing handshakes is often part of a deauthentication attack. If you can capture handshakes,
you can then attempt to crack the passphrase and derive keys from that effort.

QUESTION 226
A penetration tester has gained access to part of an internal network and wants to exploit on a
different network segment. Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?

A. DNS cache poisoning
B. MAC spoofing
C. ARP poisoning
D. Double-tagging attack

Answer: D
Explanation:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 95
https://www.lead2pass.com
Double-tagging, a method of VLAN hopping.
https://scapy.readthedocs.io/en/latest/usage.html

QUESTION 227
The attacking machine is on the same LAN segment as the target host during an internal
penetration test. Which of the following commands will BEST enable the attacker to conduct host
delivery and write the discovery to files without returning results of the attack machine?

A. nmap -sn -n -exclude 10.1.1.15 10.1.1.0/24 -oA target_txt
B. nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
C. nmap -Pn -sV -O -iL target.txt -oA target_text_Service
D. nmap -sS -Pn -n -iL target.txt -oA target_txtl

Answer: A

QUESTION 228
SIMULATION

Using the output, identify potential attack vectors that should be further investigated.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 96
https://www.lead2pass.com
Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 97
https://www.lead2pass.com
Answer:

1: Null session enumeration

Weak SMB file permissions -

Fragmentation attack -

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 98
https://www.lead2pass.com
2: nmap
-sV
-p 1-1023
192.168.2.2
3: #!/usr/bin/python
export $PORTS = 21,22
for $PORT in $PORTS:
try:
s.connect((ip, port))
print("%s:%s "" OPEN" % (ip, port))
except socket.timeout
print("%:%s "" TIMEOUT" % (ip, port))
except socket.error as e:
print("%:%s "" CLOSED" % (ip, port))
finally
s.close()
port_scan(sys.argv, ports)

QUESTION 229
A customer adds a requirement to the scope of a penetration test that states activities can only
occur during normal business hours. Which of the following BEST describes why this would be
necessary?

A. To meet PCI DSS testing requirements
B. For testing of the customer's SLA with the ISP
C. Because of concerns regarding bandwidth limitations
D. To ensure someone is available if something goes wrong

Answer: D

QUESTION 230
An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following
scans will the assessor MOST likely run?

A. nmap -sA 192.168.0.1/24
B. nmap -sS 192.168.0.1/24
C. nmap -oG 192.168.0.1/24
D. nmap 192.168.0.1/24

Answer: A
Explanation:
The - sA flag is used to conduct a TCP ACK scan and is most frequently used to test firewall
rulesets.

QUESTION 231
A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While
conducting the assessment, the support organization of the rig reported issues connecting to
corporate applications and upstream services for data acquisitions. Which of the following is the
MOST likely culprit?

A. Patch installations

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 99
https://www.lead2pass.com
B. Successful exploits
C. Application failures
D. Bandwidth limitations

Answer: D
Explanation:
It states during the testing it occurred. It doesn't indicate to mean that exploited anything. Both
ingress and egress traffic were affected which means to me that bandwidth was an issue.

QUESTION 232
The results of an Nmap scan are as follows:

Which of the following device types will MOST likely have a similar response?

A. Active Directory domain controller
B. IoT/embedded device
C. Exposed RDP
D. Print queue

Answer: B

QUESTION 233
Which of the following are the MOST important items for prioritizing fixes that should be included
in the final report for a penetration test? (Choose two.)

A. The CVSS score of the finding
B. The network location of the vulnerable device
C. The vulnerability identifier
D. The client acceptance form
E. The name of the person who found the flaw
F. The tool used to find the issue

Answer: BC

QUESTION 234

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 100
https://www.lead2pass.com
A penetration tester was contracted to test a proprietary application for buffer overflow
vulnerabilities. Which of the following tools would be BEST suited for this task?

A. GDB
B. Burp Suite
C. SearchSpliot
D. Netcat

Answer: A

QUESTION 235
Which of the following would assist a penetration tester the MOST when evaluating the
susceptibility of top-level executives to social engineering attacks?

A. Scraping social media for personal details
B. Registering domain names that are similar to the target company's
C. Identifying technical contacts at the company
D. Crawling the company's website for company information

Answer: A

QUESTION 236
A penetration tester is testing a new API for the company's existing services and is preparing the
following script:

Which of the following would the test discover?

A. Default web configurations
B. Open web ports on a host
C. Supported HTTP methods
D. Listening web servers in a domain

Answer: C

QUESTION 237
During the scoping phase of an assessment, a client requested that any remote code exploits
discovered during testing would be reported immediately so the vulnerability could be fixed as
soon as possible. The penetration tester did not agree with this request, and after testing began,
the tester discovered a vulnerability and gained internal access to the system. Additionally, this
scenario led to a loss of confidential credit card data and a hole in the system. At the end of the
test, the penetration tester willfully failed to report this information and left the vulnerability in
place. A few months later, the client was breached and credit card data was stolen. After being
notified about the breach, which of the following steps should the company take NEXT?

A. Deny that the vulnerability existed

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 101
https://www.lead2pass.com
B. Investigate the penetration tester.
C. Accept that the client was right.
D. Fire the penetration tester.

Answer: B

QUESTION 238
Given the following script:

Which of the following BEST characterizes the function performed by lines 5 and 6?

A. Retrieves the start-of-authority information for the zone on DNS server 10.10.10.10
B. Performs a single DNS query for www.comptia.org and prints the raw data output
C. Loops through variable b to count the results returned for the DNS query and prints that count to
screen
D. Prints each DNS query result already stored in variable b

Answer: D

QUESTION 239
A penetration-testing team needs to test the security of electronic records in a company's office.
Per the terms of engagement, the penetration test is to be conducted after hours and should not
include circumventing the alarm or performing destructive entry. During outside reconnaissance,
the team sees an open door from an adjoining building. Which of the following would be allowed
under the terms of the engagement?

A. Prying the lock open on the records room
B. Climbing in an open window of the adjoining building
C. Presenting a false employee ID to the night guard
D. Obstructing the motion sensors in the hallway of the records room

Answer: B

QUESTION 240
A penetration tester who is working remotely is conducting a penetration test using a wireless
connection. Which of the following is the BEST way to provide confidentiality for the client while

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 102
https://www.lead2pass.com
using this connection?

A. Configure wireless access to use a AAA server.
B. Use random MAC addresses on the penetration testing distribution.
C. Install a host-based firewall on the penetration testing distribution.
D. Connect to the penetration testing company's VPS using a VPN.

Answer: D

QUESTION 241
A penetration tester is able to use a command injection vulnerability in a web application to get a
reverse shell on a system After running a few commands, the tester runs the following:

python -c 'import pty; pty.spawn("/bin/bash")'

Which of the following actions Is the penetration tester performing?

A. Privilege escalation
B. Upgrading the shell
C. Writing a script for persistence
D. Building a bind shell

Answer: B

QUESTION 242
A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because
of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a
hard-wired connection available at their desks. Which of the following is the BEST method
available to pivot and gain additional access to the network?

A. Set up a captive portal with embedded malicious code.
B. Capture handshakes from wireless clients to crack.
C. Span deauthentication packets to the wireless clients.
D. Set up another access point and perform an evil twin attack.

Answer: C

QUESTION 243
A tester who is performing a penetration test discovers an older firewall that is known to have
serious vulnerabilities to remote attacks but is not part of the original list of IP addresses for the
engagement. Which of the following is the BEST option for the tester to take?

A. Segment the firewall from the cloud.
B. Scan the firewall for vulnerabilities.
C. Notify the client about the firewall.
D. Apply patches to the firewall.

Answer: C

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 103
https://www.lead2pass.com
QUESTION 244
A penetration tester is looking for vulnerabilities within a company's web application that are in
scope. The penetration tester discovers a login page and enters the following string in a field:

1;SELECT Username, Password FROM Users;

Which of the following injection attacks is the penetration tester using?

A. Blind SQL
B. Boolean SQL
C. Stacked queries
D. Error-based

Answer: A

QUESTION 245
Which of the following can be used to store alphanumeric data that can be fed into scripts or
programs as input to penetration-testing tools?

A. Dictionary
B. Directory
C. Symlink
D. Catalog
E. For-loop

Answer:

QUESTION 246
A penetration tester is trying to restrict searches on Google to a specific domain. Which of the
following commands should the penetration tester consider?

A. inurl:
B. link:
C. site:
D. intitle:

Answer: C

QUESTION 247
A client would like to have a penetration test performed that leverages a continuously updated
TTPs framework and covers a wide variety of enterprise systems and networks. Which of the
following methodologies should be used to BEST meet the client's expectations?

A. OWASP Top 10
B. MITRE ATT&CK framework
C. NIST Cybersecurity Framework
D. The Diamond Model of Intrusion Analysis

Answer: B

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 104
https://www.lead2pass.com
QUESTION 248
During a web application test, a penetration tester was able to navigate to https://company.com
and view all links on the web page. After manually reviewing the pages, the tester used a web
scanner to automate the search for vulnerabilities. When returning to the web application, the
following message appeared in the browser: unauthorized to view this page. Which of the
following BEST explains what occurred?

A. The SSL certificates were invalid.
B. The tester IP was blocked.
C. The scanner crashed the system.
D. The web page was not found.

Answer: B

QUESTION 249
A red team completed an engagement and provided the following example in the report to
describe how the team gained access to a web server:

x' OR role LIKE '%admin%

Which of the following should be recommended to remediate this vulnerability?

A. Multifactor authentication
B. Encrypted communications
C. Secure software development life cycle
D. Parameterized queries

Answer: D

QUESTION 250
The following output is from reconnaissance on a public-facing banking website:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 105
https://www.lead2pass.com
Based on these results, which of the following attacks is MOST likely to succeed?

A. A birthday attack on 64-bit ciphers (Sweet32)
B. An attack that breaks RC4 encryption
C. An attack on a session ticket extension (Ticketbleed)
D. A Heartbleed attack

Answer: B

QUESTION 251
Which of the following documents is agreed upon by all parties associated with the penetration-
testing engagement and defines the scope, contacts, costs, duration, and deliverables?

A. SOW
B. SLA
C. MSA
D. NDA

Answer: A

QUESTION 252
In Python socket programming, SOCK_DGRAM type is:

A. reliable.
B. matrixed.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 106
https://www.lead2pass.com
C. connectionless.
D. slower.

Answer: C
Explanation:
Connectionless due to the Datagram portion mentioned so that would mean its using UDP.

QUESTION 253
Which of the following is the MOST important information to have on a penetration testing report
that is written for the developers?

A. Executive summary
B. Remediation
C. Methodology
D. Metrics and measures

Answer: C
Explanation:
The audience for this section of the report consists of the technical staff and developers who will
be reviewing your results and taking actions based on your findings.

QUESTION 254
After gaining access to a Linux system with a non-privileged account, a penetration tester
identifies the following file:

Which of the following actions should the tester perform FIRST?

A. Change the file permissions.
B. Use privilege escalation.
C. Cover tracks.
D. Start a reverse shell.

Answer: B

QUESTION 255
Which of the following types of assessments MOST likely focuses on vulnerabilities with the
objective to access specific data?

A. An unknown-environment assessment
B. A known-environment assessment
C. A red-team assessment
D. A compliance-based assessment

Answer: B
Explanation:
A known environment test is often more complete, because testers can get to every system,
service, or other target that is in scope and will have credentials and other materials that will allow
them to be tested.

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 107
https://www.lead2pass.com
QUESTION 256
A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as
permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and
immediately stopped the transfer. Which of the following MOST likely explains the penetration
tester's decision?

A. The tester had the situational awareness to stop the transfer.
B. The tester found evidence of prior compromise within the data set.
C. The tester completed the assigned part of the assessment workflow.
D. The tester reached the end of the assessment time frame.

Answer: A

QUESTION 257
A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a
shell. However, a connection was not established, and no errors were shown on the payload
execution. The penetration tester suspected that a network device, like an IPS or next-generation
firewall, was dropping the connection. Which of the following payloads are MOST likely to
establish a shell successfully?

A. windows/x64/meterpreter/reverse_tcp
B. windows/x64/meterpreter/reverse_http
C. windows/x64/shell_reverse_tcp
D. windows/x64/powershell_reverse_tcp
E. windows/x64/meterpreter/reverse_https

Answer: A
Explanation:
A reverse tcp connection is usually used to bypass firewall restrictions on open ports. A firewall
usually blocks incoming connections on open ports, but does not block outgoing traffic.
windows/meterpreter/reverse_tcp allows you to remotely control the file system, sniff, keylog,
hashdump, perform network pivoting, control the webcam and microphone, etc.

QUESTION 258
A penetration tester has been hired to examine a website for flaws. During one of the time
windows for testing, a network engineer notices a flood of GET requests to the web server,
reducing the website's response time by 80%. The network engineer contacts the penetration
tester to determine if these GET requests are part of the test. Which of the following BEST
describes the purpose of checking with the penetration tester?

A. Situational awareness
B. Rescheduling
C. DDoS defense
D. Deconfliction

Answer: D

QUESTION 259
Which of the following is the BEST resource for obtaining payloads against specific network

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 108
https://www.lead2pass.com
infrastructure products?

A. Exploit-DB
B. Metasploit
C. Shodan
D. Retina

Answer: A

QUESTION 260
A penetration tester gives the following command to a systems administrator to execute on one of
the target servers:

rm -f /var/www/html/G679h32gYu.php

Which of the following BEST explains why the penetration tester wants this command executed?

A. To trick the systems administrator into installing a rootkit
B. To close down a reverse shell
C. To remove a web shell after the penetration test
D. To delete credentials the tester created

Answer: C

QUESTION 261
The following PowerShell snippet was extracted from a log of an attacker machine:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 109
https://www.lead2pass.com
A penetration tester would like to identify the presence of an array. Which of the following line
numbers would define the array?

A. Line 8
B. Line 13
C. Line 19
D. Line 20

Answer: A

QUESTION 262
A company provided the following network scope for a penetration test:

Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 110
https://www.lead2pass.com
- 169.137.1.0/24
- 221.10.1.0/24
- 149.14.1.0/24

A penetration tester discovered a remote command injection on IP address 149.14.1.24 and
exploited the system. Later, the tester learned that this particular IP address belongs to a third
party. Which of the following stakeholders is responsible for this mistake?

A. The company that requested the penetration test
B. The penetration testing company
C. The target host's owner
D. The penetration tester
E. The subcontractor supporting the test

Answer: A

QUESTION 263
In an unprotected network file repository, a penetration tester discovers a text file containing
usernames and passwords in cleartext and a spreadsheet containing data for 50 employees,
including full names, roles, and serial numbers. The tester realizes some of the passwords in the
text file follow the format:. Which of the following would be the best action for the tester to take
NEXT with this information?

A. Create a custom password dictionary as preparation for password spray testing.
B. Recommend using a password manager/vault instead of text files to store passwords securely.
C. Recommend configuring password complexity rules in all the systems and applications.
D. Create a TPM-backed sealed storage location within which the unprotected file repository can be
reported.

Answer: B

QUESTION 264
During the reconnaissance phase, a penetration tester obtains the following output:

Reply from 192.168.1.23: bytes=32 time