CompTIA PT0-002 Online Practice Questions and Exam Preparation
PT0-002 Exam Details
Exam Code: PT0-002
Exam Name: CompTIA PenTest+
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 455 Q&As
Last Updated: May 31, 2026
CompTIA PT0-002 Online Questions & Answers
Question 101:
A penetration tester is conducting an assessment on a web application.
Which of the following active reconnaissance techniques would be best for the tester to use to gather additional information about the application?
A. Using cURL with the verbose option
B. Crawling URIs using an interception proxy
C. Using Scapy for crafted requests
D. Crawling URIs using a web browser
B. Crawling URIs using an interception proxy
Explanation
Crawling URIs using an interception proxy is the best active reconnaissance technique for gathering additional information about a web application. An interception proxy, such as Burp Suite or OWASP ZAP, allows the penetration tester to see and manipulate the requests and responses between the client and the server, providing detailed insights into the application's behavior, structure, and vulnerabilities. This technique is more comprehensive and controlled compared to using cURL or a web browser.
References: OWASP Testing Guide: Web Application Security Testing; Burp Suite Documentation; OWASP ZAP User Guide
Question 102:
A penetration tester wants to find hidden information in documents available on the web at a particular domain.
Which of the following should the penetration tester use?
A. Netcraft
B. CentralOps
C. Responder
D. FOCA
D. FOCA
Explanation
https://kalilinuxtutorials.com/foca-metadata-hidden-documents/
FOCA (Fingerprinting Organizations with Collected Archives) is a tool that is used to find hidden information in documents available on the web. It can be used to extract metadata from documents such as PDF, Microsoft Office, OpenOffice, and others. The metadata can include information such as the author, creation date, and software used to create the document. FOCA can also extract information from the document's properties such as the title, keywords, and comments. This tool can also identify specific keywords and patterns in the document and can be useful in identifying sensitive information that may have been inadvertently left in the document.
Question 103:
A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:
The following request was intercepted going to the network device:
GET /login HTTP/1.1
Host: 10.50.100.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk
Network management interfaces are available on the production network.
An Nmap scan returned the following:
Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.)
A. Enforce enhanced password complexity requirements.
B. Disable or upgrade SSH daemon.
C. Disable HTTP/301 redirect configuration.
D. Create an out-of-band network for management.
E. Implement a better method for authentication.
F. Eliminate network management and control interfaces.
D. Create an out-of-band network for management.
E. Implement a better method for authentication.
Explanation
The key findings indicate that the network device is vulnerable to several attacks, such as sniffing, brute-forcing, or exploiting the SSH daemon. To prevent these attacks, the best recommendations are to create an out-of-band network for management, which means a separate network that is not accessible from the production network, and to implement a better method for authentication, such as SSH keys or certificates. The other options are not as effective or relevant.
Question 104:
While performing an assessment on a web application, a penetration tester notices the web browser creates the following request when clicking on the stock status for an item:
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://stock.shop.com:8080/product/stock/check%3FproductId%3D6%26storeId%3D1
Which of the following types of attacks would the penetration tester most likely try NEXT?
A. Cross-site scripting
B. Command injection
C. Local file inclusion
D. Server-side request forgery
D. Server-side request forgery
Explanation
Question 105:
A penetration tester issues the following command after obtaining a shell:
Which of the following describes this technique?
A. Establishing a backdoor
B. Privilege escalation
C. PowerShell remoting
D. Living-off-the-land
D. Living-off-the-land
Explanation
Question 106:
A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?
A. Data flooding
B. Session riding
C. Cybersquatting
D. Side channel
Question 107:
During the assessment of a client's cloud and on-premises environments, a penetration tester was able to gain ownership of a storage object within the cloud environment using the provided on-premises credentials. Which of the following best describes why the tester was able to gain access?
A. Federation misconfiguration of the container
B. Key mismanagement between the environments
C. IaaS failure at the provider
D. Container listed in the public domain
A. Federation misconfiguration of the container
Explanation
The best explanation for why the tester was able to gain access to the storage object within the cloud environment using the on-premises credentials is federation misconfiguration of the container. Federation is a process that allows users to access multiple systems or services with a single set of credentials, by using a trusted third-party service that authenticates and authorizes the users. Federation can enable seamless integration between cloud and on-premises environments, but it can also introduce security risks if not configured properly. Federation misconfiguration of the container can allow an attacker to access the storage object with the on-premises credentials, if the container trusts the on-premises identity provider without verifying its identity or scope. The other options are not valid explanations for why the tester was able to gain access to the storage object within the cloud environment using the on-premises credentials. Key mismanagement between the environments is not relevant to this issue, as it refers to a different scenario involving encryption keys or access keys that are used to protect or access data or resources in cloud or on-premises environments. IaaS failure at the provider is not relevant to this issue, as it refers to a different scenario involving infrastructure as a service (IaaS), which is a cloud service model that provides virtualized computing resources over the internet. Container listed in the public domain is not relevant to this issue, as it refers to a different scenario involving container visibility or accessibility from public networks or users.
Question 108:
Which of the following tools would be the best to use to intercept an HTTP response at an API, change its content, and forward it back to the origin mobile device?
A. Drozer
B. Burp Suite
C. Android SDK Tools
D. MobSF
B. Burp Suite
Explanation
Burp Suite is a web application security testing tool that can intercept, modify, and forward HTTP requests and responses. It can be used to manipulate the data sent between an API and a mobile device, such as changing the content of the response before it reaches the device. Drozer is a framework for Android security assessment, but it does not intercept HTTP traffic. Android SDK Tools are a set of tools for developing Android applications, but they do not have the functionality to intercept and modify HTTP responses. MobSF is a mobile security framework that can perform static and dynamic analysis of Android and iOS applications, but it does not have the capability to intercept and change HTTP responses at an API level.
References:
The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 8: Application Testing;
The Official CompTIA PenTest+ Student Guide (Exam PT0-002), Lesson 8: Application Testing;
Burp Suite Documentation
Question 109:
A penetration tester is looking for a particular type of service and obtains the output below:
|   Target is synchronized with 127.127.38.0 (reference clock)
|   Alternative Target Interfaces:
|       10.17.4.20
|   Private Servers (0)
|   Public Servers (0)
|   Private Peers (0)
|   Public Peers (0)
|   Private Clients (2)
|       10.20.8.69 169.254.138.63
|   Public Clients (597)
|       4.79.17.248 68.70.72.194 74.247.37.194 99.190.119.152
|       12.10.160.20 68.80.36.133 75.1.39.42 108.7.58.118
|       68.56.205.98
|       2001:1400:0:0:0:0:0:1 2001:16d8:dd00:38:0:0:0:2
|       2002:db5a:bccd:1:21d:e0ff:feb7:b96f 2002:b6ef:81c4:0:0:1145:59c5:3682
|   Other Associations (1)
|_      127.0.0.1 seen 1949869 times, last tx was unicast v2 mode 7
Which of the following commands was executed by the tester?
A. nmap -sU -pU:517 -Pn -n --script=supermicro-ipmi-config
B. nmap -sU -pU:123 -Pn -n --script=ntp-monlist
C. nmap -sU -pU:161 -Pn -n --script
D. nmap -sU -pU:37 -Pn -n --script=icap-info
B. nmap -sU -pU:123 -Pn -n --script=ntp-monlist
Explanation
The output provided indicates the use of the NTP protocol (Network Time Protocol) for querying a target system. The reference to "Public Clients" and the specific IP addresses listed, along with the mention of "Other Associations" and the use of NTP version 2, points towards the execution of an NTP monlist request. The monlist feature in NTP servers can be used to obtain a list of the last 600 hosts that have interacted with the NTP server. The command nmap -sU -pU:123 -Pn -n --script=ntp-monlist specifically targets NTP servers on UDP port 123 to retrieve this information, making it the correct choice based on the output shown.
Question 110:
A penetration tester runs a scan against a server and obtains the following output:
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-12-20 09:23AM 331 index.aspx
| ftp-syst:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2012 Std
3389/tcp open ssl/ms-wbt-server
| rdp-ntlm-info:
| Target Name: WEB3
| NetBIOS_Computer_Name: WEB3
| Product_Version: 6.3.9600
|_ System_Time: 2021-01-15T11:32:06+00:00
8443/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
Which of the following command sequences should the penetration tester try NEXT?
A. ftp 192.168.53.23
B. smbclient \\\\WEB3\\IPC$ -I 192.168.53.23 -U guest
C. ncrack -u Administrator -P 15worst_passwords.txt -p rdp 192.168.53.23
D. curl -X TRACE https://192.168.53.23:8443/index.aspx
E. nmap --script vuln -sV 192.168.53.23