CompTIA PT0-002 Online Practice Questions and Exam Preparation

CompTIA PT0-002 Online Questions & Answers

• Question 301:

  A penetration tester is attempting to get more people from a target company to download and run an executable.

  Which of the following would be the MOST effective way for the tester to achieve this objective?

  A. Dropping USB flash drives around the company campus with the file on it
  B. Attaching the file in a phishing SMS that warns users to execute the file or they will be locked out of their accounts
  C. Sending a pretext email from the IT department before sending the download instructions later
  D. Saving the file in a common folder with a name that encourages people to click it
  C. Sending a pretext email from the IT department before sending the download instructions later

  ---

  Explanation

  The most effective way for the tester to achieve this objective is to send a pretext email from the IT department before sending the download instructions later. A pretext email is an email that uses deception or impersonation to trick users into believing that it is from a legitimate source or authority, such as the IT department. A pretext email can be used to establish trust or rapport with the users, and then persuade them to perform an action or provide information that benefits the attacker. In this case, the tester can send a pretext email from the IT department that informs users about an important update or maintenance task that requires them to download and run an executable file later. The tester can then send another email with the download instructions and attach or link to the malicious executable file. The users may be more likely to follow these instructions if they have received a prior email from the IT department that prepared them for this action. The other options are not as effective ways for the tester to achieve this objective. Dropping USB flash drives around the company campus with the file on it may not reach many users, as they may not find or pick up the USB flash drives, or they may be suspicious of their origin or content.

• Question 302:

  A penetration tester gives the following command to a systems administrator to execute on one of the target servers:

  rm -f /var/www/html/G679h32gYu.php

  Which of the following BEST explains why the penetration tester wants this command executed?

  A. To trick the systems administrator into installing a rootkit
  B. To close down a reverse shell
  C. To remove a web shell after the penetration test
  D. To delete credentials the tester created
  C. To remove a web shell after the penetration test

  ---

  Explanation

  A web shell is a malicious script that allows remote access and control of a web server. A penetration tester may use a web shell to execute commands on the target server during a penetration test. However, after the test is completed, the penetration tester should remove the web shell to avoid leaving any traces or backdoors on the server. The command rm -f /var/www/html/G679h32gYu.php deletes the file G679h32gYu.php from the web server's document root directory, which is likely the location of the web shell. The other options are not plausible explanations for why the penetration tester wants this command executed.

• Question 303:

  A penetration tester would like to crack a hash using a list of hashes and a predefined set of rules. The tester runs the following command:

  hashcat.exe -a 0 .\hash.txt .\rockyou.txt -r .\rules\replace.rule

  Which of the following is the penetration tester using to crack the hash?

  A. Hybrid attack
  B. Dictionary
  C. Rainbow table
  D. Brute-force method
  B. Dictionary

  ---

  Explanation

  The command hashcat.exe -a 0 .\hash.txt .\rockyou.txt -r .\rules\replace.rule indicates that the penetration tester is using a dictionary attack combined with rule-based modifications. The -a 0 option specifies a dictionary attack mode, where . \rockyou.txt is the dictionary file containing potential passwords, and -r .\rules\replace.rule applies predefined rules to mutate these passwords. This method leverages a known list of potential passwords and augments them with additional variations based on the rules provided.

  References: Hashcat Dictionary Attack Hashcat Rule-based Attack

• Question 304:

  An assessor wants to use Nmap to help map out a stateful firewall rule set.

  Which of the following scans will the assessor MOST likely run?

  A. nmap 192.168.0.1/24
  B. nmap 192.168.0.1/24
  C. nmap oG 192.168.0.1/24
  D. nmap 192.168.0.1/24
  A. nmap 192.168.0.1/24

  ---

  Explanation

• Question 305:

  A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the connection.

  Which of the following payloads are MOST likely to establish a shell successfully?

  A. windows/x64/meterpreter/reverse_tcp
  B. windows/x64/meterpreter/reverse_http
  C. windows/x64/shell_reverse_tcp
  D. windows/x64/powershell_reverse_tcp
  E. windows/x64/meterpreter/reverse_https
  B. windows/x64/meterpreter/reverse_http

  ---

  Explanation

  These two payloads are most likely to establish a shell successfully because they use HTTP or HTTPS protocols, which are commonly allowed by network devices and can bypass firewall rules or IPS signatures. The other payloads use TCP protocols, which are more likely to be blocked or detected by network devices.

• Question 306:

  A penetration tester executes the following Nmap command and obtains the following output:

  

  Which of the following commands would best help the penetration tester discover an exploitable service?

  A. nmap -v -p 25 -- soript smtp-enum-users remotehost
  B. nmap -v -- script=mysql-info.nse remotehost
  C. nmap --ocript=omb-brute.noe remotehoat
  D. nmap -p 3306 -- script "http*vuln*" remotehost
  B. nmap -v -- script=mysql-info.nse remotehost

  ---

  Explanation

  The Nmap command in the question scans all ports on the remote host and identifies the services and versions running on them. The output shows that port 3306 is open and running MariaDB, which is a fork of MySQL. Therefore, the best

  command to discover an exploitable service would be to use the mysql-info.nse script, which gathers information about the MySQL server, such as the version, user accounts, databases, and configuration variables. The other commands are

  either misspelled, irrelevant, or too broad for the task.

  References:

  Best PenTest+ certification study resources and training materials, CompTIA PenTest+ PT0-002 Cert Guide, 101 Labs -- CompTIA PenTest+: Hands-on Labs for the PT0-002 Exam

• Question 307:

  A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:

  

  Which of the following is the penetration tester conducting?

  A. Port scan
  B. Brute force
  C. Credential stuffing
  D. DoS attack
  B. Brute force

  ---

  Explanation

  The output shows multiple login attempts with different passwords for the same username "root" on the IP address 192.168.1.112. This is indicative of a brute force attack, where an attacker systematically tries various password combinations to gain unauthorized access.

  References:

  The Official CompTIA PenTest+ Study Guide (Exam PT0-002), Chapter 4: Conducting Passive Reconnaissance;

  The Official CompTIA PenTest+ Student Guide (Exam PT0-002), Lesson 4: Conducting Active Reconnaissance.

• Question 308:

  Which of the following tools would be best to use to conceal data in various kinds of image files?

  A. Kismet
  B. Snow
  C. Responder
  D. Metasploit
  B. Snow

  ---

  Explanation

  Snow is a tool designed for steganography, which is the practice of concealing messages or information within other non-secret text or data. In this context, Snow is specifically used to hide data within whitespace of text files, which can include the whitespace areas of images saved in formats that support text descriptions or metadata, such as certain PNG or JPEG files. While the other tools listed (Kismet, Responder, Metasploit) are powerful in their respective areas (network sniffing, LLMNR/NBT-NS poisoning, and exploitation framework), they do not offer functionality related to data concealment in image files or steganography.

• Question 309:

  Which of the following describes how a penetration tester could prioritize findings in a report?

  A. Business mission and goals
  B. Cyberassets
  C. Network infrastructure
  D. Cyberthreats
  A. Business mission and goals

  ---

  Explanation

  Prioritizing findings in a penetration test report should align with the business mission and goals. Understanding the business context allows a penetration tester to assess the impact of vulnerabilities in relation to the organization's critical functions and assets. This approach ensures that recommendations are not only technically sound but also relevant and actionable within the business's strategic framework. Options B, C, and D (Cyberassets, Network infrastructure, and Cyberthreats) are important factors but should be considered within the context of how they affect the business's mission and goals.

• Question 310:

  A penetration tester discovers passwords in a publicly available data breach during the reconnaissance phase of the penetration test.

  Which of the following is the best action for the tester to take?

  A. Add thepasswords to an appendix in the penetration test report.
  B. Do nothing. Using passwords from breached data is unethical.
  C. Contactthe client and inform them of the breach.
  D. Use thepasswords in a credential stuffing attack when the external penetration test begins.
  C. Contactthe client and inform them of the breach.

  ---

  Explanation

  Upon discovering passwords in a publicly available data breach during the reconnaissance phase, the most ethical and constructive action for the penetration tester is to contact the client and inform them of the breach. This approach allows the client to take necessary actions to mitigate any potential risks, such as forcing password resets or enhancing their security measures. Adding the passwords to a report appendix (option A) without context or action could be seen as irresponsible, while doing nothing (option B) neglects the tester's duty to inform the client of potential threats. Using the passwords in a credential stuffing attack (option D) without explicit permission as part of an agreed testing scope would be unethical and potentially illegal.