CompTIA PT0-002 Online Practice Questions and Exam Preparation

CompTIA PT0-002 Online Questions & Answers

• Question 361:

  A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host.

  Which of the following utilities would BEST support this objective?

  A. Socat
  B. tcpdump
  C. Scapy
  D. dig
  C. Scapy

  ---

  Explanation

  https://thepacketgeek.com/scapy/building-network-tools/part-09/

• Question 362:

  An organization is using Android mobile devices but does not use MDM services.

  Which of the following describes an existing risk present in this scenario?

  A. Device log facility does not record actions.
  B. End users have root access by default.
  C. Unsigned applications can be installed.
  D. Push notification services require internet.
  C. Unsigned applications can be installed.

  ---

  Explanation

  The risk present in an organization using Android mobile devices without Mobile Device Management (MDM) services is that unsigned applications can be installed. Without MDM, there are fewer controls over the installation of applications, which increases the risk of installing malicious or unauthorized applications. MDM services typically provide a way to enforce application signing policies, preventing the installation of unsigned apps.

  References: OWASP Mobile Security Project NIST Mobile Device Management Guide

• Question 363:

  A penetration tester is working to enumerate the PLC devices on the 10.88.88.76/24 network.

  Which of the following commands should the tester use to achieve the objective in a way that minimizes the risk of affecting the PLCs?

  A. nmap --script=s7-info -p 102 10.88.88.76/24 -T3
  B. nmap --script=wsdd-discover -p 3702 -sUlO.88.88.76/24
  C. nmap --script=iax2-version -p 4569 -sU -V 10.88.88.76/24 -T2
  D. nmap --script=xll-access -p 6000-6009 10.88.88.76/24
  A. nmap --script=s7-info -p 102 10.88.88.76/24 -T3

  ---

  Explanation

  The nmap command with the --script=s7-info is specifically designed to interact with Siemens S7 PLCs, which are common industrial control systems. The -p 102 specifies the port associated with Siemens S7 communications. The -T3 timing option is chosen to minimize the risk of impacting the PLCs by not being overly aggressive in the scan timing, which is important in operational technology environments where PLCs can be sensitive to high network traffic. The other options listed do not specifically target PLC devices or use appropriate timing to minimize risk.

• Question 364:

  Which of the following types of assessments MOST likely focuses on vulnerabilities with the objective to access specific data?

  A. An unknown-environment assessment
  B. A known-environment assessment
  C. A red-team assessment
  D. A compliance-based assessment
  C. A red-team assessment

  ---

  Explanation

  A red-team assessment is a type of penetration testing that simulates a real- world attack scenario with the goal of accessing specific data or systems. A red-team assessment is different from an unknown-environment assessment, which does not have a predefined objective and focuses on discovering as much information as possible about the target. A known-environment assessment is a type of penetration testing that involves cooperation and communication with the target organization, and may not focus on specific data or systems. A compliance-based assessment is a type of penetration testing that aims to meet certain regulatory or industry standards, and may not focus on specific data or systems.

• Question 365:

  A penetration tester is scanning a corporate lab network for potentially vulnerable services.

  Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

  A. nmap 192.168.1.1-5 -PU22-25,80
  B. nmap 192.168.1.1-5 -PA22-25,80
  C. nmap 192.168.1.1-5 -PS22-25,80
  D. nmap 192.168.1.1-5 -Ss22-25,80
  C. nmap 192.168.1.1-5 -PS22-25,80

  ---

  Explanation

  PS/PA/PU/PY are host discovery flags which use TCP SYN/ACK, UDP or SCTP discovery respectively. And since the ports in the options are mostly used by TCP protocols, then it's either the PS or PA flag. But since we need to know if the ports are live, sending SYN packet is a better alternative. Hence, I choose PS in this case. The nmap -PS22-25,80 192.168.1.1-5 command will return vulnerable ports that might be interesting to a potential attacker, as it will perform a TCP SYN scan on ports 22, 23, 24, 25, and 80 of the target hosts. A TCP SYN scan is a stealthy technique that sends a SYN packet to each port and waits for a response. If the response is a SYN/ACK packet, it means the port is open and listening for connections. If the response is a RST packet, it means the port is closed and not accepting connections. If there is no response, it means the port is filtered by a firewall or IDS1.

• Question 366:

  A penetration testing firm wants to hire three additional consultants to support a newly signed long-term contract with a major customer. The following is a summary of candidate background checks:

  

  Which of the following candidates should MOST likely be excluded from consideration?

  A. Candidate 1
  B. Candidate 2
  C. Candidate 3
  D. Candidate 4
  B. Candidate 2

  ---

  Explanation

  In the context of penetration testing or cybersecurity, hiring a consultant with a background in unauthorized system access presents both risks and benefits. From a risk management perspective, Candidate 2's history of unauthorized system access is a significant red flag. Such behavior indicates a willingness to operate outside legal and ethical boundaries, which poses a potential risk to the firm and its clients, especially in a role requiring trust and strict adherence to legal guidelines.

  However, the skills that enabled unauthorized access could also provide the firm with valuable insights into hacker methodologies, potentially enhancing its ability to secure systems against such intrusions. It is a common practice in the cybersecurity industry to employ individuals with a history of hacking in roles where they can contribute positively, often referred to as "ethical hacking" or "white hat" roles.

  Nonetheless, given the legal and ethical responsibilities inherent in cybersecurity work, Candidate 2's past criminal charge of unauthorized system access is particularly relevant to the role and represents a significant risk to the firm's operations and reputation. A thorough risk assessment would be crucial, examining the nature of the unauthorized access, the candidate's subsequent actions, evidence of rehabilitation, and current capabilities before making a hiring decision.

  From the provided information, it appears that Candidate 2 should most likely be excluded from consideration due to the direct relevance of their criminal charges to the position in question. Without evidence of rehabilitation and a clear demonstration of ethical standards, the liability risks might outweigh the potential benefits to the firm.

• Question 367:

  A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?

  A. Hashcat
  B. Mimikatz
  C. Patator
  D. John the Ripper
  C. Patator

  ---

  Explanation

  https://www.kali.org/tools/patator/

• Question 368:

  A penetration tester created the following script to use in an engagement:

  

  However, the tester is receiving the following error when trying to run the script:

  

  Which of the following is the reason for the error?

  A. The sys variable was not defined.
  B. The argv variable was not defined.
  C. The sys module was not imported.
  D. The argv module was not imported.
  C. The sys module was not imported.

  ---

  Explanation

  The sys module is a built-in module in Python that provides access to system-specific parameters and functions, such as command-line arguments, standard input/output, and exit status. The sys module must be imported before it can be used in a script, otherwise an error will occur. The script uses the sys.argv variable, which is a list that contains the command-line arguments passed to the script. However, the script does not import the sys module at the beginning, which causes the error "NameError: name `sys' is not defined". To fix this error, the script should include the statement "import sys" at the top. The other options are not valid reasons for the error.

• Question 369:

  A compliance-based penetration test is primarily concerned with:

  A. obtaining Pll from the protected network.
  B. bypassing protection on edge devices.
  C. determining the efficacy of a specific set of security standards.
  D. obtaining specific information from the protected network.
  C. determining the efficacy of a specific set of security standards.

  ---

  Explanation

• Question 370:

  A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987. Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL?

  A. SQLmap
  B. Nessus
  C. Nikto
  D. DirBuster
  B. Nessus

  ---

  Explanation