Exam Details

  • Exam Code: PT0-002
  • Exam Name: CompTIA PenTest+ Certification Exam
  • Certification: CompTIA PenTest+
  • Vendor: CompTIA
  • Total Questions: 392 Q&As
  • Last Updated: May 10, 2024

CompTIA PenTest+ PT0-002 Questions & Answers

  • Question 41:

    Which of the following is a rules engine for managing public cloud accounts and resources?

    A. Cloud Custodian

    B. Cloud Brute

    C. Pacu

    D. Scout Suite

  • Question 42:

    After running the enum4linux.pl command, a penetration tester received the following output:

    Which of the following commands should the penetration tester run NEXT?

    A. smbspool //192.160.100.56/print$

    B. net rpc share -S 192.168.100.56 -U ''

    C. smbget //192.168.100.56/web -U ''

    D. smbclient //192.168.100.56/web -U '' -N

  • Question 43:

    A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours. Which of the following are MOST important for the penetration tester to have during the test? (Choose two.)

    A. A handheld RF spectrum analyzer

    B. A mask and personal protective equipment

    C. Caution tape for marking off insecure areas

    D. A dedicated point of contact at the client

    E. The paperwork documenting the engagement

    F. Knowledge of the building's normal business hours

  • Question 44:

    A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen. A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM.

    Which of the following cloud attacks did the penetration tester MOST likely implement?

    A. Direct-to-origin

    B. Cross-site scripting

    C. Malware injection

    D. Credential harvesting

  • Question 45:

    Which of the following tools provides Python classes for interacting with network protocols?

    A. Responder

    B. Impacket

    C. Empire

    D. PowerSploit

  • Question 46:

    The results of an Nmap scan are as follows:

    Which of the following would be the BEST conclusion about this device?

    A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.

    B. This device is most likely a gateway with in-band management services.

    C. This device is most likely a proxy server forwarding requests over TCP/443.

    D. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.

  • Question 47:

    A private investigation firm is requesting a penetration test to determine the likelihood that attackers can gain access to mobile devices and then exfiltrate data from those devices. Which of the following is a social-engineering method that, if successful, would MOST likely enable both objectives?

    A. Send an SMS with a spoofed service number including a link to download a malicious application.

    B. Exploit a vulnerability in the MDM and create a new account and device profile.

    C. Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading.

    D. Infest a website that is often used by employees with malware targeted toward x86 architectures.

  • Question 48:

    A penetration tester is cleaning up and covering tracks at the conclusion of a penetration test. Which of the following should the tester be sure to remove from the system? (Choose two.)

    A. Spawned shells

    B. Created user accounts

    C. Server logs

    D. Administrator accounts

    E. Reboot system

    F. ARP cache

  • Question 49:

    A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server.

    Which of the following can be done with the pcap to gain access to the server?

    A. Perform vertical privilege escalation.

    B. Replay the captured traffic to the server to recreate the session.

    C. Use John the Ripper to crack the password.

    D. Utilize a pass-the-hash attack.

  • Question 50:

    A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

    A. Gain access to the target host and implant malware specially crafted for this purpose.

    B. Exploit the local DNS server and add/update the zone records with a spoofed A record.

    C. Use the Scapy utility to overwrite name resolution fields in the DNS query response.

    D. Proxy HTTP connections from the target host to that of the spoofed host.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PT0-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.