CompTIA PT0-002 Online Practice Questions and Exam Preparation
PT0-002 Exam Details
Exam Code: PT0-002
Exam Name: CompTIA PenTest+
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 455 Q&As
Last Updated: May 31, 2026
CompTIA PT0-002 Online Questions & Answers
Question 81:
A consultant is reviewing the following output after reports of intermittent connectivity issues:
(192.168.1.1) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet]
(192.168.1.12) at 34:a4:be:09:44:f4 on en0 ifscope [ethernet]
(192.168.1.17) at 92:60:29:12:ac:d2 on en0 ifscope [ethernet]
(192.168.1.34) at 88:de:a9:12:ce:fb on en0 ifscope [ethernet]
(192.168.1.136) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet]
(192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
(224.0.0.251) at 01:02:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
(239.255.255.250) at ff:ff:ff:ff:ff:ff on en0 ifscope permanent [ethernet]
Which of the following is MOST likely to be reported by the consultant?
A. A device on the network has an IP address in the wrong subnet.
B. A multicast session was initiated using the wrong multicast group.
C. An ARP flooding attack is using the broadcast address to perform DDoS.
D. A device on the network has poisoned the ARP cache.
Answer: D. A device on the network has poisoned the ARP cache.
Explanation
The gateway for the network (192.168.1.1) is at 0a:d1:fa:b1:01:67, and another machine (192.168.1.136) also claims the same MAC address. With both on the same network, intermittent connectivity is inevitable as long as the gateway remains unreachable on the IP known by the other machines on the network, given that the new machine claiming to be the gateway has not been configured to route traffic.
The output shows an ARP table that contains entries for IP addresses and their corresponding MAC addresses on a local network interface (en0). ARP stands for Address Resolution Protocol and is used to map IP addresses to MAC addresses on a network.
However, one entry in the table is suspicious:
(192.168.1.136) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet]
This entry has the same MAC address as another entry:
(192.168.1.1) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet]
This indicates that a device on the network has poisoned the ARP cache by sending false ARP replies that associate its MAC address with multiple IP addresses, including 192.168.1.136 and 192.168.1.1 (which is likely the gateway address). This allows the device to intercept or redirect traffic intended for those IP addresses.
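A defender-side check for the condition described in Question 81, as an added example that is not part of the original page: it parses the ARP table shown in the question and lists unicast MAC addresses that answer for more than one IP. The function names and the `gateway` parameter are assumptions made for illustration.

```python
import re
from collections import defaultdict

# ARP table from Question 81, copied from the page.
ARP_OUTPUT = """\
(192.168.1.1) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet]
(192.168.1.12) at 34:a4:be:09:44:f4 on en0 ifscope [ethernet]
(192.168.1.17) at 92:60:29:12:ac:d2 on en0 ifscope [ethernet]
(192.168.1.34) at 88:de:a9:12:ce:fb on en0 ifscope [ethernet]
(192.168.1.136) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet]
(192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
(224.0.0.251) at 01:02:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
(239.255.255.250) at ff:ff:ff:ff:ff:ff on en0 ifscope permanent [ethernet]
"""

# Matches "(ip) at mac"; octets may be one hex digit because macOS arp drops leading zeros.
ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """Lower-case the MAC and pad every octet to two hex digits."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def shared_macs(arp_text):
    """Return {mac: [ips]} for unicast MACs that answer for more than one IP."""
    by_mac = defaultdict(list)
    for line in arp_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # "(incomplete)" entries and blank lines carry no MAC
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if not is_group_address(mac) and ip not in by_mac[mac]:
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def report(arp_text, gateway=None):
    """One alert line per shared MAC; note when the gateway IP is involved."""
    alerts = []
    for mac, ips in sorted(shared_macs(arp_text).items()):
        note = " (includes gateway)" if gateway in ips else ""
        alerts.append(f"{mac} answers for {', '.join(ips)}{note}")
    return alerts

if __name__ == "__main__":
    for alert in report(ARP_OUTPUT, gateway="192.168.1.1"):  # gateway IP assumed, per the explanation
        print(alert)
```

A shared MAC is an indicator rather than proof: hosts with several addresses on one interface and proxy ARP produce the same pattern, so confirm against the known gateway MAC.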
Question 82:
After running the enum4linux.pl command, a penetration tester received the following output:
Which of the following commands should the penetration tester run NEXT?
A. smbspool //192.160.100.56/print$
B. net rpc share -S 192.168.100.56 -U ''
C. smbget //192.168.100.56/web -U ''
D. smbclient //192.168.100.56/web -U '' -N
Answer: D. smbclient //192.168.100.56/web -U '' -N
Explanation
A vulnerability scan is a type of assessment that helps to identify vulnerabilities in a network or system. It scans systems for potential vulnerabilities, misconfigurations, and outdated software. Based on the output from a vulnerability scan, a penetration tester can identify vulnerabilities that may be exploited to gain access to a system. In this scenario, the output from the penetration testing tool shows that 100 hosts contained findings due to improper patch management. This indicates that the vulnerability scan detected vulnerabilities that could have been prevented through proper patch management. Therefore, the most likely test performed by the penetration tester is a vulnerability scan.
Question 83:
In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers.
Which of the following actions would BEST enable the tester to perform phishing in a later stage of the assessment?
A. Test for RFC-defined protocol conformance.
B. Attempt to brute force authentication to the service.
C. Perform a reverse DNS query and match to the service banner.
D. Check for an open relay configuration.
Answer: D. Check for an open relay configuration.
Explanation
SMTP is a protocol associated with mail servers. Therefore, for a penetration tester, an open relay configuration can be exploited to launch phishing attacks.
Question 84:
The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?
A. A vulnerability scan
B. A WHOIS lookup
C. A packet capture
D. An Nmap scan
Answer: A. A vulnerability scan
Explanation
A vulnerability scan is a type of penetration testing tool that is used to scan a network for vulnerabilities. A vulnerability scan can detect misconfigurations, missing patches, and other security issues that could be exploited by attackers. In this case, the output shows that 100 hosts had findings due to improper patch management, which means that the tester performed a vulnerability scan.
Question 85:
A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?
A. Weekly
B. Monthly
C. Quarterly
D. Annually
Answer: C. Quarterly
Explanation
Quarterly is the minimum frequency to complete the scan of the system that is PCI DSS v3.2.1 compliant, according to Requirement 11.2.2 of the standard. PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards that applies to any organization that processes, stores, or transmits credit card information. Requirement 11.2.2 states that organizations must perform internal vulnerability scans at least quarterly and after any significant change in the network. PCI DSS requires quarterly vulnerability/penetration tests, not weekly.
Reference: https://www.pcicomplianceguide.org/faq/#25
Question 86:
A penetration tester was conducting a penetration test and discovered the network traffic was no longer reaching the client's IP address. The tester later discovered the SOC had used sinkholing on the penetration tester's IP address. Which of the following BEST describes what happened?
A. The penetration tester was testing the wrong assets
B. The planning process failed to ensure all teams were notified
C. The client was not ready for the assessment to start
D. The penetration tester had incorrect contact information
Answer: B. The planning process failed to ensure all teams were notified
Explanation
Sinkholing is a technique used by security teams to redirect malicious or unwanted network traffic to a controlled destination, such as a black hole or a honeypot. This can help prevent or mitigate attacks, analyze malware behavior, or isolate infected hosts. If the SOC used sinkholing on the penetration tester's IP address, it means that they detected the tester's activity and blocked it from reaching the client's network. This indicates that the planning process failed to ensure all teams were notified about the penetration testing engagement, which could have avoided this situation.
Question 87:
Which of the following expressions in Python increase a variable val by one? (Choose two.)
A. val++
B. +val
C. val=(val+1)
D. ++val
E. val=val++
F. val+=1
Answer: C. val=(val+1) and F. val+=1
Explanation
In Python, there are two ways to increase a variable by one: using the assignment operator (=) with an arithmetic expression, or using the augmented assignment operator (+=). The expressions val=(val+1) and val+=1 both achieve this goal. The expressions val++ and ++val are not valid in Python, as there is no increment operator. The expressions +val and val=val++ do not change the value of val.
Reference: https://pythonguides.com/increment-and-decrement-operators-in-python/
Question 88:
HOTSPOT
A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.
INSTRUCTIONS
Select the tool the penetration tester should use for further investigation.
Select the two entries in the robots.txt file that the penetration tester should recommend for removal.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Explanation
The tool that the penetration tester should use for further investigation is WPScan. This is because WPScan is a WordPress vulnerability scanner that can detect common WordPress security issues, such as weak passwords, outdated plugins, and misconfigured settings. WPScan can also enumerate WordPress users, themes, and plugins from the robots.txt file.
The two entries in the robots.txt file that the penetration tester should recommend for removal are:
Allow: /admin
Allow: /wp-admin
These entries expose the WordPress admin panel, which can be a target for brute-force attacks, SQL injection, and other exploits. Removing these entries can help prevent unauthorized access to the web application's backend. Alternatively, the penetration tester can suggest renaming the admin panel to a less obvious name, or adding authentication methods such as two-factor authentication or IP whitelisting.
Question 89:
In Python socket programming, SOCK_DGRAM type is:
A. reliable.
B. matrixed.
C. connectionless.
D. slower.
Answer: C. connectionless.
Explanation
In Python socket programming, SOCK_DGRAM type is connectionless. This means that the socket does not establish a reliable connection between the sender and the receiver, and does not guarantee that the packets will arrive in order or without errors. SOCK_DGRAM type is used for UDP (User Datagram Protocol) sockets, which are faster and simpler than TCP (Transmission Control Protocol) sockets.
Question 90:
The results of an Nmap scan are as follows:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-24 01:10 EST
Nmap scan report for ( 10.2.1.22 )
Host is up (0.0102s latency).
Not shown: 998 filtered ports
Port State Service
80/tcp open http
|_http-title: 80F 22% RH 1009.1MB (text/html)
|_http-slowloris-check:
| VULNERABLE:
| Slowloris DoS Attack
| <..>
Device type: bridge|general purpose
Running (JUST GUESSING) : QEMU (95%)
OS CPE: cpe:/a:qemu:qemu
No exact OS matches found for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 107.45 seconds
Which of the following device types will MOST likely have a similar response? (Choose two.)
A. Network device
B. Public-facing web server
C. Active Directory domain controller
D. IoT/embedded device
E. Exposed RDP
F. Print queue
Answer: B. Public-facing web server and D. IoT/embedded device
Explanation
From the http-title in the output, this looks like an IoT device, with RH implying Relative Humidity, that offers a web-based interface for visualizing the results.
Reference: https://www.netscout.com/what-is-ddos/slowloris-attacks