Free PT1-002 Sample Questions — CompTIA PenTest+ Certification Exam

During a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign. Which of the following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client's cybersecurity tools? (Choose two.)

• A. Scraping social media sites
• B. Using the WHOIS lookup tool
• C. Crawling the client's website
• D. Phishing company employees
• E. Utilizing DNS lookup tools
• F. Conducting wardriving near the client facility

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?

• A. Add a dependency checker into the tool chain
• B. Perform routine static and dynamic analysis of committed code
• C. Validate API security settings before deployment
• D. Perform fuzz testing of compiled binaries

A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a datacenter with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?

• A. Data flooding
• B. Session riding
• C. Cybersquatting
• D. Side channel

A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company's network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment. Which of the following actions should the tester take?

• A. Perform forensic analysis to isolate the means of compromise and determine attribution
• B. Incorporate the newly identified method of compromise into the red team's approach
• C. Create a detailed document of findings before continuing with the assessment
• D. Halt the assessment and follow the reporting procedures as outlined in the contract

Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?

• A. NIST SP 800-53
• B. OWASP Top 10
• C. MITRE ATT&CK framework
• D. PTES technical guidelines

A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?

• A. signed statement of work
• B. The correct user accounts and associated passwords
• C. The expected time frame of the assessment
• D. The proper emergency contacts for the client

A penetration tester has been given eight business hours to gain access to a client's financial system. Which of the following techniques will have the highest likelihood of success?

• A. Attempting to tailgate an employee going into the client's workplace
• B. Dropping a malicious USB key with the company's logo in the parking lot
• C. Using a brute-force attack against the external perimeter to gain a foothold
• D. Performing spear phishing against employees by posing as senior management

A consultant is reviewing the following output after reports of intermittent connectivity issues: ? (192.168.1.1) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet] ? (192.168.1.12) at 34:a4:be:09:44:f4 on en0 ifscope [ethernet] ? (192.168.1.17) at 92:60:29:12:ac:d2 on en0 ifscope [ethernet] ? (192.168.1.34) at 88:de:a9:12:ce:fb on en0 ifscope [ethernet] ? (192.168.1.136) at 0a:d1:fa:b1:01:67 on en0 ifscope [ethernet] ? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet] ? (224.0.0.251) at 01:02:5e:7f:ff:fa on en0 ifscope permanent [ethernet] ? (239.255.255.250) at ff:ff:ff:ff:ff:ff on en0 ifscope permanent [ethernet] Which of the following is MOST likely to be reported by the consultant?

• A. device on the network has an IP address in the wrong subnet
• B. multicast session was initiated using the wrong multicast group
• C. An ARP flooding attack is using the broadcast address to perform DDoS
• D. device on the network has poisoned the ARP cache

A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift. Which of the following social-engineering attacks was the tester utilizing?

• A. Phishing
• B. Tailgating
• C. Baiting
• D. Shoulder surfing

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider's metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

• A. Cross-site request forgery
• B. Server-side request forgery
• C. Remote file inclusion
• D. Local file inclusion

A large client wants a penetration tester to scan for devices within its network that are Internet facing. The client is specifically looking for Cisco devices with no authentication requirements. Which of the following settings in Shodan would meet the client's requirements?

• A. "cisco-ios" "admin+1234"
• B. "cisco-ios" "no-password"
• C. "cisco-ios" "default-passwords"
• D. "cisco-ios" "last-modified"

User credentials were captured from a database during an assessment and cracked using rainbow tables. Based on the ease of compromise, which of the following algorithms was MOST likely used to store the passwords in the database?

• A. MD5
• B. bcrypt
• C. SHA-1
• D. PBKDF2

A company conducted a simulated phishing attack by sending its employees emails that included a link to a site that mimicked the corporate SSO portal. Eighty percent of the employees who received the email clicked the link and provided their corporate credentials on the fake site. Which of the following recommendations would BEST address this situation?

• A. Implement a recurring cybersecurity awareness education program for all users
• B. Implement multifactor authentication on all corporate applications
• C. Restrict employees from web navigation by defining a list of unapproved sites in the corporate proxy
• D. Implement an email security gateway to block spam and malware from email communications

A penetration-testing team is conducting a physical penetration test to gain entry to a building. Which of the following is the reason why the penetration testers should carry copies of the engagement documents with them?

• A. As backup in case the original documents are lost
• B. To guide them through the building entrances
• C. To validate the billing information with the client
• D. As proof in case they are discovered

Which of the following is the MOST effective person to validate results from a penetration test?

• A. Third party
• B. Team leader
• C. Chief Information Officer
• D. Client

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client's information?

• A. Follow the established data retention and destruction process
• B. Report any findings to regulatory oversight groups
• C. Publish the findings after the client reviews the report
• D. Encrypt and store any client information for future analysis

Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?

• A. Whether the cloud service provider allows the penetration tester to test the environment
• B. Whether the specific cloud services are being used by the application
• C. The geographical location where the cloud services are running
• D. Whether the country where the cloud service is based has any impeding laws

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to: ✑ Have a full TCP connection ✑ Send a `hello` payload ✑ Walt for a response ✑ Send a string of characters longer than 16 bytes Which of the following approaches would BEST support the objective?

• A. Run nmap ""Pn ""sV ""script vuln <IP address>
• B. Employ an OpenVAS simple scan against the TCP port of the host
• C. Create a script in the Lua language and use it with NSE
• D. Perform a credentialed scan with Nessus

A penetration tester discovers during a recent test that an employee in the accounting department has been making changes to a payment system and redirecting money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to prevent this type of activity in the future?

• A. Enforce mandatory employee vacations
• B. Implement multifactor authentication
• C. Install video surveillance equipment in the office
• D. Encrypt passwords for bank account information

A software development team is concerned that a new product's 64-bit Windows binaries can be deconstructed to the underlying code. Which of the following tools can a penetration tester utilize to help the team gauge what an attacker might see in the binaries?

• A. Immunity Debugger
• B. OllyDbg
• C. GDB
• D. Drozer