New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Certensure Logo
  1. Home
  2. CompTIA
  3. PenTest+
  4. PT0-001 - CompTIA PenTest+ Exam

CompTIA PT0-001 CompTIA PenTest+ Exam Exam Practice Test

Demo: 44 questions
Total 294 questions
Get PT0-001 Full Access Download PT0-001 PDF

CompTIA PenTest+ Exam Questions and Answers

Question 1

A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:

IP: 192.168.1.20

NETMASK: 255.255.255.0

DEFAULT GATEWAY: 192.168.1.254

DHCP: 192.168.1.253

DNS: 192.168.10.10, 192.168.20.10

Which of the following commands should the malicious user execute to perform the MITM attack?

Options:

A.

arpspoof -c both -r -t 192.168.1.1 192.168.1.20

B.

arpspoof -t 192.168.1.20 192.168.1.254

C.

arpspoof -c both -t 192.168.1.20 192.168.1.253

D.

arpspoof -r -t 192 .168.1.253 192.168.1.20

Question 2

A client gives a penetration tester a /8 network range to scan during a week-long engagement. Which of the following tools would BEST complete this task quickly?

Options:

A.

Massscan

B.

Nmap

C.

Angry IP scanner

D.

Unicorn scan

Question 3

During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network. Which of the following tools could be used to impersonate network resources and collect authentication requests?

Options:

A.

Ettercap

B.

Tcpdump

C.

Responder

D.

Medusa

Question 4

While conducting information gathering, a penetration tester is trying to identify Windows hosts. Which of the following characteristics would be BEST to use for fingerprinting?

Options:

A.

The system responds with a MAC address that begins with 00:0A:3B.

B.

The system responds with port 22 open.

C.

The system responds with a TTL of 128.

D.

The system responds with a TCP window size of 5840.

Question 5

A penetration tester has gained access to a marketing employee's device. The penetration tester wants to

ensure that if the access is discovered, control of the device can be regained. Which of the following actions

should the penetration tester use to maintain persistence to the device? (Select TWO.)

Options:

A.

Place an entry in HKLM\Software\Microsoft\CurrentVersion\Run to call au57d.ps1.

B.

Place an entry in C:\windows\system32\drivers\etc\hosts for 12.17.20.10 badcomptia.com.

C.

Place a script in C:\users\%username\local\appdata\roaming\temp\au57d.ps1.

D.

Create a fake service in Windows called RTAudio to execute manually.

E.

Place an entry for RTAudio in HKLM\CurrentControlSet\Services\RTAudio.

F.

Create a schedule task to call C:\windows\system32\drivers\etc\hosts.

Question 6

During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.

Which of the following registry changes would allow for credential caching in memory?

Options:

A.

reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 0

B.

reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1

C.

reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1

D.

reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1

Question 7

A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Options:

A.

Obsolete software may contain exploitable components

B.

Weak password management practices may be employed

C.

Cryptographically weak protocols may be intercepted

D.

Web server configurations may reveal sensitive information

Question 8

A penetration tester observes that several high numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

Options:

A.

Transition the application to another port

B.

Filter port 443 to specific IP addresses

C.

Implement a web application firewall

D.

Disable unneeded services.

Question 9

A penetration tester executes the following commands:

C:\>%userprofile%\jtr.exe

This program has been blocked by group policy

C:\> accesschk.exe -w -s -q -u Users C:\Windows

rw C:\Windows\Tracing

C:\>copy %userprofile%\jtr.exe C:\Windows\Tracing

C:\Windows\Tracing\jtr.exe

jtr version 3.2…

jtr>

Which of the following is a local host vulnerability that the attacker is exploiting?

Options:

A.

Insecure file permissions

B.

Application Whitelisting

C.

Shell escape

D.

Writable service

Question 10

A penetration tester has gained physical access to a facility and connected directly into the internal network.

The penetration tester now wants to pivot into the server VLAN. Which of the following would accomplish this?

Options:

A.

Spoofing a printer’s MAC address

B.

Abusing DTP negotiation

C.

Performing LLMNR poisoning

D.

Conducting an STP attack

Question 11

A penetration tester is performing an annual security assessment for a repeat client The tester finds indicators of previous compromise Which of the following would be the most logical steps to follow NEXT?

Options:

A.

Report the incident to the tester's immediate manager and follow up with the client immediately

B.

Report the incident to the clients Chief Information Security Officer (CISO) immediately and alter the terms of engagement accordingly

C.

Report the incident to the client's legal department and then follow up with the client's security operations team

D.

Make note of the anomaly, continue with the penetration testing and detail it in the final report

Question 12

A vulnerability scan identifies that an SSL certificate does not match the hostname; however, the client disputes the finding. Which of the following techniques can the penetration tester perform to adjudicate the validity of the findings?

Options:

A.

Ensure the scanner can make outbound DNS requests.

B.

Ensure the scanner is configured to perform ARP resolution.

C.

Ensure the scanner is configured to analyze IP hosts.

D.

Ensure the scanner has the proper plug -ins loaded.

Question 13

A security consultant finds a folder in "C VProgram Files" that has writable permission from an unprivileged user account Which of the following can be used to gam higher privileges?

Options:

A.

Retrieving the SAM database

B.

Kerberoasting

C.

Retrieving credentials in LSASS

D.

DLL hijacking

E.

VM sandbox escape

Question 14

Which of the following BEST describes some significant security weaknesses with an ICS, such as those used

in electrical utility facilities, natural gas facilities, dams, and nuclear facilities?

Options:

A.

ICS vendors are slow to implement adequate security controls.

B.

ICS staff are not adequately trained to perform basic duties.

C.

There is a scarcity of replacement equipment for critical devices.

D.

There is a lack of compliance for ICS facilities.

Question 15

Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented Each password may be used only once

Options:

Question 16

A penetration tester is performing ARP spoofing against a switch. Which of the following should the penetration tester spoof to get the MOST information?

Options:

A.

MAC address of the client

B.

MAC address of the domain controller

C.

MAC address of the web server

D.

MAC address of the gateway

Question 17

During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be

the NEXT action?

Options:

A.

Disable the network port of the affected service.

B.

Complete all findings, and then submit them to the client.

C.

Promptly alert the client with details of the finding.

D.

Take the target offline so it cannot be exploited by an attacker.

Question 18

A security assessor is attempting to craft specialized XML files to test the security of the parsing functions

during ingest into a Windows application. Before beginning to test the application, which of the following should

the assessor request from the organization?

Options:

A.

Sample SOAP messages

B.

The REST API documentation

C.

A protocol fuzzing utility

D.

An applicable XSD file

Question 19

A penetration tester has been asked to conduct OS fingering with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.)

Options:

A.

-O

B.

-iL

C.

-sV

D.

-sS

E.

-oN

F.

-oX

Question 20

Which of the following describe a susceptibility present in Android-based commercial mobile devices when organizations are not employing MDM services? (Choose two.)

Options:

A.

Configurations are user-customizable.

B.

End users have root access to devices by default.

C.

Push notification services require Internet access.

D.

Unsigned apps can be installed.

E.

The default device log facility does not record system actions.

F.

IPSec VPNs are not configurable.

Question 21

When performing compliance-based assessments, which of the following is the MOST important Key consideration?

Options:

A.

Additional rate

B.

Company policy

C.

Impact tolerance

D.

Industry type

Question 22

Which of the following BEST describes the difference between a red team engagement and a penetration test?

Options:

A.

A penetration test has a broad scope and emulates advanced persistent threats while a red team engagement has a limited scope and focuses more on vulnerability identification

B.

A red team engagement has a broad scope and emulates advanced persistent threats, while a penetration test has a limited scope and focuses more on vulnerability identification

C.

A red team engagement has a broad scope and focuses more on vulnerability identification, while a penetration test has a limited scope and emulates advanced persistent threats

D.

A penetration test has a broad scope and focuses more on vulnerability identification while a red team engagement has a limited scope and emulates advanced persistent threats

Question 23

A penetration tester has gained a root shell on a target Linux server and wants to have the server "check in" over HTTP using a GET request to the penetration tester's laptop once every hour, even after system reboots. The penetration tester wrote a bash script to perform this. Which of the following represents the BEST method to persist the script?

Options:

A.

Execute the script to run in a screen session.

B.

Use the nohup command to launch the script immune to logouts.

C.

Configure a systemd service at default run level to launch the script.

D.

Modify .bash_profile to launch the script in the background.

Question 24

A security assessor completed a comprehensive penetration test of a company and its networks and systems.

During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's

intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor,

although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of

impact?

Options:

A.

Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and

digital signing.

B.

Implement new training to be aware of the risks in accessing the application. This training can be

decommissioned after the vulnerability is patched.

C.

Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the

application to company staff after the vulnerability is patched.

D.

Require payroll users to change the passwords used to authenticate to the application. Following the

patching of the vulnerability, implement another required password change.

Question 25

Given the following Python script:

#1/usr/bin/python

import socket as skt

for port in range (1,1024):

try:

sox=skt.socket(skt.AF.INET,skt.SOCK_STREAM)

sox.settimeout(1000)

sox.connect ((‘127.0.0.1’, port))

print ‘%d:OPEN’ % (port)

sox.close

except: continue

Which of the following is where the output will go?

Options:

A.

To the screen

B.

To a network server

C.

To a file

D.

To /dev/null

Question 26

A penetration tester wants to check manually if a “ghost” vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

Options:

A.

Download the GHOST file to a Linux system and compile

gcc -o GHOST

test i:

./GHOST

B.

Download the GHOST file to a Windows system and compile

gcc -o GHOST GHOST.c

test i:

./GHOST

C.

Download the GHOST file to a Linux system and compile

gcc -o GHOST GHOST.c

test i:

./GHOST

D.

Download the GHOST file to a Windows system and compile

gcc -o GHOST

test i:

./GHOST

Question 27

A penetration tester has performed a pivot to a new Linux device on a different network. The tester writes the following command:

for m in {1..254..1};do ping -c 1 192.168.101.$m; done

Which of the following BEST describes the result of running this command?

Options:

A.

Port scan

B.

Service enumeration

C.

Live host identification

D.

Denial of service

Question 28

A penetration tester ran the following Nmap scan on a computer:

nmap -aV 192.168.1.5

The organization said it had disabled Telnet from its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH. Which of the following is the BEST explanation for what happened?

Options:

A.

The organization failed to disable Telnet.

B.

Nmap results contain a false positive for port 23.

C.

Port 22 was filtered.

D.

The service is running on a non-standard port.

Question 29

Which of the following tools is used to perform a credential brute force attack?

Options:

A.

Hydra

B.

John the Ripper

C.

Hashcat

D.

Peach

Question 30

A penetration tester has access to a local machine running Linux, but the account has limited privileges. Which of the following types of files could the tester BEST use for privilege escalation?

Options:

A.

Binaries stored in /usr/bin

B.

Files with permission 4xxx

C.

Files stored in /root directory

D.

Files with the wrong ACL rules configured

Question 31

During the information gathering phase, a penetration tester discovers a spreadsheet that contains a domain administrator's credentials. In addition, port scanning reveals that TCP port 445 was open on multiple hosts. Which of the following methods would BEST leverage this information?

Options:

A.

telnet [target IP] 445

B.

ncat [target IP] 445

C.

nbtstat -a [targetIP] 445

D.

psexec [target IP]

Question 32

A client requests that a penetration tester emulate a help desk technician who was recently laid off. Which of the following BEST describes the abilities of the threat actor?

Options:

A.

Advanced persistent threat

B.

Script kiddie

C.

Hacktivist

D.

Organized crime

Question 33

A system security engineer is preparing to conduct a security assessment of some new applications. The applications were provided to the engineer as a set that contains only JAR files. Which of the following would be the MOST detailed method to gather information on the inner working of these applications?

Options:

A.

Launch the applications and use dynamic software analysis tools, including fuzz testing

B.

Use a static code analyzer on the JAR filet to look for code Quality deficiencies

C.

Decompile the applications to approximate source code and then conduct a manual review

D.

Review the details and extensions of the certificate used to digitally sign the code and the application

Question 34

A senior employee received a suspicious email from another executive requesting an urgent wire transfer.

Which of the following types of attacks is likely occurring?

Options:

A.

Spear phishing

B.

Business email compromise

C.

Vishing

D.

Whaling

Question 35

A penetration tester generates a report for a host-based vulnerability management agent that is running on a production web server to gather a list of running processes. The tester receives the following information.

Which of the following processes MOST likely demonstrates a lack of best practices?

Options:

A.

apache2

B.

dbus-daemon

C.

systemd

D.

urlgrabber-ext

Question 36

During a physical security review, a detailed penetration testing report was obtained, which was issued to a

security analyst and then discarded in the trash. The report contains validated critical risk exposures. Which of

the following processes would BEST protect this information from being disclosed in the future?

Options:

A.

Restrict access to physical copies to authorized personnel only.

B.

Ensure corporate policies include guidance on the proper handling of sensitive information.

C.

Require only electronic copies of all documents to be maintained.

D.

Install surveillance cameras near all garbage disposal areas.

Question 37

A MITM attack is being planned. The first step is to get information flowing through a controlled device. Which

of the following should be used to accomplish this?

Options:

A.

Repeating

B.

War driving

C.

Evil twin

D.

Bluejacking

E.

Replay attack

Question 38

If a security consultant comes across a password hash that resembles the following

b117 525b3454 7Oc29ca3dBaeOb556ba8

Which of the following formats is the correct hash type?

Options:

A.

Kerberos

B.

NetNTLMvl

C.

NTLM

D.

SHA-1

Question 39

A penetration tester has run multiple vulnerability scans against a target system. Which of the following would be unique to a credentialed scan?

Options:

A.

Exploits for vulnerabilities found

B.

Detailed service configurations

C.

Unpatched third-party software

D.

Weak access control configurations

Question 40

A penetration tester has been assigned to perform an external penetration assessment of a company. Which of the following steps would BEST help with the passive-information-gathering process? (Choose two.)

Options:

A.

Wait outside of the company’s building and attempt to tailgate behind an employee.

B.

Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities, and attempt to gain access.

C.

Use domain and IP registry websites to identify the company’s external netblocks and external facing applications.

D.

Search social media for information technology employees who post information about the technologies they work with.

E.

Identify the company’s external facing webmail application, enumerate user accounts and attempt password guessing to gain access.

Question 41

When performing active information reconnaissance, which of the following should be tested FIRST before starting the exploitation process?

Options:

A.

SQLmap

B.

TLS configuration

C.

HTTP verbs

D.

Input fields

Question 42

A consultant is performing a social engineering attack against a client. The consultant was able to collect a number of usernames and passwords using a phishing campaign. The consultant is given credentials to log on to various employees email accounts. Given the findings, which of the following should the consultant recommend be implemented?

Options:

A.

Strong password policy

B.

Password encryption

C.

Email system hardening

D.

Two-factor authentication

Question 43

A penetration tester has been asked to conduct OS fingering with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.).

Options:

A.

-O

B.

-iL

C.

-V

D.

-sS

E.

oN

F.

-oX

Question 44

A consultant is attempting to harvest credentials from unsecure network protocols in use by the organization. Which of the following commands should the consultant use?

Options:

A.

Tcmpump

B.

John

C.

Hashcat

D.

nc

Load More PT0-001 Questions
Demo: 44 questions
Total 294 questions
Get PT0-001 Full Access Download PT0-001 PDF