CompTIA PenTest+ Certification Practice Exams (Jonathan Ammerman) Flashcards

1
Q
A component of the aircrack-ng suite of tools, which command-line tool is a wireless sniffing tool that can be used to discover and validate potential wireless targets?
A.Kismet
B.Airmon-ng
C.Airbase-ng
D.Airodump-ng
A

D.Airodump-ng

Explanation:
Airodump-ng is a command-line based, wireless sniffing tool that can be used to discover and validate potential wireless targets.

A, B, and C are incorrect. A is incorrect because Kismet is a separate tool and is not a component of the aircrack-ng suite. B and C are incorrect because while airmon-ng and airbase-ng are components of the aircrack-ng suite, airmon-ng serves to place wireless network devices in monitor mode, and airbase-ng is a tool used for attacking clients rather than the access point itself.

2
Q
Which feature of Shodan is useful for investigating potential use cases via popular searches and publicly shared results?
A.Explore
B.Reports
C.Boolean search
D.Programmatic access via API keys
A

A.Explore

Explanation:
The Explore feature of Shodan can reveal new and interesting use cases by showing the user popular search strings and publicly shared results.

B, C, and D are incorrect. Although automated reporting, support for Boolean search terms, and a documented API for programmatic access are all significant benefits of Shodan, they are not likely to reveal potential new use cases, making these answers incorrect.

3
Q
The amount and kinds of risk an organization is willing to accept in its information environment are collectively known as which of the following terms?
A.Severity ratings
B.Risk appetite
C.Tolerance to impact
D.Risk acceptance
A

B.Risk appetite

Explanation:
Risk appetite refers to the total amount and kinds of risk an organization will tolerate in its networks.

Severity ratings is incorrect because severity ratings are used to define the gravity of vulnerabilities identified in an organization's network.

Tolerance to impact refers to the ability of an organization to withstand the effects of events or occurrences that adversely affect its business assets.

Risk acceptance is incorrect because risk acceptance is defined as an organization's understanding and acceptance of the likelihood and impact of a specific threat on its systems or networks.

While all of these answers influence an organization's risk appetite, the terms are only related to risk appetite rather than synonymous with it, making them incorrect.

4
Q
Which of the following is an access control mechanism that denies all connections that are not explicitly permitted?
A.Limited access
B.Blacklist
C.Privileged-level access
D.Whitelist
A

D.Whitelist

Explanation:
A whitelist only allows specifically identified users (based on identification mechanisms including but not limited to username, IP address and network range) with the required authorization access to access a given system or network.

A and C are incorrect because limited access and privileged-level access refer to methods of access that determine the effective starting point for a pentest.

5
Q
Which term indicates an understanding and acceptance of the likelihood and impact of a specific threat on an organization’s systems or networks?
A.Risk acceptance
B.Scope Creep
C.Tolerance to Impact
D.Return on Investment
A

A.Risk acceptance

Explanation:
Risk acceptance is a term that indicates an understanding and willingness to bear the likelihood and impact of a specific threat to an organization's systems or networks by personnel in that organization with the authority to do so.

Scope creep is incorrect because scope creep is the addition to or modification of an agreed-upon, contracted target scope within an SOW.

Tolerance to impact describes the motivation behind risk acceptance and is therefore related to it.

Return on investment is incorrect because this is often another factor in determining risk acceptance; businesses ultimately look at everything in terms of the impact to the financial bottom line.

6
Q
Of the following options, in which section of a penetration test report would one expect to find a granular breakdown of evidence collected from a social engineering campaign conducted during a penetration test, including an anonymized statistical count of users who opened e-mails or clicked links?
A.Methodology
B.Executive Summary
C.Appendixes
D.Timeline
A

C.Appendixes

Explanation:
Nestled in the conclusions of a pentest, appendixes contain additional supporting information from a pentest that is not crucial to understanding the findings.

Methodology is incorrect because the methodology section of a pentest report focuses on explaining testing techniques and practices used.

Executive summary is incorrect because this provides a high-level overview of the findings of a pentest report.

Timeline is incorrect because this is a component of the executive summary that lays out the sequence of events of a pentest.

7
Q

The HIPAA regulatory framework applies for what type of organization?
A.Stores and retailers that accept credit or debit cards as a means of payment for goods and services
B.U.S. government agencies, or organizations that do business with the U.S. government
C.Hospitals, health clinics, and other organizations that store patients’ personal health information, or PHI
D.Power companies, water companies, and other organizations that provide public utilities

A

C.Hospitals, health clinics, and other organizations that store patients’ personal health information, or PHI

Explanation:
HIPAA regulations—those imposed by the Health Insurance Portability and Accountability Act—apply to hospitals, health clinics, and other organizations that must store the personal health information of their patients.

A, B, and D are incorrect. A is incorrect because stores, retailers, and other organizations that accept debit or credit cards as a means of payment are subject to PCI DSS regulations. B is incorrect because U.S. government agencies and organizations that do business with the U.S. government are subject to the FISMA regulatory framework. D is incorrect because power and water companies and other public utilities do not have a dedicated regulatory framework for their security, but they may adhere to FISMA or other state or local guidelines as mandated by the appropriate legal authorities.

8
Q
In what section of a penetration test report would one expect to find a high-level overview of the results of the test, written specifically for nontechnical stakeholders?
A.Conclusion
B.Methodology
C.Executive summary
D.Appendixes
A

C.Executive summary

Explanation:
The executive summary is a less technical overview of the findings of a penetration test report, geared toward clearly communicating the findings to client personnel who may not have the background or training necessary to fully understand all the minutiae of the vulnerabilities discovered.

A, B, and D are incorrect. A is incorrect because the conclusion of a penetration test report consists of supplemental material that supports the findings of that penetration test, but it is not critical to understand its contents. This can consist of figures and illustrations, appendixes that contain the results of port scans, or other granular details used during the course of the test. As such, this is far from a nontechnical section of the report, and is therefore incorrect. B is incorrect because the methodology section of a penetration test report presents information regarding testing techniques and practices used as well as the decision-making processes that guided information collection, analysis, and risk evaluation. As this is far more in the weeds than would be appropriate for a nontechnical summary, it is incorrect. D is incorrect because appendixes are a component of the conclusion of a penetration test report, and they detail the results of port scans, automated vulnerability scanners deployed in an effort to find low-hanging fruit, and other fine details. As stated previously, this is a much more detailed section of the penetration test report than is appropriate for nontechnical personnel, making this answer incorrect.

9
Q

User Account Control (UAC) is a security mechanism found in Microsoft Windows operating systems, starting with Windows Vista. How does UAC enhance system security?
A.Prevents users from accessing files and directories belonging to other users of the system
B.Prevents applications from launching until a low-privilege user opens an executable
C.Restricts user applications and software to low-privilege execution unless a sysadmin authorized escalation of privilege for a given running application
D.Locks user accounts after a set number of failed logins

A

C.Restricts user applications and software to low-privilege execution unless a sysadmin authorized escalation of privilege for a given running application

Explanation:
By restricting applications to a user-level execution context unless escalation is specifically authorized by a system administrator, UAC prevents tasks running invisibly to the average user from escalating privileges and enabling malicious activity.

10
Q

Which of the following items would require specific actions taken by a penetration tester as part of the post-engagement cleanup?
A.Deleting the hardcoded credentials harvested from a user-written shell script
B.Applying a missing patch to a service exploited during the course of the engagement
C.Disabling the sa account used to compromise a MSSQL server
D.Removing a registry entry you modified to provide a reverse shell at boot time

A

D.Removing a registry entry you modified to provide a reverse shell at boot time

Explanation:
Adding or modifying a registry entry for the purpose of persistence is an example of a change made during the course of a penetration test. Like any other change made during the course of a penetration test, all effort should be made to revert such changes at the conclusion of the engagement; if removing a change is not possible for any reason, the exact nature of the change should be noted and passed along in the penetration test report.

A, B, and C are incorrect. All of these answers would be examples of changes to conditions discovered during the course of a penetration test. As such, the appropriate thing for a tester to do is record and report them in their findings; the onus is on the client organization to remedy these issues.

11
Q
Which function of domain resolution tools returns the domain name for a given IP address by returning its associated PTR (pointer record)?
A.Forward DNS Lookup
B.DNS Dig
C.Reverse DNS Lookup
D.Cname query
A

C.Reverse DNS Lookup

Explanation:
A reverse DNS lookup queries the PTR record for a named IP address and then returns the associated domain name to the user.

A is incorrect because forward DNS resolution requires a domain name as input and returns the associated IP address to the user. B is incorrect because “DNS dig” is not a function provided by a name resolution tool; rather, dig is the name of one such tool. D is incorrect because a cname query (or “canonical name” query) returns cname records for a given domain. A cname record is an alias by which a server is also known.

12
Q

Which of the following are examples of phone-based phishing? (Choose two.)

A.SMS phishing
B.Spear phishing
C.Voice phishing
D.Baiting

A

A.SMS phishing
C.Voice phishing

Explanation:
SMS phishing and voice phishing (or vishing) are phishing vectors that rely on the use of phones.

B and D are incorrect. B is incorrect because spear phishing is a tightly targeted phishing attack that focuses on specific individuals who may have information or access to systems or resources desired by a penetration tester in the context of a security assessment. D is incorrect because baiting is a motivating factor defined by its use of means that tempt or entice a target into performing a given action.

13
Q

The WHOIS directory service provides what information with a proper query?

A.Domain registration information
B.Website administrator contacts
C.Domain name resolution
D.Reverse lookup

A

A.Domain registration information

Explanation:
The WHOIS directory service provides domain registration information, including registrant and administrator names, phone numbers, and e-mail addresses.

B, C, and D are incorrect. B is incorrect because website administrator information is not required for a WHOIS entry; that information can often be found on the website in question. C and D are incorrect because domain name resolution and reverse lookup services are both provided by DNS servers. Manual queries for this information may be completed via the use of the nslookup and dig commands.

14
Q

During a physical penetration test, you see a user entering their username and password on a company intranet web application while you glance over from behind as they type. What is this an example of?

A.Pretexting
B.Interrogation
C.Shoulder surfing
D.Baiting
A

C.Shoulder surfing

Explanation:
Shoulder surfing is the covert observance of individuals geared toward the collection of sensitive information.

A, B, and D are incorrect. A is incorrect because pretexting is the creation of a reason—a pretext—for the penetration tester to be in a given place or to be asking for something. B is incorrect because interrogation is the use of carefully asked questions to elicit information from a target. D is incorrect because baiting is a motivating factor defined by its use of means that tempt or entice a target into performing a given action.

15
Q
Which command (valid in both *nix and Windows) can resolve a domain name to its IP address?
A.nslookup
B.ping
C.dig
D.host
A

A.nslookup

Explanation:
The nslookup command is available on both Windows and *nix systems and can query DNS servers to resolve a domain name to its associated IP address, and vice versa.

B, C, and D are incorrect. B is incorrect because the ping command only sends ICMP packets to a host to confirm that it is reachable. C and D are incorrect because although both dig and host are commands that can resolve a domain name to its IP address, they are only valid in *nix operating systems and are not recognized by default on Windows operating systems.

16
Q

Single sign-on (SSO) architectures enhance system simplicity by allowing services requiring authentication to effectively delegate trust to another central system, relying on that system’s affirmation that a user is both identified correctly and authorized for the service they want to use. Which of the following is not an example of an SSO-enabling identity protocol?

A.OAuth
B.OpenID
C.SELinux
D.Active Directory Federated Services (ADFS)

A

C.SELinux

Explanation:
SELinux is a security module that facilitates access control policies in Linux operating systems.

A, B, and D are incorrect because OAuth, OpenID, and Active Directory Federated Services (ADFS) are all identity protocols that enable deployment of SSO in a given network environment.

17
Q
Which type of primary frame (defined by the IEEE 802.11 wireless standard) transfers data from higher layers of the OSI model, such as web content from an HTTP GET request?
A.Control Frame
B.Probe response frame
C.Probe request frame
D.Data frame
A

D.Data frame

Explanation:
Data frames transfer information from higher layers of the OSI model.

A, B, and C are incorrect. A is incorrect because control frames ensure data frames are delivered to each station. B and C are incorrect because probe request and probe response frames are subtypes of management frames; they help establish and maintain wireless communication through an access point.

18
Q
LAN Manager (LM) and NT LAN Manager (NTLM) hashes are used to store passwords in which operating system family?
A.Solaris
B.Linux
C.Windows
D.HP-UX
A

C.Windows

Explanation:
LM and NTLM hashes are used by Windows operating systems to store user passwords.

A, B, and D are incorrect because Solaris, Linux, and HP-UX are all *nix-type operating systems that store user passwords in the /etc/shadow file using a different password-hashing algorithm such as Blowfish or bcrypt.

19
Q

What is the function of an organization’s IT department in relation to a penetration test?

A.Patching systems before the penetration testers can launch exploits
B.Communication of security policies and remediation of incidental outages
C.Providing penetration testers with software tools needed for the assessment
D.Providing final, written authorization for the penetration test

A

B.Communication of security policies and remediation of incidental outages

Explanation:
During a penetration test, an organization’s IT department serves to communicate security policies and remediate any incidents that may occur during the engagement.

A, C, and D are incorrect. A is incorrect because patching systems is certainly within the traditional job scope of an IT department, but with respect to a penetration test it is expected that systems will not be subjected to any configuration changes or updates for the duration of the assessment. C is incorrect because provisioning of tools required by the penetration testing team is outside of the duties of the IT department as well; although the IT department may coordinate or configure network or VPN access and necessary accounts for credentialed scanning, penetration testers should generally expect to bring their own tools to an engagement. D is incorrect because the signing of the written authorization letter is a function expected of an organization’s executive management or legal personnel.

20
Q
Which of the following is not a module category in recon-ng?
A.Reporting modules
B.Importing modules
C.Discovery modules
D.Exporting modules
A

D.Exporting modules

Explanation:
There is no such thing as exporting modules in recon-ng.

Reporting, importing, and discovery modules are all present in recon-ng, making these answers incorrect.

21
Q

What is the effect of the -PU flag in nmap?
A.Triggers SCTP discovery to named ports
B.Triggers TCP ACK discovery to named ports
C.Triggers UDP discovery to named ports
D.Triggers TCP SYN discovery to named ports

A

C.Triggers UDP discovery to named ports

Explanation:
The -PU flag is used for UDP discovery of declared ports.

A, B, and D are incorrect. A is incorrect because SCTP discovery is the result of the -PY flag. B is incorrect because TCP ACK discovery is the result of the -PA flag. D is incorrect because TCP SYN discovery is the result of the -PS flag.

22
Q

Web fuzzing is a data validation technique used to identify flaws in websites or web applications. Which of the following is not a practice commonly used in web fuzzing?

A.Feeding garbage or unexpected data to a user data input point to elicit error messages or other information
B.Inspection of website source data to check for potentially exploitable errors or warnings
C.Tampering with URL parameters
D.Sending HTTP request methods such as HEAD or POST where another method is expected
A

B.Inspection of website source data to check for potentially exploitable errors or warnings

Explanation:
B is correct. While it is common to inspect a website’s source page to check for exploitable errors or warnings, this is not a practice that can be defined as fuzzing, which at its most basic level feeds unexpected data to a website or web application to attempt to elicit an unexpected system response.

A, C, and D are incorrect. A is incorrect because feeding garbage or unexpected data to elicit error messages or other information is essentially the definition of web fuzzing. Indeed, C and D—tampering with URL parameters and sending unexpected HTTP request methods—are themselves specific examples of this task.

23
Q
Which term is defined as a surveillance technique used to discover SSIDs, router information, signal strength, MAC addresses, and other information pertinent to an 802.11 wireless network?
A.Stumbling
B.Staggering
C.Tripping
D.Raking
A

A.Stumbling

Explanation:
Stumbling is a surveillance technique that is used to discover SSIDs, router information, signal strength, MAC addresses, and other information pertinent to an 802.11 wireless network.

B, C, and D are incorrect. Neither staggering, tripping, nor raking is a term relevant to 802.11 wireless communications or the penetration testing thereof.

24
Q

Which of the following elicitation attempts is an example of using scarcity as a motivational technique?

A.A call to a company stating that your business is looking to make a large purchase for a product in their industry. You just did a walk through on their competitor’s offering, and you want to do the same with them before buying—but it must happen today or else you’ll be forced to buy from the competitor.
B.Greeting a receptionist in business attire and a warm smile, politely asking about a (nonexistent) meeting scheduled with the manager you know is out of the building, in an effort to elicit when they are expected to be in their office.
C.Sending an e-mail with spoofed headers with a malicious Excel spreadsheet that appears to come from a company’s CFO.
D.Following a crowd of employees coming back in from lunch toward the employee work areas in an effort to find an open cubicle with a free network port.

A

A.A call to a company stating that your business is looking to make a large purchase for a product in their industry. You just did a walk through on their competitor’s offering, and you want to do the same with them before buying—but it must happen today or else you’ll be forced to buy from the competitor.

Explanation:
The insistence that the offer to purchase from the target company is only valid for a short period of time is a solid example of using scarcity as a motivating factor. By emphasizing that the offer might be rescinded soon, the target is compelled to act quickly.

B, C, and D are incorrect. B is incorrect because approaching someone while well-dressed with an inviting smile and politely asking questions will generally get people to like you in most day-to-day interactions, making it an example of using likeability as a motivating factor. C is incorrect because sending e-mails that are crafted to appear as though they came from the company CFO is an example of the use of authority as a motivating technique, as it relies on employees’ respect for the authority that a CFO would carry. D is incorrect because it is an attempt to leverage social norms in the office environment to your advantage, making it an example of using social proof as a motivating factor.

25
Q
Before beginning a physical penetration test, you decide to craft a persona wherein you are an electrician who has been asked to perform an inspection of the electrical panel and related systems for a client’s building. What is this an example of?
A.Baiting
B.Waterholing
C.Interrogation
D.Pretexting
A

D.Pretexting

Explanation:
The crafting of a persona that is assumed during a social engineering effort—whether in person, over the phone, or via e-mail—is pretexting. It revolves around creating a reason—a pretext—for the penetration tester to be in a given place or to be asking for something.

A, B, and C are incorrect. A is incorrect because baiting is a motivating factor defined by its use of means that tempt or entice a target into performing a given action. B is incorrect because waterholing is the use of a trusted site to house a malicious payload. C is incorrect because interrogation is the use of carefully asked questions to elicit information from a target.