CompTIA PenTest+ (PT0-001) Practice Certification Exams (Jason Dion's 1 of 6) Flashcards
Dion Training hosts its new web applications on AWS Lambda. You have been contracted to perform a penetration test against this new web application. What target type would this engagement be classified as?
A.On-Site
B.Internal
C.First-party hosted
D.Third-party hosted
D.Third-party hosted
Explanation:
OBJ-1.3: Third-party hosted target types are used when a vendor or partner of the client organization hosts the targeted network or system. In this scenario, Dion Training uses AWS Lambda for hosting its web application. Therefore, this is classified as a third-party hosted target type. This is important to consider before beginning the assessment since the third-party also must consent and agree to the penetration test since they host the systems involved.
You are planning an engagement with a new client. Which target type should be selected to simulate an APT?
A.Internal
B.On-site
C.Third-party hosted
D.External
D.External
Explanation:
OBJ-1.3: An advanced persistent threat (APT) is a threat that uses multiple attack vectors to gain unauthorized access to sensitive resources. APTs are often funded by nation-states and used for intelligence-gathering operations against government, military, and commercial networks. In general, an APT is simulated using an external target type.
Which of the following directly impacts the budgetary requirements of a penetration test?
A.Scope
B.Compliance
C.Schedule
D.Tolerance to Impact
A.Scope
Explanation:
OBJ-1.1: The scope has a direct impact on the budgetary requirements of a penetration test. If the scope is smaller, the budget required will be lower. If the scope is larger, then the budget also needs to be larger to support it. The scope can drive the cost, but often a fixed budget is already provided by an organization. In this case, the budget will remain constant, but the scope will shrink to fit within the resources available.
An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store’s IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
A.There are no new risks due to the install and the company has a stronger physical security posture
B.These devices should be isolated from the rest of the enterprise network
C.These devices should be scanned for viruses before installation
D.These devices are insecure and should be isolated from the internet
B.These devices should be isolated from the rest of the enterprise network
Explanation:
OBJ-1.3: While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store’s network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don’t necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and locks on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn’t protect them long-term.
What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?
A.XCCDF
B.CPE
C.CCE
D.CVE
D.CVE
Explanation:
OBJ-2.1: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.
Which of the following is a special type of embedded operating system that uses a predictable and consistent scheduler?
A.Mobile
B.IoT
C.RTOS
D.PoS
C.RTOS
Explanation:
OBJ-2.5: A real-time operating system (RTOS) is a special type of embedded OS. An RTOS is ideal for embedded systems because they tend to have strict requirements for when a task should be completed and do not have particularly taxing workloads. An RTOS uses a predictable and consistent scheduler, unlike a general-purpose OS like Windows or macOS.
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?
A.WHOIS lookups
B.Banner grabbing
C.BGP Looking Glass
D.Registrar Checks
B.Banner grabbing
Explanation:
OBJ-2.1: Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization’s remote host.
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?
A.MySQL
B.RDP
C.LDAP
D.IMAP
B.RDP
Explanation:
OBJ-2.5: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn’t supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.
Which of the following is the most difficult to confirm with an external vulnerability scan?
A.Cross-site Scripting (XSS)
B.Cross-site Request Forgery (XSRF/CSRF)
C.Blind SQL Injection
D.Unpatched web server
C.Blind SQL Injection
Explanation:
OBJ-2.2: Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and see them enter the following URL, https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p. Which of the following is true about the results of this search? (SELECT THREE)
A.All search filters are deactivated
B.Returns only files hosted at diontraining.com
C.Returns only Microsoft Excel spreadsheets
D.Find sites related to diontraining.com
E.Excludes Microsoft Excel Spreadsheets
F.Personalization is turned off
B.Returns only files hosted at diontraining.com
C.Returns only Microsoft Excel spreadsheets
F.Personalization is turned off
Explanation:
OBJ-2.1: The above example searches for files with the name “password” in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ‘:’) and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the “related:” term to the query. To deactivate all filters from the search, the “filter=0” should be used. To deactivate the directory filtering function, the “filter=p” is used.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital’s enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital’s elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend?
A.Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack
B.Recommend isolation of the elevator control system from the rest of the production network through the change control process
C.Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists
D.Recommend immediate disconnection of the elevators control system from the enterprise network
B.Recommend isolation of the elevator control system from the rest of the production network through the change control process
Explanation:
OBJ-2.5: The best recommendation is to conduct the elevator control system’s logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process that brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability to the elevator control system that defines the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (i.e., sick and injured trapped in an elevator) if there were resources that the PLCs were dependent on in the rest of the network. Replacement of the elevators may be prohibitively expensive, time-consuming, and likely something that the hospital would not be able to justify to mitigate this vulnerability. Attempting further exploitation of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage to the elevators themselves.
An organization is currently accepting bids for a contract that will involve penetration testing and reporting. The organization is asking all bidders to provide proof of previous penetration testing and reporting experience. One contractor decides to print out a few reports from some previous penetration tests that they performed. What could have occurred as a result of this contractor’s actions?
A.The contractor will have their bid accepted with a special pay bonus because of their excellent work on previous pentests
B.The contractor may have inadvertently exposed numerous vulnerabilities they have found at other companies on previous assessments
C.The organization accepting the bids will want to use the reports as an example of the format for all bidders to use in the future
D.The company accepting the bids will hire the contractor because of the quality of the reports he submitted with this bid
B.The contractor may have inadvertently exposed numerous vulnerabilities they have found at other companies on previous assessments
Explanation:
OBJ-1.2: Pentesters should never disclose any information from previous penetration tests to anyone outside of the assessed organization since this could expose the vulnerability found. This non-disclosure is usually outlined in the original contract and scope of work. If the contractor wishes to provide a sample report, then the report should be created specifically for the contract and only include information from a sample/test network, not a previous customer’s assessment. This could also be in breach of the NDA between the pentester and the organization, as well.
Dion Training has contracted you to conduct a penetration test of its web application hosted within AWS Lambda. Part of the assessment will include stress testing the web application using a simulated DDoS attack. Which of the following entities would be the proper signing authority for this penetration test?
A.Dion Training’s representative since they hired you
B.Amazon’s representative since they host the servers
C.Both organizations’ representatives since one is your client and the other hosts the servers
D.Neither organization’s representatives since you are simulating a DDoS
C.Both organizations’ representatives since one is your client and the other hosts the servers
Explanation:
OBJ-1.2: Written authorization documents help control the amount of liability incurred by the penetration tester. You must ensure you have the correct authorization in place before beginning your engagement. You ALWAYS need written authorization from your client. If the client uses a third-party service provider, then you may need to also get proper authorization from them in writing too. During your engagement planning, you should contact the third-party service provider to determine if written consent is required. In the case of Amazon, there are a handful of services that do not require prior authorization before conducting a penetration test on behalf of your client. DoS and DDoS attacks and simulations do require written authorization from both your client and Amazon. If you do not have this, you could be held liable for any negative consequences to Amazon and its client’s servers or even be charged with criminal computer hacking.
During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the systems remain protected and compliant with the rules outlined by the PCI DSS?
A.Replace the Windows POS terminals with standard Windows systems
B.Build a custom OS image that includes the patch
C.Identify, implement and document compensating controls
D.Remove the POS terminals from the network until the vendor releases a patch
C.Identify, implement and document compensating controls
Explanation:
OBJ-1.4: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.
You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn’t exist yet. Which type of threat would this BEST be categorized as?
A.Zero-day
B.DDoS
C.Brute force
D.Spoofing
A.Zero-day
Explanation:
OBJ-1.3: A zero-day attack happens once a flaw, or software/hardware vulnerability, is exploited, and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability, hence the term zero-day.
You have been contracted to perform a web application assessment. You believe the best way to exploit the application is to provide it a specially crafted XML file. The application normally allows users to import XML-based files and then parses them during ingestion. Which of the following support resources should you request from the organization before starting your assessment?
A.Soap Project File
B.Architectural diagrams
C.Authorization to use a fuzzer
D.An XSD file
D.An XSD file
Explanation:
OBJ-1.1: Since the scenario states that you will create a specially crafted XML file for the assessment, you will need to know the XML file structure the web application expects. An XML Schema Definition (XSD) is a recommendation that enables developers to define the structure and data types for XML documents. If the company provides this support resource to you, you will know the exact format expected by the application, which can save you a lot of time, and the organization a lot of expense during the assessment.
A project manager is tasked with the planning of a new network installation. The customer requires that everything discussed in the meetings is installed and configured when a network engineer arrives onsite. Which document should the project manager provide the customer?
A.Acceptable Use Policy
B.Service Level Agreement
C.Statement of Work
D.Security Policy
C.Statement of Work
Explanation:
OBJ-1.2: A Statement of Work (SOW) is a document that outlines all the work that is to be performed, as well as the agreed-upon deliverables and timelines.
An organization wants to get an external attacker’s perspective on their security status. Which of the following services should they purchase?
A.Vulnerability Scan
B.Asset Management
C.Pentest
D.Patch Management
C.Pentest
Explanation:
OBJ-1.4: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
Which of the following rules of engagement provides the scope and limitation of the penetration test?
A.Timeline
B.Location of the team
C.Temporal restrictions
D.Test boundaries
D.Test boundaries
Explanation:
OBJ-1.1: The test boundaries are used to define the acceptable actions and scope used during an engagement. For example, it will define whether servers, endpoints, or both will be in the scope of the attack. It may also dictate whether only technical means may be used for exploitation or if social engineering can also be utilized.
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of activity occurred based on the output above?
A.Port scan targeting 10.10.3.2
B.Fragmentation attack targeting 10.10.3.6
C.Denial of service attack targeting 10.10.3.6
D.Port scan targeting 10.10.3.6
D.Port scan targeting 10.10.3.6
Explanation:
OBJ-2.1: Port scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scan targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overwhelms a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.
A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?
A.Perform an unauthenticated vulnerability scan on all servers in the environment
B.Perform a scan for the specific vulnerability on all web servers
C.Perform a web vulnerability scan on all servers in the environment
D.Perform an authenticated scan on all web servers in the environment
B.Perform a scan for the specific vulnerability on all web servers
Explanation:
OBJ-2.2: Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).
What is the BEST explanation for why consumer-based IoT devices are less secure than traditional desktops and servers?
A.IoT devices are unable to receive patches and updates
B.IoT devices focus on convenience more than security
C.IoT devices are not powerful enough to support encryption
D.IoT devices are only used in low security cases
B.IoT devices focus on convenience more than security
Explanation:
OBJ-2.5: IoT device manufacturers are more focused on making the devices convenient to use instead of ensuring they have strong security. The other options are incorrect and not true. IoT devices can receive patches and updates through an over-the-air firmware update if a manufacturer creates the patches. IoT devices are powerful these days, and they can support encryption and other security features if manufacturers would add them to their code. IoT devices are not just used in low-security use cases, either. For example, IoT devices are often used as life-saving devices in hospitals or security systems in our homes. Unfortunately, IoT devices are notoriously lax when it comes to security. Some IoT systems may even allow a user full remote control of a device.
A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately, the firm locked the file with a password so the potential employee cannot fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he can find the correct password or attempts every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?
A.Man-in-the-middle attack
B.Brute-force attack
C.Dictionary attack
D.Session hijacking
C.Dictionary attack
Explanation:
OBJ-2.4: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
You just completed an nmap scan against a workstation and received the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Based on these results, which of the following operating system is most likely being run by this workstation?
A.Ubuntu
B.macOS
C.CentOS
D.Windows
D.Windows
Explanation:
OBJ-2.1: The workstation is most likely running a version of the Windows operating system. Port 139 and port 445 are associated with the SMB file and printer sharing service run by Windows. Since Windows 2000, the NetBIOS file and print sharing has been running over these ports on all Windows systems by default.