Crucial Exams - Practice Questions Flashcards
https://crucialexams.com/exams/comptia/pentest/pt0-002/practice-tests-practice-questions
As part of an internal security assessment, you are required to scan a network segment that contains older, production-critical systems known for their fragility in terms of network traffic handling. Your objective is to identify vulnerabilities without causing system disruptions. Which scanning method would be most appropriate for this scenario?
- Credentialed scan
- TCP connect scan
- Non-credentialed scan
- Stealth scan
Credentialed scan
A credentialed scan is the appropriate choice when dealing with fragile systems. This method uses valid access credentials to perform a more in-depth and safer examination of the target systems, reducing the risk of causing disruptions which may occur with more aggressive uncredentialed scans that can overwhelm sensitive systems. A non-credentialed scan can risk causing issues with fragile systems due to the more intrusive nature of the probing. A stealth scan’s main purpose is to avoid detection, and while it can be less noisy on the network, it might still cause a fragile system to become unstable. Transmission Control Protocol (TCP) connect scans are more intrusive as they establish a full TCP connection, potentially leading to system instability.
When attempting to identify vulnerabilities in a thick client application that interacts with a web service backend, which feature of the Burp Suite community edition should a penetration tester use to MOST effectively analyze and manipulate the HTTP/S traffic between the client and the server?
- Repeater
- Proxy
- Intruder
- Scanner
Proxy
The correct answer is the Proxy feature. The Proxy feature in Burp Suite acts as an interception proxy, which allows the penetration tester to view, modify, and resend HTTP/S requests and responses passing through it. This is essential for testing thick client applications that communicate with a web service backend, as it enables the tester to analyze the traffic for potential vulnerabilities. The Scanner feature is not available in the community edition, which is why it’s an incorrect answer, and Intruder and Repeater are features that are best suited for other types of testing such as automated attacks and manual request resending respectively, rather than initial traffic analysis and interception.
You are conducting a penetration test against an AWS environment and require a tool that can efficiently identify IAM weaknesses and escalate privileges. What is the BEST tool to perform this task while also offering the ability to automate the exploitation of several discovered vulnerabilities?
- Metasploit
- Pacu
- OWASP ZAP
- Scout Suite
Pacu
Pacu is designed as an open-source AWS exploitation framework, providing penetration testers with the ability to simulate an adversary that has obtained credentials to an AWS account. For IAM weaknesses and privilege escalation, Pacu is especially potent due to its specialized modules that automate the exploitation of vulnerabilities. It can aid in revealing misconfigurations that could lead to privilege escalation or other security issues within AWS services. While tools like Scout Suite and OWASP ZAP are powerful in their respective domains (configuration auditing and web application security testing), they are not specialized for IAM weakness identification and exploitation in AWS environments. Metasploit is a versatile penetration testing tool, but it is not cloud-centric like Pacu and does not offer the same in-depth functionality for AWS IAM exploitation.
During the information gathering phase of a penetration test, you are tasked with using strategic search engine analysis to uncover potential leads about an organization’s internet-facing infrastructure. Which of the following search queries could reveal the existence of sensitive documents that the company did not intend to make public?
- example.com:2087 -site:example.com
- intitle:index.of server at example.com
- site:example.com filetype:pdf confidential
- link:example.com -site:example.com
site:example.com filetype:pdf confidential
The search query ‘site:example.com filetype:pdf confidential’ is correct because it explicitly looks for PDF files on the domain ‘example.com’ that contain the keyword ‘confidential’. This type of search is commonly used by penetration testers to find sensitive documents that might have been inadvertently exposed. The use of ‘filetype’ refines the search to a specific type of document, increasing the chances of finding documents with potentially sensitive information. Conversely, the other options do not apply the same level of specificity or relevance to finding sensitive documents unintentionally made public.
Scout Suite
Scout Suite is a multi-cloud security auditing tool that assesses the configuration of cloud environments to identify potential security risks. It supports major cloud providers such as AWS, Azure, Google Cloud Platform, and others. The tool allows penetration testers to evaluate cloud configurations for misconfigurations and vulnerabilities, enabling better security postures.
As a penetration tester, you have been tasked to assess the security of a company’s wireless infrastructure. You decide to simulate an evil twin attack to test the network’s resilience to credential theft. Which tool would you use to create a rogue access point that replicates the company’s WPA2-Enterprise network in order to capture employee credentials?
- Use EAPHammer to create the rogue access point and facilitate the attack to capture credentials.
- Deploy mdk4 to conduct a denial-of-service attack on the network, effectively disrupting the wireless services.
- Implement Kismet for network detection and packet sniffing on the target wireless network.
- Utilize Aircrack-ng to crack the WPA2 password and gain unauthorized access to sensitive information.
Use EAPHammer to create the rogue access point and facilitate the attack to capture credentials.
EAPHammer is specifically designed for such a scenario, where it can be used to create a rogue access point that mimics the legitimate WPA2-Enterprise network. It can then capture credentials as employees unwittingly connect to this malicious access point, thinking it is the corporate network. The incorrect answers, while related to Wi-Fi security, do not provide the functionality to mimic WPA2-Enterprise networks for the purpose of capturing credentials through such an attack.
EAPHammer
- tool designed to conduct targeted wireless network attacks
- particularly against WPA2-Enterprise networks
- automates attacks such as rogue access point (EAP-based) creation, credential harvesting, and network impersonation
- used to identify weaknesses in enterprise wireless configurations
Which method of using search engines for passive reconnaissance is most likely to yield comprehensive insight into potential vulnerabilities within a target organization’s web applications?
- Looking up the main company website to analyze the business’ profile and obtain general contact information.
- Reviewing the company’s public financial reports to identify budget allocations for cybersecurity.
- Searching the company’s social media feeds for general technology updates or event announcements.
- Using advanced search engine queries with operators to find exposed sensitive information or misconfigurations.
Using advanced search engine queries with operators to find exposed sensitive information or misconfigurations.
By using advanced search engine queries, such as those involving site:, filetype:, inurl:, or intext: operators, a penetration tester can discover sensitive information that may be inadvertently exposed on public websites. This can include configuration files, user credentials, or revealing error messages. This type of strategic search can uncover a wide array of vulnerabilities or misconfigurations more effectively than basic company details or generic searches, which tend to yield only surface-level information. The incorrect answers focus on specific narrow aspects that are less likely to provide a broad view of potential vulnerabilities across web applications.
During a security audit of an application stack, you notice the application is utilizing an outdated open source component known for its critical vulnerabilities that have been patched in subsequent releases. Exploiting these vulnerabilities could lead attackers to compromise the hosting server. Which type of vulnerability does this scenario BEST describe?
- Patching fragmentation
- Dependency vulnerabilities
- Race conditions
- System misconfigurations
Dependency vulnerabilities
The scenario describes a dependency vulnerability, which occurs when an application relies on external components, libraries, or frameworks with known security issues that are not patched or updated. Attackers might exploit these vulnerabilities to breach systems if the dependencies are outdated and contain unfixed security flaws. Patching fragmentation refers to the inconsistent application of patches across systems, often seen in organizations with complex environments where some systems remain unpatched. Thus, a system using an outdated and vulnerable component is primarily at risk from dependency vulnerabilities.
During a penetration test, who should you primarily reach out to for discussing specific technical details of the vulnerabilities found?
- C-suite executive
- Third-party stakeholder
- Emergency contact
- Technical contact
Technical contact
The technical contact is the individual within the client organization who possesses the detailed technical knowledge required to understand and act upon the technical aspects of the findings in a penetration test. Other options may have roles in the process, but the technical contact is the go-to for vulnerability discussions, making "Technical contact" the correct answer.
You are conducting a security audit on a web page and have found a section where user input is dynamically inserted into the document without proper sanitation. To confirm the existence of this client-side security flaw, you intend to inject code that creates a dialog box displaying ‘Test’. Which of the following JavaScript snippets would be correctly executed to demonstrate the vulnerability?
- alert('Test');
- aler't('Test');
- confirm('Test');
- Alert('Test');
alert('Test');
The correct answer is alert('Test');, which is the standard JavaScript method for invoking a dialog box with the specified text content. This method is suitable for testing the insertion of malicious scripts, as it should only trigger when JavaScript is executed within the client's browser context. Alert('Test'); is incorrect due to the capital 'A' in 'Alert': JavaScript is case-sensitive, so the identifier is not recognized. aler't('Test'); contains a misplaced single quote, resulting in invalid syntax, so the script would not run. confirm('Test'); would indeed create a dialog box, but one that asks for confirmation (OK/Cancel) and is typically used to demonstrate a different form of interaction than simply providing an alert.
During the planning phase of a penetration test for a retailer that processes payment cards, it is essential to ensure that the testing activities comply with PCI DSS requirements. Which of the following activities during the penetration test requires special consideration to maintain PCI DSS compliance?
- Notifying Visa and Mastercard before starting the penetration test.
- Inserting a hardware keylogger into point-of-sale systems.
- Performing wireless network sniffing in areas where cardholder data is transmitted.
- Social engineering employees to reveal sensitive information.
Performing wireless network sniffing in areas where cardholder data is transmitted.
Performing wireless network sniffing in areas where cardholder data is transmitted requires special consideration. According to PCI DSS Requirement 4.1, strong encryption must be used during the transmission of cardholder data over open, public networks to safeguard transmission security. A penetration tester must ensure that they have permission and the proper segmentation checks in place so that they do not inadvertently capture or decrypt cardholder data, which would violate PCI DSS. Social engineering employees to reveal sensitive information isn’t directly restricted by PCI DSS during a pen test; it’s an accepted testing technique if agreed upon in the scope. Inserting a hardware keylogger into point-of-sale systems is not against PCI DSS as long as it’s permitted and controlled as part of the pen test, and there isn’t a requirement for notifying the card schemes in advance of a penetration test.
Which PCI DSS requirements should you know?
- Annual and Quarterly Testing
- Scope of Testing: Test the entire cardholder data environment (CDE), including external, public-facing perimeters and LAN-to-LAN attack surfaces; Validate network segmentation to confirm systems are isolated and scope is reduced
- Vulnerability Scanning & Mitigation: both internal and external vulnerability scans quarterly and after significant changes.
- Segmentation Testing
BurpSuite Modules to know
Repeater: This module allows testers to manually edit and replay HTTP/S requests to observe server responses. It's useful for testing specific inputs and analyzing the resulting behavior.
Scanner: Available in the professional version, the scanner automates the discovery of vulnerabilities in web applications by identifying issues like SQL injection or cross-site scripting.
Intruder: This module is used to automate customized attacks, such as brute force, by sending a series of payloads to a target. It provides flexibility in testing various scenarios and input combinations.
Main Features of BurpSuite
Web Application Testing Toolset: Burp Suite is a comprehensive web application vulnerability scanning and penetration testing toolkit that includes features like vulnerability scanning and request interception.
Interception Proxy: This tool can intercept HTTP/S traffic between a web browser and a web server, enabling manual manipulation of requests for testing security defenses.
Versions: Available in a community edition (free) and a professional edition (paid), with the professional edition offering enhanced automation and scanning features.
Usage Contexts: While primarily associated with web application security, it is also referenced in the textbook in relation to testing mobile application backends and APIs.
A penetration tester is tasked with evaluating the security of a mobile application. The tester wants to analyze the behavior of the application in a controlled environment to observe how it interacts with system resources and other applications. Which of the following is the BEST method to accomplish this goal?
- Leveraging a mobile security framework for static code analysis
- Deploying the application on a segmented area of the production network
- Using a mobile device emulator
- Running the application on a jailbroken device with monitoring tools
Using a mobile device emulator
Using a mobile device emulator creates a virtual mobile device on which the application can be safely run and analyzed. This allows the penetration tester to observe the application's behavior under different conditions without risking the integrity of a physical device or the production environment. The other options either are not as relevant for behavioral analysis of a mobile application (static code analysis and deploying the application on the production network) or are general tools for mobile security testing that are not specifically designed for behavioral analysis in a controlled environment like an emulator (a jailbroken device with monitoring tools).
As a penetration tester, you’re tasked with testing the strength of password hashes. Which tool would you use to perform brute-force attacks against various hash types in a scalable and effective manner?
- John the Ripper
- Aircrack-ng
- Hashcat
- Wireshark
Hashcat
Hashcat is known for its capability to perform brute-force and dictionary attacks against various types of hashes, making it an essential tool for penetration testers when assessing password security. It is chosen for its efficiency and broad support of hash types.
John the Ripper: While also a hash-cracking tool, it is generally less scalable compared to Hashcat.
During an internal security assessment, a penetration tester needs to identify live hosts without performing a full port scan, to reduce network congestion. Which of the following Nmap options would be most appropriate for the tester to use to simply ping the hosts?
- -p
- -sV
- -sn
- -A
-sn
The ‘-sn’ option in Nmap is used to perform a host discovery, which simply pings the hosts without actually scanning any ports. This is the correct answer as it minimizes the amount of traffic and reduces the chance of causing network disruption. The ‘-sV’ option executes a service version detection, which is more intrusive and creates more traffic, going beyond the requirement of just discovering live hosts. The ‘-A’ option enables OS detection, version detection, script scanning, and traceroute, which would not only produce more traffic but also try to scan and fingerprint hosts, which is not needed in this scenario. The ‘-p’ option specifies the target ports to scan, which does not directly relate to host discovery without port scanning.
A WPS PIN attack requires an attacker to physically access the WPS button on a router to initiate the brute-force process.
- True
- False
False
The correct answer is false because a WPS PIN attack can be performed remotely. Attackers do not need physical access to the router; instead, they exploit the WPS PIN feature to gain access to the network by using software tools that attempt to brute-force the WPS PIN, which is an 8-digit number. Such attacks often exploit the fact that the PIN is validated in two halves, which reduces the number of attempts needed to guess the correct PIN.
As a penetration tester in the initial stage of assessing a target organization’s external IT infrastructure, you need to gather intelligence on potentially vulnerable Internet-facing services without triggering security alerts. Which of the following tools would effectively enable passive reconnaissance to identify exposed services and devices, including specific versions and configurations, from publicly available information?
- Nmap
- CeWL
- theHarvester
- SQLmap
theHarvester
The correct answer is theHarvester. It is specifically designed to gather publicly available information such as email accounts, subdomain names, virtual hosts, open ports, and banners from different public sources like search engines and PGP key servers. This makes it suitable for passive reconnaissance. Nmap is typically employed for active scanning and could inadvertently set off security alarms if used inappropriately. SQLmap is an automatic SQL injection and database takeover tool, which is not intended for initial reconnaissance. CeWL creates custom wordlists from a given URL, useful for creating targeted password lists, but does not serve the purpose of identifying services and devices.
During the preliminary phase of a penetration test, you are given a list of web applications owned by the client company that are to be assessed. The client has emphasized the importance of staying within the boundaries of the scoped engagement. Which of the following actions BEST ensures that the penetration test aligns with the client’s requirements?
- Consult the penetration testing team’s standard checklist for application assessments before starting.
- Begin testing with automated scanning tools to quickly identify potential vulnerabilities in the web applications.
- Immediately start a manual assessment of the first web application on the list to understand its functionality.
- Review the contract and scope of work documents to confirm the web applications and types of tests that are authorized.
Review the contract and scope of work documents to confirm the web applications and types of tests that are authorized.
Reviewing the contract and scope of work documents provided by the client ensures that the penetration tester understands which web applications are included in the engagement and what types of tests can be performed. This helps avoid any unauthorized actions and ensures that the engagement is carried out professionally and ethically. The other options, although potentially useful, do not guarantee adherence to the engagement’s limitations and could lead to actions outside the agreed scope.
During an active reconnaissance phase, a penetration tester is analyzing the URLs of a client’s web application to determine entry points and possible vulnerabilities. Which of the following URL formats is MOST likely to be useful for identifying potential parameters for testing inputs or discovering hidden directories?
- user@example.com?subject=Inquiry
- https://www.example.com/product.php?id=1234&category=tools
- https://www.example.com/privacy
- ftp://ftp.example.com/resources
https://www.example.com/product.php?id=1234&category=tools
The correct answer is ‘https://www.example.com/product.php?id=1234&category=tools’. This URL contains parameters (‘id’ and ‘category’), which can be tested for vulnerabilities such as SQL injection, XSS, and more. A penetration tester could manipulate these parameters to see how the application responds, thereby potentially discovering security flaws.
The incorrect answers listed don’t provide the same level of actionable information. The URL containing the ‘mailto’ protocol is typically used for email and does not usually have parameters that could be tested for web application vulnerabilities. The URL with ‘https://www.example.com/privacy’ is likely a static page and while it could contain potential endpoints for further investigation, it does not explicitly showcase parameters like the correct answer. Lastly, the URL ‘ftp://ftp.example.com/resources’ uses the FTP protocol, which is less likely to be the focus of this type of testing in comparison to HTTP(S), which directly interacts with web applications.
During a penetration test, you have obtained access to a suspect’s computer where you suspect secret information is being transmitted using image files. To confirm your suspicions, you decide to analyze these image files for potential hidden data. Which tool would assist you in uncovering data hidden using steganographic techniques?
- Aircrack-ng
- Wireshark
- Snow
- Steghide
- Gobuster
- OWASP ZAP
Steghide
The correct answer is Steghide. It is a steganography program that is able to hide data in various kinds of image and audio files. The presence of a tool like Steghide on a suspect's computer might suggest that the individual is using steganography to conceal data. The other options listed are also tools used in penetration testing, but they do not specialize in steganography like Steghide. Gobuster is for enumerating files and directories on web servers, Snow is a tool for hiding text in whitespace, and OWASP ZAP is for finding vulnerabilities in web applications. So although these are related to the fields of cybersecurity and penetration testing, they would not typically be used for detecting steganographic data in image files.
Snow
Snow is another steganography tool that utilizes whitespace in text files to hide data. By embedding information in spaces and tabs within the text, it allows for concealed data storage.