PT0-002 Practice Exam Questions and Answers

Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?

Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?

A penetration tester has been hired to configure and conduct authenticated scans of all the servers on a software company’s network. Which of the following accounts should the tester use to return the MOST results?

A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?

Which of the following BEST describe the OWASP Top 10? (Choose two.)

The results of an Nmap scan are as follows:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-24 01:10 EST

Nmap scan report for ( 10.2.1.22 )

Host is up (0.0102s latency).

Not shown: 998 filtered ports

Port State Service

80/tcp open http

|_http-title: 80F 22% RH 1009.1MB (text/html)

|_http-slowloris-check:

| VULNERABLE:

| Slowloris DoS Attack

| <..>

Device type: bridge|general purpose

Running (JUST GUESSING) : QEMU (95%)

OS CPE: cpe:/a:qemu:qemu

No exact OS matches found for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/.

Nmap done: 1 IP address (1 host up) scanned in 107.45 seconds

Which of the following device types will MOST likely have a similar response? (Choose two.)

A penetration tester was able to gain access successfully to a Windows workstation on a mobile client’s laptop. Which of the following can be used to ensure the tester is able to maintain access to the system?

A penetration tester is reviewing the following SOW prior to engaging with a client:

“Network diagrams, logical and physical asset inventory, and employees’ names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client’s Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.”

Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)

A compliance-based penetration test is primarily concerned with:

A penetration tester who is doing a security assessment discovers that a critical vulnerability is being actively exploited by cybercriminals. Which of the following should the tester do NEXT?

A tester who is performing a penetration test on a website receives the following output:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62

Which of the following commands can be used to further attack the website?

Which of the following expressions in Python increase a variable val by one (Choose two.)

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider’s metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen. A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM. Which of the following cloud attacks did the penetration tester MOST likely implement?

A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?

A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?

When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?

You are a security analyst tasked with hardening a web server.

You have been given a list of HTTP payloads that were flagged as malicious.

INSTRUCTIONS

Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.)

A penetration tester ran an Nmap scan on an Internet-facing network device with the –F option and found a few open ports. To further enumerate, the tester ran another scan using the following command:

nmap –O –A –sS –p- 100.100.100.50

Nmap returned that all 65,535 ports were filtered. Which of the following MOST likely occurred on the second scan?

Which of the following types of information should be included when writing the remediation section of a penetration test report to be viewed by the systems administrator and technical staff?

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?

Deconfliction is necessary when the penetration test:

A company conducted a simulated phishing attack by sending its employees emails that included a link to a site that mimicked the corporate SSO portal. Eighty percent of the employees who received the email clicked the link and provided their corporate credentials on the fake site. Which of the following recommendations would BEST address this situation?

Which of the following describe the GREATEST concerns about using third-party open-source libraries in application code? (Choose two.)

A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal. Some of the files that were discovered through this vulnerability are:

Which of the following is the BEST method to help an attacker gain internal access to the affected machine?

A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees’ phone numbers on the company’s website, the tester has learned the complete phone catalog was published there a few months ago.

In which of the following places should the penetration tester look FIRST for the employees’ numbers?

A company becomes concerned when the security alarms are triggered during a penetration test. Which of the following should the company do NEXT?

A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible.

Which of the following Nmap scan syntaxes would BEST accomplish this objective?

Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance?

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client’s information?

Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?

A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours. Which of the following BEST describes why this would be necessary?

A penetration tester is working on a scoping document with a new client. The methodology the client uses includes the following:

• Pre-engagement interaction (scoping and ROE)
• Intelligence gathering (reconnaissance)
• Threat modeling
• Vulnerability analysis
• Exploitation and post exploitation
• Reporting

Which of the following methodologies does the client use?

A company recruited a penetration tester to configure wireless IDS over the network. Which of the following tools would BEST test the effectiveness of the wireless IDS solutions?

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?

A software development team is concerned that a new product's 64-bit Windows binaries can be deconstructed to the underlying code. Which of the following tools can a penetration tester utilize to help the team gauge what an attacker might see in the binaries?

A security analyst is conducting an unknown environment test from 192.168 3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems. Which of the following Nmap commands should the analyst use to achieve This objective?

During a code review assessment, a penetration tester finds the following vulnerable code inside one of the web application files:

<% String id = request.getParameter("id"); %>

Employee ID: <%= id %>

Which of the following is the best remediation to prevent a vulnerability from being exploited, based on this code?

Penetration on an assessment for a client organization, a penetration tester notices numerous outdated software package versions were installed ...s-critical servers. Which of the following would best mitigate this issue?

A penetration tester is conducting an on-path link layer attack in order to take control of a key fob that controls an electric vehicle. Which of the following wireless attacks would allow a penetration tester to achieve a successful attack?

A penetration tester is reviewing the security of a web application running in an laaS compute instance. Which of the following payloads should the tester send to get the running process credentials?

A penetration tester is performing reconnaissance for a web application assessment. Upon investigation, the tester reviews the robots.txt file for items of interest.

INSTRUCTIONS

Select the tool the penetration tester should use for further investigation.

Select the two entries in the robots.txt file that the penetration tester should recommend for removal.

A penetration testing firm wants to hire three additional consultants to support a newly signed long-term contract with a major customer. The following is a summary of candidate

background checks:

Which of the following candidates should most likely be excluded from consideration?

A penetration tester is conducting an assessment for an e-commerce company and successfully copies the user database to the local machine. After a closer review, the penetration tester identifies several high-profile celebrities who have active user accounts with the online service. Which of the following is the most appropriate next step?

During an engagement, a penetration tester was able to upload to a server a PHP file with the following content:

Which of the following commands should the penetration tester run to successfully achieve RCE?

During a security assessment of a web application, a penetration tester was able to generate the following application response:

Unclosed quotation mark after the character string Incorrect syntax near ".

Which of the following is the most probable finding?

A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?

A penetration tester observes an application enforcing strict access controls. Which of the following would allow the tester to bypass these controls and successfully access the organization's sensitive files?

Which of the following tools would be best to use to conceal data in various kinds of image files?

During a security assessment, a penetration tester decides to write the following Python script: import requests

x= ['OPTIONS', 'TRACE', 'TEST'l

for y in x;

z - requests.request(y, 'http://server.net ')

print(y, z.status_code, z.reason)

Which of the following is the penetration tester trying to accomplish? (Select two).

A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?

A penetration tester is taking screen captures of hashes obtained from a domain controller. Which of the following best explains why the penetration tester should immediately obscure portions of the images before saving?

Which of the following tools provides Python classes for interacting with network protocols?

A security firm is discussing the results of a penetration test with a client. Based on the findings, the client wants to focus the remaining time on a critical network segment. Which of the following best describes the action taking place?

An executive needs to use Wi-Fi to connect to the company's server while traveling. While looking for available Wi-Fi connections, the executive notices an available access point to a hotel chain that is not available where the executive is staying. Which of the following attacks is the executive most likely experiencing?

During a security assessment, a penetration tester decides to implement a simple TCP port scanner to check the open ports from 1000 to 2000. Which of the following Python scripts would achieve this task?

Which of the following describes how a penetration tester could prioritize findings in a report?

During a client engagement, a penetration tester runs the following Nmap command and obtains the following output:

nmap -sV -- script ssl-enum-ciphers -p 443 remotehost

| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

| TLS_ECDHE_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_SHA (rsa 2048)

TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)

Which of the following should the penetration tester include in the report?

A penetration tester is trying to bypass an active response tool that blocks IP addresses that have more than 100 connections per minute. Which of the following commands would allow the tester to finish the test without being blocked?

A penetration tester is testing a company's public API and discovers that specific input allows the execution of arbitrary commands on the base operating system. Which of the following actions should the penetration tester take next?

A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

INSTRUCTIONS

Select the appropriate answer(s), given the output from each section.

Output 1

A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:

Which of the following is the penetration tester conducting?

A penetration tester wants to find the password for any account in the domain without locking any of the accounts. Which of the following commands should the tester use?

Which of the following documents would be the most helpful in determining who is at fault for a temporary outage that occurred during a penetration test?

A penetration tester is conducting an assessment of an organization that has both a web and mobile application. While testing the user profile page, the penetration tester notices that additional data is returned in the API response, which is not displayed in the web user interface. Which of the following is the most effective technique to extract sensitive user data?

A penetration tester is conducting a test after hours and notices a critical system was taken down. Which of the following contacts should be notified first?

A penetration testing firm performs an assessment every six months for the same customer. While performing network scanning for the latest assessment, the penetration tester observes that several of the target hosts appear to be residential connections associated with a major television and ISP in the area. Which of the following is the most likely reason for the observation?

A penetration tester runs the following command:

nmap -p- -A 10.0.1.10

Given the execution of this command, which of the following quantities of ports will Nmap scan?

A penetration tester managed to exploit a vulnerability using the following payload:

IF (1=1) WAIT FOR DELAY '0:0:15'

Which of the following actions would best mitigate this type ol attack?

During an assessment, a penetration tester discovers the following code sample in a web application:

"(&(userid=*)(userid=*))(I(userid=*)(userPwd=(SHAl}a9993e364706816aba3e25717850c26c9cd0d89d==))

Which of the following injections is being performed?

A penetration tester is enumerating shares and receives the following output:

Which of the following should the penetration tester enumerate next?

Within a Python script, a line that states print (var) outputs the following:

[{'1' : 'CentOS', '2' : 'Ubuntu'), {'1' : 'Windows 10', '2' : 'Windows Server 2016'}]

Which of the following objects or data structures is var ?

A penetration tester is conducting an assessment on 192.168.1.112. Given the following output:

[ATTEMPT] target 192.168.1.112 - login "root" - pass "abcde"

[ATTEMPT] target 192.168.1.112 - login "root" - pass "edcfg"

[ATTEMPT] target 192.168.1.112 - login "root" - pass "qazsw"

[ATTEMPT] target 192.168.1.112 - login "root" – pass “tyuio”

Which of the following is the penetration tester conducting?

A penetration tester is performing an assessment for an application that is used by large organizations operating in the heavily regulated financial services industry. The penetration tester observes that the default Admin User account is enabled and appears to be used several times a day by unfamiliar IP addresses. Which of the following is the most appropriate way to remediate this issue?

A client asks a penetration tester to retest its network a week after the scheduled maintenance window. Which of the following is the client attempting to do?

A penetration tester is working to enumerate the PLC devices on the 10.88.88.76/24 network. Which of the following commands should the tester use to achieve the objective in a way that minimizes the risk of affecting the PLCs?

A physical penetration tester needs to get inside an organization's office and collect sensitive information without acting suspiciously or being noticed by the security guards. The tester has observed that the company's ticket gate does not scan the badges, and employees leave their badges on the table while going to the restroom. Which of the following techniques can the tester use to gain physical access to the office? (Choose two.)

A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities. Which of the following tools would be BEST suited for this task?

A penetration tester receives the following results from an Nmap scan:

Which of the following OSs is the target MOST likely running?

A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the RO

E.  

A penetration tester found several critical SQL injection vulnerabilities during an assessment of a client's system. The tester would like to suggest mitigation to the client as soon as possible.

Which of the following remediation techniques would be the BEST to recommend? (Choose two.)

A penetration tester is conducting an assessment against a group of publicly available web servers and notices a number of TCP resets returning from one of the web servers. Which of the following is MOST likely causing the TCP resets to occur during the assessment?

A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of the following would MOST likely accomplish this goal?

Which of the following documents is agreed upon by all parties associated with the penetration-testing engagement and defines the scope, contacts, costs, duration, and deliverables?

A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the MOST likely reason for the error?

When planning a penetration-testing effort, clearly expressing the rules surrounding the optimal time of day for test execution is important because:

A company provided the following network scope for a penetration test:

169.137.1.0/24

221.10.1.0/24

149.14.1.0/24

A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake?

Which of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully?

During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data?

A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?

Which of the following is the most secure method for sending the penetration test report to the client?

A Chief Information Security Officer wants to evaluate the security of the company's e-commerce application. Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?

The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management. Which of the following did the penetration tester perform?

ion tester is attempting to get more people from a target company to download and run an executable. Which of the following would be the.. :tive way for the tester to achieve this objective?

A penetration tester discovered a code repository and noticed passwords were hashed before they were stored in the database with the following code? salt = ‘123’ hash = hashlib.pbkdf2_hmac(‘sha256’, plaintext, salt, 10000) The tester recommended the code be updated to the following salt = os.urandom(32) hash = hashlib.pbkdf2_hmac(‘sha256’, plaintext, salt, 10000) Which of the following steps should the penetration tester recommend?

While performing the scanning phase of a penetration test, the penetration tester runs the following command:

........v -sV -p- 10.10.10.23-28

....ip scan is finished, the penetration tester notices all hosts seem to be down. Which of the following options should the penetration tester try next?

A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability. Which of the following should the penetration tester consider BEFORE running a scan?

After gaining access to a previous system, a penetration tester runs an Nmap scan against a network with the following results:

The tester then runs the following command from the previous exploited system, which fails:

Which of the following explains the reason why the command failed?

During a penetration tester found a web component with no authentication requirements. The web component also allows file uploads and is hosted on one of the target public web the following actions should the penetration tester perform next?

Which of the following would a company's hunt team be MOST interested in seeing in a final report?

A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign. Which of the following is the BEST passive method of obtaining the technical contacts for the website?

After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands:

Which of the following attacks is the penetration tester most likely trying to perform?

Which of the following is a rules engine for managing public cloud accounts and resources?

A penetration tester uncovers access keys within an organization's source code management solution. Which of the following would BEST address the issue? (Choose two.)

A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary. Which of the following vulnerabilities is the security consultant MOST likely to identify?

The following output is from reconnaissance on a public-facing banking website:

Based on these results, which of the following attacks is MOST likely to succeed?

A penetration-testing team needs to test the security of electronic records in a company's office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement?

A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?

A penetration tester captured the following traffic during a web-application test:

Which of the following methods should the tester use to visualize the authorization information being transmitted?

During an engagement, a penetration tester found the following list of strings inside a file:

Which of the following is the BEST technique to determine the known plaintext of the strings?

A penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that says "WAITFOR." Which of the following attacks is being attempted?

A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists. Which of the following should be the FIRST step to plan the reconnaissance activities?

A security analyst needs to perform an on-path attack on BLE smart devices. Which of the following tools would be BEST suited to accomplish this task?

A penetration tester who is performing an engagement notices a specific host is vulnerable to EternalBlue. Which of the following would BEST protect against this vulnerability?