Prepare for the CompTIA PenTest+ PT0-002 exam with this free practice test. Randomly generated and customizable, this test allows you to choose the number of questions.
Tokens issued by a server during a session can be scoped strictly enough to prevent interception and reuse by an unauthorized party.
False
True
Tokens, also known as session tokens, are susceptible to different types of attacks if not secured properly. Although tokens can be scoped, if token handling mechanisms are not implemented with strong security controls, such as proper encryption and validation measures, they can still be intercepted and misused by attackers. The correct answer reflects the understanding that without adequate security controls, even well-scoped tokens can be vulnerable to interception and unauthorized reuse.
AI Generated Content may display inaccurate information, always double-check anything important.
Given that you are conducting an internal penetration test and need to enumerate assets within the organization’s network, which Nmap command or script would you use to produce the most comprehensive list of live hosts, open ports, and services?
--top-ports 100
-Pn
-sV -O --script=all
-sn
The correct answer is -sV -O --script=all. The -sV option enables version detection, probing open ports to determine service and version information, while -O triggers OS detection. Combining these with --script=all runs the full set of NSE scripts, default and non-default, which check for a wide range of vulnerabilities and configurations, making it the most comprehensive choice for asset enumeration. -sn performs host discovery only and would not enumerate open ports or services. --top-ports 100 scans only the 100 most common ports and could miss less common but potentially critical ones. -Pn skips host discovery and treats every target as up; it is used when targets should be scanned whether or not they respond to discovery probes, and by itself it adds no service or OS enumeration.
Which scanner is most effective for testing web applications for potential vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and file inclusion?
Nessus
Open vulnerability assessment scanner (OpenVAS)
OWASP ZAP
Nmap
OWASP ZAP (Zed Attack Proxy) is designed specifically for testing web applications and includes features to identify injection flaws, XSS and other common web application vulnerabilities. Nessus, while a robust vulnerability scanner, is better suited to general network security assessments than to specialized web application testing. Acunetix is another web application scanner, but it is not among the provided options. Nmap is primarily a network discovery and security auditing tool used for scanning and enumeration rather than for testing web applications for the vulnerabilities listed.
A penetration tester can capture and analyze all network traffic passing through a switch by simply connecting to any of its ports without additional configurations.
False
True
This statement is false because switches forward frames only to the port associated with the destination MAC address, in contrast to hubs, which send every packet to all ports. To capture all network traffic, a penetration tester would need to perform a specific attack, such as ARP spoofing, to trick the switch into sending them traffic intended for another host, or otherwise configure the port for mirroring (also known as port spanning).
In a red team exercise against a company's cloud infrastructure, you discover that the Elastic Compute Cloud (EC2) instances are configured to allow any attached role to access the instance metadata service without restrictions. With this misconfiguration in mind, what sophisticated technique should be used to carry out an attack that leverages the instance metadata service to gain escalated privileges within the cloud environment?
Engage in Kerberoasting to steal Kerberos tickets from the EC2 instances and gain access to the metadata service.
Use NTLM relay attacks to capture authentication details and replay them against the metadata service for escalated cloud privileges.
Execute a Direct-to-Origin attack by accessing the instance metadata service directly to retrieve security credentials for IAM role escalation.
Perform a VLAN hopping attack to bypass network segmentation and access the metadata service from a compromised instance within the same VLAN.
A Direct-to-Origin attack is a sophisticated technique that requires bypassing external defenses to directly interact with the cloud services, such as the metadata service. In this context, the attack could be performed by interacting directly with the EC2 instance's metadata service, typically over HTTP on a specific IP address. By requesting security credentials for an IAM role that's associated with the EC2 instance, an attacker can potentially leverage these credentials for AWS API calls, which may lead to privilege escalation if the role has extensive permissions.
You have completed a penetration test for a large financial organization and are required to share the final report containing sensitive vulnerability details with multiple stakeholders. Which method should you use to distribute the report securely, as per best practices?
Uploading the report to a password-protected public website where stakeholders can download it.
Encrypting the report and sending it via an encrypted email service, accessible only to authorized stakeholders with the decryption key.
Storing the report on a cloud service without implementing user-specific access controls.
Sending the report via standard email with no encryption.
Posting direct download links to the report on a private forum frequented by the stakeholders.
Distributing physical copies of the report in sealed envelopes via courier services.
Using an encrypted email ensures that the contents of the report are protected during transit and can only be accessed by individuals who have the encryption key or password. This maintains confidentiality and integrity of the findings. Using a standard email without encryption risks exposure of sensitive data to unauthorized individuals due to potential interception. A cloud service without proper security controls or a password-protected public website fails to control access appropriately, potentially allowing unauthorized users to access the report. Physical documents can be secure but are not practical for distributing to multiple stakeholders, especially those in different geographical locations.
During a penetration test, you are tasked with crafting a phishing campaign to test the organization's resilience to social engineering efforts. Using the Social Engineering Toolkit, which of the following would be the BEST approach to emulate a realistic spear-phishing attack?
Modify the organization's public website to redirect to your malicious site.
Clone a known trusted site and slightly modify it to collect user credentials.
Replicate an exact copy of their public website to confuse employees.
Send out generic business-related documents that contain no organization-specific information.
The correct answer is to clone a known trusted site and slightly modify it (e.g., a login page of their webmail) to collect user credentials. This approach is considered the most effective because it presents a familiar interface to the target, thereby increasing the likelihood of the phishing attack being successful. In contrast, replicating an exact copy of a website may raise red flags if the URL or security certificates don't match, while modifying a company's public website or sending unrelated documents might not be as convincing or relevant to the targeted individual.
Which of the following best describes the purpose of the CVE system?
A standardized list of identified cybersecurity vulnerabilities
A system for fixing and patching cybersecurity flaws
A ranking system for the severity of cybersecurity threats
A specific type of cybersecurity vulnerability exploit
The correct answer is 'A standardized list of identified cybersecurity vulnerabilities', because the CVE system provides a common nomenclature for publicly known information-security vulnerabilities and exposures, a foundational element for effective data exchange and cybersecurity assessment. 'A system for fixing and patching cybersecurity flaws' is incorrect because CVE does not fix vulnerabilities; it identifies and catalogs them. 'A specific type of cybersecurity vulnerability exploit' is incorrect because CVE is not an exploit itself but a reference for known vulnerabilities. 'A ranking system for the severity of cybersecurity threats' is incorrect because CVE does not rate severity; it provides a reference so that severity can be assessed by other means, such as the Common Vulnerability Scoring System (CVSS).
During a penetration test, you have been tasked with executing a watering hole attack against a company's employees who routinely visit industry-specific forums and web resources. Before launching the attack, what is the most crucial step to ensure the success of the operation?
Cracking the Wi-Fi encryption used by the company's employees
Conducting reconnaissance to identify the websites most frequently visited by the target group
Monitoring network traffic to capture employee credentials
Updating malware signatures to ensure non-detection by antivirus software
The correct answer is 'Conducting reconnaissance to identify the websites most frequently visited by the target group', which is essential in a watering hole attack. By understanding where the company's employees typically gather information or communicate online, the penetration tester can focus efforts on compromising one or more of those specific sites to deliver the payload effectively. Monitoring network traffic to capture employee credentials might help in other types of attacks but does not address the need to identify specific websites for a watering hole attack. Updating malware signatures, whatever its role elsewhere, does not contribute to preparing or executing a watering hole attack. Cracking the Wi-Fi encryption used by the company's employees is irrelevant to the initial step of a watering hole attack, which is focused on compromising websites rather than intercepting wireless data.
During a penetration test, you observe that a network device is continuously broadcasting requests to identify the hardware address corresponding to a known network address. Seeking to intercept and alter the communication between this device and another server within the same broadcast domain, which method would be most suitable for inserting yourself into their communication stream?
Deploying an unauthorized DHCP server to reroute traffic through your machine
Capturing packets passively to analyze traffic without sending any of your own
Introducing forged address resolution protocol responses to bind your hardware address with the server's network address
Flooding the network with traffic to prevent legitimate communications from occurring
ARP poisoning involves sending falsified address resolution protocol messages to associate the attacker's hardware address with a legitimate network address of another device. This misdirection allows the attacker to intercept, modify, or block communications intended for the original hardware address.
Which of the following options is the BEST method to identify assets hosted in the cloud as part of an organization's infrastructure during a penetration test?
Reviewing job listings from the organization to infer cloud services in use.
Utilizing traditional network scanners to scan IP ranges owned by the organization.
Employing cloud service discovery tools designed to query cloud provider APIs and enumerate resources.
Conducting wardriving around the vicinity of the organization's physical location.
Using dedicated cloud service discovery tools is the most effective method for identifying assets hosted in the cloud. These tools are designed specifically to detect and enumerate resources running in cloud environments. Scanning with conventional network scanners without cloud-specific functionality may not reveal all the cloud-based assets, as they might not be able to interact with cloud APIs or understand cloud-specific resource conventions and services. Wardriving is a technique used for discovering wireless networks and is not applicable to cloud asset discovery. Checking job listings might incidentally reveal some technologies being used but is not a systematic approach to discovering cloud-hosted assets.
When conducting a penetration test, which of the following best describes a scenario where Ettercap is MOST effective?
Creating an encrypted reverse shell to secure the communication channel with a compromised host.
ARP poisoning to intercept and modify traffic between two systems on a local network.
Exploiting misconfigured server-side request forgery (SSRF) vulnerabilities.
Code signing to ensure the integrity and origin of the software to be installed.
Ettercap is highly effective for ARP poisoning, a technique used to intercept the traffic between two hosts on a network. Its ability to conduct ARP spoofing allows a penetration tester to reroute traffic through their own system, permitting them to sniff packets or even modify them on the fly before forwarding them to the intended recipient. This makes ARP poisoning the best scenario for making use of Ettercap's capabilities, as it is designed specifically to handle such attacks efficiently. The other options, such as creating a reverse shell or code signing, are unrelated to Ettercap's core functionality and are therefore incorrect in this context.
Which of the following outcomes of manually inspecting web links indicates the highest risk and should be prioritized for further investigation during a penetration testing engagement?
Finding several web links that are mislabeled leading to pages with different content than expected.
Discovery of server-side scripts that are not executed but can be downloaded through a web link.
Uncovering personal data that appears to be used for test purposes in the development version of the site.
Discovery of backup files containing source code and database credentials left in a directory accessible through a web link.
The correct answer is 'Discovery of backup files containing source code and database credentials left in a directory accessible through a web link'. This is the highest risk because backup files can contain sensitive information, including source code and credentials, that could be used to gain unauthorized access to systems. Finding personal data or downloadable server scripts, while important, does not immediately constitute a high risk, and mislabeled links usually represent a lower risk related to site usability rather than security.
During a penetration testing contract, the client has specifically requested an evaluation of existing physical security measures. Your assessment reveals that the current video surveillance system only covers entry and exit points but does not monitor the server room, which houses critical infrastructure. When compiling your findings report, how should this observation be presented to the client?
Upgrading the resolution of current cameras to capture clearer imagery
Maintaining the current surveillance setup since it adequately covers all necessary areas
A recommendation for increasing surveillance to include critical areas such as the server room
Reducing the hours of surveillance to conserve resources during business hours
The correct answer is 'A recommendation for increasing surveillance to include critical areas such as the server room'. A comprehensive security program includes surveillance of all sensitive areas, not just entry/exit points. By highlighting the lack of coverage in the server room, you align the physical security recommendation with the protective needs of critical infrastructure. The other options are incorrect because they either do not address the issue identified (maintaining the current surveillance setup), contradict best practices (reducing surveillance during business hours), or are unrelated to the issue (upgrading the resolution of existing cameras is not the main concern if critical areas are not under surveillance).
During a penetration test, you have identified that an organization's web application is vulnerable to SQL injection attacks. Which of the following recommendations would be most effective in mitigating this risk?
Keep the web server and database server software up to date through regular patch management
Sanitize user input and utilize parameterized queries
Enforce strong password requirements for all application users
Implement multifactor authentication for user logins
Encrypt passwords stored within the application database
Sanitizing user input is the primary defense against SQL injection attacks. It involves validating and cleaning up all user-supplied data to prevent malicious SQL code from being executed. Parameterized queries, which separate SQL logic from data, are also an effective measure against SQL injection as they ensure that the input is treated strictly as data, not executable code. While strong passwords and multifactor authentication can improve overall security, they do not directly protect against SQL injection attacks. Similarly, encrypting passwords is essential for data protection but is not a mitigation strategy for SQL injection vulnerabilities. Regular patch management is important for addressing known vulnerabilities, but not as directly related to preventing SQL injections as sanitizing input and using parameterized queries.