Free CompTIA PenTest+ PT0-002 Practice Test

The correct course of action is to immediately report the potential criminal activity to your point of contact within the organization. Penetration testers have a duty to maintain professionalism and integrity, which includes identifying and reporting criminal activity. While further investigation may be compelling, acting upon this impulse could interfere with legal proceedings and the chain of custody for evidence.

Censys is the correct answer because it scans the internet for information about hosts, websites, and certificates, providing searchable data that penetration testers can use to find security risks and misconfigurations. 'Nessus' is an incorrect answer because it is a vulnerability scanner rather than a searchable database of internet-connected devices. 'John the Ripper' is a password-cracking tool, not an OSINT tool. 'WiGLE' is used for mapping wireless networks and is not designed to provide the same type of host, website, and certificate information.

Defining a comprehensive target list that specifies in-scope assets such as IP ranges, domains, and which cloud services are included in the test is crucial for ensuring that the penetration test is contained within the agreed scope. Testing beyond the specified target list could lead to unauthorized access and potential legal issues. Answers that suggest starting the test immediately or bypassing the scope with the excuse of finding additional vulnerabilities neglect the need for a structured approach and undermine the importance of prior agreement on the engagement scope.

The correct answer is 'C. To utilize a comprehensive matrix of tactics and techniques to simulate adversary behavior and test defenses' because the MITRE ATT&CK framework provides an extensive list of adversary tactics and techniques that can help penetration testers plan and execute test scenarios that are representative of real-world cyber-attacks. Identifying common vulnerabilities relevant to their client's industry is not the primary use of the MITRE ATT&CK framework, although knowledge of such vulnerabilities may stem from understanding the techniques used by adversaries. Mapping the internal network is a tactical step in performing the actual penetration test, which does not necessarily require the use of the MITRE ATT&CK framework. Lastly, complying with international regulations is important, but the MITRE ATT&CK framework's primary use is not for ensuring regulatory compliance but for understanding and simulating adversarial tactics and techniques.

The SOW includes details of the tasks and responsibilities of the penetration testing team. Specifying the types of attacks allowed (e.g., social engineering, network scanning, etc.) is important to ensure both the client and the penetration tester understand the boundaries and methodologies that can be employed during the test. Conversely, an NDA relates to confidentiality agreements, an SLA to service performance metrics, and a risk assessment report to findings after an engagement, rather than the pre-defined tasks of the penetration test itself.

The technical contact is the individual within the client organization who possesses the detailed technical knowledge required to understand and act upon the technical aspects of the findings in a penetration test. Other options may have roles in the process, but the technical contact is the go-to for vulnerability discussions, making Answer A correct.

The correct option automates testing for common vulnerabilities on web servers after an initial port scan shows that web services are available. The script provided by Nmap for http-enum can be used to enumerate potential files and directories on the web server, which is a logical next step when ports 80 and 443 are open. The incorrect options either are not designed for analyzing web vulnerabilities directly (such as a DNS enumeration script or a brute force attack script on an SSH service), or they do not maintain a degree of stealth (like launching a full-scale aggressive vulnerability scan which can be noisy and alert a network's intrusion detection systems).

Default or blank username/password configurations are a common vulnerability in data storage systems. They can be exploited by attackers who attempt to access systems using commonly known default credentials or no credentials at all when the username and password fields are left blank. This issue often arises from improper initial setup and configuration, leaving the system open to unauthorized access. Incorrect answers like 'Data sanitation' or 'Two-factor authentication' do not directly relate to this type of vulnerability. 'Data sanitation' is a technique to prevent injection attacks by cleaning the data inputs, not a vulnerability itself, while 'Two-factor authentication' is an additional security layer, not typically a vulnerability when correctly implemented.

The 'increment' operation is commonly used in loops to increase the value of a counter variable by one. This allows the loop to progress through multiple iterations. The options of 'addition', 'subtraction', and 'division' are arithmetic operations, but they are either too general or not specific to the commonly used term for increasing a value by one in the context of iteration.

In a session fixation attack, the attacker sets a known session ID on an application before the victim logs in, and due to the lack of session rotation upon authentication, the attacker can use this predefined session ID to hijack the session once the victim has logged in. Session rotation is a critical security measure that involves changing the session token after a user logs in to prevent session fixation attacks. The incorrect answers, while they are related to session management in various ways, do not directly exploit the lack of session rotation post-authentication.

Website scraping involves programmatically collecting data from websites, which can reveal hidden paths, metadata, and other useful information that is not immediately visible to users but can be valuable during a penetration test. It is part of passive reconnaissance because it often involves analyzing publicly accessible web resources without actively engaging with the target systems, which could alert an adversary to the presence of a tester.

The correct answer is B: 'Setting clear metrics for service delivery'. SLAs should contain clear metrics for the expected service delivery, which in the context of a penetration test would include the methodologies to be used, the timeline for the delivery of results, and any other pertinent details that define what the client should expect from the service. Specific performance metrics make the agreement actionable and measurable, preventing misunderstandings and future disputes.

EAPHammer is the correct answer because it is specifically designed for launching targeted attacks against WPA2-Enterprise networks. It can be used to perform man-in-the-middle attacks against wireless clients. The other options, while useful for wireless penetration testing, are not as effective or efficient in the context of attacking WPA2-Enterprise authentication mechanisms. Aircrack-ng suite is more suited for cracking WEP and WPA2-PSK keys, Kismet is primarily a network detector and packet sniffer, and mdk4 is a tool for exploiting vulnerabilities in the 802.11 protocol but does not focus on the WPA2-Enterprise authentication like EAPHammer does.

A tester conducting a penetration test for a European bank must prioritize the Payment Card Industry Data Security Standard (PCI DSS) because it specifically relates to the security of payment processing systems. The GDPR focuses on the protection of personal data within the EU but does not specifically relate to payment card security standards. While the GDPR is important for overall data protection considerations, the PCI DSS is the leading standard that directly addresses the security measures required for payment processing systems, which is pertinent in this case.

The correct answer is 'Executive summary.' An executive summary is essential in a penetration testing report as it provides an overview of the most significant findings and risks without the technical details. It is tailored for recipients such as C-suite executives who need to quickly understand the potential impact on the business to make decisions, hence it is concise and avoids technical jargon. While 'Scope details,' 'Methodology,' and 'Findings' are critical components of the report, they are usually more technical and detailed, aimed at individuals who are actively engaged in the remediation process or require a deep understanding of the procedure and results.