Free CompTIA PenTest+ PT0-002 Practice Test

The correct answer is ARP scan. An ARP scan is an efficient and less intrusive method of enumerating live hosts on a local subnet by resolving IP addresses to MAC addresses within the same broadcast domain. It is less likely to be noticed by intrusion detection systems compared to more aggressive scanning techniques that generate a larger amount of network traffic. ICMP echo request might be blocked by firewalls or might trigger IDS systems due to its commonly known usage in scanning activities. Service version scan is not directly used to enumerate active hosts, but rather to identify service versions running on known up hosts. Port scan with SYN packets generates SYN packets, which can be easily detected by IDS systems due to their typical association with reconnaissance activities.

Screenshots provide visual evidence of the findings and support the reproduction of the issues by the technical staff, making them a crucial aspect of ongoing documentation during a penetration test. While they may also assist in illustrating process steps or educating clients on the use of tools, these are not considered the primary purposes for including them in the report documentation.

The in operator in Python can be used to check if a particular substring exists within a string. This is why it is the correct choice. The += operator is used to append a value to an existing variable, typically used in loops for concatenation or arithmetic operations but doesn't check the existence of a substring. The == operator compares two values for equality, which is not useful when looking for a substring within a larger string. % is the modulus operator in arithmetic operations and can be used as a string formatting operator in Python, but it does not check for substring existence either.

Sanitizing user input is the primary defense against SQL injection attacks. It involves validating and cleaning up all user-supplied data to prevent malicious SQL code from being executed. Parameterized queries, which separate SQL logic from data, are also an effective measure against SQL injection as they ensure that the input is treated strictly as data, not executable code. While strong passwords and multifactor authentication can improve overall security, they do not directly protect against SQL injection attacks. Similarly, encrypting passwords is essential for data protection but is not a mitigation strategy for SQL injection vulnerabilities. Regular patch management is important for addressing known vulnerabilities, but not as directly related to preventing SQL injections as sanitizing input and using parameterized queries.

Resource exhaustion is the correct term for this kind of attack because it specifically refers to the depletion of system resources to the point where the system cannot perform its intended functions. It is a common goal of denial-of-service attacks to render a service unavailable by overwhelming it with requests, thus exhausting resources such as bandwidth, memory, or processing power. The incorrect answers are related terms but do not precisely describe the scenario in the question. 'Data corruption' implies the alteration or destruction of data, while 'credential harvesting' refers to the collection of user credentials, typically for unauthorized access. 'Amplification attack' is a type of DDoS attack that increases the volume of traffic sent to a victim, leading to resource exhaustion, but the term itself does not describe the outcome of the attack.

The correct answer is to inform the client and request a token with the correct scope, as per the test's rules of engagement. Accidentally receiving a token that grants broader access than intended can lead to testing systems that are out of scope, which might be against the policies and potentially illegal. While tempting, using the broader scoped token without authorization would be unethical and potentially a violation of the agreed-upon rules. Continuing with the received token without notifying the client or attempting to limit its privileges on your own are both incorrect actions that could lead to adverse outcomes.

Steganography is the practice of hiding a file, message, image, or video within another file, message, image, or video. The correct answer is steganography because it is a method of hiding data within other non-suspicious data, making it difficult for intrusion detection systems to identify the hidden data or the act of exfiltration. Other methods such as encoding or encrypting data can still produce network traffic that might be recognized by an IDS, especially if it uses atypical ports or protocols or if substantial volumes of data are being transmitted.

Identifying whether the assets are first-party or third-party hosted is critical because each may be bound by different legal agreements, such as NDAs, SLAs, and regulatory compliance requirements. Additionally, permission to test third-party hosted systems usually requires additional coordination and explicit consent from the third party. Testing without proper authorization could lead to legal actions against the tester or the hiring organization.

To mitigate the risk of attacks like injection, it is essential to use parameterized queries because this technique allows the application to distinguish between code and data, regardless of user input. Other methods mentioned, such as input length restrictions, do not address the underlying issue and offer no security against well-crafted malicious input targeting database operations. Client-side validation can be easily bypassed, and although input escaping and stored procedures can contribute to security, they have limitations and potential bypasses that do not offer the same level of safety as parameterized queries.

Technical staff will be primarily interested in detailed descriptions of vulnerabilities, how they were exploited, and technical remediation steps. They require specifics in order to understand the risk, replicate the issue, and plan the necessary technical fixes. Other options are either too high-level or unrelated to the staff's direct concerns.

The correct answer is 'Implement bcrypt with a dynamic salt for hashing each user's password.' The use of bcrypt is recommended because it is a slow hashing function specially designed for password storage. It incorporates a salt to protect against rainbow table attacks and has the ability to scale the hashing difficulty with work factors to defend against brute force attacks. The use of MD5 or any fast hashing algorithm, even with a dynamic salt, is inappropriate for password storage due to their vulnerability to brute force attacks and fast hashing speeds, which facilitate cracking efforts.

Even if the rules of engagement do not explicitly disallow certain tests such as Denial of Service (DoS) attacks, ethically and professionally, it is important for the penetration tester to seek explicit permission before conducting any tests that could disrupt the client's operations. Conducting such an invasive test without clear authorization could result in legal issues, client dissatisfaction, or unintended outages. Therefore, it is essential to have a clear agreement and understanding of what is permitted before proceeding.

Reducing the speed at which the scan is carried out (Throttling the scan speed) is the best approach when dealing with bandwidth limitations. It ensures that the vulnerability scan does not consume excessive bandwidth, which could slow down the network for legitimate users or cause disruptions. It also helps avoid triggering alarms that could alert network administrators to the scan's presence. Although performing the scan during off-peak hours or using less intrusive scan types may help, they do not directly address the problem of limited bandwidth as effectively as actively managing the scan's bandwidth usage.

The observations listed (high number of login attempts from foreign IPs, access requests for unusual files, and command history that includes reconnaissance tools) are classic signs of a previously compromised system. The reconnaissance tools found in the command history, in particular, indicate that an unauthorized party may have been probing the system for vulnerabilities, which is not a usual activity for a regular user or admin. Regular login attempts can occur but seeing them frequently from foreign IP addresses increases the chance of them being malicious. Access to unusual files suggests that someone might have been looking for sensitive data or trying to escalate their privileges.

The correct answer is 'Likeness,' as it involves establishing a rapport or a sense of commonality with the target. Understanding this principle is essential because people tend to respond favorably to those whom they perceive as similar to themselves, which can be exploited by attackers. 'Reciprocity' is incorrect as it refers to the obligation to return a favor. While 'Social proof' is incorrect because it's about the influence of seeing others performing the behavior, and 'Consistency' is about people's desire to be consistent with what they have previously said or done.