CompTIA PenTest+ Practice Test (PT0-002)

The Common Vulnerability Scoring System (CVSS) offers a way to rate the severity of vulnerabilities in a standardized manner, providing scores that correspond to a qualitative severity ranking. By applying CVSS, you are able to communicate the severity of vulnerabilities in a uniform way that is independent of proprietary methodologies or the potentially subjective measure of impact to the specific organization. This is the accepted industry practice for reporting severity in penetration testing and is expected knowledge for professionals. Other methods may not provide the standardization needed or could introduce confusion if the stakeholders are not familiar with a custom scoring system.

The OWASP Top 10 provides a list of the most critical security risks to web applications, which serves as a standard to guide the testing process towards the most relevant and common vulnerabilities that attackers are likely to exploit. It helps to align the objectives of the penetration test with industry-recognized security risks, ensuring a comprehensive security assessment specifically for web applications. Mentioning OWASP in the scoping document indicates a structured and knowledgeable approach to web application security.

The correct answer is 'Broken Access Control', which is a category in the OWASP Top 10 that includes failures in restrictions on what authenticated users are allowed to do. Attackers can exploit these flaws to access unauthorized functionality or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc. 'A04:2021-Insecure Direct Object References' refers to a subcategory that was a part of earlier editions of the OWASP Top 10, which has been merged under 'Broken Access Control' in recent versions. 'Sensitive Data Exposure' deals with the actual exposure of sensitive data due to inadequate protection, which does not directly relate to the described scenario. 'Insufficient Logging & Monitoring' is about the lack of sufficient tracking and auditing, which may allow breaches to go unnoticed, but is not directly relevant to the issue of failing to restrict URL access.

Static analysis is the process of examining the code without executing the program. It is the best technique for understanding the high-level logic and control flow of the executable without execution, which could reveal vulnerabilities and hidden functionalities. Dynamic analysis involves observing the system's behavior during execution, which does not fit the criteria of not executing the code. A fuzz test is used to feed a series of inputs to software to find vulnerabilities, but it is not a technique used for reverse engineering without execution. Application logs can provide runtime details, but they won't help reverse engineer binary code or understand high-level logic and control flow before execution.

The correct method to ascertain the live status of a digital certificate is to use the Online Certificate Status Protocol (OCSP), which checks with the issuing Certificate Authority for current revocation information. This is more reliable and timely than other methods such as Certificate Revocation Lists (CRLs), which might not be updated immediately. Manually inspecting the browser for warnings or using a vulnerability scanner could yield some information, but these methods are not as direct, current, or authoritative as using OCSP. Additionally, WHOIS lookups provide domain registration details but do not provide information on certificate revocation statuses.

The Common Vulnerabilities and Exposures (CVE) list is a registry of publicly disclosed cybersecurity vulnerabilities and exposures. A CVE list would provide the tester with detailed information about known vulnerabilities in specific versions of software that the target company uses or develops. This information can help pinpoint potential security flaws in the company's infrastructure. On the contrary, CWE offers a categorization of different types of vulnerabilities which is broader and not specific to individual programs or systems. Job listings and strategic search engine analysis could reveal insights about the technology stack but are not focused on known vulnerabilities like the CVE list.

The correct answer is ARP scan. An ARP scan is an efficient and less intrusive method of enumerating live hosts on a local subnet by resolving IP addresses to MAC addresses within the same broadcast domain. It is less likely to be noticed by intrusion detection systems compared to more aggressive scanning techniques that generate a larger amount of network traffic. ICMP echo request might be blocked by firewalls or might trigger IDS systems due to its commonly known usage in scanning activities. Service version scan is not directly used to enumerate active hosts, but rather to identify service versions running on known up hosts. Port scan with SYN packets generates SYN packets, which can be easily detected by IDS systems due to their typical association with reconnaissance activities.

The Payment Card Industry Data Security Standard (PCI DSS) is the correct answer because it is a set of security requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. The PCI DSS is important for penetration testers to understand when planning and scoping an engagement as they must comply with these requirements when handling cardholder data.

Establishing a policy that mandates regular security awareness training for all employees is an example of an administrative control. Administrative controls consist of policies, procedures, and regulations that manage the human elements of security operations. They are crucial for ensuring that employees understand their roles and responsibilities regarding organizational security. Technical controls involve the use of technology to mitigate risks, while physical controls address the protection of physical assets. Operational controls, although related to procedures, are more about the day-to-day implementation of security measures rather than policy establishment.

A tree data structure is particularly efficient at representing hierarchical data due to its branching nature, where each node can have any number of child nodes. This allows for easy representation of an organizational schema where entities such as users and groups have parent-child relationships (e.g., groups containing users or other groups). In contrast, a list structure does not inherently represent hierarchical relationships and a hash table or stack is not specialized for representing hierarchical relationships like a tree.

The correct approach in this scenario is to utilize a time-based technique, such as crafting payloads that make the server wait for a certain amount of time before responding (e.g., through a command like SLEEP). The presence of a delay would suggest that the payload was executed, confirming the vulnerability without the need for an error message. Attempting to cause errors or expecting instantaneous feedback are typical signs of standard vulnerabilities and not suitable for scenarios where the application suppresses error details.

The correct answer is True. ARP poisoning involves sending forged ARP reply packets to the target hosts, causing them to associate the attacker's MAC address with the IP address of another host on the network. This man-in-the-middle position allows the attacker to capture traffic between the two hosts. If the traffic is not encrypted, the attacker can also modify it. This attack may go unnoticed by intrusion detection systems, especially if they are not configured to detect anomalies in ARP traffic.

Validating the scope of engagement with the client by reviewing contracts and client requirements is the most important next step. It ensures that the penetration tester understands which assets are included in the test, respects the boundaries set by third-party agreements, and accurately aligns the testing process with the client's timeline and expectations. Other options, while important in different contexts, do not prioritize the immediate requirement to understand and agree upon the scope before beginning any assessment.

Option B is correct because cursory reconnaissance implies a limited understanding of the environment, which is characteristic of unknown-environment testing. This approach involves gathering only readily available information without detailed knowledge of the target, which is consistent with the scenario of an unknown environment. Option A is incorrect because comprehensive documentation review suggests a familiarity with the environment, making it more suited for known-environment testing. Option C is incorrect because it refers to a practice more commonly associated with known-environment testing where previous engagement information is leveraged to understand the scope. Option D is incorrect as intensive source code analysis indicates deep familiarity with the application, aligning more with known-environment testing.

Using a mobile device emulator creates a virtual mobile device on which the application can be safely run and analyzed. This allows the penetration tester to observe the application's behavior under different conditions without risking the integrity of a physical device or the production environment. The other options either are not as relevant for analysis on a mobile application (a and c) or are general tools for mobile security testing but not specifically designed for behavioral analysis in a controlled environment like an emulator (d).