Prepare for the CompTIA PenTest+ PT0-002 exam with our free practice test. Randomly generated and customizable, this test allows you to choose the number of questions.
During a penetration test, you uncover evidence that suggests an employee of the client company may be involved in illegally selling customer data. What is your immediate course of action following this discovery?
Immediately report the findings to the organization's point of contact.
Ignore the evidence as it is outside the scope of the penetration test.
Confront the employee to gather more information before reporting.
Continue monitoring the employee's activities to collect additional evidence.
The correct course of action is to immediately report the potential criminal activity to your point of contact within the organization. Penetration testers have a duty to maintain professionalism and integrity, which includes identifying and reporting criminal activity. While further investigation may be compelling, acting upon this impulse could interfere with legal proceedings and the chain of custody for evidence.
Which tool can a penetration tester use to query and obtain data about hosts, websites, and certificates to assist in identifying potential security risks and misconfigurations?
WiGLE
Censys
Nessus
John the Ripper
Censys is the correct answer because it scans the internet for information about hosts, websites, and certificates, providing searchable data that penetration testers can use to find security risks and misconfigurations. 'Nessus' is an incorrect answer because it is a vulnerability scanner rather than a searchable database of internet-connected devices. 'John the Ripper' is a password-cracking tool, not an OSINT tool. 'WiGLE' is used for mapping wireless networks and is not designed to provide the same type of host, website, and certificate information.
As a penetration tester, you are contracted to assess the security of a multinational corporation's internal network. The corporation has multiple interconnected sites and relies heavily on cloud services. Which of the following is the most important initial step to ensure that your testing does not impact systems outside of the agreed scope?
Define and discuss a detailed target list with the client, including IP ranges, domains, and specified cloud services that are to be included in the assessment.
Assume all interconnected sites are in scope unless otherwise informed by the client in order to conduct a thorough test of the network.
Start with an immediate vulnerability assessment of the IP ranges connected to their primary data center to look for potential entry points.
Begin testing on the client’s production cloud services to expose as many vulnerabilities as possible regardless of the scope to showcase due diligence.
Defining a comprehensive target list that specifies in-scope assets such as IP ranges, domains, and which cloud services are included in the test is crucial for ensuring that the penetration test is contained within the agreed scope. Testing beyond the specified target list could lead to unauthorized access and potential legal issues. Answers that suggest starting the test immediately or bypassing the scope with the excuse of finding additional vulnerabilities neglect the need for a structured approach and undermine the importance of prior agreement on the engagement scope.
Your team has been contracted to perform a penetration test on a client's network infrastructure. To properly align your testing strategy with industry standards, you decide to incorporate the MITRE ATT&CK framework. What is the primary reason to integrate this framework into your penetration testing planning process?
The correct answer is 'C. To utilize a comprehensive matrix of tactics and techniques to simulate adversary behavior and test defenses' because the MITRE ATT&CK framework provides an extensive list of adversary tactics and techniques that can help penetration testers plan and execute test scenarios that are representative of real-world cyber-attacks. Identifying common vulnerabilities relevant to their client's industry is not the primary use of the MITRE ATT&CK framework, although knowledge of such vulnerabilities may stem from understanding the techniques used by adversaries. Mapping the internal network is a tactical step in performing the actual penetration test, which does not necessarily require the use of the MITRE ATT&CK framework. Lastly, complying with international regulations is important, but the MITRE ATT&CK framework's primary use is not for ensuring regulatory compliance but for understanding and simulating adversarial tactics and techniques.
A penetration tester is reviewing the Statement of Work (SOW) before starting an engagement with a new client. The SOW outlines the objectives, deliverables, timelines, and milestones for the penetration test. Which of the following would MOST likely be specified in the SOW to define the extent of the penetration test?
Service performance metrics that the penetration testing team must adhere to, as per the previously defined service-level agreement (SLA).
The types of attacks the penetration tester is authorized to perform, such as social engineering or network scanning.
The confidentiality agreements outlined in the non-disclosure agreement (NDA) prepared separately by legal teams.
The risk assessment report template to be used for presenting findings to the client post engagement.
The SOW includes details of the tasks and responsibilities of the penetration testing team. Specifying the types of attacks allowed (e.g., social engineering, network scanning, etc.) is important to ensure both the client and the penetration tester understand the boundaries and methodologies that can be employed during the test. Conversely, an NDA relates to confidentiality agreements, an SLA to service performance metrics, and a risk assessment report to findings after an engagement, rather than the pre-defined tasks of the penetration test itself.
During a penetration test, who should you primarily reach out to for discussing specific technical details of the vulnerabilities found?
Third-party stakeholder
C-suite executive
Emergency contact
Technical contact
The technical contact is the individual within the client organization who possesses the detailed technical knowledge required to understand and act upon the technical aspects of the findings in a penetration test. Other options may have roles in the process, but the technical contact is the go-to for vulnerability discussions, making Answer A correct.
During a penetration test, you perform an initial port scan using Nmap against the target web server. The scan results show that ports 80 (http) and 443 (https) are open. To expedite the testing process, which script should be executed next to further examine these services and look for potential vulnerabilities, while maintaining a degree of stealth?
Run the Nmap script engine (NSE) with the http-enum script to locate directories that might reveal the web server's configuration and content.
Execute an aggressive Nessus vulnerability scan on the entire target network to identify all potential vulnerabilities regardless of service.
Launch a brute force attack on the SSH service using Hydra to identify weak credentials that may be used to access the system.
Use the sqlmap tool to automatically attempt SQL injection attacks on the web server's database services.
The correct option automates testing for common vulnerabilities on web servers after an initial port scan shows that web services are available. The script provided by Nmap for http-enum can be used to enumerate potential files and directories on the web server, which is a logical next step when ports 80 and 443 are open. The incorrect options either are not designed for analyzing web vulnerabilities directly (such as a DNS enumeration script or a brute force attack script on an SSH service), or they do not maintain a degree of stealth (like launching a full-scale aggressive vulnerability scan which can be noisy and alert a network's intrusion detection systems).
Which of the following is a common vulnerability in data storage systems that could potentially allow unauthorized access without proper authentication?
Default/blank username/password
Two-factor authentication misconfiguration
Data sanitation fault
Excessive error message verbosity
Default or blank username/password configurations are a common vulnerability in data storage systems. They can be exploited by attackers who attempt to access systems using commonly known default credentials or no credentials at all when the username and password fields are left blank. This issue often arises from improper initial setup and configuration, leaving the system open to unauthorized access. Incorrect answers like 'Data sanitation' or 'Two-factor authentication' do not directly relate to this type of vulnerability. 'Data sanitation' is a technique to prevent injection attacks by cleaning the data inputs, not a vulnerability itself, while 'Two-factor authentication' is an additional security layer, not typically a vulnerability when correctly implemented.
What type of operation in a script would be used to increase the value of a counter variable, which manages the iterations within a loop, by one?
Increment
Division by any number other than zero or one
Addition of any positive number
Subtraction of any negative number
The 'increment' operation is commonly used in loops to increase the value of a counter variable by one. This allows the loop to progress through multiple iterations. The options of 'addition', 'subtraction', and 'division' are arithmetic operations, but they are either too general or not specific to the commonly used term for increasing a value by one in the context of iteration.
A penetration tester is conducting an assessment against a web application and has observed that session tokens are not rotated after login. Which type of attack could the penetration tester employ to take advantage of this vulnerability?
Cross-site scripting (XSS)
Session replay
Cross-site request forgery (CSRF)
Session fixation
In a session fixation attack, the attacker sets a known session ID on an application before the victim logs in, and due to the lack of session rotation upon authentication, the attacker can use this predefined session ID to hijack the session once the victim has logged in. Session rotation is a critical security measure that involves changing the session token after a user logs in to prevent session fixation attacks. The incorrect answers, while they are related to session management in various ways, do not directly exploit the lack of session rotation post-authentication.
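To make the explanation concrete, here is an added Python example (not part of the original quiz): a toy in-memory session store with a login routine that keeps the pre-authentication session id beside one that issues a fresh id, plus a check of whether an id known before login is still usable afterwards. The SessionStore class and function names are constructed for this illustration.

```python
import secrets

# Constructed example for this page: a minimal in-memory session store
# used to show why session tokens must be rotated at login.
class SessionStore:
    def __init__(self):
        self.sessions = {}  # session_id -> {"user": username or None}

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def login_without_rotation(store, sid, username):
    """Vulnerable: authenticates the existing session in place,
    so whoever already knew `sid` now holds a logged-in session."""
    if sid not in store.sessions:
        sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


def login_with_rotation(store, sid, username):
    """Hardened: discard the pre-login id and issue a new one,
    so any id known before authentication becomes worthless."""
    store.sessions.pop(sid, None)
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = username
    return new_sid


def fixation_succeeds(login):
    """Return True if an id known before login is an authenticated
    session after the victim logs in while holding that id."""
    store = SessionStore()
    known_sid = store.new_session()     # id issued before login and known to a third party
    login(store, known_sid, "victim")   # victim authenticates while holding that id
    return store.user_for(known_sid) == "victim"
```

Running fixation_succeeds against both login routines shows that only the non-rotating login leaves the pre-login id authenticated.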
Which of the following best describes the purpose of website scraping in the context of passive reconnaissance?
Intercepting and modifying HTTP requests in real-time to exploit web applications
Automatically collecting data from websites to uncover information such as hidden directories or sensitive data in the code
Decrypting SSL/TLS traffic to analyze encrypted communication between clients and servers
Actively probing web servers to detect open ports and running services
Website scraping involves programmatically collecting data from websites, which can reveal hidden paths, metadata, and other useful information that is not immediately visible to users but can be valuable during a penetration test. It is part of passive reconnaissance because it typically involves analyzing publicly accessible web resources without actively engaging with the target systems, which could alert the target to the tester's presence.
When performing a penetration test for an organization, what aspect of the SLA would BEST ensure that the expectations for the performance of the security testing are clearly defined and understood by both the service provider and the client?
Detailing the financial penalties for non-performance
Stating the required qualifications of the penetration testers
Documenting the legal ramifications of a data breach
Setting clear metrics for service delivery
Outlining the security frameworks to learn for compliance
Providing an inventory of tools to be used in testing
The correct answer is B: 'Setting clear metrics for service delivery'. SLAs should contain clear metrics for the expected service delivery, which in the context of a penetration test would include the methodologies to be used, the timeline for the delivery of results, and any other pertinent details that define what the client should expect from the service. Specific performance metrics make the agreement actionable and measurable, preventing misunderstandings and future disputes.
As a penetration tester, you are tasked with evaluating the security of a WPA2-Enterprise wireless network. Which of the following tools would be the BEST choice for attempting to bypass the network's authentication mechanism?
mdk4
Kismet
EAPHammer
Aircrack-ng suite
EAPHammer is the correct answer because it is specifically designed for launching targeted attacks against WPA2-Enterprise networks. It can be used to perform man-in-the-middle attacks against wireless clients. The other options, while useful for wireless penetration testing, are not as effective or efficient in the context of attacking WPA2-Enterprise authentication mechanisms. Aircrack-ng suite is more suited for cracking WEP and WPA2-PSK keys, Kismet is primarily a network detector and packet sniffer, and mdk4 is a tool for exploiting vulnerabilities in the 802.11 protocol but does not focus on the WPA2-Enterprise authentication like EAPHammer does.
A bank headquartered in Europe is under a penetration testing contract which involves testing their payment processing system. What should the penetration tester prioritize to ensure that the engagement aligns with industry-specific compliance requirements?
Prioritize compliance with the General Data Protection Regulation (GDPR)
Ensure adherence to the Payment Card Industry Data Security Standard (PCI DSS)
Focus solely on local country-specific cybersecurity legislation
A tester conducting a penetration test for a European bank must prioritize the Payment Card Industry Data Security Standard (PCI DSS) because it specifically relates to the security of payment processing systems. The GDPR focuses on the protection of personal data within the EU but does not specifically relate to payment card security standards. While the GDPR is important for overall data protection considerations, the PCI DSS is the leading standard that directly addresses the security measures required for payment processing systems, which is pertinent in this case.
When crafting a penetration testing report, what section provides a high-level summary of the findings, geared towards key decision-makers like executives who may not require technical details?
Findings
Scope details
Executive summary
Methodology
The correct answer is 'Executive summary.' An executive summary is essential in a penetration testing report as it provides an overview of the most significant findings and risks without the technical details. It is tailored for recipients such as C-suite executives who need to quickly understand the potential impact on the business to make decisions, hence it is concise and avoids technical jargon. While 'Scope details,' 'Methodology,' and 'Findings' are critical components of the report, they are usually more technical and detailed, aimed at individuals who are actively engaged in the remediation process or require a deep understanding of the procedure and results.