CompTIA PenTest+ Practice Test (PT0-002)

Industrial control systems (ICS) are used in environments like manufacturing to monitor and control industrial processes. They are commonly subject to operational disruption due to attacks on their vulnerabilities. Although SCADA and IIoT systems may also be involved in controlling industrial processes, the question specifically addresses 'systems' in general which pertains to ICS. SCADA is typically a subset of ICS used for centralized monitoring and control, while IIoT refers to the interconnected sensors, instruments, and other devices networked together with industrial processes.

Nessus is primarily used for scanning and assessing networks to find vulnerabilities that could be exploited. It does not directly provide intrusion detection capabilities, network traffic analysis, or firewall configuration, which makes the correct answer stand out as it is the key functionality of Nessus in the penetration testing process.

Although all options are credential testing tools, Hashcat is designed for optimized performance on both CPUs and GPUs and is highly effective for cracking various types of hashes, including MD5. Its GPU acceleration capabilities significantly reduce the time required to crack hashes. John the Ripper also supports hash cracking but is typically outperformed by Hashcat when GPU resources are utilized. Cain is generally used for network sniffing and password recovery but is not as versatile as Hashcat for hash cracking. CeWL is actually a custom word list generator tool and not a hash cracking tool, so it does not apply to the direct cracking of hashes.

The '-sn' option in Nmap is used to perform a host discovery, which simply pings the hosts without actually scanning any ports. This is the correct answer as it minimizes the amount of traffic and reduces the chance of causing network disruption. The '-sV' option executes a service version detection, which is more intrusive and creates more traffic, going beyond the requirement of just discovering live hosts. The '-A' option enables OS detection, version detection, script scanning, and traceroute, which would not only produce more traffic but also try to scan and fingerprint hosts, which is not needed in this scenario. The '-p' option specifies the target ports to scan, which does not directly relate to host discovery without port scanning.

Requesting written authorization from the client for using specific tools, like packet sniffers, is essential, especially where privacy laws are stringent, such as in the European Union under the GDPR. This written authorization helps ensure that you have explicit permission to use techniques that may intercept or process personal data and protects both you and the client from legal repercussions. The other options do not offer the same level of legal protection or adherence to privacy laws, and using tools without consideration of local laws or client permission can lead to serious legal consequences.

The SOW includes details of the tasks and responsibilities of the penetration testing team. Specifying the types of attacks allowed (e.g., social engineering, network scanning, etc.) is important to ensure both the client and the penetration tester understand the boundaries and methodologies that can be employed during the test. Conversely, an NDA relates to confidentiality agreements, an SLA to service performance metrics, and a risk assessment report to findings after an engagement, rather than the pre-defined tasks of the penetration test itself.

The technical contact is the individual within the client organization who possesses the detailed technical knowledge required to understand and act upon the technical aspects of the findings in a penetration test. Other options may have roles in the process, but the technical contact is the go-to for vulnerability discussions, making Answer A correct.

Spoofing is an attack method where the attacker masquerades as a legitimate device or user to gain unauthorized access to resources, intercept communications, or distribute malware. This is central to understanding many cybersecurity threats and is a fundamental concept within the realm of penetration testing. ARP poisoning and DNS cache poisoning are specific techniques where spoofing is utilized, but they are not synonymous with spoofing in the broader sense. Masquerading is not typically used as a technical term in the context of security attacks.

Using responsible discretion when handling the data refers to being cautious about how and where the data is stored, who has access to it, and ensuring that it is not disclosed to unauthorized parties. This is the core principle of maintaining the confidentiality of data. Encrypting the data provides an additional layer of security by rendering the data unreadable should it fall into the wrong hands, which adheres to the practice of maintaining confidentiality. Discussing project details in public undermines confidentiality, as it can lead to unauthorized disclosure of sensitive information. Failing to lock computers leaves data exposed to unauthorized access, also breaching confidentiality.

Screenshots provide visual evidence of the findings and support the reproduction of the issues by the technical staff, making them a crucial aspect of ongoing documentation during a penetration test. While they may also assist in illustrating process steps or educating clients on the use of tools, these are not considered the primary purposes for including them in the report documentation.

A deauthentication attack is primarily used to forcibly disconnect clients from a wireless network. This could allow an attacker to capture the handshake when the client reauthenticates, which is essential for cracking the wireless password. This type of attack disrupts the normal operation and communication by sending deauthentication frames from an access point to the client or vice versa.

To mitigate the risk of weak passwords being exploited, it is recommended that password policies enforce criteria for complexity (e.g., uppercase, lowercase, numbers, and special characters). This recommendation is appropriate because it directly addresses the identified weakness in the company's password policy by suggesting a standard best practice for password management. Other options, like increasing monitoring or encouraging biometric use, may also contribute to security but do not directly address the core issue of password weaknesses as effectively as enforcing password complexity.

The correct answer is 'Using a script that incorporates an initial ping sweep to identify live hosts and then dynamically passing the list of live IP addresses to a vulnerability scanner'. This process is efficient as it first narrows down the list of targets to active hosts and then applies a more resource-intensive vulnerability scan solely to those hosts, rather than wasting resources on scanning potentially down or non-existent systems.

Predefined communication triggers are important because they establish clear guidelines for when the penetration testing team should communicate with stakeholders. These triggers ensure that critical information, such as high severity vulnerabilities or indicators of a prior compromise, is relayed immediately to maintain situational awareness and address potential risks efficiently. Without these triggers, important information might be delayed or overlooked, compromising the value and effectiveness of the test.

An unauthenticated remote code execution vulnerability is usually considered a critical finding because it allows an attacker to gain control over the system without needing credentials, leading to potentially severe impacts on confidentiality, integrity, and availability. Since sensitive customer data is at stake, the severity and potential business impact are high, necessitating immediate attention and remediation efforts. That's why it's classified as critical and should be communicated to the client as such.