Prepare for the CompTIA PenTest+ PT0-002 exam with our free practice test. Randomly generated and customizable, this test allows you to choose the number of questions.
Which principle of influence might an attacker leverage when they convince a victim that a limited number of security software licenses are available at a discount, prompting immediate action?
Urgency
Social proof
Authority
Scarcity
The principle of 'Scarcity' is the human tendency to value something more when it appears rare or dwindling in supply. Here the scarcity cue is the "limited number of licenses"; the pressure to act at once is the urgency that the cue creates, which is why the two principles are easy to confuse on the exam. A social engineer uses the cue to push the victim into a hasty decision, for example buying or installing something without verifying the offer, the vendor or the sender, that they would not have made under normal circumstances. The same pattern appears as limited-time offers and "exclusive" access.
What operational control can help minimize the risk associated with a single individual having complete control over a critical process?
Mandatory vacations
Time-of-day restrictions
Job rotation
User training
Job rotation is an operational control that moves employees through different positions within an organization. It minimizes the risk of a single individual having complete control over a critical process by spreading knowledge and access among several people: no one person retains enough control or knowledge to misuse the process unnoticed, and the person taking over a role is well placed to spot irregularities left by the previous holder. Mandatory vacations force someone else to cover the role for a period, which can also expose fraud, but they only interrupt one person's control temporarily rather than distributing it. Time-of-day restrictions limit when access is allowed and user training educates staff; neither addresses the concentration of control over a process.
As a penetration tester, you're tasked with testing the strength of password hashes. Which tool would you use to perform brute-force attacks against various hash types in a scalable and effective manner?
Hashcat
John the Ripper
Wireshark
Aircrack-ng
Hashcat is known for performing brute-force, mask, rule-based and dictionary attacks against a very large set of hash types, and for doing so on GPUs, which is what makes it scale; that combination of breadth and speed is why it is the expected answer. John the Ripper also cracks password hashes and is a reasonable real-world choice, but it is CPU-oriented by default and is not the answer the exam wants here. Wireshark is a packet analyzer and Aircrack-ng is a wireless auditing suite; neither is a general-purpose hash cracker.
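To make concrete what a cracker such as Hashcat actually does with a hash "mode", a wordlist, mangling rules and a mask, here is an added example written for this page in Python. It is not Hashcat's code and is far slower; the hash labels, rule set and sample hashes below are constructed for the example.

```python
"""Added example: a minimal dictionary/rule/mask cracker in the spirit of
Hashcat (this is not Hashcat's code). Shows mode selection, candidate
generation and why an unknown salt defeats a plain wordlist run."""
import hashlib
import itertools
import string

# Hashcat selects algorithms with numeric -m modes; the names here are our own.
MODES = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
}


def hash_candidate(mode, word, salt=b""):
    """Hash one candidate the way the target application would (salt first)."""
    return MODES[mode](salt + word.encode()).hexdigest()


def rule_variants(word):
    """A tiny rule set: as-is, capitalised, and common suffixes appended."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(targets, mode, wordlist, salt=b""):
    """targets: set of hex digests. Returns {digest: recovered plaintext}."""
    remaining = set(targets)
    found = {}
    for word in wordlist:
        for cand in rule_variants(word):
            if not remaining:
                return found
            digest = hash_candidate(mode, cand, salt)
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
    return found


def mask_attack(targets, mode, charset, length, salt=b""):
    """Exhaust every string of exactly `length` chars over `charset`,
    the equivalent of a hashcat mask such as ?d?d?d?d."""
    remaining = set(targets)
    found = {}
    for tup in itertools.product(charset, repeat=length):
        cand = "".join(tup)
        digest = hash_candidate(mode, cand, salt)
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
            if not remaining:
                break
    return found


# Constructed sample data: a short wordlist and hashes as a tester might
# extract them from a dumped credential table (plaintexts are invented).
WORDLIST = ["password", "welcome", "summer", "letmein"]
SAMPLE_MD5 = {hash_candidate("md5", w) for w in ("Summer2024", "letmein!")}
SAMPLE_SHA256_PIN = {hash_candidate("sha256", "4711")}

if __name__ == "__main__":
    print(dictionary_attack(SAMPLE_MD5, "md5", WORDLIST))
    print(mask_attack(SAMPLE_SHA256_PIN, "sha256", string.digits, 4))
    # With an unknown per-user salt the same wordlist recovers nothing:
    print(dictionary_attack(SAMPLE_MD5, "md5", WORDLIST, salt=b"s3cr3t"))
```

The salted run at the end is the caveat a tester should remember: unless the salt was dumped alongside the hash, the candidate space has to include it, which is exactly the situation Hashcat's salted modes exist for.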
During a penetration testing engagement, you discover evidence that suggests an active threat actor may currently be operating within the client's network. What is the most appropriate immediate action to take to maintain proper situational awareness and ensure the client is adequately informed?
Continue with the planned testing procedures to avoid tipping off the threat actor, and report the finding in the next scheduled update.
Terminate the penetration test to avoid interference and allow internal security teams to handle the incident.
Immediately report the finding to the client's primary or emergency contact to ensure they are aware of the potential compromise.
Pause the penetration testing analysis and wait for the next regular communication interval to report the finding to the client.
Immediately reporting the finding to the client's primary or emergency contact is correct: when an active threat or compromise is discovered, the client must know at once so they can contain and mitigate it, and the tester must learn whether to continue, adjust scope or stand down. Continuing with the planned testing and reporting in the next scheduled update is wrong because it leaves an incident unaddressed, and the tester's own activity may be indistinguishable from, or interfere with, the attacker's. Pausing and waiting for the next regular communication interval is wrong for the same reason: it delays the response to an active threat. Terminating the test unilaterally is wrong because that decision belongs to the client; ending the engagement could also discard observations that would help characterise the threat actor's methods and objectives.
Which of the following attacks is specifically effective against IoT devices due to their often limited computational power and potential for large-scale distribution?
Bluejacking
Bluesnarfing
Distributed Denial of Service (DDoS)
SQL Injection
Distributed Denial of Service (DDoS) attacks are particularly effective against IoT devices because their limited CPU, memory and bandwidth are easily exhausted, and IoT devices are also the usual raw material for the botnets that launch large-scale DDoS attacks, since they are always on, internet-connected and rarely patched. Bluejacking and Bluesnarfing are Bluetooth attacks that require radio proximity to a Bluetooth-enabled device; they can affect individual IoT devices but do not exploit limited computational power or scale across the internet. SQL injection is a web application attack and does not directly relate to the exploitation of IoT devices.
As a penetration tester, you are tasked with identifying vulnerable technologies used by a target organization. Which of the following resources would BEST aid in discovering detailed version information and potential vulnerabilities for the technology stack openly used by the target company?
Engaging directly with the company's IT department staff
Analyzing the target's public source-code repositories
Monitoring the target's social media accounts for employee posts
Reviewing the target's latest financial statements
Public source-code repositories can provide detailed insights into the actual code and technologies used by an organization, including versions and configuration files which could lead to uncovering specific vulnerabilities. It is not uncommon for organizations to inadvertently expose sensitive details in these repositories, which makes them a rich source of information for penetration testers. While the other options also play roles in reconnaissance, they do not offer as direct a route to specific technological details as source-code repositories.
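As an added illustration of what "detailed version information" from a public repository looks like in practice, the following Python script (written for this page, not taken from any real project) builds a technology inventory from a few constructed repository files and flags a connection string that embeds credentials. The file contents, package names, versions and the credential are all invented for the example.

```python
"""Added example: harvest technology/version details and leaked credentials
from repository files. The REPO contents are constructed for this example."""
import json
import re

# Constructed sample repository (paths -> file text). Not a real project.
REPO = {
    "requirements.txt": "Django==3.2.1\nrequests>=2.25\ngunicorn==20.0.4\n",
    "Dockerfile": "FROM python:3.8-slim\nRUN pip install -r requirements.txt\n",
    "package.json": json.dumps({"dependencies": {"express": "^4.17.1",
                                                 "lodash": "4.17.15"}}),
    "config/settings.example.yml":
        "database_url: postgres://app:Sup3rSecret@db.internal:5432/app\n"
        "debug: true\n",
}

# pip requirement line: name, comparison operator, version.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|~=|<=)\s*([0-9][\w.]*)", re.M)
# Dockerfile base image and tag.
FROM_RE = re.compile(r"^FROM\s+([^\s:]+):([^\s]+)", re.M)
# scheme://user:secret@host  (credentials embedded in a URL)
CRED_URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://([^:/\s]+):([^@\s]+)@([^\s/:]+)")


def inventory(repo):
    """Return (component, version-spec, source-path) triples."""
    found = []
    for path, text in repo.items():
        if path.endswith("requirements.txt"):
            for name, op, ver in PIN_RE.findall(text):
                found.append((name.lower(), op + ver, path))
        elif path.endswith("Dockerfile"):
            for image, tag in FROM_RE.findall(text):
                found.append((image, tag, path))
        elif path.endswith("package.json"):
            deps = json.loads(text).get("dependencies", {})
            for name, ver in deps.items():
                found.append((name, ver, path))
    return found


def find_exposed_credentials(repo):
    """Return (path, username, host, redacted-secret) for credential URLs.
    The secret is redacted so the report itself does not leak it."""
    hits = []
    for path, text in repo.items():
        for match in CRED_URL_RE.finditer(text):
            user, secret, host = match.groups()
            hits.append((path, user, host, "*" * len(secret)))
    return hits


if __name__ == "__main__":
    for row in inventory(REPO):
        print("component: %-10s version: %-10s from: %s" % row)
    for row in find_exposed_credentials(REPO):
        print("credential in %s: user=%s host=%s secret=%s" % row)
```

Exact pins such as `Django==3.2.1` and base-image tags are the most valuable output, because they give a version to check against the vendor's advisories; a range such as `>=2.25` only bounds what could be deployed. Internal hostnames found this way (here `db.internal`) also feed later scoping, but only within the agreed rules of engagement.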
You are planning a penetration testing engagement for an organization that is very concerned about potential service disruptions. While reviewing the established rules of engagement, you note a specific condition that prohibits any tests that could result in denial of service. Which of the following tests should you exclude from your testing plan to comply with the client's requirement?
Performing directory traversal attacks to assess system file access controls
Attempting cross-site scripting (XSS) in various input fields of the client's website
Testing for SQL injection vulnerabilities in web applications
Sending large volumes of traffic to test for Denial of Service (DoS) vulnerabilities
Sending large volumes of traffic to test for a Denial of Service (DoS) vulnerability would be in direct violation of the rules of engagement that prohibit tests potentially leading to service disruptions. SQL injection, directory traversal, and cross-site scripting tests do not inherently risk causing denial of service and thus would not typically be excluded under such a condition, although the way these tests are executed should always consider the potential impact on the organization's services.
A penetration tester is examining a company's network mapping obtained from a recent scan. The scan reveals multiple subnets with hosts that have both Inter-Subnet and Intra-Subnet communication patterns. Considering the layers of the OSI model, what type of network device is MOST likely responsible for allowing or restricting the communication BETWEEN these subnets?
Hub
Firewall without routing capabilities
Router
Switch
A router primarily operates at layer 3 (the Network layer) of the OSI model and is designed to connect multiple subnets and direct data packets between them. Routers use IP addresses to make forwarding decisions and can allow or restrict traffic between subnets. In contrast, switches typically operate at layer 2 (Data Link layer) and handle traffic within the same subnet. Hubs, being even more limited, operate at layer 1 (Physical layer) and merely replicate traffic to all ports. Firewalls, though they can restrict traffic between subnets, are not inherently responsible for allowing communication at the network layer but rather for securing the network by applying policies.
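The distinction the question relies on can be checked mechanically from scan data: two hosts talk at layer 2 only if each believes the other is inside its own subnet, otherwise the packet goes to a gateway and a router decides. The Python below is an added example for this page (not from the original), using a constructed host inventory; the fourth host deliberately carries a mismatched mask to show the "asymmetric" case that confuses scan interpretation.

```python
"""Added example: classify host pairs as intra-subnet (switched),
inter-subnet (routed) or asymmetric (each side disagrees). The HOSTS
inventory is constructed for this example."""
import ipaddress
from itertools import combinations

# Constructed inventory: address/prefix as configured on each host.
HOSTS = {
    "web01": "10.0.1.10/24",
    "web02": "10.0.1.11/24",
    "db01": "10.0.2.20/24",
    "mgmt": "10.0.1.200/25",   # mismatched mask on the same wire as web01/web02
}


def path_type(a_cidr, b_cidr):
    """How traffic between A and B is delivered, from each host's own view."""
    a = ipaddress.ip_interface(a_cidr)
    b = ipaddress.ip_interface(b_cidr)
    a_sees_local = b.ip in a.network   # A would ARP for B directly
    b_sees_local = a.ip in b.network   # B would ARP for A directly
    if a_sees_local and b_sees_local:
        return "intra-subnet"    # layer 2 only: a switch forwards it
    if not a_sees_local and not b_sees_local:
        return "inter-subnet"    # both sides use their gateway: a router decides
    return "asymmetric"          # one side goes direct, the other via the router


def communication_matrix(hosts):
    """Pairwise classification for every host pair in the inventory."""
    return {(x, y): path_type(hosts[x], hosts[y])
            for x, y in combinations(sorted(hosts), 2)}


if __name__ == "__main__":
    for pair, kind in communication_matrix(HOSTS).items():
        print("%s <-> %s: %s" % (pair[0], pair[1], kind))
```

The asymmetric case matters to a tester: a host with the wrong mask sends to its gateway for neighbours it should reach directly, so the router's ACLs apply in one direction only, and replies may be filtered where the requests were not.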
When conducting a penetration test, which tool would be appropriate for crafting custom ICMP echo requests and analyzing responses to perform network testing?
Tcpdump
Hping
Netcat
Nmap
Hping (current version hping3) is a packet-crafting tool: it builds TCP, UDP, ICMP and raw IP packets with the fields you specify and reports the responses, which makes it the right choice for sending custom ICMP echo requests (and other ICMP types) and analysing what comes back during a penetration test. Nmap is a versatile scanner and can send ICMP echo probes (for example with -PE) but it does not expose the fine-grained packet construction that Hping does. Tcpdump is a packet sniffer and cannot craft packets. Netcat reads from and writes to TCP or UDP connections and has no facility for building ICMP packets.
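To show what "crafting a custom ICMP echo request" involves at the byte level, here is an added Python example written for this page (it is not part of Hping). It assembles an ICMP header with a chosen identifier, sequence number and payload, computes the RFC 1071 checksum, and verifies a received packet; the identifier, payload and destination below are constructed values.

```python
"""Added example: build and verify ICMP echo packets by hand, the way a
packet-crafting tool does. Values such as the identifier and payload are
constructed for this example."""
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"   # type, code, checksum, identifier, sequence


def inet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload, icmp_type=ICMP_ECHO_REQUEST, code=0):
    """Return a complete ICMP message with a valid checksum."""
    header = struct.pack(HEADER_FMT, icmp_type, code, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack(HEADER_FMT, icmp_type, code, csum, ident, seq) + payload


def parse_icmp(packet):
    """Decode an ICMP message; checksum_ok is True only if the whole message
    sums to zero in ones' complement, i.e. it was not altered in transit."""
    icmp_type, code, csum, ident, seq = struct.unpack(HEADER_FMT, packet[:8])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "id": ident, "seq": seq, "payload": packet[8:],
        "checksum_ok": inet_checksum(packet) == 0,
    }


def send_echo(dst, packet, timeout=2.0):
    """Send the crafted message on a raw socket and return the matching
    reply's decoded fields. Needs root/CAP_NET_RAW; not run in tests."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(packet, (dst, 0))
        ident = struct.unpack(HEADER_FMT, packet[:8])[3]
        while True:
            data, _ = s.recvfrom(65535)
            ihl = (data[0] & 0x0F) * 4          # skip the IP header
            reply = parse_icmp(data[ihl:])
            if reply["type"] == ICMP_ECHO_REPLY and reply["id"] == ident:
                return reply


if __name__ == "__main__":
    pkt = build_echo(0x1234, 1, b"custom-payload-for-fingerprinting")
    print(pkt.hex())
    print(parse_icmp(pkt))
    # send_echo("192.0.2.1", pkt)   # documentation-range address; requires root
```

Controlling the identifier, sequence and payload is what lets a tester correlate replies, probe how middleboxes treat unusual ICMP types or sizes, and spot devices that answer with altered payloads.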
During a penetration test, you encounter evidence that suggests a previously undetected breach by a third party. What is the BEST course of action?
Continue with the planned testing activities and include the findings in the final report.
Immediately escalate the issue within your own team for analysis before notifying the client.
Pause the penetration test and promptly report the indicator of prior compromise to the primary client contact.
Revise the penetration testing boundaries to exclude the systems involved with the potential prior breach.
When evidence of a prior compromise is encountered, it is critical to communicate this to the client immediately. Doing so aligns with situational awareness, enabling the client to understand the current threat landscape and act accordingly. This takes precedence over other communications because it may impact the client's operational security and requires urgent attention. While documenting the issue and revising test boundaries are important, they do not take precedence over immediate communication in such scenarios.
During a penetration testing engagement for a financial institution, your team is required to assess the security of the client's payment processing system which stores and transmits credit card data. What type of document is MOST important to review before beginning any testing to ensure compliance with industry regulations?
Service-level agreement (SLA)
Non-disclosure agreement (NDA)
Payment Card Industry Data Security Standard (PCI DSS) documentation
Master service agreement
The Payment Card Industry Data Security Standard (PCI DSS) is the compliance requirement that applies to any entity that stores, processes, or transmits cardholder data; it is a contractual industry standard imposed by the card brands rather than a law, but the client must still demonstrate compliance with it, and its requirements on testing and on handling card data shape how the assessment may be performed. The service-level agreement (SLA) and the non-disclosure agreement (NDA) govern performance and confidentiality, not regulatory or industry compliance for card data. The master service agreement sets the overall terms between the two parties but does not by itself address PCI DSS obligations.
A script designed to exploit a vulnerability on a web application's login page, which cycles through a list of usernames and records successful login attempts, is primarily used for user enumeration.
True
False
The script described automates the discovery of valid usernames by attempting logins for each name in a list and recording which attempts succeed or are treated differently. By recording the outcome per username, the script enumerates, or lists, the valid accounts on the system. This is user enumeration, typically an early step in an attack chain that produces the target list for later password guessing; it depends on the login page responding differently to unknown and known usernames.
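The following Python is an added example for this page (not the script the question describes) showing the two sides of this technique: a login handler whose responses reveal whether a username exists beside a hardened one that does not, and an enumerator that works against the first and gets nothing from the second. The user store, passwords and messages are constructed for the example.

```python
"""Added example: username enumeration through differential login responses,
with a vulnerable and a hardened login handler. All accounts and
passwords here are constructed for the example."""
import hashlib
import hmac
import os


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _make_record(password):
    salt = os.urandom(16)
    return (salt, _hash(password, salt))


# Constructed user store (invented credentials).
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "carol": _make_record("Winter2024!"),
}
# A dummy record so that unknown usernames cost the same work as known ones,
# which removes the timing side channel as well as the message difference.
DUMMY = _make_record(os.urandom(16).hex())


def _check(record, password):
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def login_vulnerable(username, password):
    """Leaks account existence: different status and message per case."""
    record = USERS.get(username)
    if record is None:
        return 404, "Unknown user"
    if not _check(record, password):
        return 401, "Invalid password"
    return 200, "Welcome"


def login_hardened(username, password):
    """Same code path, same cost and same response whether or not the
    username exists; only a correct pair gets a different answer."""
    record = USERS.get(username, DUMMY)
    ok = _check(record, password) and username in USERS
    if ok:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def enumerate_users(login, candidates):
    """Attacker side. Take the response for a random (surely unknown) name as
    the baseline; any candidate answered differently is a valid account."""
    probe_password = "not-the-password"
    baseline = login(os.urandom(8).hex(), probe_password)
    return [name for name in candidates if login(name, probe_password) != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]
    print("vulnerable:", enumerate_users(login_vulnerable, names))
    print("hardened:  ", enumerate_users(login_hardened, names))
```

Against a real application the "response" a tester compares is the full tuple of status code, body, headers and timing, not just the message text; the hardened handler above is shaped to keep all of those constant.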
During a penetration test, you aim to collect information on a target organization's security posture without directly interacting with their systems. Which of the following sources would most effectively offer insights into the organization's past security incidents and data breaches for passive reconnaissance?
Checking the response headers from the organization's web server for server types and technologies
Manual inspection of the organization's website links
Verification of the organization's SSL certificate details
Analysis of news articles and breach report databases
The correct answer, 'Analysis of news articles and breach report databases,' is most relevant because these sources often record and discuss an organization's previous security incidents and breaches. They provide context to past events, allowing a pentester to understand the vulnerabilities that have been exploited in the past and potentially highlighting patterns useful in assessing the current security posture.
The alternative options, such as inspecting the current TLS certificate or manually reviewing links on the website, can reveal current technical details but say nothing about the organisation's history of security incidents and breaches; checking the web server's response headers also involves direct interaction with the target, which the question rules out.
Specifying '-p-' as an option in an Nmap scan will only scan ports registered in the /etc/services file.
False
True
The correct answer is false. Specifying '-p-' tells Nmap to scan every port from 1 to 65535 (add '-p0-' to include port 0); it is shorthand for '-p 1-65535' and is not limited to the ports listed in /etc/services. The misunderstanding comes from Nmap's default behaviour: with no -p option it scans the most common ports, which it takes from its own nmap-services data file, not from /etc/services. '-p-' overrides that default and produces a comprehensive scan of whichever protocols the scan type covers (TCP for a -sS or -sT scan, UDP as well when -sU is added), at the cost of a much longer run.
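To make the difference between a port specification and a service-file lookup concrete, here is an added Python example written for this page (it is not Nmap code): a parser for Nmap-style '-p' specifications beside a parser for a constructed /etc/services excerpt, so the two port sets can be compared directly. The services excerpt is constructed; the spec grammar follows Nmap's documented forms ('-', '1-1024', '22,80,443', 'T:80,U:53').

```python
"""Added example: expand Nmap-style port specifications and contrast them
with the ports named in an /etc/services-style file. The services excerpt
is constructed for this example."""

MAX_PORT = 65535


def _expand(item):
    """Expand one comma-separated item: '80', '1-1024', '-100', '100-', '-'."""
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1          # '-100' means 1-100; '-' means 1-65535
        hi = int(hi) if hi else MAX_PORT   # '100-' means 100-65535
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError("bad port range: %r" % item)
    return range(lo, hi + 1)


def parse_port_spec(spec):
    """Return {'tcp': set, 'udp': set} denoted by an Nmap -p argument.
    A 'T:' or 'U:' prefix applies to that item and all following items;
    items with no prefix apply to both protocols."""
    ports = {"tcp": set(), "udp": set()}
    protos = ("tcp", "udp")
    for item in spec.split(","):
        item = item.strip()
        if item[:2].upper() in ("T:", "U:"):
            protos = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:]
        if not item:
            continue
        rng = _expand(item)
        for proto in protos:
            ports[proto].update(rng)
    return ports


# Constructed excerpt in /etc/services format.
SERVICES_SAMPLE = """# constructed /etc/services excerpt
ssh             22/tcp
http            80/tcp
https           443/tcp
domain          53/udp
snmp            161/udp
"""


def ports_from_services(text):
    """Collect the port/protocol pairs named in an /etc/services-style file."""
    ports = {"tcp": set(), "udp": set()}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        ports[proto].add(int(port))
    return ports


if __name__ == "__main__":
    full = parse_port_spec("-")
    named = ports_from_services(SERVICES_SAMPLE)
    print("'-p-' covers %d TCP ports; the services file names %d"
          % (len(full["tcp"]), len(named["tcp"])))
    print(parse_port_spec("T:22,80,443,U:53,161"))
```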
What is a common but often overlooked security concern when dealing with outdated firmware on network equipment?
Persistent backdoor accounts left from legacy firmware iterations
Physical wear and tear potentially leading to device failure
Increased electrical consumption causing operational disruption
Limited vendor support to assist with technical issues
Backdoor accounts, which are sometimes left by manufacturers for maintenance purposes, may not be removed or secured over time, especially with outdated firmware that is no longer supported or updated. These can provide attackers with an easy entry point into the system. The other options could be symptoms of outdated equipment but do not inherently represent security-specific risks posed by outdated firmware or hardware as clearly as the issue of backdoor accounts.