CompTIA PenTest+ Exam Questions

Page 4 of 25

61.

Which of the following techniques should be used to create a covert channel to exfiltrate data?

  • Hiding data in encrypted web traffic

  • Using FTP to send file transfers

  • Creating an RDP session from the pentester's workstation

  • Encrypting the data with DES

Correct answer: Hiding data in encrypted web traffic

A common method for exfiltrating data involves hiding it in HTTPS traffic. This type of traffic would not be considered unusual, so it is unlikely to be blocked.

FTP is not considered a covert protocol.

RDP sessions are typically monitored and logged. 

DES is not a secure encryption algorithm and does not create a covert channel.

62.

You suspect that you have managed to compromise a virtual Windows machine during your pentesting actions. What method could you use to determine whether the machine is, in fact, virtual or physical?

  • Run the "wmic baseboard get manufacturer, product" command

  • Check the Windows version and determine if it's associated with virtualization

  • Run the "systemd-detect-virt" command

  • Check the network configuration and look for a VMnet identifier

Correct answer: Run the "wmic baseboard get manufacturer, product" command

This command provides the manufacturer and the product name of the machine's motherboard. On a virtual machine, these fields identify the virtualization platform instead of physical hardware.

The Windows version will not show whether the machine is virtualized. The "systemd-detect-virt" command is used on Linux to detect virtualization. VMnet identifiers are used with VMware products.

63.

You have identified your client's critical assets. One of the servers is presenting a login portal that is visible to the entire internet. The login form consists only of a username and password combination. According to the client, there is no way this critical asset can be moved to the intranet.

What could you suggest your client do to significantly reduce the risk of simple password guessing and brute-forcing of login credentials?

  • Implement two-factor authentication

  • Require higher password complexity

  • Use a WAF

  • Use CAPTCHA

Correct answer: Implement two-factor authentication

Two-factor authentication would add an additional layer of security. Usually, adding a simple token-based authentication will require not only knowledge of the password, but also physical access to the authenticator of the targeted account.

High password complexity could still be brute-forced. A WAF (web application firewall) would not necessarily prevent all attempts. Using CAPTCHA is a good way to lower the number of brute-force attempts, but it could also be brute-forced or tricked.

64.

A pentester is using a web browser to test the targeted web application. They would like the option to intercept their HTTP request before it hits the site and manipulate some of its parameters. 

Which tool can provide this functionality?

  • Burp Suite

  • Nikto

  • Nessus

  • Nmap

Correct answer: Burp Suite 

Burp Suite is a powerful tool that provides intercepting proxy functionality. It captures the HTTP request and allows it to be manipulated before it is forwarded to the site.

Nikto is a web application scanner but does not have intercepting proxy functionality. Nessus and Nmap are vulnerability scanners.

65.

Timestomping is a technique for doing what?

  • Covering tracks

  • Data exfiltration

  • SQL injection

  • Establishing persistence

Correct answer: Covering tracks

Timestomping is a method of modifying the creation, modification, and access times of files on a system in order to confuse the incident investigator. This is usually used by attackers to cover their tracks.

Data exfiltration is accomplished by techniques such as steganography. SQL injection is accomplished by passing SQL code in input. Establishing persistence is accomplished by techniques such as implementing backdoors.

66.

How do you maintain situational awareness during a penetration test?

  • Hold regular meetings with the client

  • Monitor the environment for drastic changes

  • Constantly scan targets for changes

  • Occasionally send queries to the client representatives

Correct answer: Hold regular meetings with the client

The reason for holding regular meetings with the client is to maintain situational awareness and be able to respond to any necessary changes in the client environment.

67.

On modern Linux machines, where are the user passwords stored?

  • /etc/shadow

  • /etc/users

  • /etc/passwd

  • /root/passwords

Correct answer: /etc/shadow

/etc/shadow is a text file that contains information about the system's users' passwords. It is owned by user root and group shadow.

/etc/passwd is a text file that contains the attributes of (i.e., basic information about) each user or account on a computer running Linux or another Unix-like operating system.

68.

A penetration tester is gathering information about a client and wants to fingerprint their network. One aspect they want to see is if their web applications are located on-premises or hosted in the cloud. 

Which tool can they use to track the path that data packets take until they reach the web applications?

  • traceroute

  • nslookup

  • nmap

  • ping

Correct answer: traceroute

The traceroute tool shows the path packets take to a remote host. This can give insights into the routers that an organization uses and where they are located based on the routers' IP addresses and hostnames.

The nslookup tool is used to translate between IP addresses and domain names. Nmap is used for enumerating networks. Ping is used to test network connectivity.

69.

At what risk level would you categorize a vulnerability with a CVSS v3 score between 9 and 10?

  • Critical

  • High

  • Informational

  • Low

Correct answer: Critical

According to CVSS v3, there are five categories of risk:

  • CVSS score between 9 and 10 - Critical
  • CVSS score between 7 and 8.9 - High
  • CVSS score between 4 and 6.9 - Medium
  • CVSS score between 0.1 and 3.9 - Low
  • CVSS score 0 - None

70.

You are looking for a small, lightweight tool that you can copy over to a compromised machine and use to scan the internal network. 

What would you pick?

  • Netcat

  • Nessus

  • OpenVAS

  • DirB

Correct answer: Netcat

Netcat (NC) is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. NC could be used for information gathering, scanning, and exploitation. Because of the various applications of NC, it is a preferred choice. You can easily deploy NC on the compromised machine with a wget command.

Once on the machine, scanning the internal network can be accomplished with the following for loop: 

for i in {1..254}; do nc -v -n -z -w 1 192.168.0.$i 443; done

The above command line will scan all hosts between 192.168.0.1 and 192.168.0.254 for open port 443. With "-z", you tell NC to scan only for listeners on the specified port without sending any data. "-n" disables DNS resolution, and "-w 1" sets a wait time (timeout) of 1 second.

OpenVAS and Nessus are full-blown vulnerability scanners. DirB is not a tool for network mapping.

71.

What is sudo?

  • Sudo stands for "super user do" and is used for elevating privileges

  • Sudo is a package management utility for adding, modifying, and removing Linux applications

  • Sudo is the default admin user on Linux machines

  • Sudo is an interactive script for adding, modifying, and removing user accounts

Correct answer: Sudo stands for "super user do" and is used for elevating privileges

Sudo is a program for Unix-like operating systems that allows administrators to delegate authority within the operating system to lower privileged user accounts.

72.

Before doing a penetration test, a pentester wants to gather information about the company's employees. Which of the following methods would be BEST for retrieving such information?

  • Social media scraping

  • Nmap scanning

  • Metasploit scanning modules

  • DNS zone transfers

Correct answer: Social media scraping

The majority of people use social media, which is publicly available. Social engineering techniques can trick people into giving away personal information.

Nmap is a port scanner tool. Metasploit is an attacking framework. Enough information is available online that there is no need to gain access to an internal database. DNS zone transfers give information about hostnames and mail servers.

73.

A pentester has found the public IP of the client's AP router. The device has a managing web interface, and they are able to log in using the following credentials: Admin:Admin

What sort of exploitation technique has been used?

  • Default credentials

  • Zero-day

  • Cleartext communications

  • Brute-force

Correct answer: Default credentials

Some systems run web-based applications and are configured with default credentials (e.g., admin/admin, admin/password), which make them easy targets for attacks. A pentester’s approach to accessing these devices over the network would be similar to the approach taken against a corporate IT system.

A zero-day is an attack against a vulnerability that the vendor has not yet patched. Cleartext communications involve sending unencrypted sensitive information over a network. A brute-force is an attack that tries all possible combinations of credentials.

74.

What will the following command achieve when executed on a machine that is a member of the AMS domain?

net group /domain:AMS

  • List groups on the AMS domain

  • Show current SMB shares

  • List users of the AMS domain

  • List hosts of the AMS domain

Correct answer: List groups on the AMS domain

Exploring Windows domains will be a lot easier if you are familiar with the Windows net commands.

The net share command shows current SMB shares. The net user /domain command lists users. The net view command lists hosts in the domain.

75.

With the following HTTP request, Emma is able to execute a file on the target host.

http://target.com/page.php?article=C:\www\temp\test.exe

What type of attack technique is she using?

  • Local file inclusion

  • Remote file inclusion

  • Directory traversal

  • SQL injection

Correct answer: Local file inclusion

There are two kinds of file inclusion: Local File Inclusion (LFI) and Remote File Inclusion (RFI). Local file inclusion includes files outside of the web root and renders the contents of local operating system files, such as the password file, to the browser window.

Remote file inclusion points to code on an external malicious site. Directory traversal allows an attacker to access files and directories outside of the web root folder. SQL injection involves sending malicious SQL code to a server.

76.

When sending a business card over Bluetooth, Kyle uses the connection to sneak a message into the transfer. 

What type of attack is this?

  • Bluejacking

  • Bluesnarfing

  • Bluesniffing

  • Bluebugging

Correct answer: Bluejacking

Bluejacking transmits data to a device without the user's knowledge. A typical way to carry out this type of attack is by sending an electronic business card via Bluetooth to an unsuspecting victim.

Bluesnarfing gives unauthorized access to a device, including files and contact information. Bluesniffing discovers devices and their communications. Bluebugging allows an attacker to control a Bluetooth-enabled device.

77.

A pentester is using a tool to follow all the links on a website to see which directories are accessible. What activity BEST describes what they are engaged in?

  • Crawling

  • Scraping

  • Scanning

  • Scoping

Correct answer: Crawling

Crawling involves using a tool to follow all the links in a website. By crawling the site, a tester can learn about the structure and organization of information stored on the servers. 

Scraping captures useful information off of web pages, such as email addresses and files. Scanning is used for enumerating systems, ports, or vulnerabilities. Scoping can refer to defining the targets of a pentest, or it can refer to finding the limitations of a token.

78.

Why do penetration testers usually end up conducting dynamic code analysis rather than static code analysis?

  • Because pentesters are rarely provided with the source code

  • Because static analysis is always done manually instead of through the use of tools

  • Because dynamic analysis is faster

  • Because static analysis might produce false-positive results

Correct answer: Because pentesters are rarely provided with the source code

Penetration testers are much more likely to find themselves able to conduct dynamic analysis of code rather than static analysis because the terms of penetration-testing SOWs often restrict access to source code.

79.

A pentester is looking for a standard that gives information about the types of questions a pentester should ask their client, as well as how to handle third parties. 

Which standard should they consult for this?

  • PTES

  • MITRE ATT&CK

  • ISSAF

  • OWASP

Correct answer: PTES

The Penetration Testing Execution Standard (PTES) gives information about attack types and methods, as well as tools needed for testing methods. Furthermore, it covers pre-engagement interactions, such as what questions to ask clients and how to work with third parties.

MITRE ATT&CK is a knowledge base of adversarial tactics and techniques. The Information System Security Assessment Framework (ISSAF) provides a general framework for information security. The Open Web Application Security Project (OWASP) focuses on web application security.

80.

Simply by walking slowly through the workstation area and looking at people's keyboards, you have managed to see at least two user-password combinations.

What method of attack did you use?

  • Shoulder surfing

  • Piggybacking

  • Badge cloning

  • Dumpster diving

Correct answer: Shoulder surfing

Shoulder surfing is an observation technique where an attacker pretends to do something else while, instead, observing what a target is doing, such as typing in a password.

Piggybacking involves entering a restricted area by asking an authorized user. Badge cloning involves duplicating access cards. Dumpster diving involves searching through trash for sensitive information.