CompTIA PenTest+ Exam Questions

Page 5 of 25

81.

An attacker is attempting to crack, offline, password hashes they obtained during their pentest. They plan to use a precomputed list of passwords in order to speed up the process. 

What type of password cracking attack are they attempting?

  • Rainbow tables

  • Dictionary attack

  • Pass the hash

  • Birthday

Correct answer: Rainbow tables

Rainbow tables are precomputed chains of hash and "reduction" operations over a chosen keyspace and hash algorithm. Only the start and end of each chain is stored, so the table trades a large one-time computation (and a lot of storage) for much faster lookups later: instead of hashing every candidate again, the cracker reduces the target hash forward to a chain endpoint and regenerates only that chain. They work only against unsalted hashes; a per-user salt would require a separate table for every salt value.

Dictionary attacks hash each word of a wordlist at crack time rather than using precomputed values. A pass the hash attack tries to authenticate by presenting a user's hashed password rather than the plaintext password. A birthday attack looks for collisions where two different inputs produce the same hash output.
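To make the chain/endpoint idea concrete, here is an added example that is not part of the original question set: a toy rainbow table over the keyspace of 4-digit PINs hashed with MD5. The keyspace, chain length, reduction function and start points are all assumptions chosen to keep the table small; a real table would cover a much larger keyspace with far longer chains.

```python
import hashlib

KEYSPACE = 10_000   # assumed toy keyspace: every 4-digit numeric PIN
CHAIN_LEN = 20      # assumed number of hash/reduce steps per chain


def H(password: str) -> bytes:
    """The hash the table is built for (unsalted MD5 here, for the toy)."""
    return hashlib.md5(password.encode()).digest()


def R(digest: bytes, position: int) -> str:
    """Reduction function: maps a digest back to *some* password in the keyspace.
    Mixing in the chain position means two chains that collide at different
    positions do not merge from then on (the 'rainbow' colouring)."""
    return f"{(int.from_bytes(digest[:8], 'big') + position) % KEYSPACE:04d}"


def build_table(start_points, chain_len=CHAIN_LEN):
    """Precomputation: walk each chain and keep only endpoint -> start point(s)."""
    table = {}
    for start in start_points:
        p = start
        for i in range(chain_len):
            p = R(H(p), i)
        # Several chains may end at the same point; keep every start so that a
        # merged chain cannot hide a password covered by another chain.
        table.setdefault(p, []).append(start)
    return table


def lookup(table, target: bytes, chain_len=CHAIN_LEN):
    """Return the preimage of `target` if some stored chain covers it, else None."""
    # Assume the target hash sits at position j of a chain, finish the chain from
    # there, and check whether the endpoint is one we stored.
    for j in range(chain_len - 1, -1, -1):
        p = R(target, j)
        for i in range(j + 1, chain_len):
            p = R(H(p), i)
        for start in table.get(p, ()):
            # Regenerate the chain from its start. A matching endpoint can be a
            # false alarm (chain merge); in that case the hash is simply not found.
            cand = start
            for i in range(chain_len):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), i)
    return None


if __name__ == "__main__":
    table = build_table(f"{i:04d}" for i in range(0, KEYSPACE, 50))
    print(lookup(table, H("0350")))          # covered by the table
    print(lookup(table, H("s4lt:0350")))     # a salted hash is outside the keyspace
</```

The last lookup illustrates the caveat in the explanation: once a salt is mixed into the hashed value, the precomputed chains no longer apply and the lookup fails.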

82.

What information will the following command provide?

wmic service get name,displayname,pathname

  • It will list all services with their name, display name, and executable location

  • It will list all scheduled tasks

  • It will start the WMIC service with a specific name and path

  • It will run a service named display name in a specific path

Correct answer: It will list all services with their name, display name, and executable location

WMIC provides a command-line interface for Windows Management Instrumentation (WMI). Standard users usually cannot reconfigure services, but they can enumerate them, and that is enough to look for services whose executable path is unquoted and contains spaces (an "unquoted service path"). If a low-privileged user can write to one of the intermediate directories, they can plant a binary that the Service Control Manager will execute with the service's privileges, often SYSTEM, when the service starts.
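As an added example (not from the original page), the following script parses WMIC service output and flags unquoted paths with spaces, listing the hijack locations Windows would try first. It assumes the CSV variant of the command, 'wmic service get name,displayname,pathname /format:csv', and the sample output is constructed for the example.

```python
import csv
import io

# Constructed sample of `wmic service get name,displayname,pathname /format:csv`
# output (real wmic output starts with a blank line and uses CRLF; we strip it).
SAMPLE_WMIC_CSV = r'''
Node,DisplayName,Name,PathName
HOST1,Vendor Agent,VendorAgent,"""C:\Program Files\Vendor\agent.exe"" --service"
HOST1,Acme Updater,AcmeUpdater,C:\Program Files\Acme Tools\updater.exe -run
HOST1,Windows Time,W32Time,C:\Windows\system32\svchost.exe -k LocalService
HOST1,Tools Service,ToolsSvc,C:\Tools\svc.exe
'''


def executable_from_command(path_name: str) -> str:
    """Executable part of an unquoted ImagePath: everything up to and including '.exe'."""
    idx = path_name.lower().find(".exe")
    return path_name if idx == -1 else path_name[: idx + 4]


def hijack_candidates(exe_path: str) -> list:
    """Paths the SCM tries before the real binary when the path is unquoted:
    'C:\\Program Files\\A B\\x.exe' -> ['C:\\Program.exe', 'C:\\Program Files\\A.exe']."""
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def is_unquoted_path_candidate(path_name: str) -> bool:
    p = path_name.strip()
    if not p or p.startswith('"'):
        return False                      # quoted paths are safe
    exe = executable_from_command(p)
    if " " not in exe:
        return False                      # no space, nothing to hijack
    # Paths under the Windows directory are not writable by standard users, so
    # skip them. This is a prefix heuristic; a real check inspects the ACLs of
    # each intermediate directory (e.g. with icacls).
    return not exe.lower().startswith("c:\\windows\\")


def find_unquoted_service_paths(wmic_csv: str) -> list:
    """Return [{name, path, candidates}] for every service with an exploitable-looking path."""
    findings = []
    for row in csv.DictReader(io.StringIO(wmic_csv.strip())):
        path_name = (row.get("PathName") or "").strip()
        if is_unquoted_path_candidate(path_name):
            exe = executable_from_command(path_name)
            findings.append({"name": row["Name"], "path": exe,
                             "candidates": hijack_candidates(exe)})
    return findings


if __name__ == "__main__":
    for f in find_unquoted_service_paths(SAMPLE_WMIC_CSV):
        print(f["name"], f["path"], f["candidates"])
```

The candidate list is what you then test for write access; without a writable intermediate directory the unquoted path is a finding, but not a privilege escalation.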

83.

On an open relay SMTP server, how would the VRFY command be used to aid an attack?

  • The VRFY command could be used for user enumeration

  • The VRFY command could be exploited for privilege escalation

  • The VRFY command could be used in password-guessing attacks

  • The VRFY command could be used to sign emails with company certificates

Correct answer: The VRFY command could be used for user enumeration

After you connect with Netcat or Telnet (for example, 'nc mail.example.com 25') and send HELO, issue the VRFY command with a candidate account name, such as 'VRFY root'. A 250 (or 251) reply confirms the mailbox exists, a 550/551/553 reply means it does not, and a 252 reply means the server refuses to confirm either way. VRFY asks the server about a single address; EXPN asks for the membership of a mailing list and, if the command is permitted, the server returns each subscriber. Caveat: many MTAs ship with VRFY disabled (reply 500 or 502) or answer 252 for every name, so check the reply for a name that cannot exist before trusting the results; the reply to RCPT TO during a normal transaction is the usual fallback for enumeration.
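The probe loop described above, as an added example that is not part of the original page. The reply-code classification follows RFC 5321; the calibration step catches servers that answer the same way for every name. The live transport function is included for completeness but is not exercised here; the FakeSmtpServer class and its user list are constructed stand-ins so the example runs offline.

```python
import socket

# What an SMTP reply code to VRFY tells the tester (RFC 5321 reply semantics).
VRFY_VERDICT = {
    "250": "exists",
    "251": "exists",          # non-local address, server would forward it
    "252": "unverifiable",    # server will not confirm either way
    "550": "unknown",
    "551": "unknown",
    "553": "unknown",
    "500": "disabled",
    "502": "disabled",
}


def classify_vrfy_reply(reply: str) -> str:
    return VRFY_VERDICT.get(reply[:3], "unexpected")


def vrfy_is_informative(send) -> bool:
    """Calibrate before enumerating: if a name that cannot exist is reported as
    'exists' or 'unverifiable', VRFY is not leaking anything on this server."""
    return classify_vrfy_reply(send("VRFY zq7v3x9kprobe")) == "unknown"


def enumerate_users(send, candidates):
    """Probe each candidate with VRFY; stop early if the command is disabled."""
    results = {}
    for user in candidates:
        verdict = classify_vrfy_reply(send(f"VRFY {user}"))
        if verdict == "disabled":
            break                     # further probes are pointless; try RCPT TO instead
        results[user] = verdict
    return results


def smtp_transport(host: str, port: int = 25, timeout: float = 5.0):
    """Build a send() callable against a live MTA (not run in this offline example).
    HELO is used rather than EHLO so every reply is a single line."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rw", newline="")
    f.readline()                                   # 220 banner
    f.write("HELO probe.example\r\n")
    f.flush()
    f.readline()                                   # 250 greeting

    def send(command: str) -> str:
        f.write(command + "\r\n")
        f.flush()
        return f.readline().rstrip("\r\n")

    return send


class FakeSmtpServer:
    """Constructed stand-in for a live MTA with VRFY enabled."""

    def __init__(self, users):
        self.users = set(users)

    def send(self, command: str) -> str:
        verb, _, arg = command.partition(" ")
        if verb != "VRFY":
            return "502 5.5.2 Command not implemented"
        if arg in self.users:
            return f"250 2.1.5 {arg} <{arg}@mail.example.internal>"
        return f"550 5.1.1 {arg}... User unknown"


if __name__ == "__main__":
    fake = FakeSmtpServer({"root", "postmaster"})
    if vrfy_is_informative(fake.send):
        print(enumerate_users(fake.send, ["root", "alice", "postmaster"]))
```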

84.

You are preparing an Nmap scan. You need the results to be both in XML (so you can import them in another tool) and in a grepable format (so you can quickly walk through the results using grep and focus on specific services). 

Which flag in Nmap could produce the final results in both XML and grepable formats?

  • -oA

  • -oX

  • -oG

  • -oN

Correct answer: -oA

Nmap can write its results in several formats, and you often need more than one from the same scan. Rather than running the scan twice, use -oA <basename>, which writes the normal (.nmap), XML (.xml) and grepable (.gnmap) outputs in a single run.

The -oX flag outputs XML only. The -oG flag outputs only the grepable format. The -oN flag outputs only the normal, human-readable format.
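As an added example (not part of the original page), here is a small parser for the .gnmap file that -oA produces, doing in code what you would otherwise do with grep (for example 'grep -E "Ports:.*/http/" internal.gnmap'). The scan output below is constructed; the host names, addresses and versions are invented for the example. In the grepable format each host line has tab-separated fields, and each port entry has seven slash-separated fields: port/state/protocol/owner/service/rpc/version/.

```python
# Constructed .gnmap content; fields on a host line are separated by tabs.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated Mon Jan  8 10:00:00 2024 as: nmap -sV -oA internal 10.0.0.0/29
Host: 10.0.0.5 (web.corp.internal)\tStatus: Up
Host: 10.0.0.5 (web.corp.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done at Mon Jan  8 10:02:13 2024 -- 8 IP addresses (2 hosts up) scanned in 133.10 seconds
"""


def parse_gnmap(text: str) -> list:
    """Return one record per port entry: ip, hostname, port, state, proto, service, version."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                  # comments and blank lines
        fields = line.split("\t")
        ip, _, rest = fields[0][len("Host: "):].partition(" ")
        hostname = rest.strip("() ")
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                              # 'Status:' lines carry no ports
            for entry in field[len("Ports: "):].split(", "):
                parts = (entry.split("/") + [""] * 8)[:8]   # pad defensively
                records.append({
                    "ip": ip, "hostname": hostname,
                    "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                    "service": parts[4], "version": parts[6],
                })
    return records


def open_ports_by_service(records: list, service: str) -> list:
    """(ip, port) pairs where the named service is open."""
    return [(r["ip"], r["port"]) for r in records
            if r["state"] == "open" and r["service"] == service]


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    print(open_ports_by_service(recs, "http"))
    print(open_ports_by_service(recs, "microsoft-ds"))
```

Nmap escapes any "/" inside a version string in grepable output, so splitting entries on "/" is safe; the XML file remains the better source for anything more structured than a port-and-service list.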

85.

Which of the following refers to the act of hiding information in image files or other large binary files?

  • Steganography

  • Fuzzing

  • Exfiltration

  • Watermarking

Correct answer: Steganography 

Steganography is the art of hiding information in plain sight, such as within image files or other large binary files. OpenStego and Steghide are two examples of steganography tools. 

Fuzzing involves sending random data to an application to see how it responds. Exfiltration involves taking data without authorization. Watermarking involves embedding information in an image to verify authenticity or for tracking purposes.
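To show the mechanism behind image steganography, here is an added example that is not from the original page: least-significant-bit (LSB) embedding, the simplest technique tools in this family use. The "cover" is a constructed byte string standing in for raw 8-bit pixel samples (a real tool would read them from an image file, and tools such as Steghide also compress and encrypt the payload first). The payload is prefixed with a 4-byte length so that extraction knows where to stop.

```python
def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _bytes_from_lsbs(samples: bytes) -> bytes:
    """Rebuild bytes from the least-significant bits of consecutive samples."""
    out = bytearray()
    for i in range(0, len(samples) - 7, 8):
        value = 0
        for s in samples[i:i + 8]:
            value = (value << 1) | (s & 1)
        out.append(value)
    return bytes(out)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide `payload` in the LSB of each cover sample; each sample changes by at most 1."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the 4-byte length header, then that many payload bytes."""
    length = int.from_bytes(_bytes_from_lsbs(stego[:32]), "big")
    return _bytes_from_lsbs(stego[32:32 + length * 8])


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference introduced by embedding (1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed stand-in for 4096 raw 8-bit pixel samples.
COVER = bytes((i * 37) % 256 for i in range(4096))

if __name__ == "__main__":
    stego = embed(COVER, b"meet at 0900")
    print(extract(stego), max_sample_change(COVER, stego))
```

Because every sample moves by at most one level, the change is invisible to the eye; it is not invisible to statistical analysis, which is why steganalysis tools look at LSB distributions rather than at the picture.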

86.

In your recommendation, you suggest that the developers sanitize user input to mitigate the vulnerability you have found. 

Which vulnerability would be mitigated with that suggestion?

  • SQL injection

  • Password sent in clear text

  • Hardcoded credentials

  • Unnecessary open ports

Correct answer: SQL injection

In a SQL injection, user input that is concatenated directly into a query can change the query's structure. In a login form, a username such as admin' -- closes the string literal and comments out the password check, so the database returns a row and authentication proceeds without the correct password. Sanitizing (validating) input reduces the attack surface, but the robust fix is to use parameterized queries (prepared statements) so that user input is never interpreted as SQL; input validation then acts as defence in depth.

Clear text passwords should be mitigated with encrypted transport and salted, slow hashing at rest. Hardcoded credentials can be mitigated with solutions such as secrets management and environment variables. Unnecessary open ports can be mitigated with system hardening techniques.
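The vulnerable login beside its fixed form, as an added example that is not part of the original page. It uses an in-memory SQLite database with one constructed account; the SHA-256 password hash is for demonstration only (production systems use a slow, salted scheme such as bcrypt or Argon2), and the allow-list username check illustrates the "sanitize input" recommendation as defence in depth alongside the parameterized query.

```python
import hashlib
import re
import sqlite3


def password_hash(password: str) -> str:
    # Demonstration only; real password storage uses bcrypt/scrypt/Argon2 with a salt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 ("admin", password_hash("correct horse battery staple")))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """User input is pasted into the SQL text, so it can rewrite the query."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash(password)}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterized query: the driver passes the input as data, never as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash(password))).fetchone() is not None


USERNAME_RE = re.compile(r"[a-z0-9._-]{1,32}")


def is_valid_username(username: str) -> bool:
    """Allow-list validation: useful defence in depth, not a substitute for parameters."""
    return USERNAME_RE.fullmatch(username) is not None


# Closes the string literal and turns the password check into a SQL comment.
INJECTED_USERNAME = "admin' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, INJECTED_USERNAME, "wrong"))   # True
    print("safe:      ", login_safe(conn, INJECTED_USERNAME, "wrong"))         # False
    print("valid name:", is_valid_username(INJECTED_USERNAME))                 # False
```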

87.

When scanning a scope of IP addresses, you want to visualize the results so you can better understand where you can pivot in order to avoid security controls. 

What can you do to accomplish this task?

  • Generate a network topology

  • Divide the network into subnets and try to identify where the security controls are

  • There is no need to pivot when you have scope

  • Use brute force to identify security controls

Correct answer: Generate a network topology

A network topology would help you to visualize the hosts and give you a good understanding of the infrastructure.

Simply dividing the network into subnets does not reveal where the security controls sit. Pivoting is still needed to reach segments that are in scope but not directly reachable from the tester's current position. Brute-forcing controls is noisy, and the controls are most likely to block the source of the attack.

88.

An attacker has gained access to a corporate Wi-Fi network. They are using Kali Linux and are going to execute an on-path attack. 

Which of the following is the BEST choice to execute this attack?

  • Ettercap

  • Nmap

  • Nikto

  • Nessus

Correct answer: Ettercap

Ettercap is a free and open source network security tool for on-path attacks. It can be used for network protocol analysis and security auditing, and runs on various Unix-like operating systems and on Windows. It places the attacker on-path with techniques such as ARP poisoning, then offers sniffing of live connections, on-the-fly content filtering, and active and passive dissection of many protocols, along with other features for network and host analysis.

Nmap, Nikto, and Nessus are scanning tools.

89.

A pentester is conducting a pentest. One of their objectives is to attack the company supply chain. During the OSINT phase, the tester is able to identify third-party resources involved in the supply chain. Those resources are not listed in the scope of testing, but they are part of the supply chain and therefore part of the objectives. 

How should they handle the third-party resources?

  • They should only test in-scope resources and completely exclude any other assets from testing.

  • They should test the third-party resources as long as the tests are not intrusive.

  • If the supply chain is in the objectives, then they should test everything related to it.

  • They should contact the client and ask for permission to test the third-party resources.

Correct answer: They should only test in-scope resources and completely exclude any other assets from testing.

Third-party assets are owned by another organization, and the client cannot grant permission on that organization's behalf. Unless the third party has explicitly authorized the testing in writing, those assets must not be attacked, regardless of the engagement's objectives.

90.

A pentester is preparing for a pentest, but the client is using NAC, which would prevent most, if not all, of the pentester's packets during testing. 

What can be done to enable the testing?

  • The client can make a security exception in the NAC

  • The pentester can test outside of office hours

  • The client can disable the firewall

  • Devices behind the firewall can be excluded from the testing scope

Correct answer: The client can make a security exception in the NAC

Sometimes, a security exception at the network layer is needed to enable a pentester to complete their tests. Network access control (NAC) is a solution for preventing unauthorized devices from connecting to a network.

An exception will be easier and safer to implement than the other answer choices.

91.

You are running a vulnerability scan using QualysGuard, and your scanning time matches the working hours of the targeted sector. You have been asked to limit the impact of the scan to minimize impact on the company's work.

What could you do to lower the impact and still perform the scan?

  • Set up the scanning parameters for "Port Scanning and Host Discovery" intensity to "Low"

  • Throttle QualysGuard scanner connection to limit its bandwidth

  • Put up a firewall that would limit the scanning impact

  • You shouldn't be concerned with the company's work impact, and you should run the scan with the default setup

Correct answer: Set up the scanning parameters for "Port Scanning and Host Discovery" intensity to "Low"

QualysGuard is a web-based vulnerability management platform that offers network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. Most enterprise scanners, and the commercial ones in particular, allow fine-tuning of the scan profile: lowering the port-scanning and host-discovery intensity, limiting parallel hosts and connections, or scheduling the scan in a maintenance window, so that the scan does not saturate the company's bandwidth or overload fragile hosts.

92.

What are tools such as ScoutSuite and Pacu used for?

  • Auditing cloud security

  • OSINT

  • Credentials testing

  • Scanning

Correct answer: Auditing cloud security

ScoutSuite is an open-source multi-cloud auditing tool. Pacu is an AWS-specific exploitation framework.

OSINT tools include WHOIS and Nslookup.

Credentials testing tools include Hashcat and Medusa. 

Scanning tools include Nikto and OpenVAS.

93.

You managed to position your machine in the client's internal network. What tool could you use to capture NTLMv2 hashes?

  • Ettercap

  • Aircrack-ng

  • Nessus

  • Reaver

Correct answer: Ettercap

Ettercap is a free and open-source network security tool for on-path (previously referred to as man-in-the-middle or MITM) attacks on a LAN. It uses ARP poisoning to route traffic through the tester's machine, then sniffs and dissects the protocols passing through, which is how NTLMv2 challenge/response pairs can be captured for offline cracking. It runs on various Unix-like operating systems, including Linux, macOS, BSD and Solaris, and on Microsoft Windows. In practice, dedicated tools such as Responder or Inveigh, which poison LLMNR/NBT-NS name resolution and answer with rogue SMB and HTTP listeners, are the more common way to collect NTLMv2 hashes, but they are not among the options here.

Aircrack-ng focuses on the security of wireless networks. Nessus is a vulnerability scanner. Reaver is used to exploit WPS.

94.

You are preparing to use Recon-ng for reconnaissance. You have installed the module you need with the 'marketplace install' command. 

Which command do you need to run before you can run a query in the module?

  • modules load

  • info

  • options set

  • marketplace refresh

Correct answer: modules load

After installing a module from the marketplace, it must be loaded with 'modules load <module>'. Once loaded, 'info' shows the module's options, 'options set <name> <value>' configures them (for example the SOURCE option), and 'run' executes the query.

The 'info' command only displays module options. The 'options set' command changes options but does nothing until a module is loaded. The 'marketplace refresh' command refreshes the module index from the marketplace.

95.

When preparing for a pentest, which document defines terms such as the project timeline, the deliverables, the payment schedule, and any miscellaneous items that could become issues?

  • SoW

  • RoE

  • MSA

  • NDA

Correct answer: SoW

The Statement of Work (SOW) usually contains the following main topics:

  • Purpose
  • Scope of work
  • Location of work
  • Period of performance 
  • Deliverable schedule
  • Applicable industry standards 
  • Acceptance criteria 
  • Special requirements
  • Payment schedule

The rules of engagement (RoE) defines boundaries, conditions, and constraints of a penetration test. A master service agreement (MSA) is used to define terms for future work. A non-disclosure agreement (NDA) is used to ensure that any information learned is kept confidential.

96.

A pentester would like to capture the traffic they are generating and would like to analyze it later. What tool could be used for both actions?

  • Wireshark

  • Arpspoof

  • Nessus

  • Burp Suite

Correct answer: Wireshark

Packet capture has another major use during penetration tests: documentation. One of the most powerful tools for capturing traffic and, at the same time, using it for packet analysis is Wireshark. During testing, pentesters attempt to capture most, if not all, of the traffic associated with their penetration testing efforts. If something goes wrong, the logged traffic can be used to document what occurred and when. Packet captures can also be useful if you think you missed something or cannot get a response to reoccur. Because of its intuitive interface, Wireshark can easily be used to review the traffic and find any possible issues.

Arpspoof is used for ARP spoofing attacks. Nessus is a vulnerability scanner. Burp Suite is a web application testing proxy and scanner; it intercepts HTTP traffic but is not a general packet-capture tool.

97.

Which document includes a payment schedule for the penetration test?

  • SOW

  • RoE

  • Target list

  • NDA

Correct answer: SOW

The statement of work (SOW) is a document that defines what deliverables will be created, the timeline for the work to be completed, the price of the work, and any additional terms and conditions.

A rules of engagement (RoE) describes in detail the plan for the test. The target list is the scope of the test. A non-disclosure agreement (NDA) ensures that information that the tester receives is not shared with other parties.

98.

Similar to RDP and VNC services on Windows, Linux, and macOS, Apple Remote Desktop is remote management software. 

Which port does it usually listen to?

  • 3283/tcp

  • 443/tcp

  • 3389/tcp

  • 22/tcp

Correct answer: 3283/tcp

Apple Remote Desktop (ARD) is used to manage and control Macs over a network. Its management and reporting traffic uses port 3283 (TCP and UDP), and its screen-sharing component uses the VNC port, 5900/tcp. Best practices should be followed to ensure that ARD is secured.

Port 443/tcp is associated with HTTPS. Port 3389/tcp is reserved for Windows Remote Desktop service. Port 22/tcp is the standard SSH port.

99.

Of the following tools, which can be used to visualize Active Directory objects and permissions?

  • Bloodhound

  • Metasploit

  • Nessus

  • Qualys

Correct answer: Bloodhound

BloodHound visualizes Active Directory objects, permissions and the attack paths between them (for example, which group memberships or ACL rights lead to Domain Admins). It cannot collect the data by itself: a collector such as SharpHound (or the Python-based BloodHound.py) must first gather session, group and ACL information from the domain, and the resulting data is then imported into BloodHound.

Metasploit is one of the most popular frameworks for exploitation. Nessus and Qualys are both vulnerability scanners.

100.

Which of the following could be considered an indicator of a previous compromise and would be a reason to urgently notify the client rather than waiting until the final report?

  • A cron job running a file from the /tmp folder

  • Multiple user accounts on the system

  • Traces of the psexec command in the event logs

  • The presence of Sysinternals tools in the home folder of the admin

Correct answer: A cron job running a file from the /tmp folder

The /tmp directory is world-writable and is typically empty on a clean system, so a scheduled job that executes a file from it is a common persistence mechanism for malware and a likely indicator of a prior compromise. It should be brought to the customer's attention immediately rather than held for the final report.

Having multiple user accounts is fairly common and likely benign. Use of the psexec command could be related to legitimate admin work. Sysinternal tools are quite often used by Windows admins.
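A check for this indicator, as an added example that is not part of the original question set: it parses crontab lines (both the system-wide /etc/crontab layout with a user field and the per-user layout without one) and flags entries whose command references a world-writable temporary directory. The crontab content below is constructed for the example; the set of suspicious directories is an assumption and can be extended.

```python
# Directories that are world-writable on a typical Linux host (assumed list).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed /etc/crontab content mixing benign and suspicious entries.
SAMPLE_SYSTEM_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /tmp/.X11-unix/.cache/update.sh >/dev/null 2>&1
@reboot         www-data /bin/bash /dev/shm/.s
0 3     * * 0   backup  /usr/local/bin/backup.sh --dest /mnt/backup
"""


def parse_crontab(text: str, system_wide: bool = False) -> list:
    """Return [{schedule, user, command}] for each job line.
    system_wide=True expects the /etc/crontab layout (a user field after the schedule)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if "=" in tokens[0]:
            continue                                    # environment assignment (SHELL=, PATH=, ...)
        n_sched = 1 if tokens[0].startswith("@") else 5  # @reboot/@daily vs five time fields
        schedule = " ".join(tokens[:n_sched])
        rest = tokens[n_sched:]
        user = None
        if system_wide and rest:
            user, rest = rest[0], rest[1:]
        entries.append({"schedule": schedule, "user": user, "command": " ".join(rest)})
    return entries


def suspicious_cron_entries(text: str, system_wide: bool = False) -> list:
    """Entries whose command executes or references a file under a world-writable directory."""
    flagged = []
    for entry in parse_crontab(text, system_wide):
        for token in entry["command"].split():
            token = token.strip("\"'")
            if token.startswith(SUSPICIOUS_PREFIXES):
                flagged.append({**entry, "reason": f"references {token}"})
                break
    return flagged


if __name__ == "__main__":
    for e in suspicious_cron_entries(SAMPLE_SYSTEM_CRONTAB, system_wide=True):
        print(e["user"], e["schedule"], e["command"], "->", e["reason"])
```

On a live host the same function would be run over /etc/crontab, the files in /etc/cron.d, and each user's crontab ('crontab -l -u <user>'); a hit is worth reporting right away, together with the hash and timestamps of the referenced file.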