CompTIA PenTest+ Exam Questions
Page 6 of 25
101.
Your client was hacked just one month following a penetration test you conducted. It is a vulnerability newly presented due to a software update.
How can you BEST ensure that you are not held liable for this breach?
- Include disclaimers in the agreement and final report
- Apologize for not being able to detect the vulnerability earlier
- Inform the client that you are not accountable for third-party breaches
- Do nothing; once a penetration test is completed, pentesters cannot be held liable for any breaches
Correct answer: Include disclaimers in the agreement and final report
Disclaimers are usually placed in the testing agreement and the final report. They state that the list of vulnerabilities and findings presents the security state of the environment at the time of testing and is valid only for that point in time.
102.
What is a pentester doing with the following command?
aws s3 ls s3://my-bucket/
- Listing object storage
- Retrieving a bucket policy
- Downloading a file
- Creating a bucket
Correct answer: Listing object storage
Command-line tools can be used to analyze object storage in the cloud. The ls command with AWS works similarly to the ls command in Linux.
Retrieving a bucket policy can be accomplished with the get-bucket-policy command. Downloading a file can be accomplished with the cp command. Creating a bucket can be accomplished with the create-bucket command.
103.
You need to scan all ports from 512 to 2000 on a targeted host. Using Nmap, which flag do you need to use to specify the port range?
- -p 512-2000
- -p 512:2000
- -Pn 512-2000
- -Pn 512:2000
Correct answer: -p 512-2000
The -p flag in Nmap is used to specify ports for scanning. To scan all ports from 512 to 2000, put a "-" between the starting and the ending numbers. Ports can also be listed using commas. For example, "nmap -p 21,22,25,80 <host>" will scan only ports 21, 22, 25, and 80 and skip everything else.
The -Pn flag is used to disable ping.
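The range and comma forms of the -p argument described above are easy to mis-type, and a script that wraps Nmap usually wants to validate or expand them first. The following parser is an added example (not from this question set or from Nmap itself); it expands a port specification into a sorted list of ports and rejects values outside 0–65535. Treating an omitted range end as 1 or 65535 (so "-" alone means every port, as Nmap's -p- does) is an assumption made here.

```python
def parse_port_spec(spec, lo_default=1, hi_default=65535):
    """Expand an Nmap-style -p argument such as '512-2000' or '21,22,25,80'
    into a sorted list of unique port numbers.

    Assumption (modelled on Nmap's -p- behaviour): an omitted range start
    means lo_default and an omitted range end means hi_default.
    """
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty port entry in specification")
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start = int(start_s) if start_s else lo_default
            end = int(end_s) if end_s else hi_default
        else:
            start = end = int(item)
        # Reject reversed ranges and anything outside the TCP/UDP port space.
        if not (0 <= start <= end <= 65535):
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(start, end + 1))
    return sorted(ports)


def describe(spec):
    """Human-readable summary: how many ports a specification expands to."""
    ports = parse_port_spec(spec)
    return f"{spec!r} -> {len(ports)} ports ({ports[0]}..{ports[-1]})"


if __name__ == "__main__":
    for spec in ("512-2000", "21,22,25,80", "80,20-22", "-"):
        print(describe(spec))
```

The parser accepts the two forms from the explanation (a dash range and a comma list) as well as a mix of both; a bad entry such as a port above 65535 raises a ValueError instead of silently producing a wrong scan.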
104.
A pentester performs a scan and discovers systems running SSH servers. Which Bash command can they use as a basis for a script to automate the next step to brute force attack the SSH servers?
- hydra -l admin -P passwords.txt ssh://192.168.1.10
- ssh admin@192.168.1.10 -P passwords.txt
- nmap -p 22 --script ssh-brute 192.168.1.10
- hashcat -m 0 ssh://192.168.1.10 wordlist.txt
Correct answer: hydra -l admin -P passwords.txt ssh://192.168.1.10
Hydra is a tool for automating SSH brute force attacks. By looping through the results of a scan, a pentester can automate a brute force attack. For example, they can use:
#!/bin/bash
targets=("192.168.1.10" "192.168.1.11" "192.168.1.12")
username="admin"
password_list="passwords.txt"
for target in "${targets[@]}"; do
  echo "Brute force on $target"
  hydra -l "$username" -P "$password_list" "ssh://$target"
done
The ssh command with the -P flag does not perform a brute force attack.
Nmap is not as optimized as Hydra for brute-forcing.
Hashcat cracks passwords from a local file.
105.
What is the CVSS used for?
- To determine the severity of a vulnerability
- To describe how attackers exploit a vulnerability
- To catalog instances of data breaches
- To enumerate common software vulnerabilities
Correct answer: To determine the severity of a vulnerability
CVSS stands for Common Vulnerability Scoring System. This system is used to provide metrics that can be used to determine the impact and severity of a vulnerability to the environment of the organization. Things that are considered when assigning a CVSS score are exploitation difficulty, impact on data integrity, etc.
CAPEC describes how attackers exploit a vulnerability. Several third-party websites keep track of data breaches. The CWE is used to enumerate common software vulnerabilities.
106.
Which of the following is a technique that relies on requesting service tickets for service account principal names (SPNs)?
- Kerberoasting
- ARP poisoning
- On-path
- NTLM replay attack
Correct answer: Kerberoasting
Service accounts are accounts that run services rather than allow a user to log in. Compromising a service account can often provide long-term access to a system, as service account passwords usually do not expire. Kerberoasting is a technique that relies on requesting service tickets for service account principal names (SPNs). The tickets are encrypted with the password for the service account associated with the SPN. Once the service tickets have been extracted using a tool like Mimikatz, the tickets can be cracked to obtain the service account password using a password cracking tool.
ARP poisoning involves sending false ARP messages on a network. On-path attacks involve capturing and modifying traffic between two systems. An NTLM replay attack captures a hashed password to gain access.
107.
A web development company is using Ruby on Rails to develop a website. There are concerns that attackers are able to predict session IDs.
What tool can they use to statically analyze the Ruby code for the site?
- Brakeman
- Scout Suite
- Spooftooph
- Fern
Correct answer: Brakeman
Brakeman is a static code analyzer specifically for Ruby on Rails. Static code analysis (sometimes called source code analysis) is conducted by reviewing the code for an application. Since static analysis uses the source code for an application, it can be seen as a type of known environment testing with full visibility by the testers.
Scout Suite is a multi-cloud security auditing tool. Spooftooph is used to impersonate Bluetooth devices. Fern is an interface for network reconnaissance and information gathering.
108.
What type of documentation is MOST useful for a penetration test that targets web application servers?
- API
- DNS
- IP ranges
- Network diagrams
Correct answer: API
API requests make up most of a web application's behaviour, so API documentation is the most helpful for a web-based pentest. An example of such documentation is a list of API calls compiled by the developers.
DNS, IP ranges, and network diagrams are useful with tests that have a larger scope.
109.
What is the biggest advantage that an attacker can gain when they discover an open mail relay SMTP service?
- You could use the service in a phishing campaign
- SMTP exploitation could lead to remote code execution
- You could exploit the open relay service and gain shell access on the server
- You could dump the client's mail database
Correct answer: You could use the service in a phishing campaign
Open SMTP relays present the perfect opportunity for a phishing campaign. Your emails could easily be made to appear to be sent from the security director or a high-ranking manager.
Remote code execution and shell access would be more difficult to obtain compared to using a phishing campaign. An SMTP server would not contain email lists.
110.
You are performing a pentest, but you need to hide the origin of your connection, as you are carrying out a red team engagement.
What tool can you use to hide your original IP?
- Proxychains
- Incognito browser
- Virtual machine on your host
- Wireshark
Correct answer: Proxychains
As you send traffic to and from systems during a penetration test, you will likely want to hide the content of the traffic you are sending. You can use proxychains to tunnel any traffic through a proxy server, with full support for HTTP, SOCKS4, and SOCKS5 proxy servers and with the ability to chain multiple proxies together to further conceal your actions.
An incognito browser clears browser data after use. A virtual machine creates virtual hardware on a system. Wireshark is used to capture and analyze network traffic.
111.
While testing, a pentester was able to exploit an SQL injection on the client's website. They were able to generate a POC (Proof of Concept).
What should be their next step?
- They should contact the client and share the finding
- They should make a note of it and list it in the final report
- They should apply immediate remediation for the issue
- They should quarantine the affected system until the end of the test
Correct answer: They should contact the client and share the finding
High-criticality findings are usually reported to the client the moment they are discovered. The client might need to take some action or provide guidance on future tests of those vulnerabilities.
Findings with medium, low, or information classification are usually only reported in the final report as they would not require an immediate response from the client. Pentesters do not implement remediation or quarantine systems.
112.
What can be used to passively search by domain name or IP for exposed systems belonging to an organization?
- Shodan
- Nmap
- WHOIS
- DuckDuckGo
Correct answer: Shodan
Shodan is a security search engine for misconfigured or exposed systems.
Nmap is a tool for active scanning. WHOIS does not provide exposed device information. DuckDuckGo is simply a normal search engine, like Google.
113.
When analyzing traffic captured between you and a targeted host, which tool would you MOST likely use for the packet inspection?
- Wireshark
- Nessus
- Hping
- Metasploit
Correct answer: Wireshark
Wireshark is a very powerful tool for analyzing and inspecting network traffic and packet captures. Its GUI is extensive and rich with features.
Nessus is a vulnerability scanner. Hping is a command-line TCP packet assembler and analyzer. Metasploit is a penetration testing framework.
114.
Why would an Nmap syn scan (-sS) produce more results than an Nmap full connect scan (-sT)?
- A syn scan can work through most firewalls
- A syn scan uses ICMP echo requests to find hosts
- A full connect scan takes longer, and some hosts drop the requests
- A syn scan is compatible with all operating systems, unlike a full connect scan
Correct answer: A syn scan can work through most firewalls
Firewalls tend to allow "syn" packets to pass through, assuming they are part of a live connection, while a full connect scan attempts to initiate a new connection and is recognized by firewalls.
115.
A pentester is testing a web application. They manage to find a search parameter and, after poking around, get the following message from the server:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use at line 1.
What kind of potential vulnerability have they found?
- SQL injection
- Cross-site scripting (XSS)
- Directory traversal
- Sensitive data exposure
Correct answer: SQL injection
An SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This error message is usually generated by the SQL server, suggesting that the initial request did reach the SQL server and was executed. However, due to the way the request was structured, the output produced an error. It is likely that a properly structured SQL query will succeed in extracting data from the database.
Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.
Sensitive data exposure occurs when an application, company, or other entity inadvertently exposes personal data. Sensitive data exposure differs from a data breach, in which an attacker accesses and steals information.
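The error message in this question appears because user input became part of the SQL statement text. The following added example (not from this question set) reproduces that failure mode with Python's built-in sqlite3 module and shows the fix beside it: a search function that concatenates the parameter into the query, and one that binds it as a parameter. The in-memory table and the search terms are constructed for the example; note that a perfectly legitimate term containing an apostrophe is enough to trigger the syntax error, which is how a tester often first notices the weakness.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's article database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [
            ("Patch Tuesday summary", "constructed sample body"),
            ("Kerberos hardening", "constructed sample body"),
            ("O'Reilly book review", "constructed sample body"),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """Weak form: the search parameter is spliced into the SQL text, so any
    quote in the input changes the statement's structure. This is the pattern
    behind the 'error in your SQL syntax' message in the question."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Hardened form: the driver sends the term as a bound value, so it is
    always treated as data and never parsed as SQL."""
    sql = "SELECT title FROM articles WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def probe(term):
    """Run the same search term through both implementations and report
    what each returns (the vulnerable one may raise a database error)."""
    conn = make_db()
    try:
        vulnerable_result = search_vulnerable(conn, term)
    except sqlite3.Error as exc:
        vulnerable_result = f"ERROR: {exc}"
    safe_result = search_parameterized(conn, term)
    return vulnerable_result, safe_result


if __name__ == "__main__":
    for term in ("Kerberos", "O'Reilly"):
        vuln, safe = probe(term)
        print(f"term={term!r}\n  concatenated : {vuln}\n  parameterized: {safe}")
```

With the term "Kerberos" both functions return the same row; with "O'Reilly" the concatenated version raises a syntax error from the database engine while the parameterized version returns the matching article. In the detection and remediation write-up, this is the difference to point at: the fix is binding parameters (or an equivalent prepared-statement API), not filtering quotes.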
116.
What sort of vulnerability would allow an attacker to navigate the directory structure of a server using HTTP requests and retrieve the contents of a file such as /etc/passwd? For example:
GET http://target.net/article?id=../../../../etc/passwd
- Directory traversal
- Local file inclusion
- Remote file inclusion
- SQL injection
Correct answer: Directory traversal
Some web servers suffer from a security misconfiguration that allows users to navigate the directory structure and access files that should remain secure. These directory traversal attacks work when web servers allow the inclusion of operators that navigate directory paths and file system access controls don’t properly restrict access to files stored elsewhere on the server.
Local file inclusion can occur when an attacker gets a web application to include one of its own local files as input. Remote file inclusion is similar to a local file inclusion but comes from an external source. A SQL injection can occur when an attacker submits malicious SQL code to a server.
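The explanation above says traversal works when the server lets path operators such as ../ reach the file system unchecked. The following added example (not from this question set) shows the server-side check that closes that gap in Python: the requested name is joined to the document root, both are resolved to real paths, and the request is refused unless the result still lies under the root. The temporary document root and its single file are constructed for the example.

```python
import os
import tempfile


def safe_join(base_dir, requested):
    """Resolve a client-supplied relative path under base_dir and refuse any
    result that escapes it, whether via '..' segments, an absolute path, or a
    symlink. realpath() normalises and follows links before the check."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath() is a prefix test on path components, so 'root2/x' cannot
    # pass as being under 'root' the way a plain startswith() would allow.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return target


def read_article(base_dir, requested):
    """Serve a file from the document root, or raise PermissionError."""
    with open(safe_join(base_dir, requested), "r", encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Constructed document root with one article. Returns the content served
    for a benign request and whether a traversal request was blocked."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "welcome.txt"), "w", encoding="utf-8") as fh:
        fh.write("hello")
    benign = read_article(root, "welcome.txt")
    try:
        read_article(root, "../../../../etc/passwd")
        blocked = False
    except PermissionError:
        blocked = True
    return benign, blocked


if __name__ == "__main__":
    content, blocked = demo()
    print(f"benign request served: {content!r}; traversal blocked: {blocked}")
```

Resolving with realpath() before comparing matters: a check that only strips "../" from the string can be bypassed by encoded or doubled sequences, whereas comparing the resolved location against the resolved root is independent of how the path was spelled.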
117.
In a red team engagement, a pentester is attempting to remotely connect to a Windows machine. Instead of using RDP, they decide to use the PsExec tool.
What could be their reason for choosing PsExec over RDP?
- PsExec is silent and less evident
- PsExec would not require a password
- PsExec provides better control over the machine
- RDP is less secure
Correct answer: PsExec is silent and less evident
In a red team engagement, one is supposed to mimic a real-world attack. No actual attacker would prefer to use Remote Desktop Protocol (RDP), which might even cause a logout for another user.
PsExec activities can usually be found in the event logs, but other than that, they are rather silent and would likely not trigger any IDS/IPS alerts because PsExec is also regularly used by admins.
118.
What is the purpose of the following command?
ssh -D 8080 user@intranetserver -p 443
- This will create a secure tunnel connection with dynamic port forwarding
- This will create a reverse shell
- This will create a remote shell
- This will start DNS spoofing
Correct answer: This will create a secure tunnel connection with dynamic port forwarding
The "ssh -D 8080 user@intranetserver -p 443" command will create a connection to "intranetserver" over SSH and push all https traffic on port 443 through the SSH connection locally on the source on port 8080. Basically, it will proxy HTTPS traffic through "intranetserver" to localhost on port 8080. This can be used to hide traffic from defenders.
119.
Why would you consider analyzing the code's comments in a known environment pentest you are performing?
- You are looking for insecure code practices
- You are gathering data in order to build a dictionary
- Comments list all known vulnerabilities
- You are gathering info for a social engineering attack
Correct answer: You are looking for insecure code practices
Insecure code practices are very common. You are quite likely to find a username and password listed in the comments that were forgotten by the developers.
120.
What port range includes ports known as "registered ports" that are assigned by IANA when requested?
- 1024–49151
- 0–1023
- 0–1024
- 5000–50000
Correct answer: 1024–49151
Ports ranging from 1024 to 49151 are registered ports and are assigned by IANA when requested. Many are also used arbitrarily for services.
Ports 0–1023 are known as well-known ports or system ports.