CompTIA PenTest+ Exam Questions
141.
When performing an on-site pentest, including Wi-Fi access points, what needs to be clearly defined in the pentest's scope?
- SSID of the APs being tested
- Wi-Fi channels of the APs being tested
- Frequencies of the APs being tested
- Number of clients for each AP
Correct answer: SSID of the APs being tested
When conducting on-site pentests involving Wi-Fi Access Points (APs), it is important to have a clear understanding of which APs are in the scope of the test. This will help you exclude potential out-of-scope or third-party APs.
Channels, frequencies, and number of clients do not need to be identified in the scope.
142.
KARMA is a tool that can be used in which of the following?
- Wireless on-path attacks
- Web application spidering
- Network host and port discovery
- Reverse engineering
Correct answer: Wireless on-path attacks
KARMA stands for Karma Attacks Radio Machines Automatically. A radio machine could simply be a smartphone, tablet, laptop, or any WiFi-enabled device. KARMA can be used in wireless on-path attacks.
Web application spidering can be accomplished with tools such as Scrapy and Burp Suite. Network host and port discovery can be accomplished with tools such as Nmap and Nessus. Reverse engineering can be accomplished with tools such as IDA.
143.
You are asked to perform a penetration test against a client's Wi-Fi access point. Part of the test involves a DoS attack.
What exploitation method could you use in a DoS attack against the network?
- Jamming
- Fragmentation
- Bluesnarfing
- Replay
Correct answer: Jamming
Wireless jamming is a type of denial-of-service (DoS) attack in which signal interference prevents legitimate devices from communicating with each other over the network. The goal of jamming is to overwhelm the legitimate signal.
A fragmentation attack exploits a vulnerability in WEP to crack a key. Bluesnarfing is a Bluetooth attack that gives an attacker unauthorized access to a victim's device. A replay attack captures legitimate traffic and retransmits it later.
144.
Which OSINT is a good place to check for configuration settings, IP addresses, and even passwords or private keys?
- Source code repositories
- WHOIS
- Job postings
- SSL certificates
Correct answer: Source code repositories
Source code repositories such as GitHub can sometimes hold valuable information for a pentester. Organizations may even hard-code passwords into code that is then uploaded to a public repository.
WHOIS is used to learn about the entity that registered a domain. Job postings can be used to learn about an organization's technology stack. SSL certificates include public keys but not private keys.
145.
A pentester is in the process of writing a penetration report. They want to include full scan reports from scans conducted during the test.
Where is an appropriate place in the report to place this information?
- Appendix
- Conclusion
- Executive summary
- Methodology
Correct answer: Appendix
The main body of the report is not an appropriate place for lengthy code listings, scan reports, or other tedious results. Rather, an appendix is an appropriate location for these types of files and information if the tester believes they will add value for the client.
The conclusion includes a summary and recommendations. The executive summary is a concise section with the most important results. The methodology section includes the tools and types of tests performed.
146.
Which of the following recommendations should be made in regard to key rotation?
- Ensuring that old keys are securely destroyed or archived
- Open-sourcing past keys
- Reusing previous keys in a regular rotation
- Keeping keys for at least 2 years before rotating
Correct answer: Ensuring that old keys are securely destroyed or archived
Old keys should be destroyed so that they do not fall into the hands of attackers. Secure archival is also a solution in certain situations for regulatory reasons.
Keys should not be open to the public or reused. The longer keys are used without rotation, the higher the risk they can be used in an attack.
147.
What is a pentester accomplishing with the following command?
apkx HelloWorld.apk
- Decompiling an Android application package
- Performing dynamic analysis of an APK file
- Debugging an APK file
- Injecting code in an Android application package
Correct answer: Decompiling an Android application package
APKX is an Android application package (APK) decompiler. It extracts the packaged code into a human-readable format.
Android Studio can be used for performing dynamic analysis and debugging an APK file.
Frida can be used to inject code into an APK.
148.
What type of an attack is being attempted with the following request?
https://example.com/../../../../../etc/passwd
- Directory traversal
- SQL injection
- XSS
- CSRF
Correct answer: Directory traversal
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. By adding "../../../../../etc/passwd" the attacker is attempting to read or access the /etc/passwd file on the system. Some vulnerable systems would freely provide this information to the attacker.
A SQL injection submits malicious SQL code to a server. Cross-site scripting (XSS) injects malicious code into a website. Cross-site request forgery (CSRF) tricks a user into performing actions on a site to which they are authenticated.
149.
What sort of vulnerability could be exploited if a website is serving content on both port 443 and port 80 and there is NO HSTS (HTTP strict transport security) protection enforced?
- SSL stripping or downgrading
- Cross-site request forgery
- Cross-site scripting
- SQL injection
Correct answer: SSL stripping or downgrading
SSL stripping is a type of downgrading attack that allows an attacker to capture plaintext traffic during on-path attacks.
Cross-site request forgery occurs when an attacker tricks a user into performing an action on a site that they are authenticated on. Cross-site scripting occurs when an attacker injects malicious code in a website. SQL injection is an attack against a database server.
150.
What kind of attack is a SYN flood?
- DoS
- CSRF
- XSS
- SQL injection
Correct answer: DoS
A SYN flood is a form of denial-of-service (DoS) attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A DoS attack is when the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. SQL injections are attacks that send malicious database commands to a server.
151.
An attacker went through the following path of exploitation to successfully gain access to a targeted host: They initially scanned the host, found a vulnerable DB service leaking some credential information, and used those credentials to authenticate to the DB. Using the DB access, they managed to create a backdoor on the system and finally obtained access to it.
What is this string of attacks called?
- Exploit chaining
- Exploit stacking
- Pivoting
- Kill chain
Correct answer: Exploit chaining
Exploit chaining is the process of using multiple exploit methods and techniques in a sequence in order to successfully exploit the host.
Exploit stacking combines multiple exploits simultaneously rather than sequentially. Pivoting involves moving to another system on the network. The kill chain encompasses all the processes an attacker takes from reconnaissance to action on objectives.
152.
What would be considered the formal confirmation that the pentesters have successfully completed the agreed-upon scope of work?
- Client acceptance
- Receiving of payment
- Provision of the conclusion report
- Completion of the post-engagement cleanup
Correct answer: Client acceptance
Pentesters should obtain formal client acceptance of their deliverables. This may simply be a written acknowledgment of the final report, but it usually includes a face-to-face meeting where the testers discuss the results of the engagement with business and technical leaders and answer any questions that might arise.
153.
Two domain administrators share the same account.
To enforce accountability, what mitigation strategy would you suggest to your client with regard to this finding?
- Use separate accounts for each system user
- Use a very complex password
- Share only local admin passwords
- Change the password frequently
Correct answer: Use separate accounts for each system user
Even though it is not always possible, it is recommended that each user use their personal account when conducting administrative work in the client's environment. This separation will ensure accountability in case of problems.
154.
What is one of the main advantages of using APK Studio over other APK decompilation tools?
- It has an IDE specifically designed for Android reverse engineering.
- It automates the process of gaining root access on Android devices.
- It includes a suite of side-channel attacks against mobile devices.
- It offers a built-in network scanner for scanning for vulnerabilities.
Correct answer: It has an IDE specifically designed for Android reverse engineering.
APK Studio is an integrated development environment (IDE) for reverse-engineering Android apps. It can decompile, analyze, and recompile Android application packages (APKs).
155.
A pentester has been given the following specific requirements to test for:
- Password complexity policy
- Encryption algorithm complexity
- Data encryption in transit and at rest
What type of test are they performing?
- A compliance-based assessment
- A red team assessment
- A blue team assessment
- A purple team assessment
Correct answer: A compliance-based assessment
Compliance-based assessments audit an organization’s ability to implement and follow a given set of security standards within an environment.
A red team assessment tests the overall security posture. A blue team responds to a simulated attack. A purple team coordinates the red and blue teams.
156.
In the mitigation section of your report, you suggest that the client enforce a strong password policy and high complexity. Passwords should be changed often and shared with as few people as possible.
What vulnerability are you addressing with this suggestion?
- Shared administrator password
- Password in cleartext
- SQL injection
- Cross-site request forgery
Correct answer: Shared administrator password
Organizations should randomize the passwords of administrator accounts, making them strong, complex passwords that are unique on each system. They may then use a password management tool to track all of those passwords.
157.
Of the following, which is a way to fingerprint a web server?
- Use netcat on the server
- Use ping on the server
- Use nslookup against the domain
- Use dig against the domain
Correct answer: Use netcat on the server
A Netcat (nc) request over port 80 will return an HTTP response header. This header usually contains the web server version.
Ping determines if a host is reachable. Nslookup and dig return DNS information.
158.
Preparing for a pentest, you have obtained the social media profiles of the targeted organization's employees. What sort of attack could you develop using this information?
- Social engineering attack
- Directory traversal attack
- Remote code execution
- Fuzzing attack
Correct answer: Social engineering attack
Having a lot of information about a person can make your manipulation strategy easier. Gaining information about the person's habits, regular online shopping behavior, and so on, could potentially aid in a social engineering attack.
Directory traversal attacks and remote code execution rely on web application vulnerabilities. Fuzzing is an attack technique directed at applications rather than people.
159.
A pentester has found a network running SMB. Which tool can they use to gather hashed credentials?
- Responder
- Reaver
- TruffleHog
- Censys
Correct answer: Responder
Responder answers name-resolution queries for resources on an SMB network. A client that trusts the system running Responder as legitimate then attempts to authenticate to it, which allows the hashed credentials to be captured.
Reaver is used for exploiting WPS. TruffleHog scans code repositories for sensitive information. Censys is a search engine that provides information about devices connected to the Internet.
160.
What type of attack could be carried out if an attacker manages to get the cookie from the site administrator's current session?
- Session hijacking
- CSRF
- Stacked queries
- Blind SQL
Correct answer: Session hijacking
Web sessions are designed to accompany the user’s interaction with the web framework. A unique session identifier is generated by the web server or web application and lasts for the duration of the user’s visit. A session ID (or token) can be stored locally on the user’s hard drive as a cookie, form field, or URL. An attacker who obtains the administrator's session cookie can present it to the application and be treated as that administrator, which is session hijacking.
Cross-site request forgeries (CSRF) involve tricking a user to perform an action on a site they are authenticated on. Stacked queries and blind SQL are injection attacks.