CompTIA PenTest+ Exam Questions

Page 9 of 25

161.

What are tools such as h8mail and the haveibeenpwned.com website used for?

  • Password dumps

  • File metadata

  • Website archiving

  • Social media scraping

Correct answer: Password dumps

Usernames and passwords from previous breaches can be easily accessed through various tools, including h8mail, Pastebin, and online databases. It is important to monitor these services, even for your own personal information.

An example of a file metadata application is Exif. An example of a website archiving tool is The Wayback Machine. An example of a social media scraping tool is Scrapy.

162.

Which type of attack tricks a web server into visiting a URL based on user-supplied input?

  • SSRF

  • CSRF

  • XSS

  • Clickjacking

Correct answer: SSRF

Server-side request forgery (SSRF) is an attack that tricks a server into visiting a URL that the attacker controls. This can occur if the site accepts URLs as user input and retrieves information from those URLs.

Cross-site request forgery (CSRF) tricks a user into performing an action on a site that they are authenticated on. 

Cross-site scripting (XSS) is an attack that injects malicious code into a website. 

Clickjacking tricks a user into clicking something that they did not intend.

163.

Which method can be used to try to detect if a website is using a load balancer?

  • Using ping to look for different TTLs

  • Reviewing cookie names for common patterns

  • Examining header information for specific signatures

  • Searching for FIN/RST packets to end connections

Correct answer: Using ping to look for different TTLs

A few different methods can be employed to try to detect if a website is using a DNS- or HTTP-based load balancer. By using ping, a pentester can examine TTLs, check for varying response times, or see if different IP addresses respond to different requests.

Reviewing cookie names, examining header information, and searching for FIN/RST packets are methods of detecting web application firewalls.

164.

A pentester encounters a captive portal in their test. What method can they attempt to try to bypass it?

  • MAC address cloning

  • XSS

  • CSRF

  • DNS tunneling

Correct answer: MAC address cloning

Captive portals are used by organizations to provide access control and authorization for wireless networks. They typically do not implement complex authentication, so MAC address cloning can often give the pentester access to the network.

Cross-site scripting (XSS) involves inserting malicious code into a website. Cross-site request forgery (CSRF) involves tricking users into performing actions on sites they are authenticated on. DNS tunneling is used to exfiltrate data within DNS traffic.

165.

Parameterized queries would prevent which of the following issues?

  • SQL injection attacks

  • On-path attacks

  • Weak password attacks

  • Denial-of-service attacks

Correct answer: SQL injection attacks

Input sanitization (also known as input validation) and parameterized queries are both acceptable methods of preventing SQL injection attacks. 

On-path attacks are mitigated through strong encryption and authentication. Weak password attacks are mitigated through strong password controls. Denial-of-service attacks are mitigated through network security measures and load balancing.

166.

What does the following Bash code do?

while read ip; do nc -zv $ip 22; done < ip_addresses.txt

  • Scans port 22 on IP addresses in ip_addresses.txt

  • Attempts to ping each system in ip_addresses.txt 22 times

  • Listens on port 22 for connections from systems in ip_addresses.txt

  • Transfers data sent from port 22 on systems in ip_addresses.txt

Correct answer: Scans port 22 on IP addresses in ip_addresses.txt

This command performs a port scan of a list of IP addresses. It uses a while loop to read each line of ip_addresses.txt and uses the nc command to scan each IP on port 22.

The port that will be scanned is specified by the -z option. 

The -l option is used to listen on a port. 

File transfers can be performed by redirecting input from, or output to, a file.

167.

Which post-exploitation tool for retrieving password hashes from memory is included with other tools such as Metasploit, Empire, and PowerSploit?

  • Mimikatz

  • Cain

  • CeWL

  • Hydra

Correct answer: Mimikatz

Mimikatz is a powerful and versatile tool for post-exploitation, including gaining password hashes from memory. It is one of the most useful Windows tools.

Cain, CeWL, and Hydra are other tools that aid in gathering credentials.

168.

Which Nmap scan method is the MOST popular and is known as half-open scanning?

  • TCP SYN (-sS)

  • UDP scan (-sU)

  • No Ping (-Pn)

  • TCP FIN (-sF)

Correct answer: TCP SYN (-sS)

TCP SYN (Stealth) Scan (-sS): SYN scan is the default and most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. It requires raw-packet privileges and is the default TCP scan when they are available. Because the three-way handshake is never completed, SYN scan is sometimes called half-open scanning.

UDP scans identify UDP services. No ping scans skip the host discovery part of a scan. TCP FIN scans send FIN packets to ports.

169.

Which of the following describes the process of deconfliction?

  • A communication process of sorting out pentesters' artifacts from real compromise

  • A vulnerability scanning process with limited impact

  • A risk assessment process

  • A change management process for remediating vulnerabilities

Correct answer: A communication process of sorting out pentesters' artifacts from real compromise

Communication with the client provides the ability for deconfliction, which is the process of sorting out pentesters' artifacts from real compromise. This limits the risk of the pentester becoming the scapegoat in case of business impact.

170.

Which of the following actions is BEST performed by Objection?

  • Bypassing certificate pinning

  • Testing APIs

  • Reverse engineering Android applications

  • Decompiling Android applications

Correct answer: Bypassing certificate pinning

Objection is a runtime mobile platform and app exploration tool that is powered by Frida. It can perform such actions as bypassing certificate pinning, dumping keychains, and performing memory analysis.

A tool that tests APIs is Postman. 

A tool that reverse engineers Android applications is APK Studio. 

A tool that decompiles Android applications is ApkX.

171.

During a penetration test, you are discovering hosts using Nmap. You would like to have the host OS identified and the list of results outputted into an XML file. 

Which Nmap command would cover both conditions?

  • nmap -O  10.15.0.0/24 -oX results

  • nmap -oP -sS 10.15.0.0/24 -x results

  • nmap -P0 -O 10.15.0.0/24 -oS results

  • nmap -sS -O 10.15.0.0/24 -oS results

Correct answer: nmap -O  10.15.0.0/24 -oX results

The "-O" option stands for OS detection. 10.15.0.0/24 is the IP range for scanning. The -oX flag stands for outputting to an XML file.

172.

What needs to be considered when performing a vulnerability scan if SCADA systems are involved?

  • SCADA systems need to be handled carefully, as they could be easily knocked out

  • SCADA systems are very secure and need additional testing

  • There is no difference between SCADA and other systems

  • An NDA needs to be signed

Correct answer: SCADA systems need to be handled carefully, as they could be easily knocked out

SCADA and industrial IoT systems are delicate, fragile environments that were never really developed with security in mind. A single TCP or UDP port scan against a SCADA component can cause catastrophic damage.

173.

What does scraping a website entail?

  • Capturing specific information from a website

  • Scanning a website for vulnerabilities

  • Indexing the pages of a website

  • Performing a DoS against a website

Correct answer: Capturing specific information from a website

Scraping a website involves gathering information from it for reconnaissance. Useful information such as contacts, email addresses, filenames, and directories can be learned.

Vulnerability scanning looks for weaknesses in a web application server. Crawling involves indexing the pages and content of a website. A DoS is an attack against a website.

174.

A penetration tester is operating a test that is being conducted without the knowledge of the company's cybersecurity staff. The tester wants to remain stealthy so as not to alert IPSs or firewalls. 

When using Nmap, which flag should they use to be stealthy?

  • -sS

  • -sT

  • -sU

  • -sN

Correct answer: -sS

A TCP SYN scan (-sS) is a half-open scan. It is stealthy because it does not complete the TCP handshake and can often bypass firewalls and IPSs.

A TCP Connect scan (-sT) completes the TCP handshake. A UDP scan (-sU) sends UDP packets, which is noisy because no handshake is involved. A TCP Null scan (-sN) is noisy because it can be considered abnormal.

175.

Which open data source can an attacker leverage to learn about an organization's potential cryptographic flaws, weak implementations, and OCSP information?

  • SSL certificates

  • Google Dorks

  • Scapy

  • CWE

Correct answer: SSL certificates

SSL certificates reveal a lot of information about the organization that uses them. This includes the validity period, algorithm, and key size.

Google Dorks are useful for finding misconfigurations and exposed data. Scapy is an interactive packet manipulation tool. The CWE is a list of common hardware and software security flaws.

176.

Near an automated door at one of the entrances to their target's building, a threat actor is waiting for people with access to go through. Once the last person passes through the door, the attacker waits a few seconds for them to move away, and just before the door closes, they enter. 

What technique are they using?

  • Tailgating

  • Shoulder surfing 

  • Impersonating

  • Piggybacking

Correct answer: Tailgating

Tailgating refers to an unauthorized individual following behind an authorized individual through an entrance without the authorized individual's consent. 

Shoulder surfing refers to peering over someone's shoulder while they are entering credentials to steal the credentials. Impersonating is pretending to be someone that you are not. Piggybacking involves being acknowledged by an authorized user.

177.

Consider the following code in Python:

for i in my_list:
    print(i)

What type of data structure is "my_list"?

  • It is an array

  • It is a function

  • It is an operator

  • It is a file

Correct answer: It is an array

In the given example, "my_list" is likely an array of elements. This Python code is an example of iterating through an array.

A function is a named block of code. An operator is a special symbol that performs operations on values. A file is a named location that holds data.

178.

Each CWE record should include:

  • A weakness ID

  • Exploitation methods

  • A tool to exploit it

  • The group that exploited it

Correct answer: A weakness ID 

The Common Weakness Enumeration (CWE) contains broad baselines of software weaknesses that can be used to describe specific vulnerabilities. Each CWE record should include a weakness ID. The name of each CWE is also its ID. For example, CWE-36 stands for "Absolute Path Traversal."

179.

An attacker is able to input malicious JavaScript into a comment entry under a post on a web page. This script is executed upon loading the page with the post and does not disappear when the page is reloaded. 

What type of vulnerability does this describe?

  • Stored XSS

  • Reflected XSS

  • SQL injection

  • Reverse shell

Correct answer: Stored XSS 

Stored, or persistent, cross-site scripting (XSS) is a vulnerability that inserts malicious code into a web page. Stored XSS survives page reloads.

Reflected XSS disappears upon reloading of the page. SQL injection involves sending malicious database commands to a server. A reverse shell establishes persistence on a target system.

180.

A pentester has a client with many services hosted on AWS. 

Which tool should they use as a framework to attempt exploits on that platform?

  • Pacu

  • CloudBrute

  • Cloud Custodian

  • Coagula

Correct answer: Pacu

Pacu is designed for AWS penetration. It includes modules for various attack vectors, including privilege escalation and backdoors.

CloudBrute is used for enumerating cloud assets.

Cloud Custodian focuses on policy compliance and remediation. 

Coagula can be used for audio steganography.