CompTIA PenTest+ Exam Questions


1.

Which command would be the correct one to use for sending a SYN packet to "target.com" over port 8181 and receiving a verbose output?

  • hping -S -V target.com -p 8181

  • hping -s -v target.com -P 8181

  • hping --target=target.com --packet=sync --port=8181

  • hping 8181 target.com -S

Correct answer: hping -S -V target.com -p 8181

In this example, hping sends a SYN packet (-S) to target.com on TCP port 8181 (-p 8181) and prints verbose output (-V).

2.

An attacker has gained access to the phone directory of a targeted company. They are pretending to be part of the building management and are sending SMS messages containing a malicious link asking all employees who use the parking lot to register their cars with their employee credentials. 

What sort of attack is being conducted?

  • SMS phishing

  • Whaling

  • Quid pro quo

  • Spear phishing

Correct answer: SMS phishing

SMS phishing is similar to regular email phishing. More and more people browse the internet mainly from their mobile devices, which makes SMS phishing more successful.

Whaling targets high-level executives at a company. A quid pro quo attack builds trust by helping the target first. Spear phishing targets a select group of individuals.

3.

A pentester is performing a network scan against a subnet of Windows servers. One of the machines reported port 445 to be open. 

What service is listening on port 445?

  • Windows SMB share

  • Windows mail server

  • Windows Remote Desktop Service

  • Microsoft SQL Server

Correct answer: Windows SMB share

The Windows Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write files and to request services from server programs in a computer network. SMB can run on top of TCP/IP or other network protocols. Windows SMB shares usually use port 445, and there are many exploits and attack methods that target it.

Mail servers relay mail on port 25. Windows Remote Desktop Service listens on port 3389. Microsoft SQL Server listens on port 1433.

4.

Which command is used for a stealth scan?

  • Nmap -sS

  • Nmap -sT

  • Nmap -sA

  • Nmap -O

Correct answer: Nmap -sS

The Nmap -sS command initiates a SYN scan, also called a "stealth scan" because it never completes the TCP handshake.

Nmap -sT performs a TCP connect scan. Nmap -sA conducts a TCP ACK scan. Nmap -O is used for OS detection.

5.

Which type of data structure should be used for session data, including cookies, tokens, and other sensitive information?

  • Dictionary

  • Array

  • List

  • CSV

Correct answer: Dictionary

A dictionary stores key-value pairs, which is appropriate for associating unique identifiers with their corresponding session data. Key-value pairs are fast for lookups and flexible in the type of data they store.

Arrays, lists, and CSV are not optimized like key-value pairs.

6.

A pentester was able to dump the password hashes from the SAM database of a Windows domain controller into a "hash.txt" file. They are trying to crack the passwords offline in their lab using a list of passwords from a "wordlist1.lst" file. 

Which command would they use?

  • hashcat -m 1000 -a 0 hash.txt wordlist1.lst

  • john -m 1000 -a 0 hash.txt wordlist1.lst

  • cain -m 1000 -a 0 hash.txt wordlist1.lst

  • medusa -m 1000 -a 0 hash.txt wordlist1.lst

Correct answer: hashcat -m 1000 -a 0 hash.txt wordlist1.lst

Hashcat is a password-cracking utility that uses graphics processing units (GPUs) to crack passwords at a very high rate of speed. The "-m" flag sets the hash type. The "-a 0" flag sets the attack to a dictionary attack. Hashcat is much faster than traditional tools (like John the Ripper, which is CPU-bound), making it a tool of choice if you have access to appropriate hardware.

John the Ripper and Medusa have different command formats. Cain and Abel is an outdated utility that uses a graphical user interface.

7.

Which of the following tools could NOT be used in a server brute-force attack?

  • Nikto

  • Patator

  • Hydra

  • Medusa

Correct answer: Nikto

Nikto is a web server scanner. It can detect vulnerabilities and misconfigurations.

Hydra and Medusa are brute-forcing tools. Patator is also a brute-forcing tool that was written as a result of frustration with using Hydra and Medusa.

8.

What is the difference between DOM-based XSS and reflected XSS?

  • DOM-based XSS is executed directly in the browser; reflected or stored XSS is passed back to the server

  • DOM-based XSS uses jQuery; reflected XSS uses JavaScript

  • DOM-based XSS is exploitable only on Apache servers

  • Reflected XSS is associated with HTML; DOM-based XSS is associated with PHP

Correct answer: DOM-based XSS is executed directly in the browser; reflected or stored XSS is passed back to the server

The Document Object Model (DOM) is passed down to the browser from the application at runtime and is used for structuring content. Unlike stored or reflected XSS attacks, whose payload is passed back to the server, DOM-based XSS executes directly in the user's browser, because not every object in the DOM is sent to the server as a query. This can make detection even more difficult if logging only occurs on the client side.

9.

What method could be used to mitigate a CSRF attack?

  • Secure token

  • Output encoding

  • SSL

  • WAF

Correct answer: Secure token

A cross-site request forgery (CSRF) is a type of client-side injection attack that causes a user to perform an action against a trusted website where the user is already authenticated with a valid session. A secure CSRF token is a unique, secret, randomized value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client.

Output encoding is effective against XSS attacks. SSL is used to encrypt internet communications. A web application firewall protects web applications from attacks.
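As an added example that is not part of the exam material, the session store of question 5 and the secure CSRF token of question 9 together: a dictionary keyed by session ID holds per-session data, and a state-changing request is accepted only if it carries the token the server issued to that session. The helper names and the in-memory store are hypothetical, not any framework's API.

```python
import hmac
import secrets
from typing import Optional

# Constructed example: in-memory session store (a dictionary keyed by the
# session ID carried in the cookie). A real deployment would use a server-side
# session backend; the structure is what matters here.
SESSIONS = {}


def create_session(user: str) -> str:
    """Start a session and mint a fresh CSRF token bound to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": user,
        # unique, secret, randomized value generated server-side (question 9)
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in the form it serves (e.g. a hidden field)."""
    return SESSIONS[session_id]["csrf_token"]


def verify_state_change(session_id: str, submitted_token: Optional[str]) -> bool:
    """Gate a state-changing request (POST/PUT/DELETE).

    A forged cross-site request is sent with the victim's cookie, so the
    session ID alone proves nothing; the request must also carry the token
    that only a page served to this session could have read.
    """
    session = SESSIONS.get(session_id)
    if session is None or not submitted_token:
        return False
    # constant-time comparison: the check must not leak the token byte by byte
    return hmac.compare_digest(session["csrf_token"], submitted_token)


def rotate_csrf_token(session_id: str) -> str:
    """Issue a new token after a successful check so a leaked one is short-lived."""
    new_token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = new_token
    return new_token
```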

10.

During the post-engagement cleanup, you are removing all your shells and other files. How should you handle the rogue users that were created in the process of compromising the machine?

  • Remove all rogue users

  • Leave the users as a POC

  • Lock the user accounts with strong passwords

  • Suggest that the machine be completely re-imaged

Correct answer: Remove all rogue users

The post-engagement cleanup involves removing shells and tester-created credentials and possibly removing tools from local or remote file shares. In some cases, the client may need to reboot target hosts in order to clear the contents of memory, even if nothing was written to disk. The pentester should also remove all users and accounts created for the purpose of the pentest.

11.

A pentester has found an open mail relay server running on port 25 in the targeted organization's environment. How could they take advantage of this finding?

  • Use it in a social engineering attack by impersonating people from the organization

  • Use it to gather passwords from the server

  • Use it to remotely execute commands on the server

  • Use the open mail relay server for on-path attacks

Correct answer: Use it in a social engineering attack by impersonating people from the organization

The Simple Mail Transfer Protocol (SMTP) is defined under RFC 5321 to allow for the delivery of electronic mail. SMTP servers listen on port 25/TCP, and among their weaknesses are servers configured to be open mail relays, which allow anonymous users to connect over the internet to send email as an impersonated email address to both external and internal destination addresses.

Gathering passwords, remotely executing commands, and on-path attacks are not directly related to open mail relay servers.

12.

Which vulnerability found on a web application could potentially lead to session hijacking?

  • Stored XSS

  • SQL injection

  • Remote file inclusion

  • Local file inclusion

Correct answer: Stored XSS

Stored XSS can be used, for example, by injecting code into a log entry that is later viewed through a web interface by an administrative user; the injected script then steals and redirects that user's session token.

SQL injection manipulates data in a database. Session hijacking is not a typical consequence of remote or local file inclusion.

13.

You are preparing the concluding report of a pentest. You need to evaluate the risk and share the results with the customer. 

What are the two MAIN factors when calculating risk?

  • Probability and damage potential

  • Complexity and automation

  • Difficulty and impact

  • Available exploits and operating systems

Correct answer: Probability and damage potential

Basic risk calculation is made with the following formula: Risk = Probability * Damage Potential.

A more complex risk scoring system could be used, for example, CVSSv3, where more factors are taken into consideration.

14.

A penetration tester has been asked to assess a company's APIs. What type of file should the tester ask for to get a reference of what a specific API supports?

  • SOAP

  • DirBuster

  • ZAP

  • Nessus

Correct answer: SOAP

The SOAP project file describes the format for sending and receiving messages in a web application. An attacker could use this file to learn the recommended methods of sending messages and potentially find ways to force the API into an error condition.

DirBuster is used to find hidden directories on a web server. OWASP Zed Attack Proxy (ZAP) is a web application scanner. Nessus is a vulnerability scanner.

15.

A penetration test has created a list of vulnerabilities that need to be addressed. When developing a remediation plan for these vulnerabilities, which of the following metrics is the LEAST important factor in the prioritization process?

  • Number of public exploits available

  • Criticality of the system and information affected by the vulnerability

  • Difficulty of remediating the vulnerability

  • Exposure of the vulnerability

Correct answer: Number of public exploits available

Although the availability of public exploits might have some impact on how easily a vulnerability can be exploited, it is not usually a deciding factor in remediation planning. Exploits for a specific vulnerability might exist without being released publicly; thus, other factors such as criticality, exposure, severity, and so on are more relevant.

16.

What component can a pentester compromise in IPMI to gain the ability to monitor, reboot, and install software on the target device?

  • BMC

  • Hypervisor

  • NIC

  • TPM

Correct answer: BMC

The Intelligent Platform Management Interface (IPMI) is used to provide out-of-band management to computer systems (including IoT devices). A baseboard management controller (BMC) has direct access to the motherboard and other hardware and can be leveraged to compromise the rest of the system.

Hypervisors are used to provide virtual machines.

Network interface cards (NIC) are used to manage network connections.

The Trusted Platform Module (TPM) manages cryptographic keys.

17.

Which type of reconnaissance activity is MOST likely to be detected by an organization?

  • Nmap scan from internal network

  • Wardriving

  • Port scan from external network

  • Recon-ng reconnaissance campaign

Correct answer: Nmap scan from internal network

An Nmap scan from inside an organization's network is a highly suspicious activity that will likely be detected.

Wardriving involves finding Wi-Fi networks. Port scans from external networks are common occurrences. Recon-ng is a form of passive reconnaissance.

18.

A pentester has gained user-level access to a Windows server. What could they do to try to elevate their access?

  • Look for writable scheduled tasks

  • Download the file system contents for analysis

  • Create a new user account with administrative access

  • Brute-force higher-level user accounts

Correct answer: Look for writable scheduled tasks

In some cases, scripts used in scheduled tasks are writable by unprivileged users. That can make it possible to abuse tasks or services that run as SYSTEM or with other elevated privileges.

Downloading large amounts of data could set off an incident response process. User-level accounts cannot create administrative-level accounts in a properly configured environment. Brute-forcing higher-level user accounts could lead to user lockouts that alert users.

19.

During Nmap fingerprinting, a pentester has identified one machine running a service called "vsftpd." It appears the current version is 2.3.4. Being tasked to gain access to as many hosts as possible, what should the pentester's next step be?

  • Use SearchSploit to search for an exploit for "vsftpd"

  • Conduct a MITM attack to attempt to capture FTP credentials

  • Try to brute-force the login credentials for the FTP

  • Download the FTP software locally and look for vulnerabilities manually

Correct answer: Use SearchSploit to search for an exploit for "vsftpd"

The pentester should utilize all known exploit databases, such as Exploit-DB, Metasploit, etc., in order to find a possible exploit for the current vsftpd version.

Conducting MITM attacks, brute-forcing credentials, and attempting vulnerabilities manually are more time-intensive activities.

20.

Once your pentest report is completed and ready to be provided to the client, what method should you use to send it to the interested parties?

  • Any secure method preapproved by all parties involved

  • An encrypted mail message

  • A secure FTP site

  • There is no special requirement for report handling

Correct answer: Any secure method preapproved by all parties involved

The report contains sensitive client information and should be handled with extreme care. The transmission method is usually decided on during the Rules of Engagement (RoE) discussion.