CompTIA PenTest+ Exam Questions
41.
A rainbow table is BEST described as:
- A precomputed list or a table of all possible hash values
- A dynamically generated table or a list of values based on predefined criteria
- A database table of a Postgre server
- A Windows password hashes table
Correct answer: A precomputed list or a table of all possible hash values
Rainbow tables are prehashed values, and, because of this, they tend to grow in size and require more storage. Using a rainbow table can accelerate password cracking.
42.
A pentester is compiling a penetration test report and has prepared a high-level overview of the results. Which section of the report is suitable for such information?
- Executive summary
- Scope details
- Methodology
- Appendix
Correct answer: Executive summary
The executive summary is usually at the beginning of the report, and it summarizes the big picture, methodology used, and high- or critical-level findings.
The scope details section includes information about what is in scope and what is out of scope for the test. The methodology section includes the types of tests and techniques used. The appendix includes code and definitions.
43.
Which technique is associated with NAC (Network Access Control) bypassing?
- Cloning the MAC address of a device that was previously connected to the same network port
- Setting up the hostname of the attacking machine to match the victim's hostname
- Changing the attacking system's IP address to a legitimate address on the network
- Using the “pass the hash” technique to capture the credentials of a system that has already authenticated on the network
Correct answer: Cloning the MAC address of a device that was previously connected to the same network port
NAC (Network Access Control) systems are used to authenticate new devices to the corporate network. Some NAC systems, however, can be tricked by simple actions like cloning the MAC address of an already authenticated host or setting up a static IP matching the authenticated host.
NAC does not typically rely on hostnames or IP addresses for authentication. Passing the hash is a lateral movement technique for capturing hashed user credentials after an initial compromise.
44.
Which term is given to an organization that has received approval from the PCI SSC to conduct external vulnerability scanning services?
- ASV
- Acquirer
- PFI
- QSA
Correct answer: ASV
An approved scanning vendor (ASV) is an organization that has been approved by the Payment Card Industry Security Standards Council to carry out vulnerability scanning services.
An acquirer is an institution that maintains relationships with merchants that accept credit cards. A PCI forensic investigator (PFI) is an individual trained in forensic techniques after a breach related to cardholder data. A qualified security assessor (QSA) is an individual certified to carry out PCI DSS compliance assessments.
45.
A pentester wants to determine their client's public IP addresses. They want to do this passively to not alert any IT staff. What can they use to accomplish this?
- Using WHOIS service
- Using hping3
- Using Nmap
- Using Gobuster
Correct answer: Using WHOIS service
The WHOIS service can provide useful information about IP ranges and hosting environments without sending any traffic to the client's systems.
Nmap and hping3 are active tools. Gobuster is also an active tool; it brute-forces directories on web servers.
46.
A tester discovers a package for SSL Kill Switch 2 in a user's directory. What type of security is this intended to disable?
- Certificate pinning
- Two-factor authentication
- Firewall
- VPN
Correct answer: Certificate pinning
Certificate pinning is the technique of associating one host with its public key and using it to make a trust decision. Tools such as SSL Kill Switch 2 and Burp Suite Mobile Assistant can compromise the process of certificate pinning.
Two-factor authentication can be attacked by phishing tools that proxy web traffic, such as Evilginx. A firewall can be attacked by tools that alter packet headers, such as Ftester. VPNs can be attacked by tools that look for weaknesses, such as Metasploit.
47.
A pentester is looking through the trash can in the HR office of the organization. What exploitation technique are they using?
- Dumpster diving
- Tailgating
- Shoulder surfing
- Phishing
Correct answer: Dumpster diving
Penetration testers do occasionally engage in dumpster diving, or retrieving information from the organization’s trash receptacles.
Tailgating involves following an authenticated user to gain access to an area. Shoulder surfing involves viewing sensitive information from behind someone. Phishing involves trying to trick users into divulging sensitive information.
48.
You managed to infiltrate an organization and were able to exfiltrate the SAM database from the server. What tool would you use against the SAM database in an attempt to crack the passwords from it?
- John the Ripper
- Nessus
- grep
- ExifTool
Correct answer: John the Ripper
John the Ripper is a free, powerful password cracking tool. Originally developed for the Unix operating system, it now runs on many different platforms.
Nessus is a vulnerability scanning tool. The grep tool is used to search for strings or regular expressions. ExifTool is used to view metadata.
49.
A client is worried that certain modules in Metasploit could cause serious damage to some systems.
Which aspect of an ethical hacking mindset should the pentester apply to this situation?
- Limiting the use of tools
- Identifying criminal activity
- Maintaining confidentiality of data
- Limiting invasiveness based on scope
Correct answer: Limiting the use of tools
A client may not want certain tools used in the test. In these situations, pentesters should limit their toolsets to meet the client's requests.
Identifying criminal activity is important for notifying a client right away if they discover a breach during testing. Maintaining confidentiality of data is important for ensuring that pentest results do not fall into the wrong hands. Limiting invasiveness based on the scope is important for not disrupting business practices.
50.
What type of information can be found in a captured ARP packet?
- Sender hardware address
- TCP port
- Payload data
- Error checking fields
Correct answer: Sender hardware address
The Address Resolution Protocol (ARP) is used to determine which hardware (MAC) address belongs to a given IP address on the local network. ARP packets include a header with hardware type, protocol type, hardware address length, protocol address length, and operation, followed by a data portion with the sender hardware address, sender protocol address, target hardware address, and target protocol address.
ARP packets do not carry TCP ports, a payload, or error-checking fields.
51.
A user is entering the following string into an article's comment field:
<h1>You've been hacked</h1>
What type of attack is being attempted?
- Stored HTML injection
- Reflected HTML injection
- SQL injection
- Cross-site request forgery
Correct answer: Stored HTML injection
Injecting arbitrary HTML into a web page is known as HTML injection. This type of injection happens when the user input is not properly sanitized. Since the injection is stored on the website as a comment, it will remain there for anyone who opens the comment.
Reflected injections usually only work in the current browser session. SQL injections target database servers. Cross-site request forgeries trick users into performing actions on sites where they are already authenticated.
52.
A pentester has a gigantic number of IP addresses. How can they scan them all for vulnerabilities without spending a huge amount of time?
- By using Nessus
- By using Medusa
- By using BeEF
- By using Wfuzz
Correct answer: By using Nessus
Nessus is a tool that allows scanning for various security issues such as network or web application vulnerabilities. It can be easily configured to run automated scans.
Medusa is a brute-force login attack tool, not a vulnerability scanner. The Browser Exploitation Framework (BeEF) provides an automated toolkit for using social engineering and doesn't provide vulnerability scanning capabilities. Wfuzz is a fuzzing tool.
53.
You have submitted your pentest report and received acceptance of the results from the client. To conclude the penetration testing, what else is required of you?
- You should conduct a post-engagement cleanup
- You should stop all running scans and tests
- Nothing; you are completely done with this pentest and all activities related to it
- You should start retesting the environment
Correct answer: You should conduct a post-engagement cleanup
You should remove all tools, accounts, and other traces of your work from the client's environment.
54.
You are writing a pentest report. You have found a vulnerability that would require a short Python script to be exploited. You have written out the script in the report to show the customer.
What is that short Python script called?
- PoC
- API
- Malware
- Trojan horse
Correct answer: PoC
Although not an exam objective, a proof of concept (PoC) can be beneficial in a pentest report. It represents proof that the vulnerability found could be exploited. This is usually a short script that could be used to exploit it. You may need a compiler to compile proof-of-concept source code for a given operating system, or to modify an exploit to account for certain environmental conditions like firewalls and proxy servers.
An API is a protocol that lets two systems communicate. Malware is malicious code designed to attack a system. A Trojan horse is malware disguised as a legitimate program.
55.
Which of the following is a software testing technique that inputs invalid or random data into the software system to discover coding errors and security loopholes?
- Fuzzing
- Brute-forcing
- Pass the hash
- Code review
Correct answer: Fuzzing
Fuzzing is a software testing technique that feeds invalid or random data, called fuzz, into the software system to discover coding errors and security loopholes. The data is supplied using automated or semi-automated techniques, after which the system is monitored for exceptions such as crashes or failing built-in checks. The goal of fuzzing is to uncover flaws in validation logic, memory leaks, or faulty error handling.
A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password instead of requiring the associated plaintext password. Code review is a software quality assurance activity in which one or several people check a program mainly by viewing and reading parts of its source code.
56.
During a web application penetration test, you are examining the HTTP headers in the response. Which tool is designed to help you with this task?
- Burp Suite
- grep
- hping
- ExifTool
Correct answer: Burp Suite
Burp Suite is a web application testing tool that includes HTTP inspection. Its repeater tool can be used to modify and resend requests to observe changes in response headers.
Grep is a command-line utility for searching plain-text data sets for lines that match a regular expression. Hping is a free packet generator and analyzer for the TCP/IP protocol suite. ExifTool is a free and open-source program for reading, writing, and manipulating image, audio, video, and PDF metadata.
57.
Why would a pentester run the strings command on a binary file?
- To reveal text contents such as configuration details, error messages, or file names
- To learn about the online community's insights into the purpose of the binary file
- To step through the binary's execution and inspect its behavior in detail
- To disassemble the binary into hexadecimal to reveal embedded strings and structure
Correct answer: To reveal text contents such as configuration details, error messages, or file names
If a pentester has a binary file that they cannot decompile, they can try running the strings command to extract plaintext data from the binary. That text data can be analyzed for possible clues about the binary file.
OSINT can be used to learn about the online community's insights into the purpose of a binary file. Debuggers are used to step through a binary's execution and inspect its behavior in detail. A hex editor can be used to view raw data of a file to reveal embedded strings and structure.
58.
Which attack technique could be applicable in a web application pentest?
- Reflected HTML injection
- ARP spoofing
- Bluejacking
- DLL hijacking
Correct answer: Reflected HTML injection
A reflected HTML injection vulnerability is a nonpersistent browser execution attack, meaning that the injected content is lost once the current browser session is closed.
ARP spoofing is used for techniques such as session hijacking on a local network. Bluejacking is a Bluetooth exploit. DLL hijacking is an attack technique against desktop software.
59.
A threat actor is attempting to enter a high-security area on the client's premises. There is no security guard, but the automated door is controlled by RFID on the outside and a motion sensor on the inside. Clearly, the aim is to prevent people from entering and to enable easy exit. The threat actor pushes a piece of paper through the small gap between the door and the roof. The paper sheet triggers the motion sensor, and the door opens.
Which security mechanism has been exploited?
- Egress sensor
- Dumpster diving
- RFID sensor
- Tailgating
Correct answer: Egress sensor
The egress sensor is the detector that enables easy exit. Egress sensors are common in heavily trafficked areas but can be a security concern when they can be triggered from outside the secured space.
Dumpster diving involves searching through trash for sensitive information. An RFID sensor can be attacked through RFID cloning. Tailgating involves following an authenticated user into a secure area.
60.
What is the tool Snow used for?
- Steganography
- Business impact analysis
- Application testing
- Reconnaissance
Correct answer: Steganography
Snow is a steganography tool. Steganography is the process of hiding information within another file so that it is not visible to the naked eye. Snow uses whitespace and tabs within a document to hide information.
An example of a business impact analysis tool is the Fusion Framework System. An example of an application testing tool is Burp Suite. An example of a reconnaissance tool is Nmap.