Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

PT0-002

By comptia
Aug, 2025


Question 51

A penetration tester needs to upload the results of a port scan to a centralized security tool. Which of the following commands would allow the tester to save the results in an interchangeable format?

  • A: nmap -iL results 192.168.0.10-100
  • B: nmap 192.168.0.10-100 -O > results
  • C: nmap -A 192.168.0.10-100 -oX results
  • D: nmap 192.168.0.10-100 | grep "results"

Question 52

During a penetration-testing engagement, a consultant performs reconnaissance of a client to identify potential targets for a phishing campaign. Which of the following would allow the consultant to retrieve email addresses for technical and billing contacts quickly, without triggering any of the client's cybersecurity tools? (Choose two.)

  • A: Scraping social media sites
  • B: Using the WHOIS lookup tool
  • C: Crawling the client's website
  • D: Phishing company employees
  • E: Utilizing DNS lookup tools
  • F: Conducting wardriving near the client facility

Question 53

During a penetration test, the domain names, IP ranges, hosts, and applications are defined in the:

  • A: SOW.
  • B: SLA.
  • C: ROE.
  • D: NDA.

Question 54

A tester who is performing a penetration test on a website receives the following output:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62
Which of the following commands can be used to further attack the website?

  • A: <script>var adr = '../evil.php?test=' + escape(document.cookie);</script>
  • B: ../../../../../../../../../../etc/passwd
  • C: /var/www/html/index.php;whoami
  • D: 1 UNION SELECT 1, DATABASE (), 3 --

Question 55

A penetration tester has established an on-path position between a target host and local network services but has not been able to establish an on-path position between the target host and the Internet. Regardless, the tester would like to subtly redirect HTTP connections to a spoofed server IP. Which of the following methods would BEST support the objective?

  • A: Gain access to the target host and implant malware specially crafted for this purpose.
  • B: Exploit the local DNS server and add/update the zone records with a spoofed A record.
  • C: Use the Scapy utility to overwrite name resolution fields in the DNS query response.
  • D: Proxy HTTP connections from the target host to that of the spoofed host.

Question 56

Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.)

  • A: Use of non-optimized sort functions
  • B: Poor input sanitization
  • C: Null pointer dereferences
  • D: Non-compliance with code style guide
  • E: Use of deprecated Javadoc tags
  • F: A cyclomatic complexity score of 3

Question 57

A penetration tester is scanning a corporate lab network for potentially vulnerable services.
Which of the following Nmap commands will return vulnerable ports that might be interesting to a potential attacker?

  • A: nmap 192.168.1.1-5 -PU22-25,80
  • B: nmap 192.168.1.1-5 -PA22-25,80
  • C: nmap 192.168.1.1-5 -PS22-25,80
  • D: nmap 192.168.1.1-5 -Ss22-25,80

Question 58

A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?

  • A: Hydra
  • B: John the Ripper
  • C: Cain and Abel
  • D: Medusa

Question 59

A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:
✑ The following request was intercepted going to the network device:

GET /login HTTP/1.1
Host: 10.50.100.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk

✑ Network management interfaces are available on the production network.
✑ An Nmap scan returned the following:

Port    State Service Version
22/tcp  open  ssh     Cisco SSH 1.25 (protocol 2.0)
80/tcp  open  http    Cisco IOS http config
|_https-title: Did not follow redirect to https://10.50.100.16
443/tcp open  https   Cisco IOS https config

Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.)

  • A: Enforce enhanced password complexity requirements.
  • B: Disable or upgrade SSH daemon.
  • C: Disable HTTP/301 redirect configuration.
  • D: Create an out-of-band network for management.
  • E: Implement a better method for authentication.
  • F: Eliminate network management and control interfaces.

Question 60

A penetration tester was able to compromise a server and escalate privileges. Which of the following should the tester perform AFTER concluding the activities on the specified target? (Choose two.)

  • A: Remove the logs from the server.
  • B: Restore the server backup.
  • C: Disable the running services.
  • D: Remove any tools or scripts that were installed.
  • E: Delete any created credentials.
  • F: Reboot the target server.

Question 61

A penetration tester is reviewing the following DNS reconnaissance results for comptia.org from dig:
...
;; ANSWER SECTION
comptia.org. 3569 IN MX comptia.org-mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.
Which of the following potential issues can the penetration tester identify based on this output?

  • A: At least one of the records is out of scope.
  • B: There is a duplicate MX record.
  • C: The NS record is not within the appropriate domain.
  • D: The SOA record is outside the comptia.org domain.

Question 62

A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host. Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?

  • A: tcpdump
  • B: Snort
  • C: Nmap
  • D: Netstat
  • E: Fuzzer

Question 63

Deconfliction is necessary when the penetration test:

  • A: determines that proprietary information is being stored in cleartext.
  • B: occurs during the monthly vulnerability scanning.
  • C: uncovers indicators of prior compromise over the course of the assessment.
  • D: proceeds in parallel with a criminal digital forensic investigation.

Question 64

A penetration tester wants to test a list of common passwords against the SSH daemon on a network device. Which of the following tools would be BEST to use for this purpose?

  • A: Hashcat
  • B: Mimikatz
  • C: Patator
  • D: John the Ripper

Question 65

PCI DSS requires which of the following as part of the penetration-testing process?

  • A: The penetration tester must have cybersecurity certifications.
  • B: The network must be segmented.
  • C: Only externally facing systems should be tested.
  • D: The assessment must be performed during non-working hours.

Question 66

A penetration tester completed an assessment, removed all artifacts and accounts created during the test, and presented the findings to the client. Which of the following happens NEXT?

  • A: The penetration tester conducts a retest.
  • B: The penetration tester deletes all scripts from the client machines.
  • C: The client applies patches to the systems.
  • D: The client clears system logs generated during the test.

Question 67

A penetration tester is examining a Class C network to identify active systems quickly. Which of the following commands should the penetration tester use?

  • A: nmap -sn 192.168.0.1/16
  • B: nmap -sn 192.168.0.1-254
  • C: nmap -sn 192.168.0.1 192.168.0.1.254
  • D: nmap -sN 192.168.0.0/24

Question 68

A penetration tester was brute forcing an internal web server and ran a command that produced the following output:

Image 1

However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed.
Which of the following is the MOST likely reason for the lack of output?

  • A: The HTTP port is not open on the firewall.
  • B: The tester did not run sudo before the command.
  • C: The web server is using HTTPS instead of HTTP.
  • D: This URI returned a server error.

Question 69

A penetration tester wants to validate the effectiveness of a DLP product by attempting exfiltration of data using email attachments. Which of the following techniques should the tester select to accomplish this task?

  • A: Steganography
  • B: Metadata removal
  • C: Encryption
  • D: Encode64

Question 70

A penetration tester received a 16-bit network block that was scoped for an assessment. During the assessment, the tester realized no hosts were active in the provided block of IPs and reported this to the company. The company then provided an updated block of IPs to the tester. Which of the following would be the most appropriate NEXT step?

  • A: Terminate the contract.
  • B: Update the ROE with new signatures.
  • C: Scan the 8-bit block to map additional missed hosts.
  • D: Continue the assessment.

Question 71

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?

  • A: Add a dependency checker into the tool chain.
  • B: Perform routine static and dynamic analysis of committed code.
  • C: Validate API security settings before deployment.
  • D: Perform fuzz testing of compiled binaries.

Question 72

A penetration tester needs to access a building that is guarded by locked gates, a security team, and cameras. Which of the following is a technique the tester can use to gain access to the IT framework without being detected?

  • A: Pick a lock.
  • B: Disable the cameras remotely.
  • C: Impersonate a package delivery worker.
  • D: Send a phishing email.

Question 73

A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP. Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?

  • A: Key reinstallation
  • B: Deauthentication
  • C: Evil twin
  • D: Replay

Question 74

A penetration tester has gained access to part of an internal network and wants to exploit on a different network segment. Using Scapy, the tester runs the following command:

Image 1

Which of the following represents what the penetration tester is attempting to accomplish?

  • A: DNS cache poisoning
  • B: MAC spoofing
  • C: ARP poisoning
  • D: Double-tagging attack

Question 75

A company that requires minimal disruption to its daily activities needs a penetration tester to perform information gathering around the company's web presence.
Which of the following would the tester find MOST helpful in the initial information-gathering steps? (Choose two.)

  • A: MX records
  • B: Zone transfers
  • C: DNS forward and reverse lookups
  • D: Internet search engines
  • E: Externally facing open ports
  • F: Shodan results
Page 3 of 19 • Questions 51-75 of 461
