Pentest+ Practice Exam Chapter 4 Vulnerability Scanning and Analysis (Jonathan Ammerman) Flashcards

1
Q

Which of the following is not a publicly accessible list used for vulnerability research and analysis?
A. Common Vulnerabilities and Exposures (CVE)
B. The Japan Computer Emergency Response Team (JPCERT)
C. Common Weakness Enumeration (CWE)
D. Common Attack Pattern Enumeration and Classification (CAPEC)

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 71). McGraw-Hill Education. Kindle Edition.

A

B. The Japan Computer Emergency Response Team (JPCERT)

Explanation:
The Japan Computer Emergency Response Team, or JPCERT, is a cybersecurity information-sharing organization backed by the Japanese government, rather than a specific resource provided by such an organization.
A is incorrect because the Common Vulnerabilities and Exposures, or CVE (https://cve.mitre.org), is a list of entries for publicly known cybersecurity vulnerabilities provided by MITRE (which is the name of the company, rather than an acronym). Each entry contains an identification number, a description, and at least one public reference for further information. C is incorrect because the Common Weakness Enumeration, or CWE (https://cwe.mitre.org), is a community-developed list of common software security weaknesses managed by MITRE. Per MITRE, CWE provides a baseline for weakness identification, mitigation, and prevention efforts. D is incorrect because the Common Attack Pattern Enumeration and Classification, or CAPEC (https://capec.mitre.org), is a dictionary provided by MITRE that serves to help classify various types of attacks so that they can be better understood by analysts, developers, testers, and educators.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 84). McGraw-Hill Education. Kindle Edition.

2
Q
Which of the following is a public, vendor-neutral forum and mailing list that publishes vulnerability analysis details, exploitation techniques, and other relevant information for the security community?
A. US-CERT
B. MITRE
C. NIST
D. Full Disclosure

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 71). McGraw-Hill Education. Kindle Edition.

A

D. Full Disclosure

Explanation:
Full Disclosure is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques.

It also provides tools, papers, news and events of interest to the cybersecurity community.

3
Q

Which of the following is a major benefit of running a credentialed vulnerability scan over an uncredentialed scan?
A. Uncredentialed vulnerability scans are known to more commonly produce false positives.
B. Credentialed vulnerability scans more accurately represent real-world conditions when facing an outside threat actor.
C. Uncredentialed vulnerability scans tend to reveal more issues, so credentialed scans are easier to report.
D. Credentialed vulnerability scans are usually faster.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 71). McGraw-Hill Education. Kindle Edition.

A

A. Uncredentialed vulnerability scans are known to more commonly produce false positives.

Explanation:
Uncredentialed vulnerability scans are known to more commonly produce false positives when scanning systems and applications.

As such, credentialed scans are desirable due to their tendency to cut down on such unwarranted alerts during a pentest.

4
Q

The National Institute of Standards and Technology (NIST) maintains what public resource for analysis on vulnerabilities published to the CVE dictionary, using the Common Vulnerability Scoring System (CVSS)?
A. Full Disclosure
B. National Vulnerability Database (NVD)
C. CWE
D. OWASP

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 71). McGraw-Hill Education. Kindle Edition.

A

B. National Vulnerability Database (NVD)

Explanation:
NIST maintains the National Vulnerability Database, or NVD.

5
Q

A discovery scan in nmap is described by which of the following statements? (Choose two.)
A. It’s an active scanning technique.
B. It scans all 65,000+ possible network ports.
C. It performs a simple ping test to determine if a host is up and alive on the network.
D. It identifies software and versions running on open ports.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 71). McGraw-Hill Education. Kindle Edition.

A

A. It’s an active scanning technique.
C. It performs a simple ping test to determine if a host is up and alive on the network.

Explanation:
A discovery scan is an active scanning technique that relies on performing a ping test to determine if a host is up and alive on a network.

6
Q
A stealth scan in nmap is denoted by the __________ flag and leverages the use of __________ when probing ports.
A. -sT, TCP Connect() calls
B. -sT, SYN packets
C. -sU, RST packets
D. -sS, SYN and RST packets

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 71-72). McGraw-Hill Education. Kindle Edition.

A

D. -sS, SYN and RST packets

Explanation:
A stealth scan in nmap is denoted by the -sS flag and leverages the use of SYN and RST packets when probing ports.

If a server responds with a SYN/ACK packet to continue a three-way TCP handshake, nmap trashes the connection by sending an RST packet; this often prevents scans from showing up in server logs.

7
Q
Security Content Automation Protocol (SCAP) aware scanners, such as Tenable’s Nessus, test the implementation of best-practice security configuration baselines from the Center for Internet Security (CIS). For which type of scan are these baselines most helpful?
A. Full scan
B. Discovery scan
C. Compliance scan
D. Stealth scan

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 72). McGraw-Hill Education. Kindle Edition.

A

C. Compliance scan

Explanation:
The baselines established by SCAP and embedded in scanners such as Nessus are most helpful during a compliance scan.

8
Q

Supervisory Control and Data Acquisition (SCADA) is a real-time control system that monitors the health and status of components of what type of infrastructure?
A. Industrial control systems (ICS) used in manufacturing, power generation, water treatment, and other public works
B. Point-of-sale systems
C. Embedded systems such as MP3 players, smartphones, and e-readers
D. Biometric scanners such as fingerprint readers and retinal scanners

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 72). McGraw-Hill Education. Kindle Edition.

A

A. Industrial control systems (ICS) used in manufacturing, power generation, water treatment, and other public works

Explanation:
Supervisory Control and Data Acquisition (SCADA) is a real-time control system that monitors the health and status of components of industrial control systems (ICS) used in manufacturing, power generation, water treatment, and other public works.

9
Q
Which of the following is not an example of a nontraditional asset?
A. Real-time operating systems (RTOSs)
B. SCADA networks
C. Linux servers
D. IoT devices

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 72). McGraw-Hill Education. Kindle Edition.

A

C. Linux servers

Explanation:
Linux servers are common computer hardware, and as such are considered a rather traditional sort of information system asset.

10
Q
The tool shown in the following illustration provides web and web application security testing capabilities. What is it called?
A. Nikto
B. W3AF
C. Burp Suite
D. OpenVAS

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 72). McGraw-Hill Education. Kindle Edition.

A

C. Burp Suite

11
Q

Which of the following is not an issue to consider when performing a vulnerability scan?
A. Services and protocols known to be in use in the environment
B. Bandwidth limitations
C. Overall topology of the network in question
D. The public reputation of the developers of the software or operating system being tested

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 73). McGraw-Hill Education. Kindle Edition.

A

D. The public reputation of the developers of the software or operating system being tested

Explanation:
The public reputation of the developers of software or an operating system is the concern of those developers alone; the job of the penetration tester is to test and verify system security.

12
Q

Why might it be necessary to throttle queries to a target system during a penetration test?
A. To keep your testing system from getting slow
B. To prevent your hard drive from filling up due to the volume of data
C. To more accurately mirror real-world service-use conditions
D. To avoid taking down a system or service through effectively running a denial-of-service attack, or to avoid detection by not tripping log sensors or other alerts

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 73). McGraw-Hill Education. Kindle Edition.

A

D. To avoid taking down a system or service through effectively running a denial-of-service attack, or to avoid detection by not tripping log sensors or other alerts

Explanation:
Throttling queries to a target system necessarily adds to the load that system encounters.

Since some scanners can be aggressive, letting them run at full speed can sometimes be enough to take the system down, since overloading a system in such a manner is only distinguishable from an intentional DoS attack in that it was not intended to be malicious.

Moreover, aggressive scans can trip warning sensors or alerts; if conducting a red team assessment, this could be detrimental to your success as a pentester since an alert blue team is able to counter your activities more readily.

13
Q

In addition to their value in compliance-based penetration tests, which of the following is another benefit of the use of testing an environment against CIS preconfigured operational baseline scan templates?
A. Less work on the part of the penetration tester
B. Simplification of the scanning process
C. Aid in the development of organizational security policy
D. Assisting the organization with asset categorization and implementation of industry best practices

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 73-74). McGraw-Hill Education. Kindle Edition.

A

D. Assisting the organization with asset categorization and implementation of industry best practices

Explanation:
Preconfigured operational baseline scan templates allow an organization to better understand their technological footprint, which simplifies asset categorization and empowers them to identify and implement industry best practices that may be applicable to their architecture and environment.

14
Q

Which of the following is not a benefit of performing vulnerability scanning during a penetration test?
A. Aids penetration testers in prioritizing attack vectors for manual testing based on those most likely to produce findings
B. Thorough review of application code outside of a running system for details on the vulnerability
C. Assists in time management during a penetration test by automating vulnerability discovery
D. Improves the overall quality of the penetration test and the resulting report by providing the penetration tester a sense of focus on higher priority (that is, higher risk) vulnerabilities

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 74). McGraw-Hill Education. Kindle Edition.

A

B. Thorough review of application code outside of a running system for details on the vulnerability

Explanation:
B is correct. This is an example of the potential benefits of static application analysis, not a benefit of vulnerability scanning. A, C, and D are incorrect. These are all examples of benefits of leveraging vulnerability mapping during a penetration test, making them all incorrect answers. Prioritization of likely successful attack vectors, time management, and overall penetration test quality improvement are all expected benefits.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 90). McGraw-Hill Education. Kindle Edition.

15
Q
As shown by the following output, this open-source command-line tool is a web server scanner that tests for dangerous files or CGIs, outdated server software, and other problems.
A. OpenVAS
B. Dirbuster
C. Nikto
D. Gobuster

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 74). McGraw-Hill Education. Kindle Edition.

A

C. Nikto

Explanation:
The screenshot shows the beginning of a scan using Nikto. A, B, and D are incorrect. A may be safely ruled out as OpenVAS is a graphical interface tool. Since the image in question is of a command-line interface, you can easily determine that OpenVAS is incorrect. B and D are tools that serve to help enumerate directories and file names present on web servers; dirbuster may be used via the command line or graphical interface, and gobuster is a simplified, functionally similar tool exclusive to the command line.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 91). McGraw-Hill Education. Kindle Edition.

16
Q

Which of the following is not a commonly reported theme or issue in vulnerability scan results?
A. Observations
B. Exploits
C. Vulnerabilities
D. Failure to apply industry best practices

A

B. Exploits

Explanation:
While it is common for vulnerability scan results to detail vulnerabilities specific to a system, a functional exploit that takes advantage of that vulnerability is not going to be presented in the vulnerability scan results. A, C, and D are incorrect because all are examples of commonly reported themes or issues found in vulnerability scan results. Observations may include items such as software or OS version numbers. Vulnerabilities would be highlighted when identified, such as through software or OS build version numbers or based on port scan results. Failure to apply industry best practices is highlighted by vulnerability scanners such as Nessus and Burp Suite, and may include items such as a failure to enable HTTP Strict Transport Security or leaving SSLv2 or v3 enabled on a system.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 91). McGraw-Hill Education. Kindle Edition.

17
Q

Which of the following is an example of a vulnerability identification that is typical of those detailed in the results of a vulnerability scan?
A. Software version numbers revealed during scanning.
B. HTTP Strict Transport Security is not enabled on a system web application.
C. OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067.
D. SSLv2 and v3 found to be enabled.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 75). McGraw-Hill Education. Kindle Edition.

A

C. OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067.

Explanation:
OS fingerprinting revealing susceptibility to exploits targeting MS08-067 would be an example of a vulnerability identified by a vulnerability scan. A, B, and D are incorrect. A is incorrect because it is an example of an observation that may be identified during a vulnerability scan. B and D are incorrect because they are examples of identified failure to apply industry best practices.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 92). McGraw-Hill Education. Kindle Edition.

18
Q

Which of the following is an example of a failure to apply best practices typical of those detailed in the results of a vulnerability scan?
A. HTTP Strict Transport Security is not enabled on a system web application.
B. Target is identified as an Apache web server.
C. Software version numbers are revealed during scanning.
D. OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 75). McGraw-Hill Education. Kindle Edition.

A

A. HTTP Strict Transport Security is not enabled on a system web application.

Explanation:
A is correct. Not requiring HTTP Strict Transport Security is an example of a failure to apply best practices that may be identified during a vulnerability scan. B, C, and D are incorrect. B and C are incorrect because these are examples of observations that may be identified during a vulnerability scan. D is incorrect because it is an example of a specific vulnerability identified during a penetration test.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 92). McGraw-Hill Education. Kindle Edition.

19
Q

Which of the following is an example of an observation typical of those detailed in the results of a vulnerability scan?

A. OS fingerprinting reveals a system running Windows XP SP2, suggesting susceptibility to MS08-067.
B. A web application’s robots.txt file specifically denies all access to the /cgi-bin/ directory.
C. HTTP Strict Transport Security is not enabled on a system web application.
D. SSLv2 and v3 found to be enabled.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 75-76). McGraw-Hill Education. Kindle Edition.

A

B. A web application’s robots.txt file specifically denies all access to the /cgi-bin/ directory.

Explanation:
The contents of a web application’s robots.txt file are often valuable to a malicious attacker or penetration tester, and are therefore provided as an observation in many vulnerability scanners. A, C, and D are incorrect. A is incorrect because it is an example of a specific vulnerability identified during a penetration test. C and D are incorrect because they are examples of industry best practices found to not be applied to a running system.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 92-93). McGraw-Hill Education. Kindle Edition.

20
Q

Which of the following is an example of static application analysis?

A. Scanning a running web application with Nikto and dirbuster to identify potential flaws
B. Analyzing the written code for an application outside of an actively running instance
C. Using Burp to crawl through the user interface for a web application
D. Fuzzing a running web application with garbage input to assess the application’s reaction

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 76). McGraw-Hill Education. Kindle Edition.

A

B. Analyzing the written code for an application outside of an actively running instance

Explanation:
Analyzing written code without seeing it executed on a live system is a classic example of static application analysis.
A, C, and D are incorrect because all options listed are assessments made against a currently running system or application. As such, they are all examples of dynamic application analysis.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 93). McGraw-Hill Education. Kindle Edition.

21
Q

Which of the following is an example of dynamic application analysis?
A. Searching for programming flaws in written code for an application outside of an actively running instance
B. Fuzzing a running web application with garbage input to assess the application’s reaction
C. Searching for maliciously placed backdoors in written code
D. Analyzing application code and comparing functions to known best practices in programming such as query parameterization

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 76). McGraw-Hill Education. Kindle Edition.

A

B. Fuzzing a running web application with garbage input to assess the application’s reaction

Explanation:
Fuzzing a running web application with garbage input to hunt for DoS or buffer overflow opportunities is a classic example of dynamic application analysis. A, C, and D are incorrect because all options listed are assessments made against code that is not actively being run. As such, they are all examples of static application analysis.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 93). McGraw-Hill Education. Kindle Edition.

22
Q

Which of the following is not a detail of CVEs maintained by the CVE Numbering Authority?

A. PoC exploit code
B. CVE ID
C. Brief description of the vulnerability
D. External references or advisories

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 76). McGraw-Hill Education. Kindle Edition.

A

A. PoC exploit code

Explanation:
PoC exploit code is not a detail of CVEs maintained by the CVE Numbering Authority. Note, however, that such code could be found in the external references or advisories that are maintained as a detail of a given CVE. B, C, and D are incorrect because all three items are key details of CVEs as maintained by the CVE Numbering Authority.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 93). McGraw-Hill Education. Kindle Edition.

23
Q

Which of the following is not a security weakness category as maintained by CWE?

A. Programming concepts
B. Development concepts
C. Research concepts
D. Architectural concepts

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 76). McGraw-Hill Education. Kindle Edition.

A

A. Programming concepts

Explanation:
Programming concepts are not a security weakness category as maintained by CWE. Be cautious with questions like this; programming-related weaknesses would likely be categorized as development concepts. Remember that the categories monitored by CWE are broad in scope. B, C, and D are incorrect. Development concepts, research concepts, and architectural concepts are all security weakness categories as maintained by CWE, and are therefore incorrect answers for this question.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 94). McGraw-Hill Education. Kindle Edition.

24
Q

Which of the following is an identifier provided for CWE entries?

A. Weakness ID
B. Modes of introduction
C. Likelihood of exploit
D. Answers A, B, and C

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 76). McGraw-Hill Education. Kindle Edition.

A

D. Answers A, B, and C

Explanation:
All specific items listed (weakness ID, modes of introduction, and likelihood of exploit) are identifiers provided for each CWE entry. As such, answer D (which explicitly includes all three named answers) is the correct choice.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 94). McGraw-Hill Education. Kindle Edition.

25
Q

The sample screen shown next displays the product of a scan from __________, a remote vulnerability-scanning tool that can help automate much of the penetration testing process. This tool supports both credentialed and uncredentialed scans, and is one of the most popular commercially available scanners on the market.

A. Nikto
B. OpenVAS
C. Burp Suite
D. Nessus

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 76). McGraw-Hill Education. Kindle Edition.

A

D. Nessus

Explanation:
The screenshot shows a report that is typical of Tenable’s Nessus scanner. A, B, and C are incorrect. A is easily identifiable as incorrect, as Nikto is a command-line tool exclusively. Since the image in question is of a graphical interface, you can determine that Nikto is incorrect. B and C are tools that, while presented in a graphical interface, look quite different from Nessus.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 95). McGraw-Hill Education. Kindle Edition.

26
Q

The CAPEC details thousands of known attack patterns and methodologies. Which of the following is not an attack domain recognized by CAPEC?

A. Social Engineering
B. Supply Chain
C. Physical Security
D. Firmware

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 77). McGraw-Hill Education. Kindle Edition.

A

D. Firmware

Explanation:
Firmware attacks are not a dedicated attack domain per CAPEC categorization, making this the correct answer here. Real-world firmware attacks would likely be categorized as supply chain or hardware vulnerabilities. A, B, and C are incorrect. Social engineering, supply chain attacks, and physical security attacks are all independently recognized domains of attack per CAPEC, and are therefore incorrect answers for this question.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 95). McGraw-Hill Education. Kindle Edition.

27
Q
During a penetration test, you identify and harvest encrypted user passwords from a web application database. You do not have access to a rainbow table for the encryption algorithm used, and do not have any success with dictionary attacks. What remaining attack method—typically one of last resort—could you leverage as an attacker to attempt to decrypt the passwords you have harvested?
A. Strategic guessing
B. Brute force
C. XSS
D. CSRF

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 77-78). McGraw-Hill Education. Kindle Edition.

A

B. Brute force

Explanation:
Brute force is a valid means of password cracking or recovery, but is typically considered the approach of last resort due to its general unreliability when compared to dictionary or rainbow table attacks.

A is incorrect because brute-force attempts are decidedly not strategic in their approach. Using raw computational power can be effective, but success rates with dictionary attacks are generally much higher. C and D are incorrect as cross-site scripting (XSS) and cross-site request forgery (CSRF) are vulnerabilities specific to websites and web applications, and are therefore not applicable in the context of password cracking.

28
Q

Which password-cracking method leverages wordlists that are expanded with discovered real-world passwords as they are discovered?
A. Dictionary attack
B. Brute force
C. Calling the owner of the account and posing as a member of the IT department to get them to reveal the password
D. Rainbow tables

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 78). McGraw-Hill Education. Kindle Edition.

A

A. Dictionary attack

Explanation:
A dictionary attack uses existing wordlists that get expanded whenever real-world passwords are discovered. B, C, and D are incorrect. B is incorrect because brute-force attacks leverage raw computational power to attempt to crack a password, by trying every possible character combination with the given character set. C is incorrect because it describes a generic social engineering attempt. D is incorrect because rainbow tables are collections of pre-calculated password hashes for a given algorithm.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 96). McGraw-Hill Education. Kindle Edition.

29
Q
Which password-cracking method requires extensive storage capacity, sometimes more than 300 GB in total?
A. Brute force
B. Wordlist attack
C. Rainbow tables
D. Dictionary attack

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 78). McGraw-Hill Education. Kindle Edition.

A

C. Rainbow tables

Explanation:
Rainbow tables are effective but consist of massive tables of data for a given algorithm. It is not unheard of to see a rainbow table around 300 GB in total. A, B, and D are incorrect. A is incorrect because brute force is a valid means of password cracking or recovery, but is typically considered the approach of last resort due to its general inefficiency. B and D are incorrect because a wordlist attack is simply another name for a dictionary attack—and dictionary attacks do not require such massive volumes of storage.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 96-97). McGraw-Hill Education. Kindle Edition.

30
Q

Nessus incorporates NVD’s CVSS when producing vulnerability severity information. Which of the following is not a use for this information for a penetration tester?
A. Mapping vulnerabilities to potential exploits
B. Informing the penetration tester’s plan of attack
C. Identifying potential exploits as appropriate for the software versions in use on a target
D. Populating graphs with data for press releases

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 78). McGraw-Hill Education. Kindle Edition.

A

D. Populating graphs with data for press releases

Explanation:
While Nessus, OpenVAS, and other scanners provide a great deal of information that can be useful to drive business decisions, such decisions are the purview of the client alone. A, B, and C are incorrect because these are all valid uses of Nessus output for a penetration tester.

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 97). McGraw-Hill Education. Kindle Edition.

31
Q

During a penetration test, you identify a live local file inclusion (LFI) vulnerability on a web application that allows you to see any file on the target system, including the /etc/passwd and /etc/shadow files. With this information, you feed password hashes from the shadow file into hashcat and crack them with a dictionary attack, ultimately finding a match that allows you to obtain a low-privilege shell on the target system. What is this an example of?

A. Exploit chaining
B. Exploit modification
C. Social engineering
D. Failure to adhere to industry best practices

Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 78). McGraw-Hill Education. Kindle Edition.

A

A. Exploit chaining

Explanation:
This is an example of exploit chaining; in the example given, a local file inclusion vulnerability gives access to weak password hashes, which are then cracked to reveal valid logon credentials. B, C, and D are incorrect. B is incorrect because exploit modification indicates some change has been made to exploit code or the conditions under which the exploit is executed. C is incorrect because social engineering indicates that contact with another person has taken place to solicit information, usually in a manner that defuses any suspicion on the part of the target. D is incorrect because while a failure to adhere to best practices could have resulted in this vulnerability (by way of not updating, patching, or configuring the web application properly), the vulnerability in question could have been unknown to the developers. In such a case, a patch would not exist, and therefore adherence to best practices would be unable to stop the exploit of this vulnerability.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 97). McGraw-Hill Education. Kindle Edition.

32
Q
During a penetration test of a web application, you determine that user session IDs (or tokens) are revealed in the URL after authentication. You further discover that these session IDs are predictably incremented values, and not randomly generated numbers or strings. To which of the following attack types would this application likely be susceptible?
A. SQL injection
B. Remote file inclusion
C. Cross-site scripting
D. Session hijacking

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 78-79). McGraw-Hill Education. Kindle Edition.

A

D. Session hijacking

Explanation:
Since the session IDs are predictable, connecting to the web application with another user’s session ID would be relatively trivial. Given the options listed, this makes session hijacking the most likely vulnerability for this hypothetical web application. A, B, and C are incorrect. A can be safely ruled out here as there is no mention anywhere of a SQL database in the question. B is likewise eliminated, as there is no mention of the inclusion of a file from a source external to the web application server. C may also be ruled out because there is no mention of malicious code being sent to the target in secret as is expected of a cross-site scripting vulnerability.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 98). McGraw-Hill Education. Kindle Edition.

33
Q

Which of the following is a danger associated with the use of default authentication credentials on a system or service?

A. Admin passwords may be easily guessed.
B. Admin passwords are almost guaranteed to be in any major wordlist used in dictionary attacks.
C. Admin passwords will be found with a brief Internet search for the service in question.
D. All of the above.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 79). McGraw-Hill Education. Kindle Edition.

A

D. All of the above.

Explanation:
All of the options listed are equally valid concerns for the use of default authentication credentials.

34
Q

Which of the following is not a potential characteristic of weak authentication credentials?

A. Password is a dictionary word.
B. Password is over 50 characters long with a large character set.
C. Password length is less than eight characters total.
D. Password is identical to username.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 79). McGraw-Hill Education. Kindle Edition.

A

B. Password is over 50 characters long with a large character set.

Explanation:
A password over 50 characters long with a large character set would be non-trivially difficult to crack by any means; there is no metric by which such a password could be considered weak.

35
Q

The tool shown next is a free and open-source password cracker available for many *nix and Windows variants that leverages the system CPU. This sample output shows the results of cracking a list of hashes using a wordlist.

A. John the Ripper
B. Hashcat
C. Cewl
D. Medusa

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 79). McGraw-Hill Education. Kindle Edition.

A

A. John the Ripper

Explanation:
The screenshot shows output typical of John the Ripper when used to crack hashes using a wordlist. B, C, and D are incorrect. B is incorrect because Hashcat provides much more detail in its output, and is most often used to leverage GPUs rather than the system CPU; this would be annotated in the initial output of Hashcat. C is incorrect because Cewl is a custom wordlist generator that will crawl through a target website, identify unique words used on the site, and save them in a text file for the user. That text file may then be used to help crack password hashes with JTR or Hashcat. D is incorrect because Medusa is a parallelized, modular login brute-forcing tool that can be used to attack multiple services and protocols. Output typical of Medusa would show the results of each individual live attempt at brute-forcing a login.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 99). McGraw-Hill Education. Kindle Edition.

36
Q
Which type of web application test attempts to provoke unexpected responses by feeding arbitrary values into web page parameters? 
A. Error code analysis
B. Cross-site scripting
C. HTTP parameter pollution
D. Cross-site request forgery

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 79-80). McGraw-Hill Education. Kindle Edition.

A

C. HTTP parameter pollution

Explanation:
The modification—or pollution—of HTTP parameters as they are sent to the web server is used to attempt to trigger unexpected behavior that may reveal other vulnerabilities or information disclosures. A, B, and D are incorrect. A is incorrect because while error code analysis may be performed on the output of an HTTP parameter pollution test, it is not itself an attempt to invoke an unexpected response from a system. B is incorrect because there is no mention of malicious code being injected onto the site in question. D is incorrect because the issue presented fails to describe CSRF; there is no mention of a valid, authenticated user being tricked into sending a malicious request.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 100). McGraw-Hill Education. Kindle Edition.

37
Q

Which of the following is not a potential consequence of a lack of error handling or excessively verbose error handling in servers, web applications, and databases?
A. OS or software version disclosure
B. Disclosure of the username context for the application or database
C. Clickjacking
D. Disclosure of directory information for the application or database

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 80). McGraw-Hill Education. Kindle Edition.

A

C. Clickjacking

Explanation:
C is correct. Improper error handling broadly is an information disclosure vulnerability; the type of data revealed varies depending on the developer and the programming language in question, but clickjacking is not a potential consequence of improper error handling. A, B, and D are incorrect. All these options are some sort of information disclosure; as such, they are commonly expected with improper error handling. In the context of this question, that makes these incorrect answers.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 100). McGraw-Hill Education. Kindle Edition.

38
Q

In a text field on a web application, you discover that by entering a semicolon and the *nix command id, you can find the username context for the application on the server. What is this an example of?

A. Brute force
B. Command injection
C. Session hijacking
D. Replay attack

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 80). McGraw-Hill Education. Kindle Edition.

A

B. Command injection

Explanation:
The use of a semicolon and another OS-level command indicates that the application in question is feeding raw input from the user into a command on the local server operating system. As such, this is a clear example of command injection.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 100). McGraw-Hill Education. Kindle Edition.

39
Q

What is the process of finding all available information on a target system or service in support of developing a plan of attack?

A. Vulnerability mapping
B. Vulnerability scanning
C. Enumeration
D. Fingerprinting

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 80). McGraw-Hill Education. Kindle Edition.

A

C. Enumeration

Explanation:
Enumeration is the process of finding all available information on a target system or service in support of developing a plan of attack. A, B, and D are incorrect. A is incorrect because vulnerability mapping is the process of detailing identified vulnerabilities and their locations (for example, “Apache web server, version 2.2.14, port 8080”). A vulnerability map does not need to be anything particularly detailed or laid out in a specific format; in fact, nmap output files can often serve adequately in this respect. B is incorrect because vulnerability scanning is the process of inspecting an information system for known security weaknesses. D is incorrect because fingerprinting may be thought of as a component of enumeration, and is the process of determining the names and versions of services running on a system to identify potential methods of attack.

40
Q

Which term describes the process of detailing identified security flaws and their locations?

A. Vulnerability mapping
B. Cross-compiling
C. Cross-building
D. Exploit modification

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 80). McGraw-Hill Education. Kindle Edition.

A

A. Vulnerability mapping

Explanation:
Vulnerability mapping is the process of detailing identified vulnerabilities and their locations, whether they are physical (no cameras or guards at a back entrance, for instance) or logical (such as SMBv1 being enabled on a Windows 2008 server).
B, C, and D are incorrect. B is incorrect because cross-compiling is the creation of an executable for one operating system or platform from within another, different operating system or platform. This is done with special compilers such as MinGW-w64 when a Windows .exe file is compiled from within Kali Linux, for instance. C is incorrect because “cross-building” is a red herring term that has no real meaning in the context of computer science, but sounds close enough to throw off certification candidates; be wary of such answers on the exam! D is incorrect because exploit modification is the process of tweaking a known, public exploit to render it usable or perhaps more suitable for a given use during a penetration test.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 101). McGraw-Hill Education. Kindle Edition.

41
Q

Which act describes the writing of a first-of-its-kind exploit to demonstrate or weaponize a vulnerability?

A. Exploit modification
B. Cross-compiling
C. Proof-of-concept development
D. Threat hunting

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 80-81). McGraw-Hill Education. Kindle Edition.

A

C. Proof-of-concept development

Explanation:
Proof-of-concept development is the process by which first-in-kind exploits are written to demonstrate or weaponize a vulnerability. A, B, and D are incorrect. A is incorrect because exploit modification is the process of tweaking a known, public exploit to render it usable or perhaps more suitable for a given use during a penetration test. B is incorrect because cross-compiling is the creation of an executable for one operating system or platform from within another, different operating system or platform. D is incorrect because threat hunting is the process by which a security team identifies and contains an active threat actor who is capable of evading existing security measures in a system, network, or environment.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 102). McGraw-Hill Education. Kindle Edition.

42
Q

Which of the following is not a result of appropriately prioritizing activities in preparation for a penetration test?

A. Time required for individual activities is decreased, and return on time invested is increased.
B. “Low-hanging fruit” is identified and focused on faster.
C. A plan of attack with a greater chance of success can be developed faster.
D. None of these; all options present are effects of activity prioritization in preparation for and during a penetration test.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 81). McGraw-Hill Education. Kindle Edition.

A

D. None of these; all options present are effects of activity prioritization in preparation for and during a penetration test.

Explanation:
D is correct. A, B, and C are incorrect because all options listed are positive impacts borne by appropriate prioritization of activities in preparation for a penetration test.

43
Q

The tool shown in the following illustration is a free and open-source password cracker available for Linux, Windows, and macOS that leverages system CPUs or GPUs. This sample output shows the results of cracking a list of hashes using a wordlist.

A. Hashcat
B. John the Ripper
C. Cain and Abel
D. Hydra

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 81). McGraw-Hill Education. Kindle Edition.

A

A. Hashcat

Explanation:
The screenshot shows output that is typical of Hashcat. One of the key indicators in this image is the reference to the NVIDIA GeForce GTX 1070, a GPU that can greatly accelerate the cracking process over the use of CPU cycles.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 103). McGraw-Hill Education. Kindle Edition.

44
Q

Which CAPEC-recognized domain of attack focuses on the manipulation of computer hardware and software within their respective lifecycles?

A. Software
B. Supply Chain
C. Physical Security
D. Communications

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 81-82). McGraw-Hill Education. Kindle Edition.

A

B. Supply Chain

Explanation:
Manipulation of computer hardware and software during their respective lifecycles is descriptive of CAPEC’s Supply Chain domain. A, C, and D are incorrect. A is incorrect because the software domain focuses on the exploitation of software applications. C is incorrect because the Physical Security domain focuses on exploitation of weaknesses in physical security. D is incorrect because the Communications domain focuses on attacking communications between computer systems and the protocols used to make that communication possible.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 104). McGraw-Hill Education. Kindle Edition.

45
Q

Which knowledge base maintained by MITRE details techniques and adversarial behavior that can be used to attack organizations?

A. CWE
B. CVE
C. CAPEC
D. ATT&CK

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 82). McGraw-Hill Education. Kindle Edition.

A

D. ATT&CK

Explanation:
The ATT&CK knowledge base (https://attack.mitre.org) details techniques and adversarial behavior that can be used to attack organizations. A, B, and C are incorrect. A is incorrect because the Common Weakness Enumeration, or CWE (https://cwe.mitre.org), is a community-developed list of common software security weaknesses. B is incorrect because the Common Vulnerabilities and Exposures, or CVE (https://cve.mitre.org), is a list of entries for publicly known cybersecurity vulnerabilities. C is incorrect because the Common Attack Pattern Enumeration and Classification, or CAPEC (https://capec.mitre.org), is a dictionary that serves to help classify various types of attacks so that they can be better understood by analysts, developers, testers, and educators. It is worth noting, however, that all these resources are managed by MITRE.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 104). McGraw-Hill Education. Kindle Edition.

46
Q

Which of the following is not a vulnerability scanner commonly used in penetration testing?

A. Nessus
B. OpenVAS
C. SQLmap
D. IDA

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 82). McGraw-Hill Education. Kindle Edition.

A

D. IDA

Explanation:
IDA—or the Interactive Disassembler—is a disassembly tool that can generate assembly language source code for an application or executable from the executable directly, and is not a vulnerability scanning tool.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 104). McGraw-Hill Education. Kindle Edition.

47
Q

In addition to serving as a method of policy compliance evaluation, __________ is a method for using specific standards for automated discovery and measurement of vulnerabilities.

A. HIPAA
B. FISMA
C. SCAP
D. PCI DSS

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 82). McGraw-Hill Education. Kindle Edition.

A

C. SCAP

Explanation:
SCAP—or the Security Content Automation Protocol—is a method for using specific standards for automated discovery and the measurement of vulnerabilities, as well as policy compliance evaluation. A, B, and D are incorrect. These are all examples of regulatory frameworks used to help in the design of SCAP guidelines.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 105-106). McGraw-Hill Education. Kindle Edition.