Practice Free PT0-002 Exam Online Questions
A penetration tester managed to get control of an internal web server that is hosting the IT knowledge base.
Which of the following attacks should the penetration tester attempt next?
- A . Vishing
- B . Watering hole
- C . Whaling
- D . Spear phishing
B
Explanation:
A watering hole attack involves compromising a website that is frequently visited by the target organization or group. By gaining control of the internal web server hosting the IT knowledge base, a penetration tester could modify the content or introduce malicious code that would be downloaded or executed by employees who visit the site. This type of attack is effective because it leverages a trusted resource within the organization to spread malware or capture sensitive information.
Other options like vishing, whaling, and spear phishing involve direct social engineering attacks targeting individuals, whereas a watering hole attack leverages a compromised website to target multiple users within the organization.
Reference: Explanation of watering hole attacks: OWASP Watering Hole Examples from penetration testing engagements where web server compromises were used to conduct watering hole attacks.
A security analyst needs to perform a scan for SMB port 445 over a/16 network.
Which of the following commands would be the BEST option when stealth is not a concern and the task is time sensitive?
- A . Nmap -s 445 -Pn -T5 172.21.0.0/16
- B . Nmap -p 445 -n -T4 -open 172.21.0.0/16
- C . Nmap -sV –script=smb* 172.21.0.0/16
- D . Nmap -p 445 -max -sT 172. 21.0.0/16
B
Explanation:
Nmap is a powerful network scanning tool used for network discovery and security auditing. The options used in this command perform the following functions:
-p 445: This tells nmap to only scan for TCP port 445 (SMB).
-n: This tells nmap to skip DNS resolution, saving time.
-T4: This sets the timing template to "aggressive". This speeds up the scan, but makes it less stealthy, which isn’t a concern here.
-open: This tells nmap to only show open ports in the results, making the output easier to read and understand.
A penetration tester enters a command into the shell and receives the following output:
C:UsersUserXDesktop>vmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v |C:\Windows\" I findstr /i /v""
VulnerableService Some Vulnerable Service C:Program FilesA SubfolderB SubfolderSomeExecutable.exe Automatic
Which of the following types of vulnerabilities does this system contain?
- A . Unquoted service path
- B . Writable services
- C . Clear text credentials
- D . Insecure file/folder permissions
A
Explanation:
The provided output reveals a common vulnerability in Windows services known as an unquoted service path. When the service executable path is not enclosed in quotes and contains spaces, Windows may incorrectly interpret the spaces, potentially leading to the execution of unintended programs.
Details:
Command The command vmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\" | findstr /i /v "" filters services that are set to start automatically and are not located in the Windows directory.
Output Interpretation: The output shows a service with a path C:Program FilesA SubfolderB SubfolderSomeExecutable.exe which is not quoted. If a malicious user places an executable in C:Program.exe, C:Program FilesA.exe, or similar, it might get executed instead.
Reference: Common Windows privilege escalation vulnerabilities include unquoted service paths.
This vulnerability is well-documented in security resources and penetration testing guides.
During the assessment of a client’s cloud and on-premises environments, a penetration tester was able to gain ownership of a storage object within the cloud environment using the….. premises credentials.
Which of the following best describes why the tester was able to gain access?
- A . Federation misconfiguration of the container
- B . Key mismanagement between the environments
- C . laaS failure at the provider
- D . Container listed in the public domain
A
Explanation:
The best explanation for why the tester was able to gain access to the storage object within the cloud environment using the on-premises credentials is federation misconfiguration of the container. Federation is a process that allows users to access multiple systems or services with a single set of credentials, by using a trusted third-party service that authenticates and authorizes the users. Federation can enable seamless integration between cloud and on-premises environments, but it can also introduce security risks if not configured properly. Federation misconfiguration of the container can allow an attacker to access the storage object with the on-premises credentials, if the container trusts the on-premises identity provider without verifying its identity or scope. The other options are not valid explanations for why the tester was able to gain access to the storage object within the cloud environment using the on-premises credentials. Key mismanagement between the environments is not relevant to this issue, as it refers to a different scenario involving encryption keys or access keys that are used to protect or access data or resources in cloud or on-premises environments. IaaS failure at the provider is not relevant to this issue, as it refers to a different scenario involving infrastructure as a service (IaaS), which is a cloud service model that provides virtualized computing resources over the internet. Container listed in the public domain is not relevant to this issue, as it refers to a different scenario involving container visibility or accessibility from public networks or users.
A penetration tester runs the unshadow command on a machine.
Which of the following tools will the tester most likely use NEXT?
- A . John the Ripper
- B . Hydra
- C . Mimikatz
- D . Cain and Abel
A
Explanation:
Reference: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service.
Which of the following methods would BEST support validation of the possible findings?
- A . Manually check the version number of the VoIP service against the CVE release
- B . Test with proof-of-concept code from an exploit database
- C . Review SIP traffic from an on-path position to look for indicators of compromise
- D . Utilize an nmap CsV scan against the service
B
Explanation:
Reference: https://dokumen.pub/hacking-exposed-unified-communications-amp-voip-security-secrets-amp- solutions-2nd-edition-9780071798778-0071798773-9780071798761-0071798765.html
A security engineer identified a new server on the network and wants to scan the host to determine if it is running an approved version of Linux and a patched version of Apache.
Which of the following commands will accomplish this task?
- A . nmap Cf CsV Cp80 192.168.1.20
- B . nmap CsS CsL Cp80 192.168.1.20
- C . nmap CA CT4 Cp80 192.168.1.20
- D . nmap CO Cv Cp80 192.168.1.20
A
Explanation:
In this scenario, you’re looking to identify the operating system (in this case, whether it’s an approved version of Linux) and service version information (whether Apache is a patched version).
The command "nmap C f C sV C p80 192.168.1.20" does exactly this:
"-f" option fragments the packets, making it harder for simple packet filters to detect the scan.
"-sV" option enables version detection, which can help identify the version of Apache running.
"-p80" specifies the port number to scan (80, which is the default HTTP port that Apache typically uses).
"192.168.1.20" is the IP address of the target host.
This command will run a scan against the specified host, attempt to determine the service version information for any services running on port 80, and use fragmented packets to help avoid detection.
A consultant just performed a SYN scan of all the open ports on a remote host and now needs to remotely identify the type of services that are running on the host.
Which of the following is an active reconnaissance tool that would be BEST to use to accomplish this task?
- A . tcpdump
- B . Snort
- C . Nmap
- D . Netstat
- E . Fuzzer
Which of the following describes a globally accessible knowledge base of adversary tactics and techniques based on real-world observations?
- A . OWASP Top 10
- B . MITRE ATT&CK
- C . Cyber Kill Chain
- D . Well-Architected Framework
The output from a penetration testing tool shows 100 hosts contained findings due to improper patch management.
Which of the following did the penetration tester perform?
- A . A vulnerability scan
- B . A WHOIS lookup
- C . A packet capture
- D . An Nmap scan
A
Explanation:
A vulnerability scan is a type of penetration testing tool that is used to scan a network for vulnerabilities. A vulnerability scan can detect misconfigurations, missing patches, and other security issues that could be exploited by attackers. In this case, the output shows that 100 hosts had findings due to improper patch management, which means that the tester performed a vulnerability scan.