Read Online PT0-002 Test Practice Test Questions Exam Dumps
Easily To Pass New PT0-002 Premium Exam Updated [Sep 06, 2025]
NEW QUESTION # 146
A penetration tester is performing an assessment against a customer's web application that is hosted in a major cloud provider's environment. The penetration tester observes that the majority of the attacks attempted are being blocked by the organization's WAF. Which of the following attacks would be most likely to succeed?
- A. Reflected XSS
- B. DDoS
- C. Brute-force
- D. Direct-to-origin
Answer: D
Explanation:
When a web application firewall (WAF) is blocking most of the attacks, a direct-to-origin attack is likely to succeed. A direct-to-origin attack targets the backend servers directly, bypassing the WAF. This type of attack exploits any functionality that allows direct access to the origin servers (backend servers) without passing through the WAF. Techniques such as manipulating DNS, exploiting misconfigurations, or using direct IP access can be employed to bypass the WAF, making direct-to-origin attacks effective under these circumstances.
References:
* OWASP WAF Bypass Techniques
* Imperva - What is a WAF? Web Application Firewall
NEW QUESTION # 147
A penetration tester who is doing a company-requested assessment would like to send traffic to another system using double tagging. Which of the following techniques would BEST accomplish this goal?
- A. RFID tagging
- B. RFID cloning
- C. Meta tagging
- D. Tag nesting
Answer: D
Explanation:
Explanation
since vlan hopping requires 2 vlans to be nested in a single packet. Double tagging occurs when an attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This attack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link.
https://cybersecurity.att.com/blogs/security-essentials/vlan-hopping-and-mitigation Tag nesting is a technique that involves inserting two VLAN tags into an Ethernet frame to bypass VLAN hopping prevention mechanisms. The first tag is stripped by the first switch, and the second tag is processed by the second switch, allowing the frame to reach a different VLAN than intended. RFID cloning is a technique that involves copying the data from an RFID tag to another tag or device. RFID tagging is a technique that involves attaching an RFID tag to an object or person for identification or tracking purposes.
Meta tagging is a technique that involves adding metadata to web pages or files for search engine optimization or classification purposes.
NEW QUESTION # 148
Which of the following tools would be the best to use to intercept an HTTP response of an API, change its content, and forward it back to the origin mobile device?
- A. Drozer
- B. MobSF
- C. Android SDK Tools
- D. Burp Suite
Answer: D
Explanation:
Burp Suite is a tool that allows intercepting and modifying HTTP requests and responses of an API, as well as performing other web application security testing tasks. Burp Suite can act as a proxy between the mobile device and the API server, and enable the tester to view, edit, and replay the HTTP traffic. Burp Suite can also modify the content of the HTTP response, such as changing the status code, headers, or body, and forward it back to the mobile device12. The other tools are not suitable for this purpose, as they either focus on Android application analysis and exploitation (Drozer and MobSF) or development and debugging (Android SDK Tools). References:
*Intercepting Mobile Application Traffic Using Burp Suite, Infosec Resources article by Srinivas
*How to Intercept and Modify HTTP Requests and Responses with Burp Suite, MDN Web Docs article by Mozilla
NEW QUESTION # 149
A penetration tester recently completed a review of the security of a core network device within a corporate environment. The key findings are as follows:
* The following request was intercepted going to the network device:
GET /login HTTP/1.1
Host: 10.50.100.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Accept-Language: en-US,en;q=0.5 Connection: keep-alive Authorization: Basic WU9VUilOQU1FOnNlY3JldHBhc3N3b3jk
* Network management interfaces are available on the production network.
* An Nmap scan returned the following:
Which of the following would be BEST to add to the recommendations section of the final report? (Choose two.)
- A. Disable HTTP/301 redirect configuration.
- B. Enforce enhanced password complexity requirements.
- C. Disable or upgrade SSH daemon.
- D. Eliminate network management and control interfaces.
- E. Implement a better method for authentication.
- F. Create an out-of-band network for management.
Answer: E,F
Explanation:
Explanation
The key findings indicate that the network device is vulnerable to several attacks, such as sniffing, brute-forcing, or exploiting the SSH daemon. To prevent these attacks, the best recommendations are to create an out-of-band network for management, which means a separate network that is not accessible from the production network, and to implement a better method for authentication, such as SSH keys or certificates.
The other options are not as effective or relevant.
NEW QUESTION # 150
After gaining access to a Linux system with a non-privileged account, a penetration tester identifies the following file:
Which of the following actions should the tester perform FIRST?
- A. Cover tracks.
- B. Start a reverse shell.
- C. Change the file permissions.
- D. Use privilege escalation.
Answer: D
Explanation:
The file .scripts/daily_log_backup.sh has permissions set to 777, meaning that anyone can read, write, or execute the file. Since it's owned by the root user and the penetration tester has access to the system with a non-privileged account, this could be a potential avenue for privilege escalation. In a penetration test, after finding such a file, the tester would likely want to explore it and see if it can be leveraged to gain higher privileges. This is often done by inserting malicious code or commands into the script if it's being executed with higher privileges, such as root in this case.
NEW QUESTION # 151
A penetration tester has found indicators that a privileged user's password might be the same on 30 different Linux systems. Which of the following tools can help the tester identify the number of systems on which the password can be used?
- A. John the Ripper
- B. Cain and Abel
- C. Hydra
- D. Medusa
Answer: D
Explanation:
Both Hydra and Medusa can be used for that same purpose:
THC Hydra is a brute-force cracking tool for remote authentication services. It supports many protocols, including telnet, FTP, LDAP, SSH, SNMP, and others.
Medusa is a Parallel, Modular and Speedy method for brute-force which issued for remote authentication. Following are the applications and protocols like modular design, Thread based parallel testing and flexible user input and protocols are AFP, CVS, FTP, HTTP, IMAP etc.
NEW QUESTION # 152
A penetration-testing team is conducting a physical penetration test to gain entry to a building. Which of the following is the reason why the penetration testers should carry copies of the engagement documents with them?
- A. As proof in case they are discovered
- B. As backup in case the original documents are lost
- C. To validate the billing information with the client
- D. To guide them through the building entrances
Answer: A
Explanation:
The penetration testers should carry copies of the engagement documents with them as proof in case they are discovered by security guards, employees, or law enforcement officials. The engagement documents should include the scope, objectives, authorization, and contact information of the penetration testing team and the client. This will help avoid any legal or ethical issues that may arise from trespassing, breaking and entering, or unauthorized access. The other options are not valid reasons for carrying the engagement documents with them.
Reference: https://hub.packtpub.com/penetration-testing-rules-of-engagement/
NEW QUESTION # 153
Which of the following BEST describe the OWASP Top 10? (Choose two.)
- A. A web-application security standard
- B. A list of all the risks of web applications
- C. A risk-governance and compliance framework
- D. The most critical risks of web applications
- E. A checklist of Apache vulnerabilities
- F. The risks defined in order of importance
Answer: D,F
Explanation:
These two options best describe the OWASP Top 10, which stands for Open Web Application Security Project Top 10 and is a list of the most critical web application security risks based on data from various sources and experts. The list is updated periodically to reflect changes in technology and threat landscape. The list also ranks the risks in order of importance based on their prevalence, impact, and ease of exploitation or remediation. The other options are not accurate descriptions of the OWASP Top 10. The list does not cover all the risks of web applications, but rather focuses on the most common and severe ones. The list is not a web application security standard, but rather a guideline or reference for developers, testers, and security professionals. The list is not a risk-governance and compliance framework, but rather a resource or tool for identifying and mitigating web application vulnerabilities. The list is not a checklist of Apache vulnerabilities, but rather a general list of web application risks that apply to any web server or platform.
Reference: https://www.synopsys.com/glossary/what-is-owasp-top-10.html
NEW QUESTION # 154
An organization is using Android mobile devices but does not use MDM services. Which of the following describes an existing risk present in this scenario?
- A. Unsigned applications can be installed.
- B. End users have root access by default.
- C. Device log facility does not record actions.
- D. Push notification services require internet.
Answer: A
Explanation:
The risk present in an organization using Android mobile devices without Mobile Device Management (MDM) services is that unsigned applications can be installed. Without MDM, there are fewer controls over the installation of applications, which increases the risk of installing malicious or unauthorized applications.
MDM services typically provide a way to enforce application signing policies, preventing the installation of unsigned apps.
References:
* OWASP Mobile Security Project
* NIST Mobile Device Management Guide
NEW QUESTION # 155
A penetration tester utilized Nmap to scan host 64.13.134.52 and received the following results:
Based on the output, which of the following services are MOST likely to be exploited? (Choose two.)
- A. DNS
- B. NTP
- C. SNMP
- D. HTTP
- E. Telnet
- F. SMTP
Answer: A,D
NEW QUESTION # 156
During an assessment, a penetration tester found a suspicious script that could indicate a prior compromise.
While reading the script, the penetration tester noticed the following lines of code:
Which of the following was the script author trying to do?
- A. Change the MAC address
- B. Spawn a local shell.
- C. Disable NIC.
- D. List processes.
Answer: B
Explanation:
The script author was trying to spawn a local shell by using the os.system() function, which executes a command in a subshell. The command being executed is "/bin/bash", which is the path to the bash shell, a common shell program on Linux systems. The script author may have wanted to spawn a local shell to gain more control or access over the compromised system, or to execute other commands that are not possible in the original shell. The other options are not plausible explanations for what the script author was trying to do.
NEW QUESTION # 157
A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?
- A. /var/log/messages
- B. /var/log/lastlog
- C. /var/log/last_user
- D. /var/log/user_log
Answer: B
Explanation:
The /var/log/lastlog file is a log file that stores information about the last user to sign in to the server. This file stores information such as the username, IP address, and timestamp of the last user to sign in to the server. It can be used by a penetration tester to determine the identity of the last user who signed in to the web server, which can be helpful in identifying the user who may have set up the backdoors and other malicious activities.
NEW QUESTION # 158
Which of the following is the MOST important information to have on a penetration testing report that is written for the developers?
- A. Methodology
- B. Remediation
- C. Executive summary
- D. Metrics and measures
Answer: B
NEW QUESTION # 159
In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers. Which of the following actions would BEST enable the tester to perform
phishing in a later stage of the assessment?
- A. Perform a reverse DNS query and match to the service banner.
- B. Check for an open relay configuration.
- C. Test for RFC-defined protocol conformance.
- D. Attempt to brute force authentication to the service.
Answer: B
Explanation:
SMTP is a protocol associated with mail servers. Therefore, for a penetration tester, an open relay configuration can be exploited to launch phishing attacks.
NEW QUESTION # 160
Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?
- A. Executive summary of the penetration-testing methods used
- B. Quantitative impact assessments given a successful software compromise
- C. Bill of materials including supplies, subcontracts, and costs incurred during assessment
- D. Code context for instances of unsafe type-casting operations
Answer: B
NEW QUESTION # 161
During an assessment, a penetration tester was able to access the organization's wireless network from outside of the building using a laptop running Aircrack-ng. Which of the following should be recommended to the client to remediate this issue?
- A. Using WEP encryption
- B. Disabling Wi-Fi
- C. Configure to stop broadcasting the SSID
- D. Using directional antennas
Answer: D
Explanation:
Directional antennas can limit the signal range to reduce unauthorized access from outside the building. Other options, such as WEP, are outdated and insecure, and stopping SSID broadcast does not prevent network access. This aligns with CompTIA Pentest+ objectives under wireless security and hardening techniques.
NEW QUESTION # 162
Which of the following expressions in Python increase a variable val by one (Choose two.)
- A. val+=1
- B. val=val++
- C. +val
- D. val=(val+1)
- E. ++val
- F. val++
Answer: A,D
Explanation:
Explanation
https://pythonguides.com/increment-and-decrement-operators-in-python/
NEW QUESTION # 163
A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?
- A. A signed statement of work
- B. The correct user accounts and associated passwords
- C. The proper emergency contacts for the client
- D. The expected time frame of the assessment
Answer: A
Explanation:
According to the CompTIA PenTest+ Study Guide, Exam PT0-0021, a statement of work (SOW) is a document that defines the scope, objectives, deliverables, and terms of a penetration testing project. It is a formal agreement between the service provider and the client that specifies what is expected from both parties, including the timeline, budget, resources, and responsibilities. A SOW is essential for any penetration testing engagement, as it helps to avoid misunderstandings, conflicts, and legal issues.
The CompTIA PenTest+ Study Guide also provides an example of a SOW template that covers the following sections1:
* Project overview: A brief summary of the project's purpose, scope, objectives, and deliverables.
* Project scope: A detailed description of the target system, network, or application that will be tested, including the boundaries, exclusions, and assumptions.
* Project objectives: A clear statement of the expected outcomes and benefits of the project, such as
* identifying vulnerabilities, improving security posture, or complying with regulations.
* Project deliverables: A list of the tangible products or services that will be provided by the service provider to the client, such as reports, recommendations, or remediation plans.
* Project timeline: A schedule of the project's milestones and deadlines, such as kickoff meeting, testing phase, reporting phase, or closure meeting.
* Project budget: A breakdown of the project's costs and expenses, such as labor hours, travel expenses, tools, or licenses.
* Project resources: A specification of the project's human and technical resources, such as team members, roles, responsibilities, skills, or equipment.
* Project terms and conditions: A statement of the project's legal and contractual aspects, such as confidentiality, liability, warranty, or dispute resolution.
The CompTIA PenTest+ Study Guide also explains why having a SOW is important before starting an assessment1:
* It establishes a clear and mutual understanding of the project's scope and expectations between the service provider and the client.
* It provides a basis for measuring the project's progress and performance against the agreed-upon objectives and deliverables.
* It protects both parties from potential risks or disputes that may arise during or after the project.
NEW QUESTION # 164
Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?
- A. PTES technical guidelines
- B. NIST SP 800-53
- C. OWASP Top 10
- D. MITRE ATT&CK framework
Answer: D
NEW QUESTION # 165
During an assessment, a penetration tester obtains a list of 30 email addresses by crawling the target company's website and then creates a list of possible usernames based on the email address format. Which of the following types of attacks would MOST likely be used to avoid account lockout?
- A. Rainbow
- B. Dictionary
- C. Mask
- D. Password spraying
Answer: D
Explanation:
Explanation
Password spraying is a type of password guessing attack that involves trying one or a few common passwords against many usernames or accounts. Password spraying can avoid account lockout policies that limit the number of failed login attempts per account by spreading out the attempts over time and across different accounts. Password spraying can also increase the chances of success by using passwords that are likely to be used by many users, such as default passwords, seasonal passwords, or company names. Mask is a type of password cracking attack that involves using a mask or a pattern to generate passwords based on known or guessed characteristics of the password, such as length, case, or symbols. Rainbow is a technique of storing precomputed hashes of passwords in a table that can be used to quickly crack passwords by looking up the hashes. Dictionary is a type of password cracking attack that involves using a wordlist or a dictionary of common or likely passwords to try against an account.
NEW QUESTION # 166
......
PT0-002 Certification All-in-One Exam Guide Sep-2025: https://www.prep4pass.com/PT0-002_exam-braindumps.html
Get Real PT0-002 Exam Dumps [Sep-2025] Practice Tests: https://drive.google.com/open?id=1YZpk_5MSAHSSkxT5hzIoDFUD6SFLRDCx
