CompTIA Pentest+ (Ethical Hacking) Course & Practice Exam

Pages
36
Grade
A+
Uploaded on
04-02-2025
Written in
2024/2025

1. Jack is assessing the likelihood of reconnaissance activities being performed against his organization.
Which of the following would best classify the likelihood of a port scan being conducted against his DMZ?:
High
2. Which of the following types of information is protected by rules in the United States that specify the
minimum frequency of vulnerability scanning required for devices that process it?: The Payment Card Industry
Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards
from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card
Industry Security Standards Council. As part of PCI DSS compliance, organizations must conduct internal and external
scans at prescribed intervals on any devices or systems that process credit card data.
3. Which of the following penetration testing methodologies is focused on testing web applications and the
people, processes, and technology that support them?: The Open Web Application Security Project (OWASP) is an
organization aimed at increasing awareness of web security and provides a framework for testing during each phase of
the software development process. The OWASP Testing Guide (OTG) provides different steps for the testing process and
outlines the importance of assessing the entire organization, including the people, processes, and technology, during a
penetration test.
4. Which of the following is the MOST important thing to receive from the client during the planning for an
engagement?: Tolerance to impact
5. Which of the following would trigger the penetration tester to stop and contact the system owners during an
engagement?: The penetration testing team should have a direct communication path with the system owners or their
trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely
critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team
should stop what they are doing and contact their trusted point of contact within the organization to get further guidance.
6. You have just concluded a two-month engagement that targeted Dion Training's network. You have a
detailed list of findings and have prepared your report for the company. Which of the following reasons explains
why you must keep your report confidential and secure?: The findings could be used by attackers to exploit the
client's systems
7. You are a penetration tester hired by an organization that wants you to conduct a risk assessment of their
perimeter network. The company-provided Rules of Engagement states that you must do all penetration testing
from an external IP address without any prior knowledge of the internal IT system
architecture. What kind of penetration test will you perform?: An unknown environment penetration test requires no
previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior
information about the target system or network in an unknown environment penetration test.
These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to
conduct as the tester is examining a system from an outsider's perspective.
8. You have been hired by a corporate client to perform a web application penetration test. After you presented
your findings to the client, they have asked you to perform a static code review, update the web server
application, and configure a new web application firewall to protect the system. The client organization does not
have the additional budget or a written modification
to your previously signed contract to support these requests. Which of the following are you experiencing?: Scope
creep
9. What technique is an attacker using if they review data and publicly available information to gather
intelligence about the target organization without scanning or other technical information-gathering activities?:
Passive reconnaissance
10. A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their
company's security controls. Which DNS assessment technique would be classified as active?: A zone transfer -
DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a DNS transaction type. It is one
of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. DNS zone
transfers are an active technique.
11. You have conducted a Google search for the "site:diontraining.com
-site:sales.diontraining.com financial." What results do you expect to receive?: When conducting a Google search,
using site:AAA in the query will return results only from that website (AAA). If you use -site:AAA, you will get results not
explicitly on the website (AAA). In the case of this question, no results should show up from sales.diontraining.com. All
results should only come from diontraining.com.

Google results matching "financial" in domain diontraining.com, but no results from the site sales.diontraining.com
12. As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-
facing attack surface. Which of the following methodologies or tools generates a current and historical view of
the company's public-facing IP space?: Shodan
13. An organization has hired a cybersecurity analyst to conduct an assessment of its current security
posture. The analyst begins by conducting an
external assessment against the organization's network to determine what information is exposed to a potential
external attacker. What technique should the analyst perform first?: Enumeration
14. What techniques are commonly used by port and vulnerability scanners to enumerate the services running
on a target system?: Banner grabbing and comparing response fingerprints
15. A penetration tester wants to collect software versioning information from servers on the network. The
penetration tester has set up a packet sniffer on a victimized host and sent a copy of the network traffic back to
their workstation. The penetration tester's objective in this assessment is to emulate an APT and remain stealthy
for as long as possible while gathering information. Which of the following should the penetration tester do
to enumerate the software version used by the server?: Manually analyze the packet captures
16. You are currently conducting active reconnaissance in preparation for an upcoming penetration test against
Dion Training. You want to identify the areas of the company's website that are not crawled by search engines.
Which of the following should you review to determine these areas?: A robots.txt file tells search engine crawlers
which URLs the crawler should index and access on your site. When conducting active reconnaissance, you may wish to
manually evaluate the robots.txt file and then access those portions of the website.
17. As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an
enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have
less than 1 critical finding per 100 workstations. Which of the following statements BEST explains these
results?: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an
internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately
determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it
also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the
workstations, an error would have been generated in the report.
18. Which of the following vulnerability scanning tools would be used to
conduct a web application vulnerability assessment?: Nikto is a web application scanner that can perform comprehensive
tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated
versions of over 1250 servers, and version-specific problems on over 270 servers. While OpenVAS, Nessus, and Qualys
can scan the web servers themselves for vulnerabilities, they are not the best option to conduct a web application
vulnerability
assessment. OpenVAS, Nessus, and Qualys are infrastructure vulnerability scanners that focus on vulnerabilities with
hosts and network devices.
19. Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote
host?: FTP cannot be used to conduct a banner grab. A cybersecurity analyst or penetration tester uses a banner grab to
gain information about a computer system on a network and the services running on its open ports. Administrators can
use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or
netcat.
20. An organization has hired a cybersecurity analyst to conduct an assessment of its current security posture.
The analyst begins by conducting an external assessment against the organization's network to determine what
information is exposed to a potential external attacker. What technique should the analyst perform first?:
Scanning and enumeration are used to determine open ports and identify the software and firmware/device types running
on the host. This is also referred to as footprinting or fingerprinting. This technique is used to create a security profile of
an organization by using a methodological manner to conduct the scanning. If this scan is conducted from outside of the
organization's network, it can be used to determine the network devices and information available to an unauthorized and
external attacker.
21. A security analyst conducted an Nmap scan of a server and found that port
25 is open. What risk might this server be exposed to?: Open mail relay
22. Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain
another user's passwords?: Shoulder surfing
23. Several users have contacted the help desk to report that they received an email from a well-known bank
stating that their accounts have been compromised and they need to "click here" to reset their banking
password. Some of these users are not even customers of this particular bank, though. Which of the following best
describes this type of attack?: Phishing is an email-based social engineering attack in which the attacker sends an email
from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks
target an indiscriminate large group of random people. The email in this scenario appears to be untargeted since it was
sent to both customers and non-customers of this particular bank so it is best classified as phishing.
24. Your organization has been receiving many phishing emails recently, and
you are trying to determine why they are effective in getting your users to click on their links. The latest email
consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new
iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering
principle is being exploited here?: Scarcity
