Sample questions
CompTIA PenTest+ PT0-002 practice questions
A penetration tester is performing passive reconnaissance on a target organization. Which of the following activities would be considered passive reconnaissance?
- A
Scanning open ports on the target web server
Why wrong: Port scanning sends packets to the target, making it an active reconnaissance technique.
- B
Using a search engine to find exposed documents
Correct. Search engines index publicly accessible data; this activity does not send traffic to the target.
- C
Sending a crafted ICMP echo request to the target
Why wrong: ICMP echo requests are direct interactions with the target, classifying this as active reconnaissance.
- D
Attempting a SQL injection on a login form
Why wrong: SQL injection is an active attack that sends malicious input to the target application.
A penetration tester is conducting passive reconnaissance on a target organization. Which technique can be used to discover subdomains of the target's domain without sending any packets to the target's network?
- A
Performing a DNS brute-force attack against the target's domain
Why wrong: DNS brute force sends queries to DNS servers, which may be logged by the target.
- B
Using the 'site:' operator in a search engine query
Search engines index subdomains; querying 'site:example.com' reveals them passively.
- C
Sending ICMP echo requests to potential subdomain IP addresses
Why wrong: ICMP requests are active and may be detected by intrusion detection systems.
- D
Querying WHOIS databases for domain registration information
Why wrong: WHOIS provides registration info, not subdomains.
A penetration tester is analyzing a Python script that uses the 'requests' library to send HTTP POST requests to a target URL with different payloads. The script also implements a retry mechanism with exponential backoff. What is the most likely purpose of this script?
- A
Directory brute-forcing
Why wrong: Directory brute-forcing typically uses GET requests and looks for valid paths, not POST requests with different payloads targeting a single URL.
- B
Password spraying
The script sends POST requests (likely to a login endpoint) with different payloads (passwords) and uses retry with backoff to evade rate limiting, which is characteristic of password spraying.
- C
SQL injection testing
Why wrong: SQL injection testing often sends various payloads but rarely implements exponential backoff, as retrying without a delay is more common to test multiple vectors quickly.
- D
Session hijacking
Why wrong: Session hijacking typically involves stealing or predicting session tokens, not sending multiple POST payloads with retry logic.
A penetration tester is analyzing a PowerShell script that contains the following code:
Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -like "* *"} | Select-Object Name, PathName, State
What is the primary purpose of this script?
- A
Enumerate all installed services to find vulnerable applications
Why wrong: The script filters for paths with spaces, not all services, so it is specifically targeting unquoted path vulnerabilities rather than general enumeration.
- B
Identify services that run with elevated privileges
Why wrong: The script does not check the user account under which the service runs (e.g., LocalSystem vs. NetworkService). It only looks at the path name pattern.
- C
List services that have unquoted paths in their binary path
The wildcard pattern '* *' catches paths with spaces, which is the hallmark of an unquoted service path vulnerability. The script identifies such services for further analysis.
- D
Check for services with weak file permissions
Why wrong: The script does not examine file permissions on the binary or its directories; it only selects services based on the path containing a space.
A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?
- A
Executive Summary
Why wrong: The Executive Summary contains high-level information for management, not detailed technical explanations.
- B
Technical Findings
This section includes in-depth vulnerability descriptions, root cause analysis, reproduction steps, and remediation guidance.
- C
Methodology
Why wrong: The Methodology section describes the testing process and tools used, not details on specific findings.
- D
Risk Rating Appendix
Why wrong: The Risk Rating Appendix assigns severity scores but does not provide root cause or reproduction steps.
A penetration tester has completed the test and is writing the findings section. For a critical vulnerability, the tester wants to provide a clear and actionable remediation recommendation. Which of the following is the best practice for writing this recommendation?
- A
State 'Upgrade the software to the latest version'
Why wrong: This is too vague; it does not specify the version number or any steps to perform the upgrade, leaving room for error.
- B
Provide a step-by-step guide including commands, patches, and configuration changes
This gives the client a clear path to remediation, reducing the chance of misinterpretation and ensuring the vulnerability is properly addressed.
- C
Recommend applying vendor-supplied patches but do not include specific versions
Why wrong: Without specific version numbers, the client might apply the wrong patch or miss critical updates.
- D
Suggest hiring a third-party consultant to fix the issue
Why wrong: While sometimes necessary, this recommendation does not provide immediate actionable steps and may be seen as avoiding responsibility.
A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?
- A
Test the cloud assets as part of the engagement because they support the client's business
Why wrong: Testing without authorization from the provider is unauthorized and illegal.
- B
Exclude the cloud provider's assets from the scope and update the rules of engagement
Assets owned by third parties without their consent must be excluded to remain within legal and ethical boundaries.
- C
Test only the client-facing parts of the cloud service
Why wrong: Even client-facing parts are owned by the provider; testing them without permission is still unauthorized.
- D
Request the client to sign an additional liability waiver for testing third-party assets
Why wrong: A waiver does not grant permission from the cloud provider; the tester must have explicit authorization from the asset owner.
A client wants to perform a penetration test on a new web application that is still in development. The application is not yet connected to the internet. Which of the following is the most appropriate scope for this test?
- A
External network penetration test
Why wrong: An external network test targets internet-facing systems, but the application is not yet on the internet.
- B
Internal network penetration test
Why wrong: While the app may be hosted internally, the focus should be on the application itself, not the network infrastructure.
- C
Web application vulnerability assessment
This type of assessment is designed to find vulnerabilities in web applications, regardless of network location.
- D
Social engineering campaign
Why wrong: Social engineering targets human behavior, not application code.
A client requests a penetration test of a new mobile application that is still in development and only accessible on a test server behind the corporate VPN. The tester should include which of the following in the scope?
- A
The production servers hosting the app when it goes live
Why wrong: Production servers are not yet live and should not be included in the scope.
- B
Only the test server and the mobile application client
These are the actual targets of the test and should be scoped.
- C
The corporate VPN infrastructure
Why wrong: The VPN is a means of access, not a target unless the client wants it tested separately.
- D
All third-party APIs used by the application
Why wrong: Third-party APIs are likely out of scope without explicit permission.
A penetration tester has compromised a host and wants to move laterally to a server using pass-the-hash. Which of the following is required for a successful pass-the-hash attack against a Windows target?
- A
The target must have SMB signing enabled
Why wrong: SMB signing would prevent relay, but pass-the-hash still works as long as signing is not enforced.
- B
The target must have the same local admin password hash
If the local admin account on the target has the same hash, the attacker can authenticate using that hash.
- C
The target must have a user account with the same password
Why wrong: Pass-the-hash uses the hash, not the password, and requires the same local account hash, not just the same password.
- D
The target must have the same machine account hash
Why wrong: Machine account hashes are used for domain logins, not pass-the-hash for lateral movement.
A client requests a penetration test of their internal network. During scoping, the tester learns that the client uses a managed security service provider (MSSP) that monitors all network traffic. The client does not want the MSSP to be informed about the test. What is the most appropriate action for the tester to take?
- A
Proceed with the test without informing the MSSP, as the client has requested confidentiality
Why wrong: This could trigger security alerts from the MSSP, potentially leading to service disruption, legal issues, and a breach of the MSSP's terms.
- B
Include a clause in the rules of engagement that holds the tester harmless for any disruptions caused by the MSSP's monitoring
Why wrong: While a hold harmless clause may protect the tester, it does not prevent the MSSP from taking action against the test traffic, which could impact the test.
- C
Advise the client to inform the MSSP about the scheduled test and coordinate a maintenance window or exclusion list
Proper coordination ensures the MSSP can whitelist test traffic, avoid false positives, and prevent unnecessary incident response. This aligns with best practices for scoping.
- D
Perform the test only after hours to minimize the chance of the MSSP detecting the test activity
Why wrong: Testing after hours does not guarantee the MSSP will not detect the test; it may still trigger alerts and cause issues.
A penetration tester has gained access to a Windows domain and wants to perform a Kerberoasting attack. Which account privileges are required to request service tickets for Kerberoasting?
- A
Domain Admin
Why wrong: Domain Admin privileges are not needed; a standard domain user account can request TGS tickets.
- B
Any domain user
Any authenticated user in the domain can request service tickets, making Kerberoasting a low-privilege attack vector.
- C
Local Administrator on the domain controller
Why wrong: Local admin on a DC is not required; the attack leverages standard Kerberos functionality available to all users.
- D
Enterprise Admin
Why wrong: Enterprise Admin is a highly privileged role and not necessary for requesting TGS tickets.
A client engages a penetration testing firm to evaluate the security of their internal network. During the scoping meeting, the client states that they use a network access control (NAC) solution that might block the tester's machine if it is connected to the internal network without prior authorization. Which of the following should be included in the rules of engagement to address this potential issue?
- A
Include a requirement that the client disables NAC during the testing window.
Why wrong: Disabling NAC globally would change the security posture and potentially allow other unauthorized devices onto the network, which is not a reasonable request.
- B
State that the tester will not connect to the internal network and will only test externally.
Why wrong: The client requested an internal network test; testing externally would not fulfill the project scope.
- C
Specify that the tester will bypass NAC as part of the test objectives.
Why wrong: Bypassing NAC could be a test goal, but the immediate operational issue is that the tester's device may be blocked. The ROE should address access, not add an unexpected objective.
- D
Add a clause requiring the client to whitelist the tester's MAC address in the NAC policy before testing.
Whitelisting the tester's MAC address allows the NAC to recognize the testing device as authorized, preventing service disruption without weakening overall security.
A penetration test report includes a finding about a SQL injection vulnerability in a public-facing web application. Which section of the report would be the MOST appropriate place to provide step-by-step remediation instructions for the development team?
- A
Executive Summary
Why wrong: The Executive Summary provides high-level business impact to management, not detailed technical remediation steps.
- B
Risk Assessment
Why wrong: Risk Assessment assigns severity and likelihood ratings, but does not contain detailed fix instructions.
- C
Technical Findings
This section is where remediation steps for each finding should be documented for the development team.
- D
Appendices
Why wrong: Appendices usually contain raw data or supplementary information, not step-by-step remediation.
A penetration tester has gained a shell on a Linux machine as a low-privileged user. The user can execute the binary 'less' with sudo privileges without a password. Which technique can the tester use to escalate privileges to root?
- A
Exploit a buffer overflow in the 'less' binary.
Why wrong: While buffer overflows could theoretically be exploited, this is not the most direct method given the sudo privilege. The '!' command provides immediate command execution without memory corruption.
- B
Use the '!' command within 'less' to execute a shell.
Correct. The '!' command in less allows execution of shell commands. With sudo, this runs as root, granting privilege escalation.
- C
Run 'sudo -u root bash' to switch to a root shell.
Why wrong: The sudoers rule only allows 'less' specifically. Running 'sudo -u root bash' would prompt for a password or be denied because the rule is not general.
- D
Modify the PATH to trick sudo into running a malicious binary.
Why wrong: PATH manipulation is not effective when the binary path is explicitly specified in sudoers (i.e., using the full path). Additionally, 'less' is typically at a fixed location.
A penetration tester is analyzing a Python script that performs a buffer overflow attack. The script imports the struct module and the socket module. It constructs a payload by packing a pattern of characters, then overwriting a return address with a specific offset. Which of the following is the most critical piece of information the tester must determine before running this script against the target?
- A
The IP address and port of the target service
Why wrong: While necessary to connect, this information is typically obtained during reconnaissance. The script likely already has this or prompts for it. The critical unknown is the address to jump to after overwriting the return address.
- B
The exact location of a JMP ESP instruction in memory
For a buffer overflow where the shellcode is placed in the stack, overwriting the return address with the address of a JMP ESP instruction (which must be at a fixed, predictable address) will redirect execution to the shellcode. Determining this address is crucial for a reliable exploit.
- C
The version of the operating system running on the target
Why wrong: Knowing the OS version helps in locating useful gadgets (like JMP ESP) but is not the final critical information; the actual address is needed.
- D
The username and password for the target service
Why wrong: Buffer overflow exploits typically target services that do not require authentication or where the authentication can be bypassed. Credentials are not typically needed; the exploit targets the service directly.
A penetration tester is analyzing a Python script used during a test. The script contains the following code:
import requests; r = requests.get('http://target', headers={'User-Agent': 'Mozilla/5.0'}); print(r.text)
What is the primary purpose of setting the User-Agent header in this script?
- A
To bypass IP-based rate limiting.
Why wrong: IP-based rate limiting is tied to the source IP, not the User-Agent header.
- B
To mimic a legitimate browser to evade detection by web application firewalls.
Many WAFs inspect the User-Agent and may block requests that don't look like they come from a standard browser.
- C
To authenticate to the web server.
Why wrong: Authentication typically uses credentials via cookies, tokens, or Authorization headers, not User-Agent.
- D
To enable SSL/TLS encryption.
Why wrong: Encryption is controlled by the URL scheme (http vs https) and does not depend on the User-Agent header.
A client hires a penetration testing firm to assess a web application that integrates with a third-party API for payment processing. The client wants to include the API endpoint in the test scope. What should the penetration tester do FIRST to ensure the test is conducted ethically and legally?
- A
Assume the client has already obtained permission from the API provider
Why wrong: Assumptions can lead to legal violations; written proof from the provider is required.
- B
Obtain written authorization from the third-party API provider
Formal permission from the API owner is necessary to avoid legal repercussions.
- C
Rely on the client's statement that the API is within scope
Why wrong: The client cannot grant permission for a third party's infrastructure.
- D
Test only the client's application code and ignore the API
Why wrong: This would not fulfill the client's request to include the API in the test.
A client with a hybrid infrastructure (on-premises and cloud IaaS) requests a penetration test covering both environments. The cloud provider's terms of service require notification and restrict scanning to specific IP ranges. In which document should these constraints be documented?
- A
Non-Disclosure Agreement (NDA)
Why wrong: The NDA protects confidential information but does not define technical constraints or scope boundaries.
- B
Rules of Engagement (ROE)
The ROE is the correct document to specify constraints like notification requirements and allowed IP ranges.
- C
Penetration Testing Report
Why wrong: The report is delivered after the test and contains findings, not pre-test constraints.
- D
Scope of Work (SOW)
Why wrong: While the SOW outlines high-level objectives, the detailed constraints are typically included in the ROE.
A penetration tester has gained a foothold on a Linux server through a vulnerable web application. The server has an outbound firewall that blocks all traffic except DNS queries (UDP 53). The tester needs to establish a reverse shell to maintain access. Which technique is most likely to succeed?
- A
Use a bind shell on a high TCP port and connect from the tester's machine
Why wrong: A bind shell listens on a port on the server, so the tester would have to connect inbound to it; the scenario's firewall allows outbound DNS only, so the server cannot initiate a connection back, and this approach is not suitable.
- B
Encode the payload in Base64 and use DNS tunneling to execute commands
DNS tunneling can encode arbitrary data within DNS queries, which are allowed through the firewall, and can be used to establish a two-way communication channel, enabling a reverse shell.
- C
Attempt a reverse shell over HTTP using TCP port 80
Why wrong: The firewall blocks all outbound traffic except DNS (UDP 53), so a connection on TCP port 80 would be blocked.
- D
Use SSH reverse port forwarding to the tester's server on port 443
Why wrong: SSH requires a TCP connection, which would be blocked by the firewall. DNS tunneling does not rely on a direct TCP connection to the tester's server.
A client wants to test a web application that uses a third-party payment gateway. The client explicitly wants the payment gateway to be excluded from the test to avoid service disruption. Where should this exclusion be formally documented?
- A
Non-Disclosure Agreement (NDA)
Why wrong: The NDA covers confidentiality of findings, not scope exclusions.
- B
Statement of Work (SOW)
Why wrong: The SOW defines deliverables and timeline but not granular exclusions.
- C
Rules of Engagement (ROE)
The ROE documents scope, exclusions, and rules for the test.
- D
Penetration Test Plan
Why wrong: The test plan details the methodology, but exclusions are typically in the ROE.
A penetration tester has completed an internal network test. The client's IT manager requests a document that lists each vulnerability with its CVSS score, risk rating, and a brief description of the impact. Which section of the final report should contain this information?
- A
Executive Summary
Why wrong: The Executive Summary provides a high-level overview for management, not detailed vulnerability listings.
- B
Technical Findings
The Technical Findings section lists vulnerabilities with CVSS scores, risk ratings, and impact descriptions, tailored for technical staff.
- C
Methodology
Why wrong: The Methodology section describes the tools and techniques used, not the findings.
- D
Remediation Summary
Why wrong: The Remediation Summary focuses on recommended fixes, not detailed findings with scores.
A penetration tester has identified a critical misconfiguration in a cloud storage bucket that exposes sensitive customer data. The client's technical team has already applied a fix, but the tester wants to ensure the report accurately reflects the risk and the remediation. Which section of the report should include the steps to reproduce the vulnerability?
Trap 1: Executive summary
The executive summary is a high-level overview for management and does not include detailed reproduction steps.
Trap 2: Findings and risk rating
This section lists vulnerabilities and their risk scores but typically omits detailed step-by-step reproduction instructions.
Trap 3: Remediation recommendations
Remediation recommendations focus on how to fix the vulnerability, not on reproducing it.
- A
Executive summary
Why wrong: The executive summary is a high-level overview for management and does not include detailed reproduction steps.
- B
Findings and risk rating
Why wrong: This section lists vulnerabilities and their risk scores but typically omits detailed step-by-step reproduction instructions.
- C
Technical details and proof of concept
This is the correct section, as it contains the exact commands, screenshots, and steps needed to reproduce the vulnerability for technical staff.
- D
Remediation recommendations
Why wrong: Remediation recommendations focus on how to fix the vulnerability, not on reproducing it.
A client wants to conduct a penetration test of their web application, but they are concerned about potential service disruption. They request that the tester avoid using any techniques that could cause the application to crash or become unresponsive. Which of the following should the tester include in the rules of engagement to address this requirement?
Trap 1: Specify that the tester will only use ACK scans and never send data…
ACK scans are less likely to crash services, but the client's concern is service disruption in general, not one scan type. ACK scans can still overload logging and do not by themselves guarantee that nothing is disrupted.
Trap 2: State that the tester will not use any automated tools and will…
Manual testing alone may be too slow and inefficient to meet test objectives. Rate-limiting automated tools is a better approach.
Trap 3: Do not include any specific limitation; the tester assumes…
Ignoring the client's request is unprofessional and could lead to liability issues. The ROE must reflect the client's constraints.
- A
Specify that the tester will only use ACK scans and never send data payloads.
Why wrong: ACK scans are less likely to crash services, but the client's concern is service disruption in general, not one scan type. ACK scans can still overload logging and do not by themselves guarantee that nothing is disrupted.
- B
Include a clause that prohibits denial-of-service attacks and rate-limits all automated tools.
Explicitly prohibiting DoS and implementing rate limits directly addresses the client's concern about service disruption.
- C
State that the tester will not use any automated tools and will perform only manual testing.
Why wrong: Manual testing alone may be too slow and inefficient to meet test objectives. Rate-limiting automated tools is a better approach.
- D
Do not include any specific limitation; the tester assumes responsibility for any outages.
Why wrong: Ignoring the client's request is unprofessional and could lead to liability issues. The ROE must reflect the client's constraints.