Free CompTIA PT0-002 Practice Exam with Questions & Answers | Set: 7

The Rules of Engagement (RoE) document is crucial when there's a dispute or issue with accepting a penetration test report. The RoE outlines the scope, methods, timing, legal considerations, and objectives of a penetration test. It serves as a guideline for both the client and the testing team on what is expected and permissible during the assessment. If there are issues with the report, referring back to the agreed-upon RoE can clarify whether the test was conducted within the agreed parameters and help resolve any disputes.

The signed authorization letter, statement of work, and non-disclosure agreement are also important documents but are more related to the permission, scope of work, and confidentiality aspects of the engagement, respectively, rather than the specifics of how the test was to be conducted, which is what the RoE covers.

The Nmap command in the question aims to use custom NSE scripts stored in a specific folder. The correct syntax for this option is to use the script argument followed by the path to the folder. The other commands are either invalid, use the wrong argument, or do not specify the folder path. References: Best PenTest+ certification study resources and training materials, CompTIA PenTest+ PT0-002 Cert Guide, 101 Labs — CompTIA PenTest+: Hands-on Labs for the PT0-002 Exam

Insecure Direct Object References (IDOR) vulnerabilities occur when an application provides direct access to objects based on user-supplied input. This can allow an attacker to bypass authorization and access resources in the system directly, for example database records or files1. In this case, the penetration tester could potentially bypass the strict access controls and access the organization’s sensitive files. References: IDOR Vulnerability Overview

The Nmap command uses the Xmas scan technique, which sends packets with the FIN, PSH, and URG flags set. This is an attempt to bypass firewall rules and elicit a response from open ports. However, if the target responds with an RST packet, it means that the port is closed. Open ports will either ignore the Xmas scan packets or send back an ACK packet. Therefore, the information most likely indicates that all of the ports in the target range are closed. References: [Nmap Scan Types], [Nmap Port Scanning Techniques], [CompTIA PenTest+ Study Guide: Exam PT0-002, Chapter 4: Conducting Passive Reconnaissance, page 127]

 Deauthentication attacks can force legitimate users to disconnect from a wireless network, prompting them to reconnect and, in the process, capture valid user credentials using a rogue access point or network monitoring tools.

 Details:

A. Wardriving: Involves driving around to discover wireless networks; it does not directly gather user credentials.

B. Captive portal: Requires users to log in but is not an attack method; it is a legitimate method to control network access.

C. Deauthentication: Forces users to reauthenticate, allowing an attacker to capture credentials during the reconnection process.

D. Impersonation: Involves pretending to be someone else to gain access but is less effective for directly capturing user credentials compared to deauthentication.

 References: Deauthentication attacks are well-documented in wireless security assessments and penetration testing guides.

Most likely vulnerability: Perform a SSRF attack against App01.example.com from CDN.example.com.

The scenario suggests that the CDN network (with a WAF) can be used to perform a Server-Side Request Forgery (SSRF) attack. Since the penetration tester has the pentester workstation interacting through the CDN/WAF and the production network is behind it, the most plausible attack vector is to exploit SSRF to interact with the internal services like App01.example.com.

Two best remediation options:

Restrict direct communications to App01.example.com to only approved components.

Require an additional authentication header value between CDN.example.com and App01.example.com.

Restrict direct communications to App01.example.com to only approved components: This limits the exposure of the application server by ensuring that only specified, trusted entities can communicate with it.

Require an additional authentication header value between CDN.example.com and App01.example.com: Adding an authentication layer between the CDN and the app server helps ensure that requests are legitimate and originate from trusted sources, mitigating SSRF and other indirect attack vectors.

Nmap Scan Observations:

CDN/WAF shows open ports for HTTP and HTTPS but filtered for MySQL, indicating it acts as a filtering layer.

App Server has open ports for HTTP, HTTPS, and filtered for MySQL.

DB Server has all ports filtered, typical for a database server that should not be directly accessible.

These findings align with the SSRF vulnerability and the appropriate remediation steps to enhance the security of internal communications.

To limit observation of the penetration tester’s activities and lower the probability of detection by intrusion protection and detection systems, the security analyst should use the Nmap -D 10.5.2.2 192.168.3.3 command 1. The -D option is used to conceal the identity of the attacker by using decoy IP addresses. This option can be used to confuse the IDS/IPS and lower the probability of detection 1.

References: 1: CompTIA. (2021). CompTIA PenTest+ Certification Exam Objectives. Retrieved from https://www.comptia.org/content/dam/comptia/documents/certifications/Exam%20Objectives/CompTIA-PenTest%2B%20Exam%20Objectives%20PT0-002.pdf

The tool that the penetration tester should use for further investigation is WPScan. This is because WPScan is a WordPress vulnerability scanner that can detect common WordPress security issues, such as weak passwords, outdated plugins, and misconfigured settings. WPScan can also enumerate WordPress users, themes, and plugins from the robots.txt file.

The two entries in the robots.txt file that the penetration tester should recommend for removal are:

Allow: /admin

Allow: /wp-admin

These entries expose the WordPress admin panel, which can be a target for brute-force attacks, SQL injection, and other exploits. Removing these entries can help prevent unauthorized access to the web application’s backend. Alternatively, the penetration tester can suggest renaming the admin panel to a less obvious name, or adding authentication methods such as two-factor authentication or IP whitelisting.

A penetration tester should most likely include metrics and measures in a report at the end of an assessment. Metrics and measures provide quantitative data that helps in understanding the extent and impact of vulnerabilities found during the assessment. They offer a clear and objective way to convey the results and the effectiveness of the security controls in place. This data-driven approach aids in prioritizing remediation efforts, benchmarking against industry standards, and demonstrating improvements over time.

References:

OWASP Penetration Testing Methodologies

NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment