What is the purpose of the command Nmap -sP 172.16.50.0/24?
Host discovery (ping sweep). A ping sweep using Nmap -sP is an effective way to find which hosts on the range are currently up and reachable, as the first step of host enumeration. (In current Nmap releases -sP is a deprecated alias for -sn, "no port scan", so the same sweep is written nmap -sn 172.16.50.0/24.) A ping sweep is quick, never completes a TCP connection with any host, and is far less likely to trigger firewall or IDS alerts than a port scan, though it is not silent: the discovery probes are still visible to anyone watching the wire.
A TCP FIN scan (-sF) can be useful in certain circumstances but is not the first option to use. UDP scans (-sU) are not typical for discovery since UDP is connectionless: an open port usually sends no reply at all (Nmap reports it as open|filtered), so the scan is slow and ambiguous. UDP scans can occasionally be useful but will not generally be the first option used for host enumeration.
A full TCP connect scan (-sT) completes the three-way handshake and so gives a lot of information, but it is slow, and firewalls and host logs will record the completed connections.
A penetration tester is performing host enumeration on 172.16.50.0/24. What command would the penetration tester run?
Nmap -sP 172.16.50.0/24. A ping sweep using Nmap (nmap -sP, or nmap -sn in current releases, where -sP survives only as a deprecated alias) is an effective way to find which hosts are currently up for initial host enumeration. A ping sweep is quick, does not complete a full connection, and is much less likely to trigger firewalls than a port scan. A TCP FIN scan (nmap -sF) can be useful in certain circumstances but is not the first option to use.
UDP scans (nmap -sU) are not typical since UDP is a connectionless protocol, so open ports usually give no reply and the scan is slow; they can occasionally be useful but will not generally be the first option used for host enumeration.
A full TCP connect scan (nmap -sT) gives a lot of information but is slow, and firewalls will pick it up.
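The two cards above describe the sweep but not what you do with its output. The following is an added example (not from the original page or from the Nmap project) that builds the discovery command with the current -sn spelling, validates the scope string before anything is scanned, and parses Nmap's grepable (-oG) output into the list of live hosts that the follow-up port scan needs. The sample output is constructed, not a real scan.

```python
"""Host discovery helpers: build the sweep command and parse Nmap's grepable output."""
import ipaddress
import re
import shlex

# Constructed sample of `nmap -sn -oG - 172.16.50.0/24` output (not real scan data).
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG - 172.16.50.0/24
Host: 172.16.50.1 (gw.lab.local)\tStatus: Up
Host: 172.16.50.10 ()\tStatus: Up
Host: 172.16.50.23 ()\tStatus: Down
Host: 172.16.50.200 (printer.lab.local)\tStatus: Up
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 4.52 seconds
"""

# Grepable "Host:" lines carry the address, an optional reverse name in parentheses, and the status.
_HOST_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Status:\s+(?P<status>\w+)")


def sweep_command(cidr: str) -> list[str]:
    """Return argv for a host-discovery sweep of `cidr`, rejecting malformed scope strings.

    -sn is the current spelling of the older -sP (host discovery, no port scan);
    -oG - sends grepable output to stdout so it can be piped into parse_live_hosts().
    """
    net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set or input is garbage
    return ["nmap", "-sn", "-oG", "-", str(net)]


def parse_live_hosts(grepable_output: str) -> list[tuple[str, str]]:
    """Return (ip, reverse_name) pairs for every host Nmap reported as Up."""
    live = []
    for line in grepable_output.splitlines():
        match = _HOST_LINE.match(line)
        if match and match.group("status") == "Up":
            live.append((match.group("ip"), match.group("name")))
    return live


def targets_file(live_hosts: list[tuple[str, str]]) -> str:
    """Render live hosts one per line, the format `nmap -iL targets.txt` expects for the port scan."""
    return "".join(f"{ip}\n" for ip, _ in live_hosts)


if __name__ == "__main__":
    print("sweep:", shlex.join(sweep_command("172.16.50.0/24")))
    hosts = parse_live_hosts(SAMPLE_GREPABLE)
    print(f"{len(hosts)} hosts up")
    print(targets_file(hosts), end="")
```

Feeding only the hosts that answered into the slower port scan is the whole point of sweeping first; the strict CIDR check catches the "172.16.50.5/24" typo that would otherwise silently widen the scan to the whole /24 around an unintended address.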
Which of the following statements BEST describes the differences between PowerShell and Python in the context of penetration testing?
PowerShell cmdlets are used for automating tasks in Windows environments, while Python is often used for developing custom penetration testing tools and is cross-platform. PowerShell is primarily used in Windows environments for tasks like managing Active Directory, Group Policy, and the Windows network stack. Python, with its extensive libraries and cross-platform compatibility, is often used to develop custom penetration testing tools that can run on various operating systems. PowerShell was originally designed for Windows environments and is built on the .NET Framework, though it has since become cross-platform with PowerShell Core (now simply PowerShell 7). Python, on the other hand, is inherently cross-platform and not tied to any specific operating system architecture.
Python scripts can be executed on multiple operating systems, including Windows, Linux, and macOS. PowerShell, while originally Windows-specific, has become cross-platform, so its scripts can also be executed on various operating systems.
While PowerShell is case-insensitive, Python is case-sensitive. Additionally, Python is not limited to Windows-based tasks; it is widely used across different platforms and in various aspects of penetration testing beyond just Windows environments.
During a penetration test on an industrial environment, a tester is assessing the security of Operational Technology (OT) components, including Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems.
Which of the following actions would be considered a significant risk if an attacker gains access to these OT systems?
Modifying register values in a PLC. Altering the values in a PLC's registers can significantly impact the functioning of industrial processes. For example, a malicious actor could change the operational parameters to cause machinery to operate outside safe limits, leading to equipment damage, production delays, or even safety hazards. This type of attack poses a direct and severe risk to OT environments.
While network scanning can reveal information about potential vulnerabilities in a system, it is not in itself the significant risk to OT components like PLCs or SCADA systems that the question asks about: scanning does not by design change process state, though it is often a preliminary step in an attack. In practice, testers still scan OT networks conservatively and with the operator's agreement, since some PLCs have fragile network stacks and can fault under aggressive scanning.
Monitoring network traffic for legitimate purposes such as performance tuning or troubleshooting does not pose a significant risk to OT environments. However, if done with malicious intent, it could be used to gather information about the network that might facilitate an attack. Still, it does not directly compromise OT system operations.
Changing user access permissions on systems not related to the OT environment does not directly affect OT components like PLCs or SCADA systems. While it could potentially lead to IT security issues, it does not constitute a significant risk to industrial operations.
Which of the following actions should users take to minimize the risk of their passwords being compromised after a data breach, such as the RockYou hack?
Use password-checking services like haveibeenpwned.com. Services like haveibeenpwned.com allow users to check whether their passwords have been exposed in a known data breach; its Pwned Passwords API takes only the first five hex characters of the password's SHA-1 hash, so the password itself is never sent to the service. This helps users identify compromised passwords and take appropriate action, such as changing them.
Reusing passwords across different sites increases the risk of multiple accounts being compromised if one password is leaked in a data breach. Hackers can use the compromised password to gain unauthorized access to other accounts through credential stuffing.
Storing passwords in plaintext is highly insecure. In the case of a breach, plaintext passwords are easily readable, making it effortless for hackers to steal and misuse the information. Instead, users should store passwords securely, such as in an encrypted password manager.
Using passwords from well-known lists, such as those leaked in breaches like RockYou, is highly insecure because these passwords are easily accessible to attackers. Instead, users should create strong, unique passwords for each account.
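To show what "checking a password against a breach corpus" looks like without handing the password to anyone, here is an added example (not from the original page, and not code from haveibeenpwned.com) of the k-anonymity range lookup the Pwned Passwords API uses: hash locally, send only the 5-character prefix, and compare the returned suffixes on the client. The range response below is constructed for the demo; only the suffix that matches "password" is the real SHA-1 value, and its count is made up. The live fetcher at the bottom uses the real endpoint URL but is not called offline.

```python
"""Client side of a Pwned-Passwords-style k-anonymity lookup, runnable offline."""
import hashlib
from typing import Callable

# Constructed stand-in for the body of https://api.pwnedpasswords.com/range/5BAA6
# (lines of "HASH-SUFFIX:COUNT"). The middle line's suffix is the real SHA-1 tail of
# "password"; the other suffixes and every count are invented for this example.
SAMPLE_RANGE_BODY = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
3D0E9E4BE2A4E2A9B6B9C0F3D2F2A1B0C11:2
"""


def hash_split(password: str) -> tuple[str, str]:
    """SHA-1 the password locally and split the hex digest into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in breaches; 0 means 'not in the corpus'.

    Only the prefix leaves the machine; the suffix comparison happens here.
    """
    prefix, suffix = hash_split(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fake_range_api(prefix: str) -> str:
    """Offline substitute for the HTTP call, serving the constructed body for one prefix."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


def live_range_api(prefix: str) -> str:
    """Real lookup against the public API (needs network; not used by the offline demo)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        seen = breach_count(candidate, fake_range_api)
        verdict = f"seen {seen} times, change it" if seen else "not in this sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `fake_range_api` for `live_range_api` to query the real service. The design point is the injected fetcher: the hashing and matching logic is the same either way, and nothing but a 5-hex-character prefix (one of 1,048,576 buckets) is ever transmitted.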
When evaluating the effectiveness of network mapping tools in the penetration testing process, which of the following features is most critical for ensuring a comprehensive understanding of the network's structure and vulnerabilities?
The capability to interrogate ARP caches, routing, and MAC tables to gather detailed network information. This capability is critical for evaluating the network's structure and identifying potential vulnerabilities: by reading ARP caches, routing tables, and switch MAC tables, a PenTester learns which addresses sit on which segments, which devices forward between them, and where the same hardware answers for several addresses, which is essential for understanding how devices are interconnected and where vulnerabilities may exist.
While exporting scan results in various formats can be useful for documentation and analysis, it does not directly contribute to understanding the network's structure and vulnerabilities. This feature is more about data management than network evaluation.
While creating professional-looking diagrams can aid in presenting findings, it does not inherently enhance the understanding of the network's structure or vulnerabilities. This feature is more about presentation than evaluation.
Offering free trials is a marketing strategy and does not impact the effectiveness of the tool in evaluating the network's structure and vulnerabilities. This feature is unrelated to the technical capabilities of the tool in the context of network mapping.
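As an added example of the "interrogate ARP caches" capability the card refers to (not code from the original page or from any mapping product), the following parses the neighbour cache as dumped by Linux `ip neigh` and Windows `arp -a`, groups the hosts by the interface (segment) they were learned on, and flags a MAC address answering for more than one IP, which is either a router doing proxy ARP, a NAT device, or an ARP-spoofing host. Both dumps are constructed for the demo.

```python
"""Parse ARP/neighbour caches (Linux `ip neigh`, Windows `arp -a`) into a per-interface map."""
import ipaddress
import re
from typing import NamedTuple


class Neighbor(NamedTuple):
    ip: str
    mac: str
    iface: str
    state: str


# Constructed dumps; the shared MAC on eth0 is deliberate.
SAMPLE_LINUX = """\
172.16.50.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
172.16.50.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
172.16.50.11 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
172.16.50.23 dev eth0  FAILED
10.0.0.5 dev eth1 lladdr 52:54:00:ab:cd:ef DELAY
"""
SAMPLE_WINDOWS = """\
Interface: 172.16.50.5 --- 0x4
  Internet Address      Physical Address      Type
  172.16.50.1           00-11-22-33-44-01     dynamic
  172.16.50.255         ff-ff-ff-ff-ff-ff     static
"""

_LINUX = re.compile(r"^(?P<ip>\S+)\s+dev\s+(?P<iface>\S+)\s+lladdr\s+(?P<mac>[0-9a-f:]{17})\s+(?P<state>\w+)", re.I)
_WIN_HEADER = re.compile(r"^Interface:\s+(?P<ip>\S+)")
_WIN_ROW = re.compile(r"^\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(?P<state>\w+)", re.I)


def parse_neighbors(text: str) -> list[Neighbor]:
    """Accept either tool's output; entries without a resolved MAC (FAILED/incomplete) are skipped."""
    entries: list[Neighbor] = []
    current_iface = "?"
    for line in text.splitlines():
        if (m := _WIN_HEADER.match(line)):
            current_iface = m.group("ip")  # Windows names the interface by its own address
            continue
        if (m := _LINUX.match(line)):
            entries.append(Neighbor(m.group("ip"), m.group("mac").lower(), m.group("iface"), m.group("state")))
        elif (m := _WIN_ROW.match(line)):
            mac = m.group("mac").lower().replace("-", ":")  # normalise to colon form
            entries.append(Neighbor(m.group("ip"), mac, current_iface, m.group("state")))
    return entries


def by_interface(entries: list[Neighbor]) -> dict[str, list[str]]:
    """Which segment each cached neighbour sits on, sorted numerically rather than as strings."""
    groups: dict[str, list[str]] = {}
    for e in entries:
        groups.setdefault(e.iface, []).append(e.ip)
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in groups.items()}


def shared_macs(entries: list[Neighbor]) -> dict[str, list[str]]:
    """MACs answering for several IPs: a router doing proxy ARP, a NAT box, or ARP spoofing."""
    owners: dict[str, list[str]] = {}
    for e in entries:
        owners.setdefault(e.mac, []).append(e.ip)
    return {mac: ips for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    neighbors = parse_neighbors(SAMPLE_LINUX) + parse_neighbors(SAMPLE_WINDOWS)
    for iface, ips in by_interface(neighbors).items():
        print(f"{iface}: {', '.join(ips)}")
    for mac, ips in shared_macs(neighbors).items():
        print(f"{mac} answers for {ips} (proxy ARP, NAT, or spoofing: verify)")
```

Run `ip neigh show` or `arp -a` on each foothold and feed the text in; comparing the maps from several hosts is what turns a pile of cache entries into a picture of segments and the devices that bridge them.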
A penetration tester is trying to determine the operating systems running on several hosts within a network. The tester wants to avoid detection by firewalls and intrusion detection systems (IDS).
Which method should the tester use, and what is a potential drawback of this method?
Passive OS fingerprinting; less accurate in identifying the OS. Passive OS fingerprinting involves capturing traffic without sending any probes to the target, which avoids detection. However, it is less accurate than active methods because it can only infer the OS from characteristics of packets the target happens to send, such as the TTL and the TCP window size, and those fields can be rewritten by NAT devices or firewalls in the path.
The option pairing active OS fingerprinting with a low likelihood of detection is wrong: active methods send probes that can trigger firewalls and IDS, even though those probes are what make active detection more accurate.
Active OS fingerprinting does not merely analyze captured traffic. It actively sends probes to targets and analyzes the responses, making it more interactive and accurate, but also more detectable.
While passive OS fingerprinting avoids detection, it does not always provide accurate results. It may misidentify the operating system due to limited data from captured traffic, making it less reliable than active methods.
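An added example (not code from the original page, and not p0f's database) of the passive inference the cards describe: from a single observed SYN, round the TTL up to a common starting value to get the OS family and a hop estimate, then refine the guess with the TCP window size. The lookup table is a small, assumed set of typical values, and the observations are constructed; the "low" confidence path is exactly the accuracy limitation the correct answer refers to.

```python
"""Passive OS fingerprint guess from fields observed in captured packets (no probes sent)."""

INITIAL_TTLS = (64, 128, 255)  # common starting TTLs: Linux/BSD/macOS, Windows, network gear/Solaris

# Assumed, deliberately small lookup of (initial TTL, TCP window size) pairs that are
# typical SYN values for each family. Real tools such as p0f carry far larger databases.
WINDOW_HINTS = {
    (64, 5840): "Linux (older kernels)",
    (64, 29200): "Linux (3.x/4.x default)",
    (64, 64240): "Linux (recent kernels)",
    (64, 65535): "macOS/FreeBSD",
    (128, 8192): "Windows (7/2008 era)",
    (128, 64240): "Windows 10/11",
    (128, 65535): "Windows (XP/2003 era)",
    (255, 4128): "Cisco IOS",
}

FAMILY_BY_TTL = {64: "Linux/Unix-like", 128: "Windows", 255: "network device or legacy Unix"}


def guess_initial_ttl(observed_ttl: int) -> tuple[int, int]:
    """Round the observed TTL up to the nearest common initial value; return (initial, hops)."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    initial = next(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def fingerprint(observed_ttl: int, window_size: int) -> tuple[str, str, int]:
    """Return (os_guess, confidence, hop_estimate) for one observed SYN.

    confidence is "high" when the (initial TTL, window) pair is in the table and
    "low" when only the TTL family could be inferred; either can still be wrong if
    a NAT or firewall rewrote the TTL, which is the accuracy cost of passive methods.
    """
    initial, hops = guess_initial_ttl(observed_ttl)
    detail = WINDOW_HINTS.get((initial, window_size))
    if detail is not None:
        return detail, "high", hops
    return FAMILY_BY_TTL[initial], "low", hops


# Constructed observations (as if read from SYN packets in a pcap), not real captures.
SAMPLE_FLOWS = [
    ("172.16.50.10", 52, 29200),
    ("172.16.50.11", 117, 8192),
    ("172.16.50.1", 240, 4128),
    ("172.16.50.77", 60, 12345),
]

if __name__ == "__main__":
    for src, ttl, win in SAMPLE_FLOWS:
        guess, conf, hops = fingerprint(ttl, win)
        print(f"{src:15} ttl={ttl:3} win={win:5} -> {guess} ({conf}, ~{hops} hops away)")
```

Note that 64240 appears under both Linux and Windows in the table, so the TTL does the disambiguation; if a middlebox rewrote the TTL, this method would misattribute the host with no way to notice, whereas an active scan such as nmap -O would still be probing the real stack.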
In the initial stages of a penetration test, your team gathers information about the target organization. What is the primary difference between passive reconnaissance and active reconnaissance during this process?
Passive reconnaissance involves gathering information without interacting directly with the target, while active reconnaissance involves direct interaction and can be detected. Passive reconnaissance gathers information from public sources without engaging with the target, while active reconnaissance involves direct interaction with the target's systems, which can potentially be detected.
Passive reconnaissance does not involve direct interaction with the target, while active reconnaissance does. This option reverses the definitions of passive and active reconnaissance.
Passive reconnaissance is generally undetectable by the target, as it only involves gathering information from open-source resources. Active reconnaissance, on the other hand, can be detected because it involves interacting with the target's systems.
Both passive and active reconnaissance can gather a variety of information, including both technical and administrative details. The key distinction between them is the level of interaction with the target, not the type of information gathered.
Which of the following tools would be MOST effective for a pentester to use when they need to visualize and analyze connections between various data points collected during user enumeration?
Maltego is specifically designed to visualize and analyze connections between various data points. It offers a powerful GUI with a library of transforms that help in mapping relationships and commonalities among data sources, making it the most effective tool for this purpose.
While theHarvester is a useful tool for gathering information such as email addresses, subdomains, and employee names, it does not provide visualization capabilities to analyze connections between data points. Its primary function is data collection rather than data analysis and visualization.
SpiderFoot is a tool designed for automating the collection of OSINT data, similar to theHarvester. It can gather a wide range of information, but its focus is automated collection rather than link analysis; it is not the purpose-built tool for visualizing and analyzing the connections between data points that Maltego is, which is what evaluating relationships requires.
Hunter.io is primarily used for finding and verifying email addresses associated with a domain. It does not provide visualization or analysis of connections between data points, which is necessary for evaluating relationships during user enumeration.
When performing Open Source Intelligence Gathering, what useful information can be found on LinkedIn?
Key Contacts. LinkedIn is a social networking site for careers. People list their jobs, companies, and responsibilities. This information builds a picture of networks and helps to identify key contacts.
LinkedIn uses hashtags to find specific trends. This information tends to be generic and would not help gather information about a particular company.
LinkedIn also has online education courses, and which ones are trending. This information is not particularly useful for gathering information about a specific company.
Sponsored information only indicates which companies are advertising on LinkedIn, not any useful open-source information.
What is a distinctive feature of Recon-ng?
Allows for customization using different modules. Recon-ng uses modules to customize the search. Some modules include Whois query, PGP Key search, Social media profile associations, file crawler, and DNS record enumerator.
Shodan is a search engine designed to locate and index IoT devices connected to the Internet. There is a free version, but it requires a subscription to access all tools.
Maltego specializes in the visualization of data. The OSINT can generate extensive data, and Maltego helps to find the connections between different pieces.
theHarvester is an intuitive tool that can search a company's visible threat landscape. The tool gathers information on subdomain names, employee names, email addresses, PGP key entries, open ports, and service banners.
A penetration tester is performing website enumeration on a public-facing web server. The tester uses Nmap with the http-enum script and discovers that the server is running Apache with WordPress installed.
The pentester decides to further investigate the plugins used by WordPress and evaluates the site's robots.txt file.
Which of the following would be the MOST effective combination of tools and techniques for identifying vulnerable plugins and unprotected resources on this server?
WPScan, Forced Browsing, Spiderfoot. The combination of WPScan, Forced Browsing, and Spiderfoot would be the most effective because it addresses both the WordPress-specific vulnerabilities (WPScan, for example wpscan --url <site> --enumerate vp to list plugins with known vulnerabilities) and the broader website enumeration (Forced Browsing against the paths the robots.txt file reveals, and Spiderfoot for the wider footprint).
While DirBuster, Nmap, and Google Dorking cover general enumeration well (e.g., with Nmap and DirBuster), the combination doesn't specifically focus on identifying vulnerable WordPress plugins, making it less effective than the correct option.
The Metasploit, Maltego, and robots.txt combination doesn't provide the most effective tools for identifying vulnerable WordPress plugins or unprotected resources. Metasploit is better for post-enumeration exploitation, and Maltego is not as relevant in this context.
While the Nmap, WPScan, and manual inspection is a strong option (especially with WPScan and manual inspection), it lacks a more comprehensive enumeration tool like Forced Browsing or Spiderfoot to cover additional potential vulnerabilities outside of WordPress.
A PenTester wants to quickly check the running processes on a Windows computer but only has access via a reverse_powershell session. How will the PenTester find this information?
Run the Get-Process cmdlet. Since this scenario is in a reverse_powershell session, the PowerShell cmdlet Get-Process will return all currently running processes on the computer. It will help navigate the next attack or check on currently running scans and tools used.
Since this scenario is in a reverse_powershell session, the graphical user interface (GUI) is unavailable to show running programs and processes.
ipconfig -all will only return general network connection information for the computer. This will not produce any processes currently running on the machine.
msfvenom is a very flexible and useful component of the Metasploit framework for generating many different payloads, such as reverse_powershell, that grant remote access to target computers. It produces the payload that gives the attacker the shell; it does not itself list the processes running on the target.
What open source intelligence tool (OSINT) allows for customization using different modules?
Recon-ng. Recon-ng uses modules to customize the search. Some modules include Whois query, PGP Key search, Social media profile associations, file crawler, and DNS record enumerator.
Shodan is a search engine designed to locate and index IoT devices connected to the Internet. There is a free version, but it requires a subscription to access all tools.
Maltego specializes in the visualization of data. The OSINT can generate extensive data, and Maltego helps to find the connections between different pieces.
theHarvester is an intuitive tool that can search a company's visible threat landscape. The tool gathers information on subdomain names, employee names, email addresses, PGP key entries, open ports, and service banners.
When evaluating the effectiveness of an attack path map in a penetration testing process, which of the following criteria is most crucial?
It is important that the attack path map is detailed and comprehensive. You can use tools like Maltego to visualize complex pathways, which helps in identifying vulnerabilities and potential attack paths effectively. It also enhances accuracy and efficiency. The focus is on comprehensiveness to identify vulnerabilities effectively and should include both external and internal pathways.
A penetration tester is examining a digital certificate used for TLS communications on a target web server. The certificate includes a Subject Alternative Name (SAN) field with a wildcard entry, and the pentester plans to investigate further using Certificate Transparency (CT) logs.
Which of the following actions is the pentester MOST likely to take based on the information gathered?
Scan for subdomains not covered by the wildcard in the SAN and investigate whether they are vulnerable. This is the most likely action a penetration tester would take. A wildcard such as *.comptia.org covers exactly one label, so hostnames one level deeper (for example a.b.comptia.org) or under a different parent need their own certificates, and those certificates, and with them the hostnames, show up in CT logs. Subdomains uncovered this way are often older or less maintained services and may offer more information about, or a way into, the target.
While a Certificate Authority (CA) hierarchy exists with root and subordinate CAs, this option involves attacking the infrastructure of the CA itself, which is not relevant to what a pentester would typically do when investigating a certificate for a specific target. Root CA exploitation is far beyond the scope of normal penetration testing procedures.
Although CRL is a method for checking certificate validity, it is not the most efficient approach used in modern systems. The Online Certificate Status Protocol (OCSP) is typically preferred for real-time checks, and "stapling" improves efficiency by placing the responsibility on the server. Additionally, this answer does not align with the context of using SANs or CT logs to gather information about subdomains.
Investigating whether any subdomains listed in the CT logs are using expired or revoked certificates is a good action to take as part of a thorough assessment. CT logs can reveal subdomains that are no longer covered by the certificate or use expired/revoked certificates. This action would help the pentester evaluate security flaws associated with these subdomains. While it is not the most immediate step, it complements the investigation into subdomains and SANs. This answer is plausible but secondary to scanning for vulnerabilities.
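The following is an added example (not from the original page) of the comparison the correct answer describes: take the DNS names from a certificate's SAN field, match each hostname seen in CT logs against them using the one-label wildcard rule TLS clients apply (RFC 6125), and report the hostnames this certificate cannot cover, which must therefore have certificates of their own and deserve separate inspection. The certificate dict follows the shape that Python's ssl.SSLSocket.getpeercert() returns, but it and the CT name list are constructed here, not fetched from any real host.

```python
"""Compare hostnames seen in Certificate Transparency logs against a certificate's SAN entries."""


def sans_from_getpeercert(cert: dict) -> list[str]:
    """Pull the DNS names out of the dict that ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname the way TLS clients do (RFC 6125 style).

    A wildcard is accepted only as the whole left-most label and stands for exactly one
    label, so *.comptia.org covers www.comptia.org but not comptia.org or a.b.comptia.org.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False  # partial or multiple wildcards (f*.example.org) are not accepted here
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Require at least two labels after the wildcard so "*.org" never matches anything.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hostnames(ct_hostnames, san_entries) -> list[str]:
    """Hostnames from CT logs that no SAN entry on this certificate covers."""
    return sorted({h for h in ct_hostnames if not any(san_matches(s, h) for s in san_entries)})


# Constructed data: a getpeercert()-shaped dict and a list of names as a CT log search
# (for example on crt.sh) might return. None of it was fetched from a real host.
SAMPLE_CERT = {
    "subject": ((("commonName", "comptia.org"),),),
    "subjectAltName": (("DNS", "comptia.org"), ("DNS", "*.comptia.org")),
}
SAMPLE_CT_NAMES = [
    "www.comptia.org", "comptia.org", "staging.comptia.org",
    "dev.api.comptia.org", "legacy-vpn.comptia.org", "mail.partner.comptia.org",
]

if __name__ == "__main__":
    sans = sans_from_getpeercert(SAMPLE_CERT)
    for name in uncovered_hostnames(SAMPLE_CT_NAMES, sans):
        print("not covered by this certificate, inspect separately:", name)
```

In a live assessment the dict comes from `ssl.create_default_context().wrap_socket(...)` followed by `getpeercert()`, and the CT names from a log search; the matching rule is the part worth getting right, because a looser "endswith" check would wrongly treat dev.api.comptia.org as covered.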
Which of the following commands or tools would a penetration tester use to enumerate permissions on a local Windows machine in order to determine which user accounts have access to specific directories or files?
Get-Acl. The PowerShell cmdlet Get-Acl is used to retrieve permissions on files, directories, and registry keys, which directly aligns with the task of enumerating which user accounts have access to specific directories or files.
The whoami /priv command displays the privileges associated with the current user. While it is useful for understanding the level of access of the currently logged-in user, it does not directly enumerate permissions for other users or specific directories/files.
The net localgroup
The ping command is used to test network connectivity between devices. It has no relevance to enumerating user permissions or file access.
During a network scan at the beginning of a penetration test, a pentester uses Nmap to discover open ports, services, and protocols on a target network. The pentester must ensure network stability while balancing the need for fast and thorough scanning.
Which of the following Nmap timing options would be the MOST appropriate for achieving fast scans without significantly compromising network stability?
-T4 (aggressive). -T4 is recommended for fast scans while maintaining reasonable network stability. It strikes a good balance between speed and stability, making it the most appropriate choice when the network can handle a somewhat faster scan without significant performance impact.
-T1 (sneaky) is a very slow timing option designed to minimize detection and is best for IDS evasion. It is extremely slow and not suitable for situations where speed is a priority, so it would not be appropriate for balancing network performance with fast scanning.
-T3 (normal) is Nmap's default timing template, offering a stable and balanced scan. It is a safe choice but may not be fast enough for a pentester who wants to expedite the process without causing network instability.
-T5 (insane) is the fastest timing template available in Nmap, but it is also the least stable: it sacrifices accuracy for speed and can drop results on slower links. It should only be used on networks that can handle high-speed scans without significant disruption; in most cases it can overwhelm the network and cause instability.
Which of the following BEST describes the purpose of enumeration during a penetration test?
Discovering detailed information about the network, such as operating systems, user accounts, and network services. Enumeration focuses on discovering critical details about a target network, such as operating systems, users, groups, services, and network devices, which help in building a complete picture for further testing and exploitation.
While identifying the firewall rulesets and detecting open ports through TCP ACK scans is related to the scanning phase, it is not the primary purpose of enumeration. TCP ACK scans are used to bypass firewalls and determine the state of ports but do not encompass the broader goals of enumeration, which include gathering detailed system and network information.
Running a UDP scan to identify ports used by services like DNS and SNMP is specific to scanning rather than enumeration. While scanning may help identify services like DNS and SNMP, enumeration involves gathering more detailed information beyond just open or closed ports.
Detecting the security measures used in a network by utilizing timing options during an Nmap scan refers to adjusting scan timing to evade detection or manage network load, which is part of the scanning process but not a primary activity within enumeration. Enumeration aims to gather information rather than measure security response timing.
A security engineer is conducting an Open-source Intelligence (OSINT) recon against the organization to find out its public-facing exposure. The security engineer wants to visualize the gathered information using a GUI to help process the information.
Which of the following tools is BEST suited for this?
Maltego has a full Graphical User Interface (GUI) to help users visualize the gathered information. Maltego features an extensive library of "transforms," which automate the querying of public sources of data.
theHarvester is an intuitive tool that can search a company's visible threat landscape from the command line. The tool gathers information on subdomain names, employee names, email addresses, PGP key entries, and open ports and service banners.
Recon-ng is also a command line tool that uses modules to customize the search. When searching, the PenTester can run a specific type of query and then set various options that are either required or optional.
Shodan is a search engine designed to locate and index IoT devices connected to the Internet.
A PenTester is using Python to write a script in preparation for a PenTest. What can the PenTester do to complete the script quickly as well as take advantage of work that others have already completed?
Use modules, Use classes, and Use pre-built libraries. The PenTester can use classes which are user-defined prototypes or templates from which PenTesters can create objects and they allow the PenTester to bundle data and functionality together.
The PenTester can use modules which are a way for the PenTester to code re-usable functions, variables, and classes that the tester can import into scripts.
The PenTester can use pre-built libraries. Importing and using existing modules in libraries can save the PenTester a lot of time because the tester is re-using modules that others have already created.
Writing each line of code from scratch will not save the PenTester any time and does not take advantage of work that others have already completed.
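As an added example of all three points on the card (not code from the original page), here is a small scope-handling module of the kind a tester keeps in their own toolkit: a class that bundles the engagement's in-scope and excluded ranges with the checks every script needs, built on the pre-built ipaddress library from the standard library rather than hand-written CIDR arithmetic, and structured so that other scripts can `import scope` and reuse it. The text format it reads and the sample scope are assumptions for this example.

```python
"""scope.py: a small reusable module bundling engagement-scope data and behaviour in one class."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Scope:
    """In-scope networks plus exclusions, with the checks every script in the kit needs.

    Text format (an assumption for this example): one address or CIDR per line,
    a leading '!' marks an exclusion, '#' starts a comment.
    """
    included: list = field(default_factory=list)
    excluded: list = field(default_factory=list)

    @classmethod
    def from_text(cls, text: str) -> "Scope":
        scope = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("!"):
                scope.excluded.append(ipaddress.ip_network(line[1:].strip(), strict=False))
            else:
                scope.included.append(ipaddress.ip_network(line, strict=False))
        return scope

    def contains(self, address: str) -> bool:
        """True only if the address is inside an included network and not inside an excluded one."""
        ip = ipaddress.ip_address(address)
        if any(ip in net for net in self.excluded):
            return False
        return any(ip in net for net in self.included)

    def targets(self) -> list[str]:
        """Expand the included networks to individual host addresses, honouring exclusions."""
        out: list[str] = []
        for net in self.included:
            for host in net.hosts():
                addr = str(host)
                if addr not in out and self.contains(addr):
                    out.append(addr)
        return out


# Constructed scope file contents for the demo.
SAMPLE_SCOPE = """\
# client-approved ranges
172.16.50.0/30
192.168.1.0/29
!172.16.50.1        # the gateway is out of scope
!192.168.1.0/30
"""

if __name__ == "__main__":
    scope = Scope.from_text(SAMPLE_SCOPE)
    print("targets:", scope.targets())
    print("172.16.50.1 in scope?", scope.contains("172.16.50.1"))
```

Every other script in the kit then calls `Scope.from_text(open("scope.txt").read()).contains(ip)` before touching a host, which is both the time saving the card describes and a rules-of-engagement safeguard.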
Which of the following BEST describes the purpose of using the robots.txt file on a website?
To direct web crawlers on which parts of the website should not be accessed or indexed. The robots.txt file instructs web crawlers about which parts of a website should not be crawled or indexed. It is a simple yet essential file that helps control the behavior of well-behaved crawlers by listing the paths they should not follow, which matters for managing how a website's content is indexed by search engines and other automated bots. It is advisory only: nothing enforces it, and because the file is publicly readable it also tells an attacker or tester which paths the owner would rather keep out of sight, which is why it is reviewed during enumeration. The robots.txt file does not deal with caching or enhancing loading speeds. Caching is typically managed by server configurations or content delivery networks (CDNs), not by the robots.txt file.
The robots.txt file does not provide encryption or enhance security directly. It is primarily used for guiding web crawlers and does not handle data encryption, which is typically managed by protocols like HTTPS.
The robots.txt file does not list plugins or extensions. It is not used for detailing the software components of a website but rather for directing the behavior of web crawlers regarding which parts of the site to access or avoid.
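The WordPress enumeration card earlier on this page has the tester evaluate robots.txt and follow up with forced browsing, and the card above explains what the file is for. Here is one added example serving both (not code from the original page or from the WPScan or DirBuster projects): it extracts every Disallow path from a robots.txt body, turns them into URLs to request directly, and uses the standard library's urllib.robotparser to show what a polite crawler would conclude about the same paths, which is exactly what a forced-browsing request ignores. The robots.txt content is constructed to look like a WordPress site's; example.org is a placeholder.

```python
"""Read robots.txt the way a tester does: as a list of paths the owner did not want crawled."""
import urllib.robotparser
from urllib.parse import urljoin

# Constructed robots.txt typical of a WordPress site; not fetched from any real host.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/plugins/
Disallow: /backup/   # old staging dump
Disallow: /wp-admin/
Sitemap: https://www.example.org/sitemap.xml
"""


def disallowed_paths(robots_txt: str) -> list[str]:
    """Every Disallow value, comments stripped, in file order, without duplicates."""
    paths: list[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        value = value.strip()
        if key.strip().lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths


def forced_browse_urls(base_url: str, paths: list[str]) -> list[str]:
    """Absolute URLs to request directly; a wildcard-bearing path is left for manual review."""
    return [urljoin(base_url, p) for p in paths if "*" not in p]


def crawler_allowed(robots_txt: str, path: str, user_agent: str = "*") -> bool:
    """What a well-behaved crawler would conclude, using the standard library's parser."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, path)


if __name__ == "__main__":
    paths = disallowed_paths(SAMPLE_ROBOTS)
    for url in forced_browse_urls("https://www.example.org", paths):
        print("request directly:", url)
    print("polite crawler may fetch /backup/?", crawler_allowed(SAMPLE_ROBOTS, "/backup/"))
```

The /wp-content/plugins/ entry is the one to hand to WPScan's plugin enumeration, and a path like /backup/ that no crawler will index is precisely the "unprotected resource" a forced-browsing request should check for, since being absent from search results is not the same as being access-controlled.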