Exam PT0-002
Question 39

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:

- Have a full TCP connection
- Send a `hello` payload
- Wait for a response
- Send a string of characters longer than 16 bytes

Which of the following approaches would BEST support the objective?

A. Run `nmap -Pn -sV --script vuln`
B. Employ an OpenVAS simple scan against the TCP port of the host
C. Create a script in the Lua language and use it with NSE
D. Perform a credentialed scan with Nessus

    Correct Answer: C

    A penetration tester needs to automate a series of specific actions on a specialized TCP service used for physical access control: establishing a full TCP connection, sending a 'hello' payload, waiting for a response, and then sending a string longer than 16 bytes. Using a pre-built tool alone may not cater to this custom requirement. Creating a script in the Lua language and using it with Nmap's NSE (Nmap Scripting Engine) allows for tailor-made automation of these exact steps, making it the best approach for this specialized task.
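The explanation above describes the four steps but not what such an NSE script looks like. The script below is an added example, not part of the original question or of Nmap's own script collection; the access-control service, its default port 4000, the script name `acs-probe` and the 32-byte probe length are all assumptions chosen for illustration. It performs exactly the exchange the question lists (full TCP connect, send `hello`, wait for a reply, send an input longer than 16 bytes) and reports how the service reacted, so the same check can be run unchanged against a whole list of hosts.

```lua
-- acs-probe.nse  (added example; hypothetical service and port)
--
-- Connects to an assumed access-control TCP service, sends the "hello"
-- greeting, waits for the reply, then sends an input longer than the
-- 16-byte limit the service is expected to enforce and records whether the
-- service kept answering. It only reports observations; it does not attempt
-- to act on them.

local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local string    = require "string"

description = [[
Probes a (hypothetical) physical access control TCP service: sends "hello",
waits for a response, then sends a string longer than 16 bytes and reports
whether the service accepted it or closed the connection.
]]

author = "added example, not an official Nmap script"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Sending input past the documented limit is unsolicited traffic to a
-- production control system, so the script is tagged intrusive, not safe.
categories = {"discovery", "intrusive"}

-- Default port 4000 is an assumption; override with --script-args acs-probe.port=N
local probe_port = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".port")) or 4000
portrule = shortport.portnumber(probe_port, "tcp")

-- Length of the oversized input (must exceed 16 to exercise the check).
local OVERSIZED_LEN = 32

action = function(host, port)
  local out = stdnse.output_table()
  local socket = nmap.new_socket()
  socket:set_timeout(5000)            -- 5 s per read/connect

  -- Step 1: full TCP connection (three-way handshake completed by connect()).
  local status, err = socket:connect(host, port)
  if not status then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil
  end

  -- Step 2: send the "hello" payload.
  status, err = socket:send("hello")
  if not status then
    socket:close()
    out.error = "send hello failed: " .. tostring(err)
    return out
  end

  -- Step 3: wait for the service's response (times out after 5 s).
  local got_reply, reply = socket:receive()
  if not got_reply then
    socket:close()
    out.hello_response = "none (" .. tostring(reply) .. ")"
    return out
  end
  out.hello_response = string.format("%d bytes", #reply)

  -- Step 4: send a string longer than 16 bytes and see how the service reacts.
  local oversized = string.rep("A", OVERSIZED_LEN)
  status, err = socket:send(oversized)
  if not status then
    socket:close()
    out.oversized_input = "send failed: " .. tostring(err)
    return out
  end

  local still_up, after = socket:receive()
  socket:close()

  out.oversized_length = OVERSIZED_LEN
  if still_up then
    -- Service answered an input past its 16-byte limit: worth a manual follow-up.
    out.oversized_input = string.format("accepted, service replied with %d bytes", #after)
  else
    -- EOF or timeout: service closed or went quiet after the oversized input.
    out.oversized_input = "rejected or connection closed (" .. tostring(after) .. ")"
  end
  return out
end
```

Run it against the whole host list with `nmap -Pn -p 4000 --script ./acs-probe.nse -iL hosts.txt` (add `--script-args acs-probe.port=N` if the service listens elsewhere). Each host gets one result table, so `-oX` output can be parsed to separate hosts that rejected the oversized input from those that kept answering. The script deliberately stops after the fourth step: it gathers the evidence the question asks for and leaves interpretation to the tester.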

Discussion
ryanzou (Option: C)

C is correct

Manzer

https://nmap.org/book/nse-language.html

solutionz (Option: C)

The scenario presented requires a specific sequence of actions: establishing a full TCP connection, sending a specific payload, waiting for a response, and then sending another specific string. This custom behavior is unlikely to be covered by generic vulnerability scanning tools or scripts. The best approach to achieve this specific goal would be to create a custom script that implements the required behavior. Nmap's NSE (Nmap Scripting Engine) is designed to allow users to write scripts for specialized network discovery and vulnerability detection tasks, and it uses Lua as its scripting language. Thus, the correct answer is: C. Create a script in the Lua language and use it with NSE.

BOYA2022 (Option: C)

"...the tester would like to automate the assessment." So C is the only logical answer.

Lino_Carbon (Option: C)

C is the correct answer

Etc_Shadow28000 (Option: C)

C. This custom script sends a string of characters longer than 16 bytes. This method provides the flexibility to automate the assessment exactly as required, across multiple hosts.

Analysis of other options:

A. Run `nmap -Pn -sV --script vuln`: This command uses default vulnerability scripts that may not specifically cover the specialized TCP service for physical access control. It lacks the customization needed to meet all the specified steps.

B. Employ an OpenVAS simple scan against the TCP port of the host: OpenVAS is a comprehensive vulnerability scanner, but it might not have the specific checks required for the specialized TCP service without custom scripting or configuration.

D. Perform a credentialed scan with Nessus: While a credentialed scan with Nessus can provide in-depth vulnerability information, it may not specifically target the specialized TCP service in the manner described without custom plugins or configurations.

nickwen007 (Option: C)

The best approach to support the objective is to create a script in the Lua language and use it with NSE. NSE provides an extensive library of scripts that can be used to automate processes such as vulnerability scanning, network discovery, OS detection, etc. The Lua language is a powerful scripting language designed for extensibility and performance, so it is well suited for the task at hand.

masso435 (Option: D)

Detecting hardware-related vulnerabilities often requires the use of credentialed scanning, configuration management tools, or other approaches that leverage inside access to the system.