Exam PT0-002 topic 1 question 206 discussion

Actual exam question from CompTIA's PT0-002
Question #: 206
Topic #: 1

A company provided the following network scope for a penetration test:

• 169.137.1.0/24
• 221.10.1.0/24
• 149.14.1.0/24

A penetration tester discovered a remote command injection on IP address 149.14.1.24 and exploited the system. Later, the tester learned that this particular IP address belongs to a third party. Which of the following stakeholders is responsible for this mistake?

  • A. The company that requested the penetration test
  • B. The penetration testing company
  • C. The target host's owner
  • D. The penetration tester
  • E. The subcontractor supporting the test
Suggested Answer: A
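The disagreement in the thread comes down to the difference between an address being inside the client-provided scope and the client actually having authority over it. As an added example (not part of the exam question or any comment), the Python below first checks a target against the three /24 ranges from the question and then against a constructed ownership table that stands in for the RDAP/WHOIS and asset-inventory confirmation done during pre-engagement due diligence; the owner names and the `clearance` function are hypothetical, and 149.14.1.24 is deliberately assigned to a third party to reproduce the scenario.

```python
import ipaddress

# Client-provided scope, copied from the question.
CLIENT_SCOPE = ["169.137.1.0/24", "221.10.1.0/24", "149.14.1.0/24"]

# Constructed ownership table (hypothetical values). In a real engagement this
# would be populated from RDAP/WHOIS lookups and the client's asset inventory.
OWNERSHIP = {
    "169.137.1.0/24": "Client",
    "221.10.1.0/24": "Client",
    "149.14.1.0/24": "ThirdPartyHosting",  # the mistake in the question
}


def in_client_scope(ip: str, scope=CLIENT_SCOPE) -> bool:
    """True if the address falls inside any CIDR the client listed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in scope)


def owner_of(ip: str, ownership=OWNERSHIP):
    """Return the registered owner for the range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in ownership.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return None


def clearance(ip: str, client: str = "Client"):
    """Decide whether a target may be tested, and why.

    Returns (cleared, reason). A target is cleared only when it is both in the
    client-provided scope AND registered to the client; a third-party range
    needs separate written authorization, and an unknown owner needs
    confirmation before any testing starts.
    """
    if not in_client_scope(ip):
        return False, "not in client-provided scope"
    owner = owner_of(ip)
    if owner is None:
        return False, "ownership unknown; confirm with client before testing"
    if owner != client:
        return False, f"in client scope but registered to {owner}; needs written third-party authorization"
    return True, "in scope and owned by client"


def triage_targets(targets, client: str = "Client"):
    """Split a target list into cleared addresses and blocked ones with reasons."""
    cleared, blocked = [], {}
    for ip in targets:
        ok, reason = clearance(ip, client)
        if ok:
            cleared.append(ip)
        else:
            blocked[ip] = reason
    return cleared, blocked


if __name__ == "__main__":
    # Constructed target list: one genuine client host, the question's host,
    # and an address outside every listed range.
    ok, bad = triage_targets(["169.137.1.5", "149.14.1.24", "10.0.0.1"])
    print("cleared:", ok)
    for ip, why in bad.items():
        print("blocked:", ip, "->", why)
```

The point the code makes is that `in_client_scope("149.14.1.24")` is true, exactly as ronniehaang notes below, yet `clearance` still refuses it, because the scope list alone says nothing about who owns the range. Splitting the two checks keeps the client's scope definition and the tester's due diligence as separate, auditable steps.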

Comments

Nikamy
5 months, 2 weeks ago
Selected Answer: B
Isn't it the responsibility of the pentesting company to gather information about the client and the scope?
upvoted 2 times
Nikamy
5 months, 2 weeks ago
I change my answer to A. Here's why: In essence, the primary responsibility lies with the client, but the penetration tester also has an obligation to verify and document scope details to minimize the risk of such mistakes.
upvoted 1 times
yeahnodontthinkso
4 days, 7 hours ago
It's definitely A. The company provided that IP as in scope. Are you really supposed to go over every IP set they provided and ask "Are you SURE about this one? Okay, what about THIS one?" Definitely the requesting company's fault for providing that IP range.
upvoted 1 times
Marty35
11 months, 1 week ago
The client is primarily responsible for defining the scope.
upvoted 2 times
j904
1 year ago
Selected Answer: D
D. makes logical sense
upvoted 1 times
Myfeedins479
1 year ago
Selected Answer: D
In chapter one of the All-in-One guide, under Governance, Risk, and Compliance and Permission to Test: "Pentesters must do their own due diligence to verify that the person who is requesting the testing has authority over tested assets in order to approve the test or that additional permission has been acquired."
upvoted 4 times
yeahnodontthinkso
4 days, 7 hours ago
So, when a company provides a list of IP ranges you're supposed to go over every single one with them asking them "Are you sure about this range? Okay, how about this one? And this one?" That doesn't make sense. It's the requesting company's fault. Answer is A.
upvoted 1 times
Snagggggin
3 months ago
My common sense says A, but reading this I agree D is probably correct. The pentester has to do their own due diligence to make sure the requestor is making an appropriate request. That is why the pentester is the professional here; the client isn't always very knowledgeable.
upvoted 1 times
mehewas855
1 year, 4 months ago
Selected Answer: D
If, let's say, a company asks the pentester to hack Google, even without any authority over that domain, the pentester should still verify that the domain is the company's property and that the person who signed the document is legally entitled to sign it. Plus what Natthew99 said: it's from the book.
upvoted 2 times
Natthew99
1 year, 6 months ago
Going with D. The All-in-One book says something like "pentesters must do their own due diligence to verify that the person requesting the testing has authority over the assets to approve the test and that any additional permissions have been acquired."
upvoted 4 times
solutionz
1 year, 8 months ago
Selected Answer: A
In a penetration testing scenario, the company requesting the test should provide accurate and clear scope, including the range of IP addresses that are to be tested. If an IP address is within the scope defined by the client and later turns out to be a third-party system, the responsibility for that mistake falls on the company that defined the scope. So, the correct answer is: A. The company that requested the penetration test
upvoted 4 times
KingIT_ENG
2 years, 1 month ago
A is the answer
upvoted 4 times
[Removed]
2 years, 1 month ago
A is the correct answer: the company that requested the penetration test.
upvoted 2 times
[Removed]
2 years, 1 month ago
I think A is correct
upvoted 2 times
cy_analyst
2 years, 1 month ago
Selected Answer: B
The responsible stakeholder for this mistake is the penetration testing company. Penetration testers are responsible for verifying the scope of their testing and ensuring that they have permission to test all systems in the specified range. They should have confirmed the ownership of the IP address before conducting any testing, and if there was any doubt, they should have raised the issue with the company that requested the penetration test. In this scenario, the fact that the IP address belonged to a third party indicates that the penetration tester did not conduct adequate reconnaissance or validation of the IP addresses before testing them. This oversight is the responsibility of the penetration testing company.
upvoted 3 times
KingIT_ENG
2 years, 1 month ago
I think A is correct
upvoted 1 times
cy_analyst
2 years, 1 month ago
I think the lesson here is to not scan and exploit any IP address they give us: recon first, and then accept.
upvoted 2 times
cy_analyst
2 years ago
Just be careful whose IP you scan, even if a company is behind it, because a company has friends and also enemies.
upvoted 1 times
[Removed]
2 years, 1 month ago
Why not A?
upvoted 1 times
[Removed]
2 years, 2 months ago
A 100% sure
upvoted 2 times
2Fish
2 years, 2 months ago
Selected Answer: A
A, for sure. The company/client requesting the Pen Test is responsible.
upvoted 3 times
ronniehaang
2 years, 4 months ago
Selected Answer: A
149.14.1.24 is part of the network scope (149.14.1.0/24)
upvoted 4 times
Hskwkhfb
2 years, 4 months ago
Isn't it D?
upvoted 2 times
Orean
2 years, 2 months ago
The penetration tester isn't responsible for defining the scope of acceptable IPs; the client is. The company should've known it was a third-party IP before contracting the pentester to attack it.
upvoted 2 times
[Removed]
2 years, 2 months ago
A is correct
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other