
CompTIA
SY0-601 Security+
Practice Exams
PBQs & Labs
by DojoLab

Contents

Practice Exam A (Questions) .......... 6
Practice Exam A (Answers) ........... 20
Practice Exam B (Questions) ......... 34
Practice Exam B (Answers) ........... 41
Practice Exam C (Questions) ......... 55
Practice Exam C (Answers) ........... 60

DojoLab’s CompTIA Security+ (SY0-601)
Written by DojoLab Ltd.
Copyright © 2022 by DojoLab Ltd.

https://www.dojolab.org
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher.

Trademark Acknowledgments

All product names and trademarks are the property of their respective owners, and are in no way associated or affiliated with DojoLab Ltd.

“CompTIA” and “Security+” are registered trademarks of CompTIA, Inc.

Warning and Disclaimer

This book is designed to provide information about the CompTIA SY0-601 Security+ certification exam. However, there may be typographical and/or content errors. Therefore, this book should serve only as a general guide and not as the ultimate source of subject information. The author shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have incurred, directly or indirectly, by the information contained in this book.

The CompTIA SY0-601 Security+ Certification

CompTIA's Security+ certification is the entry point for IT security professionals. If you're planning on securing the data and networks on the world's largest networks, then you're in the right place.

Earning the Security+ certification requires the completion of one exam covering a broad range of security topics. After completing the certification, a CompTIA Security+ certified professional will have an understanding of attack types, network security technologies, secure network architecture concepts, cryptography, and much more.

Here's the breakdown of each domain and the percentage of each topic on the SY0-601 exam:

Domain 1.0 - Threats, Attacks, and Vulnerabilities - 24%
Domain 2.0 - Architecture and Design - 21%
Domain 3.0 - Implementation - 25%
Domain 4.0 - Operations and Incident Response - 16%
Domain 5.0 - Governance, Risk, and Compliance - 14%
PRACTICE EXAM A (QUESTIONS)
Performance-Based Questions

1. Match the appropriate authentication reference to each description. Each authentication factor and authentication attribute will be used once.

Authentication factors and authentication attributes:

Something you have
Something you know
Something you are
Somewhere you are

_________ Your login will not work unless you are connected to the VPN using the United States as a country

_________ You use your fingerprint to unlock a door

_________ You enter your passcode to unlock your iPhone

_________ During the checkout process, you receive an OTP passcode to finalize the purchase
2. Match the description with the most accurate attack type.

Attack types:

Spear phishing
Vishing
Smishing
Phishing

_________ A type of social engineering attack which is used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity

_________ An attack that is implemented through text messages or SMS. The criminal executes the attack with the intent to gather personal information, including social insurance and/or credit card numbers

_________ A phone attack designed to get you to share personal information. The attacker uses social engineering to get you to share personal information and financial details, such as account numbers and passwords

_________ An email or electronic communications scam targeted towards a specific individual, organization or business
3. Match the description with the most accurate attack type.

Attack types:

Typosquatting
Whaling
Tailgating
Pharming

_________ An online scam where a website's traffic is manipulated and confidential information is stolen. In essence, it is the criminal act of producing a fake website and then redirecting users to it

_________ Attackers seeking entry to a restricted area without proper authentication. In it, the perpetrators can simply follow an authorized person into a restricted location

_________ A highly targeted phishing attack, aimed at senior executives, masquerading as a legitimate email

_________ A URL hijacking or a fake URL where threat actors impersonate legitimate domains for malicious purposes such as fraud or malware spreading
4. Match the cryptographic concepts to the implementation.

Cryptographic concepts:

Digital signatures
Key length
Hashing
Salting

_________ The addition of random data to a hash function to obtain a unique output, which refers to the hash

_________ A parameter of symmetrical or asymmetric encryption processes that provides information on how many different key values a key can accept in a specific protocol

_________ A method of cryptography that converts any form of data into a unique string of text

_________ A cryptographic value that is calculated from the data and a secret key is known only by the signer
5. Refer to the following firewall table:

Rule#  Source IP  Destination IP  Port  Allow/Block
1      5.5.5.5    20.5.30.40      443   Allow
2      Any        20.5.30.140     25    Block
3      Any        Any             Any   Block

Categorize the following traffic flows as ALLOWED or BLOCKED through the firewall:

_________ Transfer emails from 1.2.3.4 to 20.5.30.140

_________ Request a secured web page on 20.5.30.40 from 5.5.5.5

_________ Perform a DNS query from 10.1.10.88 to 9.9.9.9

6. Refer to the following firewall table:

Rule#  Source IP  Destination IP  Port  Allow/Block
1      Any        Any             53    Allow
2      Any        Any             123   Allow
3      Any        Any             Any   Block

Categorize the following traffic flows as ALLOWED or BLOCKED through the firewall:

_________ Synchronize the clock on a server at 99.99.99.4 from 88.88.88.1

_________ Perform a DNS query from 4.5.6.7 to 7.6.5.4

_________ Request an unsecured web page on 20.5.30.140

_________ Request a secured web page on 20.5.30.140

_________ Use SSH connection to connect to 20.5.30.140

7. Refer to the following firewall table:

Rule#  Source IP  Destination IP  Port  Allow/Block
1      Any        20.5.30.40      22    Allow
2      Any        20.5.30.140     80    Allow
3      Any        Any             Any   Block

Categorize the following traffic flows as ALLOWED or BLOCKED through the firewall:

_________ Use SSH connection to connect to 20.5.30.40

_________ Use SSH connection to connect to 20.5.30.140

_________ Request an unsecured web page on 20.5.30.140

_________ Request a secured web page on 20.5.30.140

8. Fill in the blank with the BEST malware type for the description.

_________ - A type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.

_________ - A type of malware that is often disguised as legitimate software and can be employed by hackers trying to gain access to users’ systems.

_________ - A type of malware that spreads copies of itself from computer to computer.

9. Match the appropriate wireless network attack to each description. Each wireless attack will be used once.

Wireless network attacks:

Evil twin
Bluejacking
Bluesnarfing
Disassociation

_________ An attacker setting up a fraudulent wireless access point that mimics the characteristics of a legitimate AP. Users may connect automatically to the evil twin or do so thinking the fraudulent AP is part of a trusted wifi network

_________ A type of Denial of Service attack, which is used to disconnect an access point (mobile device in this case) from a router by sending disassociation packets to the device

_________ An attacker gains unauthorized access to a wireless device via a Bluetooth connection. Once the hacker has access to the device, they can steal sensitive user information, including personal photos, contact lists, emails, and passwords

_________ A hacking method that lets a person send unsolicited messages (typically flirtatious but can also be malicious) to any Bluetooth-enabled device within his own device’s range
10. Match the appropriate programming language to each script. Each programming language will be used once.

Programming languages:

Python
PowerShell
Bash

_________ Script 1:

    function greeting() {
        str="Hello, $name"
        echo "$str"
    }

    echo "Enter your name"
    read name
    val=$(greeting)
    echo "Return value of the function is $val"

_________ Script 2:

    string1 = "Dojo"
    string2 = "Lab"
    joined_string = string1 + string2
    print(joined_string)

_________ Script 3:

    $tls10 = 'HKLM:\SYSTEM\CurrentCntrSet
    $tls10check = ($tls10 | Test-Path)
    if ($tls10check -eq $True){
        Set-ItemProperty -Path 'HKLM:\SYSTEM\}
11. Configure the following stateful firewall rules:
1. Allow the File Server to access the Database Server using LDAP
2. Block the Storage Server from transferring files to the Web Server using FTP
3. Allow the FTP Server to transfer files to the Mail Server over HTTPS

Rule#  Source IP  Destination IP  Port  Allow/Block
12. Configure the following stateful firewall rules:
1. Block the Web Server from accessing the Database Server using LDAP
2. Allow the Storage Server to transfer files to the Web Server using SFTP
3. Allow the Mail Server to transfer emails to the Storage Server using SMTP

Rule#  Source IP  Destination IP  Port  Allow/Block
13. Match the device to the description.

Devices:

Network address translation
Web application firewall
Network-based intrusion detection system
Proxy

_________ A device intelligently distributed within networks that passively inspects traffic traversing the devices on which it sits

_________ A way to map multiple local private addresses to a public one before transferring the information

_________ A server, referred to as an “intermediary” because it goes between end-users and the web pages they visit online

_________ A device that helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet
14. Match the description with the most accurate malware.

Malware:

Crypto malware
Remote access Trojan
Backdoor
Logic bombs

_________ A piece of often-malicious code that is intentionally inserted into the software. It is activated upon the host network only when certain conditions are met

_________ A method by which authorized and unauthorized users are able to get around normal security measures and gain root access to a computer system

_________ A type of malware that allows threat actors to use someone else's computer or server to mine for cryptocurrencies

_________ A malware program that gives an intruder administrative control over a target computer
15. Fill in the blank with the BEST password attack for the description.

_________ - An attacker will brute force logins based on a list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

_________ - A method of breaking into a password-protected computer, network, or other IT resource by systematically entering every word in a dictionary as a password.

_________ - A type of hacking wherein the perpetrator tries to use a rainbow hash table to crack the passwords stored in a database system.
PRACTICE EXAM A (ANSWERS)
Performance-Based Questions - Answers

1. Match the appropriate authentication reference to each description. Each authentication factor and authentication attribute will be used once.

Authentication factors and authentication attributes:

Something you have
Something you know
Something you are
Somewhere you are

Somewhere you are - Your login will not work unless you are connected to the VPN using the United States as a country

Something you are - You use your fingerprint to unlock a door

Something you know - You enter your passcode to unlock your iPhone

Something you have - During the checkout process, you receive an OTP passcode to finalize the purchase
2. Match the description with the most accurate attack type.

Attack types:

Spear phishing
Vishing
Smishing
Phishing

Phishing - A type of social engineering attack which is used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity

Smishing - An attack that is implemented through text messages or SMS. The criminal executes the attack with the intent to gather personal information, including social insurance and/or credit card numbers

Vishing - A phone attack designed to get you to share personal information. The attacker uses social engineering to get you to share personal information and financial details, such as account numbers and passwords

Spear phishing - An email or electronic communications scam targeted towards a specific individual, organization or business
3. Match the description with the most accurate attack type.

Attack types:

Typosquatting
Whaling
Tailgating
Pharming

Pharming - An online scam where a website's traffic is manipulated and confidential information is stolen. In essence, it is the criminal act of producing a fake website and then redirecting users to it

Tailgating - Attackers seeking entry to a restricted area without proper authentication. In it, the perpetrators can simply follow an authorized person into a restricted location

Whaling - A highly targeted phishing attack, aimed at senior executives, masquerading as a legitimate email

Typosquatting - A URL hijacking or a fake URL where threat actors impersonate legitimate domains for malicious purposes such as fraud or malware spreading
4. Match the cryptographic concepts to the implementation.

Cryptographic concepts:

Digital signatures
Key length
Hashing
Salting

Salting - The addition of random data to a hash function to obtain a unique output, which refers to the hash

Key length - A parameter of symmetrical or asymmetric encryption processes that provides information on how many different key values a key can accept in a specific protocol

Hashing - A method of cryptography that converts any form of data into a unique string of text

Digital signatures - A cryptographic value that is calculated from the data and a secret key is known only by the signer
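The salting and hashing descriptions above are easier to see than to read about: two users with the same password produce the same plain hash, but different salted hashes, and a keyed value over the data can only be produced and checked by whoever holds the key. The Python below is an added example (not from the DojoLab book) that shows all three with the standard library; the user names, the shared password (the book's own Secure@123 value) and the 100,000 PBKDF2 iterations are constructed choices.

```python
import hashlib
import hmac
import os

# Constructed sample (not from the book): two users who happened to choose the
# same password, the value the book uses in its spraying description.
USERS = {"alice": "Secure@123", "bob": "Secure@123"}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 over the password and a per-user random salt.
    The salt is the 'random data added to the hash function' from the book's
    definition; the iteration count slows down offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str) -> tuple[bytes, str]:
    """What a credential store keeps: the salt (not secret) and the salted digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored_digest)


def sign_message(message: bytes, signing_key: bytes) -> str:
    """A value computed from the data and a secret key known only to the signer,
    which is what the book's fourth description specifies. This is an HMAC tag;
    real digital signatures use an asymmetric key pair."""
    return hmac.new(signing_key, message, hashlib.sha256).hexdigest()


def verify_signature(message: bytes, signing_key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_message(message, signing_key), tag)


def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    records = {u: store_password(p) for u, p in USERS.items()}
    key = os.urandom(32)  # constructed signing key
    tag = sign_message(b"transfer 100", key)
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "salted_collide": records["alice"][1] == records["bob"][1],
        "alice_ok": verify_password("Secure@123", *records["alice"]),
        "alice_wrong": verify_password("Secure@124", *records["alice"]),
        "tag_ok": verify_signature(b"transfer 100", key, tag),
        "tag_tampered": verify_signature(b"transfer 900", key, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints that the unsalted digests collide and the salted ones do not, that the right password verifies and the wrong one fails, and that the tag breaks as soon as the signed data changes.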
5. Refer to the following firewall table:

Rule#  Source IP  Destination IP  Port  Allow/Block
1      5.5.5.5    20.5.30.40      443   Allow
2      Any        20.5.30.140     25    Block
3      Any        Any             Any   Block

Categorize the following traffic flows as ALLOWED or BLOCKED through the firewall:

Allowed - Transfer emails from 1.2.3.4 to 20.5.30.140

Allowed - Request a secured web page on 20.5.30.40 from 5.5.5.5

Blocked - Perform a DNS query from 10.1.10.88 to 9.9.9.9

6. Refer to the following firewall table:

Rule#  Source IP  Destination IP  Port  Allow/Block
1      Any        Any             53    Allow
2      Any        Any             123   Allow
3      Any        Any             Any   Block

Categorize the following traffic flows as ALLOWED or BLOCKED through the firewall:

Allowed - Synchronize the clock on a server at 99.99.99.4 from 88.88.88.1

Allowed - Perform a DNS query from 4.5.6.7 to 7.6.5.4

Blocked - Request an unsecured web page on 20.5.30.140

Blocked - Request a secured web page on 20.5.30.140

Blocked - Use SSH connection to connect to 20.5.30.140

7. Refer to the following firewall table:

Rule#  Source IP  Destination IP  Port  Allow/Block
1      Any        20.5.30.40      22    Allow
2      Any        20.5.30.140     80    Allow
3      Any        Any             Any   Block

Categorize the following traffic flows as ALLOWED or BLOCKED through the firewall:

Allowed - Use SSH connection to connect to 20.5.30.40

Blocked - Use SSH connection to connect to 20.5.30.140

Allowed - Request an unsecured web page on 20.5.30.140

Blocked - Request a secured web page on 20.5.30.140
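The firewall questions all come down to the same evaluation: walk the rules in order, take the first one whose source, destination and port fields all match, and ignore everything after it, with the final Any/Any/Any line acting as the explicit deny. The Python below is an added example (not from the DojoLab book) that implements that first-match check, encodes the tables from questions 6 and 7, and adds a shadowed-rule audit that flags rules which can never fire because an earlier, broader rule already covers them. The service-to-port mapping and the 1.2.3.4 client used where a question names no source address are assumptions.

```python
from dataclasses import dataclass
from typing import Union

# Destination ports behind the services named in the questions' traffic descriptions.
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "dns": 53, "http": 80, "ntp": 123, "https": 443}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str               # IPv4 address or "Any"
    dst: str               # IPv4 address or "Any"
    port: Union[int, str]  # destination port or "Any"
    action: str            # "Allow" or "Block"


def _field_matches(rule_value, flow_value) -> bool:
    return rule_value == "Any" or rule_value == flow_value


def evaluate(rules, src, dst, port):
    """First-match evaluation: rules are consulted in order and the first one
    whose three fields all match decides; nothing after it is considered.
    Falls back to implicit deny when no rule matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if (_field_matches(rule.src, src) and _field_matches(rule.dst, dst)
                and _field_matches(rule.port, port)):
            return rule.action, rule.number
    return "Block", None


def classify(rules, flows):
    """flows: (label, src, dst, service). Returns {label: 'Allowed' | 'Blocked'}."""
    verdicts = {}
    for label, src, dst, service in flows:
        action, _ = evaluate(rules, src, dst, SERVICE_PORTS[service])
        verdicts[label] = "Allowed" if action == "Allow" else "Blocked"
    return verdicts


def shadowed_rules(rules):
    """Numbers of rules that can never fire because an earlier rule already
    covers every flow they would match (a common misconfiguration to audit for)."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if all(_field_matches(getattr(earlier, f), getattr(later, f))
                   for f in ("src", "dst", "port")):
                shadowed.append(later.number)
                break
    return shadowed


# Tables from questions 6 and 7 of Practice Exam A.
Q6_RULES = [Rule(1, "Any", "Any", 53, "Allow"),
            Rule(2, "Any", "Any", 123, "Allow"),
            Rule(3, "Any", "Any", "Any", "Block")]
Q7_RULES = [Rule(1, "Any", "20.5.30.40", 22, "Allow"),
            Rule(2, "Any", "20.5.30.140", 80, "Allow"),
            Rule(3, "Any", "Any", "Any", "Block")]

# Flows from the questions; 1.2.3.4 is a constructed client where none is named.
Q6_FLOWS = [("NTP 88.88.88.1 -> 99.99.99.4", "88.88.88.1", "99.99.99.4", "ntp"),
            ("DNS 4.5.6.7 -> 7.6.5.4", "4.5.6.7", "7.6.5.4", "dns"),
            ("HTTP to 20.5.30.140", "1.2.3.4", "20.5.30.140", "http"),
            ("HTTPS to 20.5.30.140", "1.2.3.4", "20.5.30.140", "https"),
            ("SSH to 20.5.30.140", "1.2.3.4", "20.5.30.140", "ssh")]
Q7_FLOWS = [("SSH to 20.5.30.40", "1.2.3.4", "20.5.30.40", "ssh"),
            ("SSH to 20.5.30.140", "1.2.3.4", "20.5.30.140", "ssh"),
            ("HTTP to 20.5.30.140", "1.2.3.4", "20.5.30.140", "http"),
            ("HTTPS to 20.5.30.140", "1.2.3.4", "20.5.30.140", "https")]

if __name__ == "__main__":
    for name, rules, flows in (("Q6", Q6_RULES, Q6_FLOWS), ("Q7", Q7_RULES, Q7_FLOWS)):
        for label, verdict in classify(rules, flows).items():
            print(f"{name}: {verdict:7} {label}")
        print(f"{name}: shadowed rules = {shadowed_rules(rules)}")
```

The verdicts reproduce the answer key for questions 6 and 7. Swapping the order of an Allow rule and the catch-all Block is the classic mistake; `shadowed_rules` reports the Allow rule as dead in that case.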

8. Fill in the blank with the BEST malware type for the description.

Ransomware - A type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.

Trojan - A type of malware that is often disguised as legitimate software and can be employed by hackers trying to gain access to users’ systems.

Worms - A type of malware that spreads copies of itself from computer to computer.

9. Match the appropriate wireless network attack to each description. Each wireless attack will be used once.

Wireless network attacks:

Evil twin
Bluejacking
Bluesnarfing
Disassociation

Evil twin - An attacker setting up a fraudulent wireless access point that mimics the characteristics of a legitimate AP. Users may connect automatically to the evil twin or do so thinking the fraudulent AP is part of a trusted wifi network

Disassociation - A type of Denial of Service attack, which is used to disconnect an access point (mobile device in this case) from a router by sending disassociation packets to the device

Bluesnarfing - An attacker gains unauthorized access to a wireless device via a Bluetooth connection. Once the hacker has access to the device, they can steal sensitive user information, including personal photos, contact lists, emails, and passwords

Bluejacking - A hacking method that lets a person send unsolicited messages (typically flirtatious but can also be malicious) to any Bluetooth-enabled device within his own device’s range
10. Match the appropriate programming language to each script. Each programming language will be used once.

Programming languages:

Python
PowerShell
Bash

Bash script:

    function greeting() {
        str="Hello, $name"
        echo "$str"
    }

    echo "Enter your name"
    read name
    val=$(greeting)
    echo "Return value of the function is $val"

Python script:

    string1 = "Dojo"
    string2 = "Lab"
    joined_string = string1 + string2
    print(joined_string)

PowerShell script:

    $tls10 = 'HKLM:\SYSTEM\CurrentCntrSet
    $tls10check = ($tls10 | Test-Path)
    if ($tls10check -eq $True){
        Set-ItemProperty -Path 'HKLM:\SYSTEM\}
11. Configure the following stateful firewall rules:
1. Allow the File Server to access the Database Server using LDAP
2. Block the Storage Server from transferring files to the Web Server using FTP
3. Allow the FTP Server to transfer files to the Mail Server over HTTPS

Rule#  Source IP  Destination IP  Port  Allow/Block
1      10.1.2.1   20.1.2.5        389   Allow
2      20.1.2.1   10.1.2.5        21    Block
3      20.1.2.9   10.1.2.9        443   Allow
12. Configure the following stateful firewall rules:
1. Block the Web Server from accessing the Database Server using LDAP
2. Allow the Storage Server to transfer files to the Web Server using SFTP
3. Allow the Mail Server to transfer emails to the Storage Server using SMTP

Rule#  Source IP  Destination IP  Port  Allow/Block
1      10.1.2.5   20.1.2.5        389   Block
2      20.1.2.1   10.1.2.5        22    Allow
3      10.1.2.9   20.1.2.1        25    Allow
13. Match the device to the description.

Devices:

Network address translation
Web application firewall
Network-based intrusion detection system
Proxy

Network-based intrusion detection system - A device intelligently distributed within networks that passively inspects traffic traversing the devices on which it sits

Network Address Translation - A way to map multiple local private addresses to a public one before transferring the information

Proxy - A server, referred to as an “intermediary” because it goes between end-users and the web pages they visit online

Web application firewall - A device that helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet
14. Match the description with the most accurate malware.

Malware:

Crypto malware
Remote access Trojan
Backdoor
Logic bombs

Logic bombs - A piece of often-malicious code that is intentionally inserted into the software. It is activated upon the host network only when certain conditions are met

Backdoor - A method by which authorized and unauthorized users are able to get around normal security measures and gain root access to a computer system

Crypto malware - A type of malware that allows threat actors to use someone else's computer or server to mine for cryptocurrencies

Remote access Trojan - A malware program that gives an intruder administrative control over a target computer
15. Fill in the blank with the BEST password attack for the description.

Spraying - An attacker will brute force logins based on a list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

Dictionary - A method of breaking into a password-protected computer, network, or other IT resource by systematically entering every word in a dictionary as a password.

Rainbow table - A type of hacking wherein the perpetrator tries to use a rainbow hash table to crack the passwords stored in a database system.
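The spraying description explains why per-account lockout does not stop it: each account sees only one failure. The defender's counterpart is to look across accounts instead, per source. The Python below is an added example (not from the DojoLab book) that runs two detections over a constructed authentication log: many distinct usernames failing from one source inside a time window (spraying) and many failures against one username from one source (the single-account brute force that lockout is built for). The log format, usernames, IP addresses, window and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from the book). One event per line:
# "<ISO-8601 time> <username> <source-ip> <SUCCESS|FAIL>"
AUTH_LOG = """\
2024-05-01T09:00:01 alice 203.0.113.7 FAIL
2024-05-01T09:00:04 bob 203.0.113.7 FAIL
2024-05-01T09:00:09 carol 203.0.113.7 FAIL
2024-05-01T09:00:15 dave 203.0.113.7 FAIL
2024-05-01T09:00:21 erin 203.0.113.7 FAIL
2024-05-01T09:00:30 frank 203.0.113.7 FAIL
2024-05-01T09:05:00 alice 192.0.2.10 FAIL
2024-05-01T09:05:20 alice 192.0.2.10 SUCCESS
"""
# Twelve failures against one account from one source, five seconds apart.
AUTH_LOG += "".join(f"2024-05-01T09:01:{s:02d} bob 198.51.100.5 FAIL\n"
                    for s in range(0, 60, 5))


def parse_log(text):
    """Returns (time, user, ip, result) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def failures_by_ip(events):
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    return by_ip


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """One source failing against many distinct accounts inside the window:
    the footprint of one password tried across many users. Each account sees
    a single failure, so per-account lockout thresholds never trip."""
    hits = {}
    for ip, fails in failures_by_ip(events).items():
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=10):
    """Many failures against one account from one source: the pattern that
    account lockout is designed to catch."""
    hits = {}
    for ip, fails in failures_by_ip(events).items():
        per_user = defaultdict(list)
        for ts, user in fails:
            per_user[user].append(ts)
        for user, times in per_user.items():
            for i, start in enumerate(times):
                count = sum(1 for t in times[i:] if t - start <= window)
                if count >= min_failures:
                    hits[(ip, user)] = count
                    break
    return hits


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    print("spraying sources:", detect_spraying(events))
    print("brute-force pairs:", detect_brute_force(events))
```

The one legitimate user who mistyped once and then logged in (192.0.2.10) trips neither rule, which is the point of keeping the thresholds on distinct users and on repeat failures rather than on any failure at all.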
PRACTICE EXAM B (QUESTIONS)
Performance-Based Questions

1. Match the Public key infrastructure (PKI) component to the description.

PKI components:

CA
RA
OCSP
CRL
CSR

_________ An entity that issues digital certificates

_________ Used by Certificate Authorities to check the revocation status of an X.509 digital certificate

_________ The first step towards getting your own SSL/TLS certificate

_________ A company that is responsible for receiving and validating requests for digital certificates and public/private key pairs

_________ A list of digital certificates that have been revoked by the issuing certificate authority before their scheduled expiration date and should no longer be trusted
2. You are at a Windows 10 workstation and have a command prompt open. Type the command to view resource record information on a particular DNS server.

C:\> ______________

3. You are working at a Linux command prompt. You need to capture and analyze packets from the ethernet interface 0 using the tcpdump command. Type the command to start capturing the packets.

student@dojolab:~$ ______________

4. Type the Windows command-line utility to view the ARP table stored in memory.

C:\> ______________

5. You are troubleshooting a faulty network. You need to illustrate the route packets take through the inter-network in order to identify the weak spot. Assuming you are working on a Windows environment, type the command to find where the packets are dropped.

C:\> ______________

6. Type the command-line utility to delete the ARP cache on your Windows workstation.

C:\> ______________

7. You are working at a Linux command prompt. You need to find the A record from the website dojolab.org to troubleshoot DNS-related issues. Type the command to display the records from the dojolab DNS server.

student@dojolab:~$ ______________

8. Match the characteristic to the attack type.

Attack types:

Phishing
DoS
Spoofing
Domain Hijacking

_________ An attacker impersonates an authorized device or user to steal data, spread malware, or bypass access control systems

_________ An attack that shuts down a machine or network, making it inaccessible to its intended users

_________ A type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker

_________ The act of changing the registration of a domain name without the permission of the original owner
9. Type the Windows command-line utility that produces the following output.

C:\> ______________

10. Type the Windows command-line utility that produces the following output.

C:\> ______________

11. Type the Windows command-line utility that produces the following output.

C:\> ______________
12. The network administrator has changed the DHCP settings and now your computer is unable to get an IP address, subnet mask, and default gateway IP address. The network administrator asks you to send him a screenshot of your TCP/IP configuration values.

Type the command to reveal the network details of your workstation.

C:\> ______________
13. You need to perform an nmap scan using the hostname server1.dojolab.org to find out all open ports, services and the MAC address on that system. Type the command to initiate the scan.

student@dojolab:~$ ______________

14. You are at a Windows 10 workstation and have a command prompt open. Type the command that displays the routing table on the local computer.

C:\> ______________

15. Type the command to view the Internet Protocol (IP) configuration on a Linux host.

student@dojolab:~$ ______________
PRACTICE EXAM B (ANSWERS)
Performance-Based Questions - Answers

1. Match the Public key infrastructure (PKI) component to the description.

PKI components:

CA
RA
OCSP
CRL
CSR

Certificate authority (CA) - An entity that issues digital certificates

Online Certificate Status Protocol (OCSP) - Used by Certificate Authorities to check the revocation status of an X.509 digital certificate

Certificate signing request (CSR) - The first step towards getting your own SSL/TLS certificate

Registration authority (RA) - A company that is responsible for receiving and validating requests for digital certificates and public/private key pairs

Certificate revocation list (CRL) - A list of digital certificates that have been revoked by the issuing certificate authority before their scheduled expiration date and should no longer be trusted
2. You are at a Windows 10 workstation and have a command prompt open. Type the command to view resource record information on a particular DNS server.

C:\> nslookup

The nslookup command displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Before using this tool, you should be familiar with how DNS works. The nslookup command-line tool is available only if you have installed the TCP/IP protocol.

The nslookup command-line tool has two modes: interactive and noninteractive.

3. You are working at a Linux command prompt. You need to capture and analyze packets from the ethernet interface 0 using the tcpdump command. Type the command to start capturing the packets.

student@dojolab:~$ tcpdump -i eth0

The tcpdump command is the most powerful and widely used command-line packet sniffer or packet analyzer tool, used to capture or filter TCP/IP packets that are received or transferred over a network on a specific interface.

The output keeps scrolling until you interrupt it. Run without the -i switch, tcpdump captures from all the interfaces; with -i it captures only from the desired interface.

# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196
11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0
11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
11:33:31.977359 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)
11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)
11:33:31.977742 IP 172.16.25.126.44519 > tecmint.com: 40988+ PTR? 126.25.16.172.in-addr.arpa. (44)
11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.112045 IP 172.16.21.153.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.115606 IP 172.16.21.144.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.156576 ARP, Request who-has 172.16.16.37 tell old-oraclehp1.midcorp.mid-day.com, length 46
11:33:32.348738 IP tecmint.com > 172.16.25.126.44519: 40988 NXDomain 0/1/0 (121)
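Reading a capture like the one above by eye does not scale past a screenful, so the usual next step is to parse the one-line summaries tcpdump prints and count what matters. The Python below is an added example (not from the DojoLab book or from tcpdump itself): a small parser for tcpdump's default IP and ARP line format that splits each `host.port` endpoint and then reports the protocol mix, which hosts were seen on the ssh port, how many DNS queries and broadcasts appeared, and the busiest source. The sample lines are copied from the capture shown above with the line wrapping removed; the summary fields and the regular expressions are this example's own design.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Lines copied from the capture shown above (wrapping removed); an eight-line sample.
SAMPLE_CAPTURE = """\
11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196
11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0
11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
11:33:31.977359 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)
11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)
11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.156576 ARP, Request who-has 172.16.16.37 tell old-oraclehp1.midcorp.mid-day.com, length 46
"""

IP_LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")
ARP_LINE = re.compile(r"^(\S+) ARP, (Request|Reply) (.*)$")
IPV4_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\S+))?$")


@dataclass
class Packet:
    time: str
    proto: str               # "IP" or "ARP"
    src: str
    src_port: Optional[str]  # number or service name as tcpdump printed it
    dst: str
    dst_port: Optional[str]
    info: str


def split_endpoint(endpoint: str):
    """tcpdump prints 'host.port'; the port may be a number or a service name."""
    m = IPV4_ENDPOINT.match(endpoint)
    if m:
        return m.group(1), m.group(2)
    host, _, tail = endpoint.rpartition(".")
    if host and tail.isdigit():  # hostname followed by a numeric port
        return host, tail
    return endpoint, None        # bare hostname; a named port after a hostname is not split


def parse_capture(text: str):
    packets = []
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            src, sport = split_endpoint(m.group(2))
            dst, dport = split_endpoint(m.group(3))
            packets.append(Packet(m.group(1), "IP", src, sport, dst, dport, m.group(4)))
            continue
        m = ARP_LINE.match(line)
        if m:
            packets.append(Packet(m.group(1), "ARP", "", None, "", None,
                                  f"{m.group(2)} {m.group(3)}"))
    return packets


def summarize(packets):
    """Counts a defender looks at first: protocol mix, hosts seen on SSH,
    DNS queries, broadcasts and the busiest source."""
    by_proto = Counter(p.proto for p in packets)
    ssh_hosts = sorted({p.src if p.src_port == "ssh" else p.dst
                        for p in packets if "ssh" in (p.src_port, p.dst_port)})
    talkers = Counter(p.src for p in packets if p.proto == "IP")
    return {
        "ip_packets": by_proto["IP"],
        "arp_packets": by_proto["ARP"],
        "ssh_hosts": ssh_hosts,
        "dns_queries": sum(1 for p in packets if p.proto == "IP" and "?" in p.info),
        "broadcasts": sum(1 for p in packets if "BROADCAST" in p.info),
        "top_talker": talkers.most_common(1)[0][0] if talkers else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{key}: {value}")
```

For real work the same parse is better done from `tcpdump -nn` output (numeric hosts and ports), which removes the hostname ambiguity that `split_endpoint` has to work around.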

4. Type the Windows command-line utility to view the ARP table stored in memory.

C:\> arp -a

Using the arp command allows you to display and modify the Address Resolution Protocol (ARP) cache. An ARP cache is a simple mapping of IP addresses to MAC addresses. Each time a computer’s TCP/IP stack uses ARP to determine the Media Access Control (MAC) address for an IP address, it records the mapping in the ARP cache so that future ARP lookups go faster.

If you use the arp command without any parameters, you get a list of the command’s parameters. To display the ARP cache entry for a specific IP address, use an -a switch followed by the IP address. For example:

C:\>arp -a 192.168.168.22

Interface: 192.168.168.21 --- 0x10004
  Internet Address      Physical Address      Type
  192.168.168.22        00-60-08-39-e5-a1     dynamic

C:\>

You can display the complete ARP cache by using -a without specifying an IP address, like this:

C:\>arp -a

Interface: 192.168.168.21 --- 0x10004
  Internet Address      Physical Address      Type
  192.168.168.9         00-02-e3-16-e4-5d     dynamic
  192.168.168.10        00-50-04-17-66-90     dynamic
  192.168.168.22        00-60-08-39-e5-a1     dynamic
  192.168.168.254       00-40-10-18-42-49     dynamic

ARP is sometimes useful when diagnosing duplicate IP assignments.
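Following on from that last sentence, the quickest way to spot trouble in an ARP listing is to group entries by MAC address: two IPs answered by the same physical address on one interface is what a duplicate assignment or an ARP-spoofing host looks like from the cache. The Python below is an added example (not from the DojoLab book) that parses the `arp -a` output quoted above and reports any MAC that holds more than one IP. The listing is the book's, except for the final 192.168.168.1 row, which is constructed to give the check something to flag.

```python
import re
from collections import defaultdict

# The arp -a listing quoted above, plus one constructed last row (192.168.168.1)
# that re-uses the gateway's MAC so that shared_macs() has something to report.
ARP_OUTPUT = """\
Interface: 192.168.168.21 --- 0x10004
  Internet Address      Physical Address      Type
  192.168.168.9         00-02-e3-16-e4-5d     dynamic
  192.168.168.10        00-50-04-17-66-90     dynamic
  192.168.168.22        00-60-08-39-e5-a1     dynamic
  192.168.168.254       00-40-10-18-42-49     dynamic
  192.168.168.1         00-40-10-18-42-49     dynamic
"""

INTERFACE = re.compile(r"^Interface:\s+(\S+)")
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"        # Internet Address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # Physical Address, Windows dash form
    r"(\w+)"                                   # Type: dynamic or static
)


def parse_arp(text):
    """Returns (interface, ip, mac, type) tuples; MACs are lower-cased for comparison."""
    entries, iface = [], None
    for line in text.splitlines():
        m = INTERFACE.match(line)
        if m:
            iface = m.group(1)   # rows that follow belong to this interface
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((iface, m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def shared_macs(entries):
    """MAC addresses answering for more than one IP on the same interface.
    Legitimate for a router holding several addresses; otherwise it is the
    footprint of a duplicate assignment or an ARP-spoofing host and worth a look."""
    ips = defaultdict(set)
    for iface, ip, mac, _ in entries:
        if mac == "ff-ff-ff-ff-ff-ff":   # broadcast entry is expected on every interface
            continue
        ips[(iface, mac)].add(ip)
    return {mac: sorted(addrs) for (_, mac), addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    entries = parse_arp(ARP_OUTPUT)
    print(f"{len(entries)} cache entries parsed")
    for mac, addrs in shared_macs(entries).items():
        print(f"{mac} answers for {', '.join(addrs)}")
```

A single snapshot cannot tell a legitimate multi-homed router from a spoofer; comparing snapshots over time, or against the DHCP lease table, is what settles it.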
5. You are troubleshooting a faulty network. You need to illustrate the route packets take through the inter-network in order to identify the weak spot. Assuming you are working on a Windows environment, type the command to find where the packets are dropped.

C:\> tracert

The tracert diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, tracert uses varying IP Time-To-Live (TTL) values. Because each router along the path is required to decrement the packet’s TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer.

6. Type the command-line utility to delete the ARP cache on your Windows workstation.

C:\> arp -d

The arp -d command is for deleting cache entries, and by running it with the asterisk wildcard, the command deletes all of the entries in the cache.
7. You are working at a Linux command prompt. You need to find the A record for the website dojolab.org to troubleshoot DNS-related issues. Type the command to display the record from the DNS server.

student@dojolab:~$ dig dojolab.org

The dig command (Domain Information Groper) retrieves information from DNS name servers. Network administrators use it to verify and troubleshoot DNS problems and to perform DNS lookups. With only a name as its argument, dig asks the system's configured resolver for that name's A record and prints the full response, including the answer section, the TTL of the record and the server that replied. A record type (MX, NS, TXT and so on) or the address of a specific server to query, written as @server, can be added to the command line.

8. Match the characteristic to the attack type.

Attack types: Phishing, DoS, Spoofing, Domain Hijacking

Spoofing: An attacker impersonates an authorized device or user to steal data, spread malware, or bypass access control systems.

DoS: An attack that shuts down a machine or network, making it inaccessible to its intended users.

Phishing: A type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker.

Domain hijacking: The act of changing the registration of a domain name without the permission of the original owner.

9. Type the Windows command-line utility that produces the following output.

C:\> tracert

The tracert diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) Echo Request packets to the destination with increasing IP Time-To-Live (TTL) values. Because each router along the path is required to decrement the packet's TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer, and the output lists one line per hop with the router's address and three round-trip times.

10. Type the Windows command-line utility that produces the following output.

C:\> netstat

The netstat command displays active TCP connections, the ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, the command displays active TCP connections only. The -a switch adds listening ports, -n skips name resolution so the output is fast and shows raw addresses, and -o adds the owning process ID; that combination is the usual one when checking a host for an unexpected listener or for an outbound connection to an unknown address.

11. Type the Windows command-line utility that produces the following output.

C:\> ping 1.2.3.4

The ping command verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) Echo Request messages. The corresponding Echo Reply messages received are displayed, along with round-trip times. ping is the primary TCP/IP command used to troubleshoot connectivity, reachability, and name resolution. Used without parameters, the command displays help content.

You can also use this command to test both the computer name and the IP address of the computer. If pinging the IP address is successful, but pinging the computer name isn't, you might have a name resolution problem. In this case, make sure the computer name you are specifying can be resolved through the local Hosts file, by using Domain Name System (DNS) queries, or through NetBIOS name resolution techniques. Keep in mind that a host that does not answer is not necessarily down: firewalls commonly drop ICMP Echo Requests, so "Request timed out" proves only that no reply arrived.

12. The network administrator has changed the DHCP settings and now your computer is unable to get an IP address, subnet mask, and default gateway IP address. The network administrator asks you to send him a screenshot of your TCP/IP configuration values.

Type the command to reveal the network details of your workstation.

C:\> ipconfig /all

The ipconfig command displays all current TCP/IP network configuration values and can refresh Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays the Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters. In the scenario above, an address of the form 169.254.x.x in the output is an Automatic Private IP Addressing (APIPA) address, which confirms that no DHCP server answered the client.

Parameter   Description

/all        Displays the full TCP/IP configuration for all adapters, including the physical (MAC) address, whether DHCP is enabled, the DHCP server and lease times, and the DNS servers in use. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

13. You need to perform an nmap scan using the hostname server1.dojolab.org to find out the open ports, services and MAC address on that system. Type the command to initiate the scan.

student@dojolab:~$ nmap server1.dojolab.org

The Nmap tool offers various methods to scan a system. In this example, we are performing a scan using the hostname server1.dojolab.org to find the open ports, services and MAC address on the system.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2021-11-11 15:42 EST
Interesting ports on server1.dojolab.org (192.168.0.22):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds

Three caveats when reading this output. A plain nmap scan probes only Nmap's list of the most common TCP ports (the "Not shown: ... closed ports" line tells you how many were tried), so a scan of all ports needs -p-. The SERVICE column comes from Nmap's port-number table, not from talking to the service, so a name such as sun-answerbook on 8888/tcp is a guess until -sV confirms it by reading the banner. Finally, the MAC Address line appears only when the target is on the same local network segment as the scanner and the scan runs with root privileges; the 08:00:27 prefix belongs to VirtualBox virtual adapters (shown here under the name of its former registrant), so the target is a virtual machine.
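The scan output above is only useful once someone decides which of those open ports should not be there. As an added example, not from the DojoLab book, the script below parses Nmap's normal output into a list of open ports and applies a simple exposure policy to it. The scan text embedded in the script is constructed for the example (it mirrors the listing above), and the deny list of ports that must not face a client network is an assumed local policy, not an Nmap feature.

```shell
#!/bin/sh
# Added example, not from the DojoLab book: read Nmap's normal output, list the
# ports it reports open, and flag the ones that should never face a client
# network. The scan text is constructed for this example (it mirrors the
# listing above); the deny list is an assumed local policy, not an Nmap feature.

SAMPLE_NMAP='Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2021-11-11 15:42 EST
Interesting ports on server1.dojolab.org (192.168.0.22):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds'

# Ports that must only be reachable from a management or backend network
# (assumption for this example). Format: "port/proto".
DENY_PORTS="111/tcp 3306/tcp 8888/tcp"

# open_ports: print "port/proto service" for each line Nmap marks open. The
# header, the "Not shown" line and the MAC line fail the first-field test.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# flag_exposed: filter open_ports output down to the deny-listed entries.
flag_exposed() {
    awk -v deny="$DENY_PORTS" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        $1 in bad { print $1, $2 }'
}

# unknown_services: ports whose service name Nmap could not look up. These are
# the first candidates for a -sV scan, since the SERVICE column is a table
# lookup, not a banner grab.
unknown_services() {
    awk '$2 == "unknown" { print $1 }'
}

# scanned_mac: print the address from the "MAC Address:" line, or nothing if
# Nmap printed none (it only can when the target shares the scanner's segment).
scanned_mac() {
    awk '$1 == "MAC" && $2 == "Address:" { print $3 }'
}

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_NMAP" | open_ports
printf '%s\n' "$SAMPLE_NMAP" | open_ports | flag_exposed | sed 's/^/EXPOSED: /'
printf '%s\n' "$SAMPLE_NMAP" | open_ports | unknown_services | sed 's/^/VERIFY WITH -sV: /'
printf '%s\n' "$SAMPLE_NMAP" | scanned_mac | sed 's/^/TARGET MAC: /'
```

On the sample, rpcbind, mysql and the port Nmap labels sun-answerbook are reported as exposed and 957/tcp is singled out for service-version detection. For real scans, nmap's -oG (grepable) or -oX (XML) output formats are steadier parsing targets than the human-readable text, but the field layout of the PORT/STATE/SERVICE block is the same.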

14. You are at a Windows 10 workstation and have a command prompt open. Type the command that displays the routing table on the local computer.

C:\> netstat -r

The netstat command shows network status. Traditionally it is used more for problem determination than for performance measurement, but it can also be used to gauge the amount of traffic on the network and decide whether performance problems are due to congestion. With the -r switch it displays the routing table: the interface list, the active IPv4 and IPv6 routes, and the persistent (static) routes. The route print command produces the same listing. An unexpected default route, or a persistent route pointing at an unfamiliar gateway, is worth investigating, because redirecting traffic through a host the attacker controls is one way of getting into the path.

15. Type the command to view the Internet Protocol (IP) configuration on a Linux host.

student@dojolab:~$ ifconfig

The ifconfig (interface configuration) command is used to configure the kernel-resident network interfaces. It is used at boot time to set up the interfaces as necessary; after that, it is usually used when needed during debugging or when you need system tuning. The command is also used to assign the IP address and netmask to an interface or to enable or disable a given interface. ifconfig belongs to the net-tools package, which many current distributions no longer install by default; on those systems the equivalent is ip addr (and ip link) from the iproute2 package, and the ARP cache is shown with ip neigh rather than arp.

PRACTICE EXAM C (QUESTIONS)
Performance-Based Questions

1. You want to gather open-source intelligence information such as emails from the wgu.edu site using automated tools. Type the command to get a list of email addresses for WGU from a Bing search.

student@dojolab:~$ ______________

2. You are working at a Linux command prompt. Type the command to search all lines that start with "hello" in a file named greetings.txt.

student@dojolab:~$ ______________

3. You are working at a Linux command prompt. Type the command to search all lines that end with "done" in a file named tasks.doc.

student@dojolab:~$ ______________

4. You have been tasked to present the content of two log files. First, you need to display the content of the file named logfile1.txt and then the content of the file named logfile2.txt. Type the command to display the content of the two files.

student@dojolab:~$ ______________

5. You need to search and display the total number of times that the tag "h1" appears in a file named main.html using grep. Type the Linux command for it.

student@dojolab:~$ ______________

6. You are working at a Linux command prompt. You have been tasked to view the last 50 lines of a log file named logfile.txt. Type the command to complete the task.

student@dojolab:~$ ______________

7. Type the command that shows the route to a remote system on a Windows 10 workstation.

C:\> ______________

8. Type the command to retrieve only email-related DNS records for the domain dojolab.org using the -query=mx option.

student@dojolab:~$ ______________

9. You have been tasked to scan ONLY for open ports in the range 20-80 on the server 10.11.10.1 using netcat. The results of the scan should provide verbose information. Type the command to complete the task.

student@dojolab:~$ ______________

10. You want to see what DNS information can be queried for the website dojolab.org as well as what hostnames and subdomains may exist. Type the command that provides DNS query information for the domain dojolab.org.

student@dojolab:~$ ______________

11. You are working at a Linux command prompt. Set the permissions of file.txt to "owner can read and write; group can read only; others can read only" using octal permissions notation.

student@dojolab:~$ ______________

12. You are working at a Kali Linux command prompt. You want to launch a DoS attack against a testing environment with IP 195.12.11.10. You are allowed to use only the hping3 command to send ICMP packets. Type the command to initiate the attack.

student@dojolab:~$ ______________

13. You want to capture HTTP packets using tcpdump. The HTTP service is running on its default port and your Ethernet adapter is eth1. Type the command to capture the packets.

student@dojolab:~$ ______________

14. Type the command to add entries into the Linux system log so that they will be sent to your security information and event management (SIEM) device when specific scripted events occur.

student@dojolab:~$ ______________

15. Type the Windows command that traces the route to the host 172.16.0.254 and then reports the latency and packet loss to every hop along the way.

C:\> ______________

PRACTICE EXAM C (ANSWERS)
Performance-Based Questions - Answers

1. You want to gather open-source intelligence information such as emails from the wgu.edu site using automated tools. Type the command to get a list of email addresses for WGU from a Bing search.

student@dojolab:~$ theharvester -d wgu.edu -b bing

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers, and the SHODAN computer database.

This tool is intended to help penetration testers in the early stages of a penetration test in order to understand the customer's footprint on the Internet. It is also useful for anyone who wants to know what an attacker can see about their organization.

The switch -d specifies the domain you want to gather information about.

The switch -b specifies which search engine (data source) to use for the gathering. Current releases install the command as theHarvester (capital H) and accept -b all to query every configured source; several of the sources return nothing until an API key has been added to the tool's configuration file.

2. You are working at a Linux command prompt. Type the command to search all lines that start with "hello" in a file named greetings.txt.

student@dojolab:~$ grep "^hello" greetings.txt

grep is an essential Linux and Unix command. It searches the given file for lines containing a match to the given pattern and prints them. The caret (^) anchors the pattern to the beginning of the line, so only lines that start with hello match; without it, a line such as "say hello" would match as well. The pattern is quoted so that the shell passes it to grep untouched.

The basic syntax is:

grep 'pattern' filename

3. You are working at a Linux command prompt. Type the command to search all lines that end with "done" in a file named tasks.doc.

student@dojolab:~$ grep "done$" tasks.doc

The dollar sign ($) anchors the pattern to the end of the line, so only lines that end with done match. Note that tasks.doc is assumed to be a plain-text file; grep matches against the raw bytes, so a binary word-processor document would not produce meaningful results.

The basic syntax is:

grep 'pattern' filename

4. You have been tasked to present the content of two log files. First, you need to display the content of the file named logfile1.txt and then the content of the file named logfile2.txt. Type the command to display the content of the two files.

student@dojolab:~$ cat logfile1.txt logfile2.txt

The cat (short for "concatenate") command is one of the most frequently used commands in Linux/Unix-like operating systems. It writes the contents of the named files to standard output one after another, in the order given, so logfile1.txt is shown first and logfile2.txt follows it. cat can also create files, display a single file, and, combined with output redirection, join several files into one.

5. You need to search and display the total number of times that the tag "h1" appears in a file named main.html using grep. Type the Linux command for it.

student@dojolab:~$ grep -c "h1" main.html

grep is an essential Linux and Unix command. It searches the given file for lines containing a match to the given pattern. With the -c (count) option, grep reports the number of matching lines for each file instead of printing them. Strictly speaking that is a count of matching lines, not of occurrences: a line containing both <h1> and </h1> counts once. To count every occurrence, print each match on its own line with grep -o and count the lines with wc -l.

The basic syntax is:

grep 'pattern' filename

6. You are working at a Linux command prompt. You have been tasked to view the last 50 lines of a log file named logfile.txt. Type the command to complete the task.

student@dojolab:~$ tail -n 50 logfile.txt

The tail command reads a file and outputs the last part of it (the "tail"); -n 50 selects the last 50 lines, and the default without -n is 10.

The tail command can also monitor data streams and open files, displaying new information as it is written (tail -f). For example, it's a useful way to monitor the newest events in a system log in real time; on logs that are rotated, use -F rather than -f so that the newly created file is followed after rotation.

7. Type the command that shows the route to a remote system on a Windows 10 workstation.

C:\> tracert

The tracert diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) Echo Request packets to the destination with increasing IP Time-To-Live (TTL) values. Because each router along the path is required to decrement the packet's TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer, which is how each hop's address is learned.

8. Type the command to retrieve only email-related DNS records for the domain dojolab.org using the -query=mx option.

student@dojolab:~$ nslookup -query=mx dojolab.org

nslookup (name server lookup) is a tool used to perform DNS lookups in Linux. It displays DNS details, such as the IP address of a particular computer, the MX records for a domain or the NS servers of a domain. The -query=mx option (equivalently -type=mx) restricts the answer to mail exchanger records; without it nslookup returns the address records for the name.

nslookup can operate in two modes: interactive and non-interactive. The interactive mode allows you to query name servers for information about various hosts and domains or to print a list of hosts in a domain. The non-interactive mode, used here, prints just the name and requested information for a host or domain and returns to the shell.

9. You have been tasked to scan ONLY for open ports in the range 20-80 on the server 10.11.10.1 using netcat. The results of the scan should provide verbose information. Type the command to complete the task.

student@dojolab:~$ nc -z -v 10.11.10.1 20-80

Scanning ports is one of the most common uses for netcat. You can scan a single port or a port range.

For example, to scan for open ports in the range 100-443 on the workstation 20.20.1.1 you would use the following command:

nc -z -v 20.20.1.1 100-443

The -z option tells nc only to scan for listening services, without sending any data to them, and the -v option provides more verbose output. The verbose flag is what makes the result visible: without it, nc reports the outcome only through its exit status.

The output will look something like this:

nc: connect to 20.20.1.1 port 100 (tcp) failed: Connection refused
nc: connect to 20.20.1.1 port 101 (tcp) failed: Connection refused
Connection to 20.20.1.1 102 port [tcp] succeeded!
nc: connect to 20.20.1.1 port 103 (tcp) failed: Connection refused
...
nc: connect to 20.20.1.1 port 442 (tcp) failed: Connection refused
Connection to 20.20.1.1 443 port [tcp/https] succeeded!

Note that this is a full TCP connect scan: every port tested results in a completed or refused handshake, which the target's logs and any intrusion detection system will see. Use it only against systems you are authorized to test.

10. You want to see what DNS information can be queried for the website dojolab.org as well as what hostnames and subdomains may exist. Type the command that provides DNS query information for the domain dojolab.org.

student@dojolab:~$ dnsenum dojolab.org

The dnsenum command is a multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks. Against a domain it collects the host address, the name servers and the MX records, attempts a zone transfer from each name server, and can brute-force subdomains from a word list.

Use dnsenum to scan your own domain to see which information is publicly available. A name server that still permits zone transfers (AXFR) to anyone hands the whole zone to the first person who asks, which is the single most common finding this tool turns up.

11. You are working at a Linux command prompt. Set the permissions of file.txt to "owner can read and write; group can read only; others can read only" using octal permissions notation.

student@dojolab:~$ chmod 644 file.txt

The chmod command sets the permissions of files or directories.

Let's say you are the owner of a file named myfile, and you want to set its permissions so that:
1. the user can read, write, and execute it;
2. members of your group can read and execute it; and
3. others may only read it.

This command will do the trick:

chmod u=rwx,g=rx,o=r myfile

This example uses symbolic permissions notation. The letters u, g, and o stand for "user", "group", and "other". The equals sign (=) means "set the permissions exactly like this," and the letters r, w, and x stand for "read", "write", and "execute", respectively. The commas separate the different classes of permissions, and there are no spaces between them.

Here is the equivalent command using octal permissions notation:

chmod 754 myfile

Here the digits 7, 5, and 4 each represent the permissions for the user, group, and others, in that order. Each digit is the sum of the values 4, 2, 1, and 0:
• 4 stands for "read",
• 2 stands for "write",
• 1 stands for "execute", and
• 0 stands for "no permission."
So 7 is 4+2+1 (read, write, and execute), 5 is 4+0+1 (read, no write, and execute), and 4 is 4+0+0 (read, no write, and no execute). Applying the same arithmetic to the question: "owner can read and write" is 4+2 = 6, and "read only" for group and for others is 4 each, which gives 644. When reviewing a system, look for modes whose last digit includes 2 (such as 666 or 777), because those files can be modified by any local account.
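As an added example, not from the DojoLab book, the script below turns the 4/2/1 arithmetic into a small permission audit: it reads each file's mode with stat, takes the "others" digit, and reports every file whose others digit carries the write bit. It assumes GNU coreutils stat (the -c %a form), and the fixture directory with its three files of known modes is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the DojoLab book: the octal digits above turned into a
# permission audit. Each file's mode is read with stat (GNU coreutils `stat -c
# %a`, assumed available), the "others" digit is split into its 4/2/1 bits, and
# every file whose others digit carries the write bit (2) is reported: the state
# a 644 or 754 file never has and a 666 file always has. The fixture directory
# and its three files are constructed for this example.

# make_fixture: create a temp directory holding files of known modes, print path.
make_fixture() {
    d=$(mktemp -d)
    for spec in notes.txt:644 run.sh:754 shared.log:666; do
        name=${spec%%:*}
        mode=${spec##*:}
        : > "$d/$name"
        chmod "$mode" "$d/$name"
    done
    printf '%s\n' "$d"
}

# octal_mode FILE: the permission bits as octal digits, e.g. 644 (a fourth,
# leading digit appears only when setuid/setgid/sticky is set, e.g. 4755).
octal_mode() {
    stat -c '%a' "$1"
}

# others_digit FILE: the last octal digit, i.e. the "others" class.
others_digit() {
    m=$(octal_mode "$1")
    printf '%s\n' "${m#"${m%?}"}"
}

# bit_set DIGIT BIT: succeed if octal DIGIT (0-7) includes BIT (4=r, 2=w, 1=x).
# Shell arithmetic does the decomposition the text describes by hand:
# 6 & 2 is 2 (write present), 5 & 2 is 0 (write absent).
bit_set() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# world_writable DIR: print "mode name" for each file in DIR that others may write.
world_writable() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if bit_set "$(others_digit "$f")" 2; then
            printf '%s %s\n' "$(octal_mode "$f")" "$(basename "$f")"
        fi
    done
}

# describe_digit DIGIT: spell an octal digit out as rwx, the reverse of the
# 4+2+1 sums in the text (7 -> rwx, 5 -> r-x, 4 -> r--).
describe_digit() {
    out=""
    if bit_set "$1" 4; then out="${out}r"; else out="${out}-"; fi
    if bit_set "$1" 2; then out="${out}w"; else out="${out}-"; fi
    if bit_set "$1" 1; then out="${out}x"; else out="${out}-"; fi
    printf '%s\n' "$out"
}

# Stand-alone run: audit the fixture, show the digit spellings, clean up.
D=$(make_fixture)
world_writable "$D"
describe_digit 7; describe_digit 5; describe_digit 4
rm -rf "$D"
```

On the fixture only shared.log (mode 666) is reported. For a whole filesystem the same condition is expressed directly to find as -perm -o=w, which avoids running stat once per file; the function here exists to show the digit arithmetic explicitly.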

12. You are working at a Kali Linux command prompt. You want to launch a DoS attack against a testing environment with IP 195.12.11.10. You are allowed to use only the hping3 command to send ICMP packets. Type the command to initiate the attack.

student@dojolab:~$ hping3 -1 --flood 195.12.11.10

hping is a command-line oriented TCP/IP packet assembler/analyzer. Its interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

The -1 switch (the digit one, also written --icmp) selects ICMP mode, which sends ICMP Echo Requests, and --flood sends packets as fast as possible without waiting for replies, which is what turns a ping into a flood. Without --flood the command is an ordinary one-packet-per-second ping. hping3 builds raw packets and therefore has to run as root. Only run it against hosts you own or are explicitly authorized to test.

While hping was mainly used as a security tool in the past, it can be used in many ways by people that don't care about security to test networks and hosts.

13. You want to capture HTTP packets using tcpdump. The HTTP service is running on its default port and your Ethernet adapter is eth1. Type the command to capture the packets.

student@dojolab:~$ tcpdump -i eth1 tcp port 80

tcpdump is a command-line utility that captures and inspects network traffic going to and from your system. It is the most commonly used tool among network administrators for troubleshooting network issues and security testing.

The -i switch restricts the capture to the named interface, and the filter expression tcp port 80 keeps only TCP segments whose source or destination port is 80, the default HTTP port, so both directions of each conversation are captured. Opening an interface for capture requires root (or the capability to do so), and for later analysis in Wireshark the packets should be written to a file with -w rather than printed to the terminal.

14. Type the command to add entries into the Linux system log so that they will be sent to your security information and event management (SIEM) device when specific scripted events occur.

student@dojolab:~$ logger

The Linux logger command provides an easy way to add entries to the system log (/var/log/syslog or the journal, depending on the distribution) from the command line, from scripts, or from other files. You can add logger commands to scripts to make it easier to track the completion of important tasks, and because the entry goes through syslog, the same forwarding that ships the host's other logs to the SIEM carries it as well. The message text follows the command; -t sets the tag that identifies the script in the log, and -p sets the facility and priority that forwarding and alerting rules key on.
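As an added example, not from the DojoLab book, the script below combines the grep, tail and logger answers from this exam into one watch script of the kind the question describes: it reads the newest lines of an auth log with tail -n, keeps the sshd failures with an anchored grep (and counts them with grep -c), tallies them per source address, and when a source crosses a threshold writes a syslog entry with logger for the SIEM to pick up. The log lines are constructed for the example; the tag "ssh-watch", the auth.warning priority and the threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the DojoLab book: the grep, tail and logger answers
# combined into one watch script. It looks at the newest lines of an auth log
# (tail -n), keeps the sshd failures (grep with a $ anchor, and grep -c for the
# total), tallies them per source address, and when a source crosses a
# threshold writes a syslog entry with logger, which the host's normal log
# forwarding carries to the SIEM. The log lines are constructed for this
# example; the tag "ssh-watch", the facility/priority and the threshold are
# assumptions of the example.

# make_sample_log: write constructed auth-log lines to a temp file, print path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Nov 11 15:40:01 dojolab sshd[2201]: Accepted publickey for student from 192.168.0.5 port 50122 ssh2
Nov 11 15:40:09 dojolab sshd[2207]: Failed password for root from 10.11.10.1 port 41002 ssh2
Nov 11 15:40:11 dojolab sshd[2207]: Failed password for root from 10.11.10.1 port 41002 ssh2
Nov 11 15:40:13 dojolab sshd[2207]: Failed password for invalid user admin from 10.11.10.1 port 41003 ssh2
Nov 11 15:40:20 dojolab sshd[2210]: Failed password for student from 192.168.0.5 port 50130 ssh2
Nov 11 15:41:02 dojolab CRON[2215]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    printf '%s\n' "$f"
}

# One pattern, used everywhere below: an sshd failure line, anchored with $ to
# the "ssh2" that ends every sshd auth line so unrelated text cannot match.
FAIL_RE='sshd\[[0-9]*\]: Failed password.* ssh2$'

# count_failures FILE: total failures in the whole file, the grep -c form from
# question 5. grep -c exits 1 when the count is 0, so do not let that abort a
# script running under set -e.
count_failures() {
    grep -c "$FAIL_RE" "$1" || true
}

# failed_logins FILE LINES: per-source failure counts over the last LINES lines
# only, most frequent first, printed as "count ip".
failed_logins() {
    tail -n "$2" "$1" \
        | grep "$FAIL_RE" \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# alert_on_bruteforce FILE LINES THRESHOLD: for every source with at least
# THRESHOLD failures in the window, emit one syslog entry tagged ssh-watch at
# auth.warning and echo the same text. logger is called only when a syslog
# socket exists, so the script also runs on a host without a syslog daemon,
# and a logger failure is reported rather than allowed to abort the watch.
alert_on_bruteforce() {
    sources=$(failed_logins "$1" "$2" | awk -v t="$3" '$1 >= t { print $2 }')
    for ip in $sources; do
        msg="possible SSH brute force from $ip: $3 or more failed logins in the last $2 log lines"
        if [ -S /dev/log ]; then
            logger -t ssh-watch -p auth.warning "$msg" \
                || printf 'logger failed for %s\n' "$ip" >&2
        fi
        printf '%s\n' "$msg"
    done
}

# Stand-alone run over the sample: 4 failures in total, 3 of them from 10.11.10.1.
LOG=$(make_sample_log)
echo "failures in file: $(count_failures "$LOG")"
failed_logins "$LOG" 100
alert_on_bruteforce "$LOG" 100 3
rm -f "$LOG"
```

Run from cron every few minutes with the real auth log (/var/log/auth.log or /var/log/secure) in place of the sample, the script produces one tagged syslog line per offending source, which is a far better SIEM signal than forwarding every failed-login line and correlating on the SIEM side. The threshold and window are deliberately parameters, so the same function serves a quick manual check and the scheduled job.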

15. Type the Windows command that traces the route to the host 172.16.0.254 and then reports the latency and packet loss to every hop along the way.

C:\> pathping 172.16.0.254

The pathping command is a combination of ping and tracert. Where a ping command only tests the network connection between the source (your computer) and the destination, pathping tests the connection to each hop in between. When you run pathping, it first traces the route to the destination and then sends pings to every node along it for a period of time, reporting per-hop latency and the percentage of lost packets, which points to the link or router that is dropping traffic.

Continue your journey on dojolab.org

Online Test Bank

Register to gain one month of FREE access after activation to the online interactive PBQs & Labs bank to help you study for your CompTIA Security+ certification exam, included with your purchase of this book! All of the domain-by-domain questions and the practice exams in this book are included in the online test bank so you can practice in a timed and graded setting.

Register and Access the Online PBQs & Labs

To register your book and get access to the online test bank, follow these steps:

1. Go to: https://dojolab.org/registration/

2. Complete the required registration information

3. Send your registered email address to [email protected]