CompTIA PenTest+ (PT0-002) — Question 447

A penetration tester is looking for a vulnerability that enables attackers to open doors via a specialized TCP service that is used for a physical access control system. The service exists on more than 100 different hosts, so the tester would like to automate the assessment. Identification requires the penetration tester to:
✑ Have a full TCP connection
✑ Send a `hello` payload
✑ Wait for a response
✑ Send a string of characters longer than 16 bytes
Which of the following approaches would BEST support the objective?

Answer options

• A. Run nmap -Pn -sV --script vuln <IP address>.
• B. Employ an OpenVAS simple scan against the TCP port of the host.
• C. Create a script in the Lua language and use it with NSE.
• D. Perform a credentialed scan with Nessus.

Correct answer: C

Explanation

The correct answer is C, as creating a script in Lua allows for customization to meet the specific requirements of a full TCP connection, sending the correct payload, and handling the response. Options A and B are less effective because they do not provide the necessary control or specificity required for this task. Option D involves credentialed scanning, which is not needed for this scenario.