CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 1:

  SIMULATION

  A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

  INSTRUCTIONS

  Select the appropriate answer(s), given the output from each section.

  

  

  

  Explanation

• Question 2:

  During a pre-engagement activity with a new customer, a penetration tester looks for assets to test.

  Which of the following is an example of a target that can be used for testing?

  A. API
  B. HTTP
  C. IPA
  D. ICMP
  A. API

  ---

  Explanation

  API as a Target:

  APIs (Application Programming Interfaces) are common assets to test for vulnerabilities such as improper authentication, data leakage, or injection attacks.

  Testing APIs often uncovers critical issues in modern applications.

  Why Not Other Options?

  Option B (HTTP): This is a protocol, not a specific asset.

  Option C (IPA): Unrelated to penetration testing (likely a typo or irrelevant here).

  Option D (ICMP): This is a protocol used for network diagnostics, not an application asset.

  References:

  Domain 1.0 (Planning and Scoping)

• Question 3:

  A penetration tester identifies the URL for an internal administration application while following DevOps team members on their commutes.

  Which of the following attacks did the penetration tester most likely use?

  A. Shoulder surfing
  B. Dumpster diving
  C. Spear phishing
  D. Tailgating
  A. Shoulder surfing

• Question 4:

  A penetration tester conducts OSINT for a client and discovers the robots.txt file explicitly blocks a major search engine.

  Which of the following would most likely help the penetration tester achieve the objective?

  A. Modifying the WAF
  B. Utilizing a CSRF attack
  C. Changing the robots.txt file
  D. Leveraging a competing provider
  D. Leveraging a competing provider

  ---

  Explanation

  In OSINT, the tester's objective is to gather information using publicly available, non-intrusive sources without altering the target environment. A robots.txt file is a crawler directive that can discourage or block specific search engine bots from indexing certain paths. If one "major" engine is explicitly blocked, the most practical OSINT adjustment is to use other search engines and data providers that may not be restricted in the same way or may already have historical indexing and cached results. This aligns with PenTest+ reconnaissance techniques that emphasize using multiple sources and pivoting between providers to maximize coverage and reduce blind spots.

  Modifying the WAF or changing robots.txt would be active alteration of the client's systems and is not an OSINT method; it also typically falls outside the intent of passive recon and may violate rules of engagement. A CSRF attack is an exploitation technique unrelated to discovering publicly indexed information. Therefore, leveraging a competing provider is the best way to continue OSINT collection when one crawler is blocked.

• Question 5:

  A penetration tester wants to check the security awareness of specific workers in the company with targeted attacks.

  Which of the following attacks should the penetration tester perform?

  A. Phishing
  B. Tailgating
  C. Whaling
  D. Spear phishing
  D. Spear phishing

  ---

  Explanation

  Spear phishing is a targeted email attack aimed at specific individuals within an organization. Unlike general phishing, spear phishing is personalized and often involves extensive reconnaissance to increase the likelihood of success.

  Understanding Spear Phishing:

  Targeted Attack: Focuses on specific individuals or groups within an organization.

  Customization: Emails are customized based on the recipient's role, interests, or recent activities.

  Purpose:

  Testing Security Awareness: Evaluates how well individuals recognize and respond to phishing attempts.

  Information Gathering: Attempts to collect sensitive information such as credentials, financial data, or personal details.

  Process:

  Reconnaissance: Gather information about the target through social media, public records, and other sources.

  Email Crafting: Create a convincing email that appears to come from a trusted source.

  Delivery and Monitoring: Send the email and monitor for responses or actions taken by the recipient.

  References from Pentesting Literature:

  Spear phishing is highlighted in penetration testing methodologies for testing security awareness and the effectiveness of email filtering systems.

  HTB write-ups and phishing simulation exercises often detail the use of spear phishing to assess organizational security.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 6:

  Given the following statements:

  1. Implement a web application firewall.

  2. Upgrade end-of-life operating systems.

  Implement a secure software development life cycle.

  In which of the following sections of a penetration test report would the above statements be found?

  A. Executive summary
  B. Attack narrative
  C. Detailed findings
  D. Recommendations
  D. Recommendations

  ---

  Explanation

  The given statements are actionable steps aimed at improving security. They fall under the recommendations section of a penetration test report. Here's why option D is correct:

  Recommendations: This section of the report provides specific actions that should be taken to mitigate identified vulnerabilities and improve the overall security posture. Implementing a WAF, upgrading operating systems, and implementing a secure SDLC are recommendations to enhance security.

  Executive Summary: This section provides a high-level overview of the findings and their implications, intended for executive stakeholders.

  Attack Narrative: This section details the steps taken during the penetration test, describing the attack vectors and methods used.

  Detailed Findings: This section provides an in-depth analysis of each identified vulnerability, including evidence and technical details.

  References from Pentest:

  Forge HTB: The report's recommendations section suggests specific measures to address the identified issues, similar to the given statements.

  Writeup HTB: Highlights the importance of the recommendations section in providing actionable steps to improve security based on the findings from the assessment.

  Conclusion:

  Option D, recommendations, is the correct section where the given statements would be found in a penetration test report.

• Question 7:

  A penetration tester is authorized to perform a DoS attack against a host on a network.

  Given the following input:

  ip = IP("192.168.50.2")

  tcp = TCP(sport=RandShort(), dport=80, flags="S")

  raw = RAW(b"X"*1024)

  p = ip/tcp/raw

  send(p, loop=1, verbose=0)

  Which of the following attack types is most likely being used in the test?

  A. MDK4
  B. Smurf attack
  C. FragAttack
  D. SYN flood
  D. SYN flood

  ---

  Explanation

  A SYN flood attack exploits the TCP handshake process by sending a large number of SYN packets to a target, consuming resources and causing a denial of service.

  Understanding the Script:

  Purpose of SYN Flood:

  Detection and Mitigation: References from Pentesting Literature:

  Step-by-Step ExplanationReferences: Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 8:

  A penetration tester exports the following CSV data from a scanner. The tester wants to parse the data using Bash and input it into another tool.

  CSV data before parsing:

  cat data.csv

  Host, IP, Username, Password

  WINS212, 10.111.41.74, admin, Spring11

  HRDB, 10.13.9.212, hradmin, HRForTheWin

  WAS01, 192.168.23.13, admin, Snowfall97

  Intended output:

  admin Spring11

  hradmin HRForTheWin

  admin Snowfall97

  Which of the following will provide the intended output?

  A. cat data.csv | grep -v "IP" | cut -d"," -f 3,4 | sed -e 's/,/ /'
  B. cat data.csv | find . -iname Username,Password
  C. cat data.csv | grep 'username|Password'
  D. cat data.csv | grep -i "admin" | grep -v "WINS212\|HRDB\|WAS01\|10.111.41.74\|10.13.9.212\| 192.168.23.13"
  A. cat data.csv | grep -v "IP" | cut -d"," -f 3,4 | sed -e 's/,/ /'

  ---

  Explanation

  Option A correctly performs the standard Bash text-processing sequence PenTest+ expects testers to use when transforming scan output into tool-ready input. First, grep -v "IP" removes the header line by excluding the row containing "IP" (the CSV header includes "Host, IP, Username, Password"). Next, cut - d"," -f 3,4 splits each remaining line on commas and selects fields 3 and 4, which correspond to Username and Password in the exported format. Finally, sed -e 's/,/ /' replaces the remaining comma between those two fields with a space, producing the intended two-column output suitable for piping into password auditing, spraying, or validation tooling.

  The other choices do not correctly parse CSV columns: find searches filenames, not CSV content; the grep expression in Option C does not extract fields and would only match lines; and

  Option D attempts to filter text by excluding hostnames and IPs rather than selecting the required columns. This makes

  Option A the only option that reliably yields "username password" per line from the CSV.

• Question 9:

  A penetration tester wants to create a malicious QR code to assist with a physical security assessment.

  Which of the following tools has the built-in functionality most likely needed for this task?

  A. BeEF
  B. John the Ripper
  C. ZAP
  D. Evilginx
  A. BeEF

  ---

  Explanation

  BeEF (Browser Exploitation Framework) is a penetration testing tool that focuses on web browsers. It has built-in functionality for generating malicious QR codes, which can be used to direct users to malicious websites, execute browser-based attacks, or gather information.

  Understanding BeEF:

  Purpose: BeEF is designed to exploit vulnerabilities in web browsers and gather information from compromised browsers.

  Features: Includes tools for generating malicious payloads, QR codes, and social engineering techniques.

  Creating Malicious QR Codes:

  Functionality: BeEF has a feature to generate QR codes that, when scanned, redirect the user to a malicious URL controlled by the attacker.

  Command: Generate a QR code that directs to a BeEF hook URL.

  Step-by-Step Explanationbeef -x --qr

  Usage in Physical Security Assessments:

  Deployment: Place QR codes in strategic locations to test whether individuals scan them and subsequently compromise their browsers.

  Exploitation: Once scanned, the QR code can lead to browser exploitation, information gathering, or other payload execution.

  References from Pentesting Literature:

  BeEF is commonly discussed in penetration testing guides for its browser exploitation capabilities.

  HTB write-ups and social engineering exercises often mention the use of BeEF for creating malicious QR codes and exploiting browser vulnerabilities.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 10:

  During an internal penetration test, the tester uses the following command:

  C:\> Invoke-mimikatz.ps1 "kerberos::golden /domain:test.local /sid:S-1-5-21-3234... /target:dc01.test.local /

  service:CIFS /rc4:237749d82...

  /user:support /ptt" Which of the following best describes the tester's goal when executing this command?

  A. Bypassing normal authentication
  B. Enumerating shares
  C. Obtaining current user credentials
  D. Using password spraying
  A. Bypassing normal authentication

  ---

  Explanation

  This command uses Mimikatz's kerberos::golden module to forge a Golden Ticket, which is a fabricated Kerberos Ticket Granting Ticket (TGT) created using the domain's Kerberos key material (commonly the KRBTGT hash, supplied here as an RC4 key). In PenTest+ post-exploitation tradecraft, a Golden Ticket allows an attacker to impersonate arbitrary users and obtain Kerberos service tickets without performing legitimate logon steps.

  The inclusion of /service:CIFS and /target:dc01.test.local indicates the tester intends to access the domain controller's SMB/CIFS service using Kerberos authentication. The /ptt switch ("pass-the-ticket") injects the forged ticket into the current session so the system will present it automatically to services.

  The goal is therefore to bypass normal authentication controls by using a forged Kerberos ticket to gain authorized access to resources (such as SMB shares) as a chosen identity. It is not share enumeration itself, not credential harvesting, and not password spraying.