CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 101:

  During a penetration testing exercise, a team decides to use a watering hole strategy.

  Which of the following is the most effective approach for executing this attack?

  A. Compromise a website frequently visited by the organization's employees.
  B. Launch a DDoS attack on the organization's website.
  C. Create fake social media profiles to befriend employees.
  D. Send phishing emails to the organization's employees.
  A. Compromise a website frequently visited by the organization's employees.

  ---

  Explanation

  Watering Hole Attack Explanation:

  A watering hole attack involves compromising a website that the target frequently visits.

  The attacker injects malicious code into the site, which then exploits users who access it.

  Why Not Other Options?

  Option B: DDoS attacks disrupt services but do not align with the watering hole strategy.

  Option C: Social engineering may be effective but is not a watering hole attack.

  Option D: Phishing is unrelated to compromising trusted websites.

  References:

  Domain 3.0 (Attacks and Exploits)

• Question 102:

  DRAG DROP

  Instructions:

  Analyze the code segments to determine which sections are needed to complete a port scanning script. Drag the appropriate elements into the correct locations to complete the script.

  If at any time you would like to bring back the initial state of the simulation, please click the reset all button.

  During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

  Select and Place:

  

  

  ---

  
  

• Question 103:

  A penetration tester is evaluating a company's network perimeter. The tester has received limited information about defensive controls or countermeasures, and limited internal knowledge of the testing exists.

  Which of the following should be the FIRST step to plan the reconnaissance activities?

  A. Launch an external scan of netblocks.
  B. Check WHOIS and netblock records for the company.
  C. Use DNS lookups and dig to determine the external hosts.
  D. Conduct a ping sweep of the company's netblocks.
  C. Use DNS lookups and dig to determine the external hosts.

• Question 104:

  Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

  A. Badge cloning
  B. Shoulder surfing
  C. Tailgating
  D. Site survey
  C. Tailgating

  ---

  Explanation

  Tailgating is the term used to describe a situation where a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee.

  Tailgating:

  Definition: Tailgating occurs when an unauthorized person follows an authorized person into a restricted area without the latter's consent or knowledge. The authorized person typically opens a door or checkpoint, and the unauthorized person slips in behind them.

  Example: An attacker waits near the entrance of a building and enters right after an employee, bypassing security measures.

  Physical Security:

  Importance: Physical security is a crucial aspect of overall security posture. Tailgating exploits human factors and weaknesses in physical security controls.

  Prevention: Security measures such as turnstiles, mantraps, and security personnel can help prevent tailgating.

  References:

  Physical Penetration Testing: Tailgating is a common technique used in physical penetration tests to assess the effectiveness of an organization's physical security controls.

  Social Engineering: Tailgating often involves social engineering, where the attacker relies on the politeness or unawareness of the employee to gain unauthorized access.

  By understanding and using tailgating, penetration testers can evaluate the effectiveness of an organization's physical security measures and identify potential vulnerabilities that could be exploited by malicious actors.

• Question 105:

  Which of the following post-exploitation activities allows a penetration tester to maintain persistent access in a compromised system?

  A. Creating registry keys
  B. Installing a bind shell
  C. Executing a process injection
  D. Setting up a reverse SSH connection
  A. Creating registry keys

  ---

  Explanation

  Maintaining persistent access in a compromised system is a crucial goal for a penetration tester after achieving initial access. Here's an explanation of each option and why creating registry keys is the preferred method:

  Creating registry keys (Answer: A): Modifying or adding specific registry keys can ensure that malicious code or backdoors are executed every time the system starts, thus maintaining persistence.

  Advantages: This method is stealthy and can be effective in maintaining access over long periods, especially on Windows systems.

  Example: Adding a new entry to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key to execute a malicious script upon system boot.

  References:

  Persistence techniques involving registry keys are common in penetration tests and are highlighted in various cybersecurity resources as effective methods to maintain access.

  Installing a bind shell (Option B): A bind shell listens on a specific port and waits for an incoming connection from the attacker.

  Drawbacks: This method is less stealthy and can be easily detected by network monitoring tools. It also requires an open port, which might be closed or filtered by firewalls.

  Executing a process injection (Option C): Process injection involves injecting malicious code into a running process to evade detection.

  Drawbacks: While effective for evading detection, it doesn't inherently provide persistence. The injected code will typically be lost when the process terminates or the system reboots.

  Setting up a reverse SSH connection (Option D): A reverse SSH connection allows the attacker to connect back to their machine from the compromised system.

  Drawbacks: This method can be useful for maintaining a session but is less reliable for long-term persistence.

  It can be disrupted by network changes or monitoring tools.

  Conclusion: Creating registry keys is the most effective method for maintaining persistent access in a compromised system, particularly in Windows environments, due to its stealthiness and reliability.

• Question 106:

  A penetration tester gained a foothold within a network. The penetration tester needs to enumerate all users within the domain.

  Which of the following is the best way to accomplish this task?

  A. pwd.exe
  B. net.exe
  C. sc.exe
  D. msconfig.exe
  B. net.exe

  ---

  Explanation

  net.exe is the classic Windows networking utility that includes commands for enumerating domain resources and accounts from a compromised host where the tester has any authenticated domain context.

  Typical commands used by penetration testers to enumerate domain users with net.exe include:

  net user /domain -- lists domain user accounts (name and some properties).

  net group "Domain Users" /domain -- lists members of the Domain Users group.

  net view /domain -- lists computers in the domain (useful to find targets for further enumeration).

  Why net.exe is the best option here:

  It is installed by default on Windows systems and works with the current authenticated domain credentials (common after gaining a foothold).

  It provides a quick, low-noise way to enumerate user accounts and groups without requiring additional tooling or elevated privileges beyond an authenticated domain user.

  Results can be scripted and parsed for further enumeration and pivoting.

  Why the other options are not appropriate:

  Option A: pwd.exe -- Not a standard Windows tool for domain enumeration (and not present by default).

  Option C: sc.exe -- Service Controller tool for managing services; not used to enumerate domain users.

  Option D: msconfig.exe -- System configuration GUI utility for startup/services; not for domain account enumeration.

  Related alternatives (contextual, commonly used in pentests): dsquery user -limit 0 (on systems with RSAT/AD tools) to query AD directly.

  Get-ADUser -Filter * (PowerShell, requires the ActiveDirectory module and appropriate rights).

  Tools like PowerView (PowerShell) or BloodHound (collection phase) can provide richer AD enumeration, but net.exe is the simplest built-in option to enumerate domain users from an authenticated foothold.

  CompTIA PT0-003 Objective Mapping (summary):

  Domain 2.0 Information Gathering and Vulnerability Scanning -- enumerate network and Active Directory objects using native tools and scripts (e.g., net.exe for domain user enumeration).

• Question 107:

  A tester completed a report for a new client.

  Prior to sharing the report with the client, which of the following should the tester request to complete a review?

  A. A generative AI assistant
  B. The customer's designated contact
  C. A cybersecurity industry peer
  D. A team member
  D. A team member

  ---

  Explanation

  Before releasing a penetration test report to the client, peer review by another qualified team member ensures:

  Accuracy of findings

  Technical validity of vulnerabilities and exploits

  Proper severity ratings

  Professional clarity (avoiding errors/typos)

  Compliance with reporting standards

  This process is part of quality assurance and ensures the client receives a polished, correct report.

  Why not the others?

  Option A: Generative AI assistant: Not appropriate or approved in official PT0-003; confidentiality risks.

  Option B: Customer's designated contact: They review after delivery, not before.

  Option C: Cybersecurity industry peer: Would break confidentiality and violate engagement scope.

  CompTIA PT0-003 Mapping:

  Domain 5.0: Reporting and Communication 5.3: Explain post-report delivery activities and processes (peer review, validation of accuracy).

• Question 108:

  A penetration tester wants to analyze an organization's Active Directory environment to determine how a low-privileged user account could pivot through group and system relationships to eventually reach a high-value target. The tester needs a tool that can enumerate AD objects, map trust relationships, and visually model potential privilege escalation paths.

  Which of the following tools would BEST meet this objective?

  A. Responder
  B. Mimikatz
  C. Hydra
  D. BloodHound
  E. TruffleHog
  D. BloodHound

  ---

  Explanation

  BloodHound is a tool designed for Active Directory attack path analysis.

  It enumerates relationships between users, groups, and computers, showing how a low-privileged account can escalate privileges to high-value targets (like the HR database server).

  This exactly matches the tester's objective: modeling attack paths to accounts with sufficient permissions.

  Why not the others?

  Option A:

  Responder: Used for LLMNR/NBT-NS poisoning and credential capture, not AD path analysis.

  Option B:

  Mimikatz: Used for credential dumping (plaintext passwords, hashes, Kerberos tickets), but doesn't model attack paths.

  Option C:

  Hydra: Brute-force login tool, not for AD privilege pathing.

  Option E:

  TruffleHog: Secret discovery tool (API keys, passwords in repos), unrelated to AD attack path analysis.

  CompTIA PT0-003 Objective Mapping:

  Domain 2.0 Information Gathering and Vulnerability Scanning 2.4: Use appropriate tools for network/AD enumeration and privilege escalation path discovery (BloodHound).

• Question 109:

  A penetration tester gains access to a host but does not have access to any type of shell.

  Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?

  A. ProxyChains
  B. Netcat
  C. PowerShell ISE
  D. Process IDs
  B. Netcat

  ---

  Explanation

  If a penetration tester gains access to a host but does not have a shell, the best tool for further enumeration is Netcat. Here's why:

  Netcat:

  Versatility: Netcat is known as the "Swiss Army knife" of networking tools. It can be used for port scanning, banner grabbing, and setting up reverse shells.

  Enumeration: Without a shell, Netcat can help enumerate open ports and services running on the host, providing insight into the host's environment.

  Comparison with Other Tools:

  ProxyChains: Used to chain proxies together, not directly useful for enumeration without an initial shell.

  PowerShell ISE: Requires a shell to execute commands and scripts.

  Process IDs: Without a shell, enumerating process IDs directly isn't possible.

  Netcat's ability to perform multiple network-related tasks without needing a shell makes it the best choice for further enumeration.

• Question 110:

  Which of the following authorizations is mandatory when a penetration tester is involved in a complex IT infrastructure?

  A. Customer authorization
  B. Penetration tester authorization
  C. Third-party authorization
  D. Internal team authorization
  A. Customer authorization

  ---

  Explanation

  Before any penetration testing begins -- especially in a complex IT infrastructure involving multiple systems, cloud environments, and potentially shared platforms -- a formal written authorization from the customer (client organization) is mandatory.

  This authorization defines the scope, targets, timeframes, and limitations of the assessment and ensures legal protection for both the tester and the organization. Conducting testing without explicit client authorization could violate laws (e.g., Computer Fraud and Abuse Act in the U.S.) and corporate policies.

  Why not the others:

  Option B: Penetration tester authorization: The tester cannot authorize their own actions; authorization must come from the system owner.

  Option C: Third-party authorization: Only relevant if the third party owns the infrastructure; otherwise, it's not mandatory.

  Option D: Internal team authorization: Internal teams may coordinate logistics, but legal authorization must come from the customer/asset owner.

  CompTIA PT0-003 Objective Mapping:

  Domain 1.0: Planning and Scoping 1.2: Explain legal concepts, authorization requirements, and rules of engagement prior to testing.