CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 111:

  A penetration tester reviews a SAST vulnerability scan report. The following vulnerability has been reported as high severity:

  Source file: components.ts

  Issue 2 of 12: Command injection

  Severity: High

  Call: .innerHTML = response

  The tester inspects the source file and finds the variable response is defined as a constant and is not referred to or used in other sections of the code.

  Which of the following describes how the tester should classify this reported vulnerability?

  A. False negative
  B. False positive
  C. True positive
  D. Low severity
  B. False positive

  ---

  Explanation

  A false positive occurs when a vulnerability scan incorrectly flags a security issue that does not exist or is not exploitable in the context of the application. Here's the reasoning: Definition of Command Injection:Command injection vulnerabilities occur when user-controllable data is passed to an interpreter or command execution context without proper sanitization, allowing an attacker to execute arbitrary commands.

  Code Analysis:

  The response variable is defined as a constant (const), which implies its value is immutable during runtime.

  The response is not sourced from user input nor used elsewhere, meaning there is no attack surface or exploitation pathway for an attacker to influence the content of response.

  Scanner Misclassification:Static Application Security Testing (SAST) tools may flag vulnerabilities based on patterns (e.g., .innerHTML usage) without assessing the source and flow of data, resulting in false positives.

  Final Classification:Since the response variable is static and unchangeable, the flagged issue is not exploitable. This makes it a false positive.

  References:

  Domain 3.0 (Attacks and Exploits)

  Domain 4.0 (Penetration Testing Tools)

  OWASP Static Code Analysis Guide

• Question 112:

  A penetration testing team needs to determine whether it is possible to disrupt the wireless communications for PCs deployed in the client's offices.

  Which of the following techniques should the penetration tester leverage?

  A. Port mirroring
  B. Sidecar scanning
  C. ARP poisoning
  D. Channel scanning
  D. Channel scanning

  ---

  Explanation

  Wireless communications can be disrupted by identifying and interfering with the channels used by Wi-Fi networks.

  Channel scanning allows the tester to map all active Wi-Fi channels, identify the target network, and determine possible jamming or interference strategies.

  Why Not Other Options?

  Option A (Port mirroring): This applies to wired network traffic duplication for monitoring purposes and is unrelated to wireless disruption.

  Option B (Sidecar scanning): Not a relevant technique in the context of wireless disruption.

  Option C (ARP poisoning): This targets Ethernet/IP communication in a local network, not wireless communication at the radio frequency level.

  References:

  Domain 3.0 (Attacks and Exploits) Wireless Network Disruption Techniques

• Question 113:

  During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network's authentication mechanism to gain unauthorized access to the network.

  Which of the following attacks would the tester most likely perform to gain access?

  A. KARMA attack
  B. Beacon flooding
  C. MAC address spoofing
  D. Eavesdropping
  A. KARMA attack

  ---

  Explanation

  To exploit a vulnerability in a wireless network's authentication mechanism and gain unauthorized access, the penetration tester would most likely perform a KARMA attack.

  KARMA Attack:

  Purpose:

  Other Options:

  References:

  Wireless Security Assessments: Understanding common attack techniques such as KARMA is crucial for identifying and exploiting vulnerabilities in wireless networks. Rogue Access Points: Setting up rogue APs to capture credentials or perform man-in-the-middle attacks is a common tactic in wireless penetration testing. By performing a KARMA attack, the penetration tester can exploit the wireless network's authentication mechanism and gain unauthorized access to the network.

• Question 114:

  Which of the following provides an exploitation suite with payload modules that cover the broadest range of target system types?

  A. Nessus
  B. Metasploit
  C. Burp Suite
  D. Ethercap
  B. Metasploit

• Question 115:

  A client evaluating a penetration testing company requests examples of its work.

  Which of the following represents the BEST course of action for the penetration testers?

  A. Redact identifying information and provide a previous customer's documentation.
  B. Allow the client to only view the information while in secure spaces.
  C. Determine which reports are no longer under a period of confidentiality.
  D. Provide raw output from penetration testing tools.
  C. Determine which reports are no longer under a period of confidentiality.

  ---

  Explanation

  Penetration testing reports contain sensitive information about the vulnerabilities and risks of a customer's systems and networks. Therefore, penetration testers should respect the confidentiality and privacy of their customers and only share their reports with authorized parties. Penetration testers should also follow the terms and conditions of their contracts with their customers, which may include a period of confidentiality that prohibits them from disclosing any information related to the testing without the customer's consent.

• Question 116:

  During a security assessment for an internal corporate network, a penetration tester wants to gain unauthorized access to internal resources by executing an attack that uses software to disguise itself as legitimate software.

  Which of the following host-based attacks should the tester use?

  A. On-path
  B. Logic bomb
  C. Rootkit
  D. Buffer overflow
  C. Rootkit

  ---

  Explanation

  A rootkit is a type of malicious software designed to provide an attacker with unauthorized access to a computer system while concealing its presence. Rootkits achieve this by modifying the host's operating system or other software to hide their existence, allowing the attacker to maintain control over the system without detection.

  Definition and Purpose:

  Rootkits are primarily used to gain and maintain root access (administrative privileges) on a system.

  They disguise themselves as legitimate software or integrate deeply into the operating system to avoid detection.

  Mechanisms of Action:

  Kernel Mode Rootkits: These operate at the kernel level, which is the core of the operating system, making them very powerful and hard to detect.

  User Mode Rootkits: These run in the same space as user applications, intercepting and altering standard system API calls to hide their presence.

  Bootkits: These infect the Master Boot Record (MBR) or Volume Boot Record (VBR) and load before the operating system, making them extremely difficult to detect and remove.

  Detection and Prevention:

  Detection Tools: Tools like RootkitRevealer, Chkrootkit, and rkhunter can help in identifying rootkits.

  Prevention: Regular system updates, use of strong antivirus and anti-malware solutions, and integrity checking tools like Tripwire can help in preventing rootkit infections.

  Real-World Examples:

  Sony BMG Rootkit: In 2005, Sony BMG included a rootkit in their digital rights management (DRM) software on music CDs. The rootkit hid files and processes, leading to a major scandal when it was discovered.

  Stuxnet: This sophisticated worm included a rootkit component to hide its presence on infected systems, making it one of the most infamous examples of rootkit use in a cyber attack.

  References from Pentesting Literature:

  In "Penetration Testing - A Hands-on Introduction to Hacking" by Georgia Weidman, rootkits are discussed in the context of post-exploitation, where maintaining access to the compromised system is crucial.

  Various HTB write-ups, such as the analysis of complex attacks involving multiple stages of exploitation, often highlight the use of rootkits in maintaining persistent access.

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups on sophisticated attacks

• Question 117:

  Which of the following OT protocols sends information in cleartext?

  A. TTEthernet
  B. DNP3
  C. Modbus
  D. PROFINET
  C. Modbus

  ---

  Explanation

  Operational Technology (OT) protocols are used in industrial control systems (ICS) to manage and automate physical processes. Here's an analysis of each protocol regarding whether it sends information in cleartext:

  Option A: TTEthernet is designed for real-time communication and safety-critical systems.

  Security: It includes mechanisms for reliable and deterministic data transfer, not typically sending information in cleartext.

  Option B: DNP3 (Distributed Network Protocol) is used in electric and water utilities for SCADA (Supervisory Control and Data Acquisition) systems.

  Security: While the original DNP3 protocol transmits data in cleartext, the DNP3 Secure Authentication extensions provide cryptographic security features.

  Option C: Modbus is a communication protocol used in industrial environments for transmitting data between electronic devices.

  Security: Modbus transmits data in cleartext, which makes it susceptible to interception and unauthorized access.

  References:

  The lack of security features in Modbus, such as encryption, is well-documented and a known vulnerability in ICS environments.

  Option D: PROFINET is a standard for industrial networking in automation.

  Security: PROFINET includes several security features, including support for encryption, which means it doesn't necessarily send information in cleartext.

  Conclusion: Modbus is the protocol that most commonly sends information in cleartext, making it vulnerable to eavesdropping and interception.

• Question 118:

  During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network's authentication mechanism to gain unauthorized access to the network.

  Which of the following attacks would the tester most likely perform to gain access?

  A. KARMA attack
  B. Beacon flooding
  C. MAC address spoofing
  D. Eavesdropping
  A. KARMA attack

  ---

  Explanation

  To exploit a vulnerability in a wireless network's authentication mechanism and gain unauthorized access, the penetration tester would most likely perform a KARMA attack.

  KARMA Attack:

  Purpose:

  Other Options:

  References:

  Wireless Security Assessments: Understanding common attack techniques such as KARMA is crucial for identifying and exploiting vulnerabilities in wireless networks. Rogue Access Points: Setting up rogue APs to capture credentials or perform man-in-the-middle attacks is a common tactic in wireless penetration testing. By performing a KARMA attack, the penetration tester can exploit the wireless network's authentication mechanism and gain unauthorized access to the network.

• Question 119:

  A penetration tester was contracted to test a proprietary application for buffer overflow vulnerabilities.

  Which of the following tools would be BEST suited for this task?

  A. GDB
  B. Burp Suite
  C. SearchSpliot
  D. Netcat
  A. GDB

  ---

  Explanation

  GDB is a debugging tool that can be used to analyze and manipulate the memory of a running process, which is useful for finding and exploiting buffer overflow vulnerabilities. Burp Suite is a web application testing tool that does not directly test for buffer overflows. SearchSpliot is a database of known exploits that does not test for new vulnerabilities. Netcat is a network utility that can be used to send and receive data, but not to test for buffer overflows.

• Question 120:

  A penetration testing team wants to conduct DNS lookups for a set of targets provided by the client. The team crafts a Bash script for this task. However, they find a minor error in one line of the script:

  1 #!/bin/bash

  2 for i in $(cat example.txt); do 3 curl $i 4 done

  Which of the following changes should the team make to line 3 of the script?

  A. resolvconf $i
  B. rndc $i
  C. systemd-resolve $i
  D. host $i
  D. host $i

  ---

  Explanation

  Script Analysis:

  Line 1: #!/bin/bash - This line specifies the script should be executed in the Bash shell.

  Line 2: for i in $(cat example.txt); do - This line starts a loop that reads each line from the file example.txt and assigns it to the variable i.

  Line 3: curl $i - This line attempts to fetch the content from the URL stored in i using curl. However, for DNS lookups, curl is inappropriate.

  Line 4: done - This line ends the loop.

  Error Identification:

  The curl command is used for transferring data from or to a server, often used for HTTP requests, which is not suitable for DNS lookups.

  Correct Command:

  To perform DNS lookups, the host command should be used. The host command performs DNS lookups and displays information about the given domain.

  Corrected Script:

  Replace curl $i with host $i to perform DNS lookups on each target specified in example.txt.

  References:

  In penetration testing, DNS enumeration is a crucial step. It involves querying DNS servers to gather information about the target domain, which includes resolving domain names to IP addresses and vice versa.

  Common tools for DNS enumeration include host, dig, and nslookup. The host command is particularly straightforward for simple DNS lookups.

  By correcting the script to use host $i, the penetration testing team can effectively perform DNS lookups on the targets specified in example.txt.