CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 161:

  A company requires that all hypervisors have the latest available patches installed.

  Which of the following would BEST explain the reason why this policy is in place?

  A. To provide protection against host OS vulnerabilities
  B. To reduce the probability of a VM escape attack
  C. To fix any misconfigurations of the hypervisor
  D. To enable all features of the hypervisor
  B. To reduce the probability of a VM escape attack

  ---

  Explanation

  A hypervisor is a type of virtualization software that allows multiple virtual machines (VMs) to run on a single physical host machine. If the hypervisor is compromised, an attacker could potentially gain access to all of the VMs running on that host, which could lead to a significant data breach or other security issues.

  One common type of attack against hypervisors is known as a VM escape attack. In this type of attack, an attacker exploits a vulnerability in the hypervisor to break out of the VM and gain access to the host machine. From there, the attacker can potentially gain access to other VMs running on the same host. By ensuring that all hypervisors have the latest available patches installed, the company can reduce the likelihood that a VM escape attack will be successful. Patches often include security updates and vulnerability fixes that address known issues and can help prevent attacks.

• Question 162:

  A penetration tester has found a web application that is running on a cloud virtual machine instance.

  Vulnerability scans show a potential SSRF for the same application URL path with an injectable parameter.

  Which of the following commands should the tester run to successfully test for secrets exposure exploitability?

  A. curl <url>?param=http://169.254.169.254/latest/meta-data/
  B. curl '<url>?param=http://127.0.0.1/etc/passwd'
  C. curl '<url>?param=<script>alert(1)<script>/'
  D. curl <url>?param=http://127.0.0.1/
  A. curl <url>?param=http://169.254.169.254/latest/meta-data/

  ---

  Explanation

  In a cloud environment, testing for Server-Side Request Forgery (SSRF) vulnerabilities involves attempting to access metadata services. Here's why the specified command is appropriate:

  Accessing Cloud Metadata Service:

  URL:

  http://169.254.169.254/latest/meta-data/is

  a well-known endpoint in cloud environments (e.g., AWS) to access instance metadata.Purpose:ByexploitingSSRFtoaccessthisURL,anattackercanretrievesensitiveinformationsuchasinstancecredentialsandothermetadata.ComparisonwithOtherCommands:127.0.0.1/etc/passwd:Thisismoreaboutlocalfileinclusion,notspecifictocloudmetadata.

  <script>alert(1)</script>: This tests for XSS, not SSRF.

  127.0.0.1: This is a generic loopback address and does not specifically test for metadata access in a cloud environment.

  Using curl <url>?param=

  http://169.254.169.254/latest/meta-data/

  is the correct approach to test for SSRFvulnerabilitiesincloudenvironmentstopotentiallyexposesecrets.

• Question 163:

  During a penetration testing engagement, a tester targets the internet-facing services used by the client.

  Which of the following describes the type of assessment that should be considered in this scope of work?

  A. Segmentation
  B. Mobile
  C. External
  D. Web
  C. External

  ---

  Explanation

  An external assessment focuses on testing the security of internet-facing services. Here's why option C is correct:

  External Assessment: It involves evaluating the security posture of services exposed to the internet, such as web servers, mail servers, and other public-facing infrastructure. The goal is to identify vulnerabilities that could be exploited by attackers from outside the organization's network.

  Segmentation: This type of assessment focuses on ensuring that different parts of a network are appropriately segmented to limit the spread of attacks. It's more relevant to internal network architecture.

  Mobile: This assessment targets mobile applications and devices, not general internet-facing services.

  Web: While web assessments focus on web applications, the scope of an external assessment is broader and includes all types of internet-facing services.

  References from Pentest:

  Horizontall HTB: Highlights the importance of assessing external services to identify vulnerabilities that could be exploited from outside the network.

  Luke HTB: Demonstrates the process of evaluating public-facing services to ensure their security.

  Conclusion:

  Option C, External, is the most appropriate type of assessment for targeting internet-facing services used by the client.

• Question 164:

  A penetration tester is testing input validation on a search form that was discovered on a website.

  Which of the following characters is the BEST option to test the website for vulnerabilities?

  A. Comma
  B. Double dash
  C. Single quote
  D. Semicolon
  C. Single quote

  ---

  Explanation

  A single quote (') is a common character used to test for SQL injection vulnerabilities, which occur when user input is directly passed to a database query. A single quote can terminate a string literal and allow an attacker to inject malicious SQL commands. For example, if the search form uses the query SELECT * FROM products WHERE name LIKE `%user_input%', then entering a single quote as user input would result in an error or unexpected behavior

• Question 165:

  While conducting a reconnaissance activity, a penetration tester extracts the following information:

  Emails: - [email protected] - [email protected] - [email protected]

  Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?

  A. Unauthorized access to the network
  B. Exposure of sensitive servers to the internet
  C. Likelihood of SQL injection attacks
  D. Indication of a data breach in the company
  A. Unauthorized access to the network

  ---

  Explanation

  When a penetration tester identifies email addresses during reconnaissance, the most immediate risk to leverage for an attack is unauthorized access to the network. Here's why:

  Phishing Attacks:

  Email addresses are often used to conduct phishing attacks. By crafting a convincing email, an attacker can trick the recipient into revealing their login credentials or downloading malicious software, thereby gaining unauthorized access to the network.

  Spear Phishing:

  With specific email addresses (like [email protected]), attackers can perform spear phishing, targeting key individuals within the organization to gain access to more sensitive parts of the network.

  Comparison with Other Risks: Exposure of sensitive servers to the internet (B): This is unrelated to the email addresses and more about network configuration.

  Likelihood of SQL injection attacks (C): SQL injection targets web applications and databases, not email addresses.

  Indication of a data breach in the company (D): The presence of email addresses alone does not indicate a data breach.

  Email addresses are a starting point for phishing attacks, making unauthorized access to the network the most relevant risk.

• Question 166:

  A company has recruited a penetration tester to conduct a vulnerability scan over the network. The test is confirmed to be on a known environment.

  Which of the following would be the BEST option to identify a system properly prior to performing the assessment?

  A. Asset inventory
  B. DNS records
  C. Web-application scan
  D. Full scan
  A. Asset inventory

• Question 167:

  A penetration tester was hired to test Wi-Fi equipment.

  Which of the following tools should be used to gather information about the wireless network?

  A. Kismet
  B. Burp Suite
  C. BeEF
  D. WHOIS
  A. Kismet

  ---

  Explanation

  Kismet is a well-known tool used in penetration testing for wireless network detection, packet sniffing, and intrusion detection. It is particularly useful for gathering information about Wi-Fi networks as it can detect hidden networks and capture network packets. This capability allows penetration testers to analyze the wireless environment, identify potential vulnerabilities, and assess the security posture of the Wi-Fi equipment being tested. Unlike the other tools listed, Kismet is specifically designed for wireless network analysis, making it the ideal choice for this task.

• Question 168:

  During an assessment, a penetration tester plans to gather metadata from various online files, including pictures.

  Which of the following standards outlines the formats for pictures, audio, and additional tags that facilitate this type of reconnaissance?

  A. EXIF
  B. GIF
  C. COFF
  D. ELF
  A. EXIF

  ---

  Explanation

  Metadata extraction allows attackers to collect sensitive information from digital files.

  EXIF (Exchangeable Image File Format) (Option A):

  EXIF metadata contains camera details, GPS coordinates, timestamps, and software versions used to edit the file.

  Attackers use tools like ExifTool to extract metadata for reconnaissance.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Metadata Analysis in Open-Source Intelligence (OSINT)"

  Incorrect options:

  Option B (GIF): A file format for images, but not a metadata standard.

  Option C (COFF): Common Object File Format, related to executable files, not images.

  Option D (ELF): Executable and Linkable Format, used for Linux binaries, not metadata analysis.

• Question 169:

  A penetration tester finds it is possible to downgrade a web application's HTTPS connections to HTTP while performing on-path attacks on the local network. The tester reviews the output of the server response to:

  curl -s -i https://internalapp/HTTP/2 302

  date: Thu, 11 Jan 2024 15:56:24 GMT

  content-type: text/html; charset=iso-8659-1

  location: /login

  x-content-type-options: nosniff

  server: Prod

  Which of the following recommendations should the penetration tester include in the report?

  A. Add the HSTS header to the server.
  B. Attach the httponly flag to cookies.
  C. Front the web application with a firewall rule to block access to port 80.
  D. Remove the x-content-type-options header.
  A. Add the HSTS header to the server.

  ---

  Explanation

  The tester identified an HTTPS downgrade attack (e.g., SSL stripping). The best mitigation is to enforce HSTS (HTTP Strict Transport Security).

  HSTS (Option A):

  HSTS (Strict-Transport-Security) ensures that the browser always uses HTTPS, preventing downgrade attacks.

  Example header:

  Strict-Transport-Security: max-age=31536000; includeSubDomains

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Web Security Headers and HTTPS Enforcements"

  Incorrect options:

  Option B (httponly flag): Protects cookies from JavaScript access but does not enforce HTTPS.

  Option C (Firewall rule on port 80): Helps, but does not force browsers to use HTTPS.

  Option D (Removing x-content-type-options): Unrelated

  nosniff prevents MIME-type sniffing.

• Question 170:

  A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service.

  Which of the following methods would BEST support validation of the possible findings?

  A. Manually check the version number of the VoIP service against the CVE release
  B. Test with proof-of-concept code from an exploit database
  C. Review SIP traffic from an on-path position to look for indicators of compromise
  D. Utilize an nmap -sV scan against the service
  B. Test with proof-of-concept code from an exploit database

  ---

  Explanation

  Testing with proof-of-concept code from an exploit database is the best method to support validation of the possible findings, as it will demonstrate whether the CVEs are actually exploitable on the target VoIP call manager. Proof-of-concept code is a piece of software or script that shows how an attacker can exploit a vulnerability in a system or application. An exploit database is a repository of publicly available exploits, such as Exploit Database or Metasploit.

  References:

  https://dokumen.pub/hacking-exposed-unified-communications-amp-voip-security-secrets-amp-solutions-2nd-edition-9780071798778-0071798773-9780071798761-0071798765.html