CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 11:

  During a security assessment, a penetration tester gains access to an internal server and manipulates some data to hide its presence.

  Which of the following is the best way for the penetration tester to hide the activities performed?

  A. Clear the Windows event logs.
  B. Modify the system time.
  C. Alter the log permissions.
  D. Reduce the log retention settings.
  A. Clear the Windows event logs.

  ---

  Explanation

  During a penetration test, one of the critical steps for maintaining access and covering tracks is to clear evidence of the attack. Manipulating data to hide activities on an internal server involves ensuring that logs and traces of the attack are removed. Here's a detailed explanation of why clearing the Windows event logs is the best method for this scenario:

  Understanding Windows Event Logs: Windows event logs are a key forensic artifact that records system, security, and application events. These logs can provide detailed information about user activities, system changes, and potential security incidents.

  Why Clear Windows Event Logs:

  Comprehensive Coverage: Clearing the event logs removes all recorded events, including login attempts, application errors, and security alerts. This makes it difficult for an investigator to trace back the actions performed by the attacker.

  Avoiding Detection: Penetration testers clear event logs to ensure that their presence and activities are not detected by system administrators or security monitoring tools.

  Method to Clear Event Logs:

  Use the built-in Windows command line utility wevtutil to clear logs. For example:

  shell

  Copy code

  wevtutil cl System

  wevtutil cl Security

  wevtutil cl Application

  These commands clear the System, Security, and Application logs, respectively.

  Alternative Options and Their Drawbacks:

  Modify the System Time: Changing the system time can create confusion but is easily detectable and can be reverted. It does not erase existing log entries.

  Alter Log Permissions: Changing permissions might prevent new entries but does not remove existing ones and can alert administrators to suspicious activity.

  Reduce Log Retention Settings: This can limit future logs but does not affect already recorded logs and can be easily noticed by administrators.

  References:

  HTB Writeups: Many Hack The Box (HTB) writeups demonstrate the importance of clearing logs post-exploitation to maintain stealth. For example, in the "Gobox" and "Writeup" machines, maintaining a low profile involved managing log data to avoid detection.

  Real-World Scenarios: In real-world penetration tests, attackers often clear logs to avoid detection by forensic investigators and incident response teams. This step is crucial during red team engagements and advanced persistent threat (APT) simulations.

  In conclusion, clearing Windows event logs is a well-established practice for hiding activities during a penetration test. It is the most effective way to remove evidence of the attack from the system, thereby maintaining stealth and ensuring that the tester's actions remain undetected.

• Question 12:

  A penetration tester has been given an assignment to attack a series of targets in the 192.168.1.0/24 range, triggering as few alarms and countermeasures as possible.

  Which of the following Nmap scan syntaxes would BEST accomplish this objective?

  A. nmap -sT -vvv -O 192.168.1.2/24 -PO
  B. nmap -sV 192.168.1.2/24 -PO
  C. nmap -sA -v -O 192.168.1.2/24
  D. nmap -sS -O 192.168.1.2/24 -T1
  D. nmap -sS -O 192.168.1.2/24 -T1

  ---

  Explanation

  References:

  https://nmap.org/book/man-port-scanning-techniques.html

• Question 13:

  During the reconnaissance phase, a penetration tester collected the following information from the DNS records:

  A-----> www

  A-----> host

  TXT --> vpn.comptia.org

  SPF---> ip =2.2.2.2

  Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?

  A. MX
  B. SOA
  C. DMARC
  D. CNAME
  C. DMARC

  ---

  Explanation

  DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps prevent email spoofing and phishing. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a mechanism for email senders and receivers to improve and monitor the protection of the domain from fraudulent email.

  Understanding DMARC:

  SPF: Defines which IP addresses are allowed to send emails on behalf of a domain.

  DKIM: Provides a way to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain.

  DMARC: Uses SPF and DKIM to determine the authenticity of an email and specifies what action to take if the email fails the authentication checks.

  Implementing DMARC:

  Create a DMARC policy in your DNS records. This policy can specify to reject, quarantine, or take no action on emails that fail SPF or DKIM checks.

  Example DMARC record: v=DMARC1; p=reject; rua=mailto:[email protected]; Benefits of DMARC:

  Helps to prevent email spoofing and phishing attacks.

  Provides visibility into email sources through reports.

  Enhances domain reputation by ensuring only legitimate emails are sent from the domain.

  DMARC Record Components:

  v: Version of DMARC. p: Policy for handling emails that fail the DMARC check (none, quarantine, reject).

  rua: Reporting URI of aggregate reports.

  ruf: Reporting URI of forensic reports.

  pct: Percentage of messages subjected to filtering.

  Real-World Example:

  A company sets up a DMARC policy with p=reject to ensure that any emails failing SPF or DKIM checks are rejected outright, significantly reducing the risk of phishing attacks using their domain.

  References from Pentesting Literature:

  In "Penetration Testing - A Hands-on Introduction to Hacking," DMARC is mentioned as part of email security protocols to prevent phishing.

  HTB write-ups often highlight the importance of DMARC in securing email communications and preventing spoofing attacks.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 14:

  A penetration tester needs to complete cleanup activities from the testing lead.

  Which of the following should the tester do to validate that reverse shell payloads are no longer running?

  A. Run scripts to terminate the implant on affected hosts.
  B. Spin down the C2 listeners.
  C. Restore the firewall settings of the original affected hosts.
  D. Exit from C2 listener active sessions.
  A. Run scripts to terminate the implant on affected hosts.

  ---

  Explanation

  To ensure that reverse shell payloads are no longer running, it is essential to actively terminate any implanted malware or scripts. Here's why option A is correct: Run Scripts to Terminate the Implant: This ensures that any reverse shell payloads or malicious implants are actively terminated on the affected hosts. It is a direct and effective method to clean up after a penetration test. Spin Down the

  C2 Listeners: This stops the command and control listeners but does not remove the implants from the hosts.

  Restore the Firewall Settings: This is important for network security but does not directly address the termination of active implants. Exit from

  C2 Listener Active Sessions: This closes the current sessions but does not ensure that implants are terminated.

  References from Pentest:

  Anubis HTB: Demonstrates the process of cleaning up and ensuring that all implants are removed after an assessment.

  Forge HTB: Highlights the importance of thoroughly cleaning up and terminating any payloads or implants to leave the environment secure post-assessment.

• Question 15:

  A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server.

  Which of the following is the MOST likely reason for the error?

  A. TCP port 443 is not open on the firewall
  B. The API server is using SSL instead of TLS
  C. The tester is using an outdated version of the application
  D. The application has the API certificate pinned.
  D. The application has the API certificate pinned.

  ---

  Explanation

  This is the most likely reason for the error because the application is unable to validate the certificate issued by the tester's private root CA. Certificate pinning is a process where an application compares the certificate presented by the server with a predefined set of certificates and only accepts connections if the presented certificate is one of the predefined certificates. This means that the application will reject any certificate that is not in the predefined set, even if it is valid.

• Question 16:

  During an assessment, a penetration tester gains access to one of the internal hosts. Given the following command:

  schtasks /create /sc onlogon /tn "Windows Update" /tr "cmd.exe /c reverse_shell.exe"

  Which of the following is the penetration tester trying to do with this code?

  A. Enumerate the scheduled tasks
  B. Establish persistence
  C. Deactivate the Windows Update functionality
  D. Create a binary application for Windows System Updates
  B. Establish persistence

  ---

  Explanation

  The command creates a scheduled task that executes a reverse shell payload at logon, ensuring persistence.

  Option A (Enumerate tasks): This command creates a task, not lists tasks (schtasks /query is used for enumeration).

  Option B (Establish persistence): Correct.

  The attacker ensures a reverse shell opens every time a user logs in.

  Option C (Deactivate Windows Update): The task is named "Windows Update" but does not disable updates.

  Option D (Create a Windows Update binary): This executes a reverse shell, not a system update.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Windows Persistence Techniques

• Question 17:

  A penetration tester gains shell access to a Windows host. The tester needs to permanently turn off protections in order to install additional payload.

  Which of the following commands is most appropriate?

  A. sc config <svc_name> start=disabled
  B. sc query state= all
  C. pskill <pid_svc_name>
  D. net config <svc_name>
  A. sc config <svc_name> start=disabled

  ---

  Explanation

  The sc config command is used to configure service startup settings in Windows. Using start=disabled will permanently disable a specific service, effectively turning off protections such as antivirus or other monitoring services.

  Why Not Other Options?

  Option B (sc query state= all): This command lists all services and their states but does not disable or modify any service.

  Option C (pskill): This command is used to terminate a process temporarily, but it does not permanently disable the service.

  Option D (net config): This command is used for configuring network settings, not for managing services.

  References:

  Domain 3.0 (Attacks and Exploits) Windows Service Exploitation Guidelines

• Question 18:

  A penetration tester ran a simple Python-based scanner. The following is a snippet of the code:

  

  Which of the following BEST describes why this script triggered a `probable port scan` alert in the organization's IDS?

  A. sock.settimeout(20) on line 7 caused each next socket to be created every 20 milliseconds.
  B. *range(1, 1025) on line 1 populated the portList list in numerical order.
  C. Line 6 uses socket.SOCK_STREAM instead of socket.SOCK_DGRAM
  D. The remoteSvr variable has neither been type-hinted nor initialized.
  B. *range(1, 1025) on line 1 populated the portList list in numerical order.

  ---

  Explanation

  Port randomization is widely used in port scanners. By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons)

  https://nmap.org/book/man-port-specification.html

• Question 19:

  A penetration tester needs to obtain sensitive data from several executives who regularly work while commuting by train.

  Which of the following methods should the tester use for this task?

  A. Shoulder surfing
  B. Credential harvesting
  C. Bluetooth spamming
  D. MFA fatigue
  A. Shoulder surfing

• Question 20:

  Which of the following should a penetration tester attack to gain control of the state in the HTTP protocol after the user is logged in?

  A. HTTPS communication
  B. Public and private keys
  C. Password encryption
  D. Sessions and cookies
  D. Sessions and cookies