CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 221:

  A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees.

  Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?

  A. Smishing
  B. Impersonation
  C. Tailgating
  D. Whaling
  A. Smishing

  ---

  Explanation

  When a penetration tester identifies an exposed corporate directory containing first and last names and phone numbers, the most effective attack technique to pursue would be smishing. Here's why:

  Understanding Smishing:

  Smishing (SMS phishing) involves sending fraudulent messages via SMS to trick individuals into revealing personal information or performing actions that compromise security. Since the tester has access to phone numbers, this method is directly applicable.

  Why Smishing is Effective:

  Personalization: Knowing the first and last names allows the attacker to personalize the messages, making them appear more legitimate and increasing the likelihood of the target responding.

  Immediate Access: People tend to trust and respond quickly to SMS messages compared to emails, especially if the messages appear urgent or important.

  Alternative Attack Techniques:

  Impersonation: While effective, it generally requires real-time interaction and may not scale well across many targets.

  Tailgating: This physical social engineering technique involves following someone into a restricted area and is not feasible with just names and phone numbers.

  Whaling: This targets high-level executives with highly personalized phishing attacks. Although effective, it is more specific and may not be suitable for the broader set of employees in the directory.

• Question 222:

  A penetration tester is working on an engagement in which a main objective is to collect confidential information that could be used to exfiltrate data and perform a ransomware attack. During the engagement, the tester is able to obtain an internal foothold on the target network.

  Which of the following is the next task the tester should complete to accomplish the objective?

  A. Initiate a social engineering campaign.
  B. Perform credential dumping.
  C. Compromise an endpoint.
  D. Share enumeration.
  D. Share enumeration.

  ---

  Explanation

  Given that the penetration tester has already obtained an internal foothold on the target network, the next logical step to achieve the objective of collecting confidential information and potentially exfiltrating data or performing a ransomware attack is to perform credential dumping. Here's why:

  Credential Dumping:

  Purpose: Credential dumping involves extracting password hashes and plaintext passwords from compromised systems. These credentials can be used to gain further access to sensitive data and critical systems within the network.

  Tools: Common tools used for credential dumping include Mimikatz, Windows Credential Editor, and ProcDump.

  Impact: With these credentials, the tester can move laterally across the network, escalate privileges, and access confidential information.

  Comparison with Other Options:

  Initiate a Social Engineering Campaign (A): Social engineering is typically an initial access technique rather than a follow-up action after gaining internal access.

  Compromise an Endpoint (C): The tester already has a foothold, so compromising another endpoint is less direct than credential dumping for accessing sensitive information.

  Share Enumeration (D): While share enumeration can provide useful information, it is less impactful than credential dumping in terms of gaining further access and achieving the main objective.

  Performing credential dumping is the most effective next step to escalate privileges and access sensitive data, making it the best choice.

• Question 223:

  Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?

  A. Use steganography and send the file over FTP
  B. Compress the file and send it using TFTP
  C. Split the file in tiny pieces and send it over dnscat
  D. Encrypt and send the file over HTTPS
  D. Encrypt and send the file over HTTPS

  ---

  Explanation

  When considering efficiency and security for exfiltrating sensitive data, the chosen method must ensure data confidentiality and minimize the risk of detection. Here's an analysis of each option:

  Use steganography and send the file over FTP (Option A):

  Steganography hides data within other files, such as images. FTP is a protocol for transferring files.

  Drawbacks: FTP is not secure as it transmits data in clear text, making it susceptible to interception.

  Steganography can add an extra layer of obfuscation, but the use of FTP makes this option insecure.

  Compress the file and send it using TFTP (Option B):

  TFTP is a simple file transfer protocol that lacks encryption.

  Drawbacks: TFTP is inherently insecure because it does not support encryption, making it easy for attackers to intercept the data during transfer.

  Split the file in tiny pieces and send it over dnscat (Option C):

  dnscat is a tool for tunneling data over DNS.

  Drawbacks: While effective at evading detection by using DNS, splitting the file and managing the reassembly adds complexity. Additionally, large data transfers over DNS can raise suspicion.

  Encrypt and send the file over HTTPS (Answer: D):

  Encrypting the file ensures that its contents are protected during transfer. HTTPS provides a secure, encrypted channel for communication over the internet.

  Advantages: HTTPS is widely used and trusted, making it less likely to raise suspicion. Encryption ensures the data remains confidential during transit.

  References:

  The use of HTTPS for secure data transfer is a standard practice in cybersecurity, providing both encryption and integrity of the data being transmitted.

  Conclusion: Encrypting the file and sending it over HTTPS is the most efficient and secure method for exfiltrating sensitive data, ensuring both confidentiality and reducing the risk of detection.

• Question 224:

  During an engagement, a penetration tester found some weaknesses that were common across the customer's entire environment. The weaknesses included the following:

  1. Weaker password settings than the company standard

  2. Systems without the company's endpoint security software installed

  3. Operating systems that were not updated by the patch management system.

  Which of the following recommendations should the penetration tester provide to address the root issue?

  A. Add all systems to the vulnerability management system.
  B. Implement a configuration management system.
  C. Deploy an endpoint detection and response system.
  D. Patch the out-of-date operating systems.
  B. Implement a configuration management system.

  ---

  Explanation

  Identified Weaknesses:

  Weaker password settings than the company standard: Indicates inconsistency in password policies across systems.

  Systems without the company's endpoint security software installed: Suggests lack of uniformity in security software deployment.

  Operating systems not updated by the patch management system: Points to gaps in patch management processes.

  Configuration Management System:

  Definition: A configuration management system automates the deployment, maintenance, and enforcement of configurations across all systems in an organization.

  Benefits: Ensures consistency in security settings, software installations, and patch management across the entire environment.

  Examples: Tools like Ansible, Puppet, and Chef can help automate and manage configurations, ensuring compliance with organizational standards.

  Other Recommendations:

  Vulnerability Management System: While adding systems to this system helps track vulnerabilities, it does not address the root cause of configuration inconsistencies.

  Endpoint Detection and Response (EDR): Useful for detecting and responding to threats, but not for enforcing consistent configurations.

  Patch Management: Patching systems addresses specific vulnerabilities but does not solve broader configuration management issues.

  References:

  System Hardening: Ensuring all systems adhere to security baselines and configurations to reduce attack surfaces.

  Automation in Security: Using configuration management tools to automate security practices, ensuring compliance and reducing manual errors.

  Implementing a configuration management system addresses the root issue by ensuring consistent security configurations, software deployments, and patch management across the entire environment.

• Question 225:

  A penetration tester is conducting reconnaissance on a target network. The tester runs the following Nmap

  command: nmap -sv -sT -p - 192.168.1.0/24.

  Which of the following describes the most likely purpose of this scan?

  A. OS fingerprinting
  B. Attack path mapping
  C. Service discovery
  D. User enumeration
  C. Service discovery

  ---

  Explanation

  The Nmap command nmap -sv -sT -p- 192.168.1.0/24 is designed to discover services on a network. Here is a breakdown of the command and its purpose:

  Command Breakdown:

  nmap: The network scanning tool.

  -sV: Enables service version detection. This option tells Nmap to determine the version of the services running on open ports.

  -sT: Performs a TCP connect scan. This is a more reliable method of scanning as it completes the TCP handshake but can be easily detected by firewalls and intrusion detection systems.

  -p-: Scans all 65535 ports. This ensures a comprehensive scan of all possible TCP ports.

  192.168.1.0/24: Specifies the target network range (subnet) to be scanned.

  Purpose of the Scan:

  Service Discovery (Answer: C): The primary purpose of this scan is to discover which services are running on the network's hosts and determine their versions. This information is crucial for identifying potential vulnerabilities and understanding the network's exposure.

  References:

  Service discovery is a common task in penetration testing to map out the network services and versions, as seen in various Hack The Box (HTB) write-ups where comprehensive service enumeration is performed before further actions.

  Conclusion: The nmap -sv -sT -p- 192.168.1.0/24 command is most likely used for service discovery, as it

  aims to identify all running services and their versions on the target subnet.

• Question 226:

  A penetration tester obtains a regular domain user's set of credentials. The tester wants to attempt a dictionary attack by creating a custom word list based on the Active Directory password policy.

  Which of the following tools should the penetration tester use to retrieve the password policy?

  A. Responder
  B. CrackMapExec
  C. Hydra
  D. msfvenom
  B. CrackMapExec

  ---

  Explanation

  CrackMapExec (CME) is the best choice because it supports authenticated enumeration against Active Directory and can retrieve domain configuration information-including password policy details-using valid domain credentials. In the PenTest+ methodology, once a tester has a standard domain account, a common next step is to enumerate domain settings that influence attack feasibility and safety, such as minimum password length, complexity requirements, lockout threshold, lockout duration, and password history. These values directly inform how to build a "policy-aware" custom wordlist and how to tune dictionary or spraying attempts to remain within rules of engagement and avoid triggering lockouts.

  Responder is primarily used for LLMNR/NBT-NS poisoning and capturing or relaying authentication on local networks; it does not query AD policy as its main function. Hydra is a login brute-force tool that performs attacks, not policy retrieval. msfvenom is a payload generator used for exploitation and post- exploitation delivery, unrelated to enumerating AD password policy. Therefore, CME is the most appropriate tool to retrieve the password policy for informed dictionary construction.

• Question 227:

  The following line-numbered Python code snippet is being used in reconnaissance:

  

  Which of the following line numbers from the script MOST likely contributed to the script triggering a "probable port scan" alert in the organization's IDS?

  A. Line 01
  B. Line 02
  C. Line 07
  D. Line 08
  D. Line 08

• Question 228:

  SIMULATION

  A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets.

  INSTRUCTIONS

  Select the appropriate answer(s), given the output from each section.

  

  

  

  Explanation

• Question 229:

  A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target.

  Which of the following should the tester use?

  A. tcprelay
  B. Bluecrack
  C. Scapy
  D. tcpdump
  C. Scapy

  ---

  Explanation

  Scapy is a powerful interactive Python-based packet manipulation tool used by penetration testers to create, modify, send, and analyze custom packets. It supports many protocols and allows you to set TCP flags, sequence numbers, and more.

  tcprelay is used to redirect TCP traffic, not to craft packets.

  Bluecrack is used for cracking Bluetooth encryption, irrelevant in this context.

  tcpdump is a packet capture tool, not suitable for crafting or injecting packets.

  References:

  PT0-003 Objective 3.4 ?Tools for manipulating traffic, including Scapy for custom packet creation.

• Question 230:

  An internal penetration tester is on site assessing network access for company-owned mobile devices.

  Which of the following would be the best tool to identify the available networks?

  A. Wireshark
  B. theHarvester
  C. Recon-ng
  D. WiGLE.net
  D. WiGLE.net

  ---

  Explanation

  WiGLE.net is the best choice because it is purpose-built for identifying and mapping wireless networks (SSIDs/BSSIDs) using aggregated wardriving-style data and location-based search. In PenTest+ reconnaissance, testers often need to quickly determine what wireless networks are present in or around a physical location-especially when assessing how corporate mobile devices might encounter nearby SSIDs that could be abused for evil-twin or misassociation scenarios. WiGLE helps identify networks by area and provides details that support follow-on testing decisions, such as which SSIDs are common, whether naming patterns suggest corporate ownership, and whether nearby networks could confuse users or devices.

  Wireshark is a packet analyzer and requires traffic capture; it is not a discovery database for "what networks exist" in a geographic area. theHarvester and Recon-ng are OSINT tools oriented toward emails, domains, hosts, and identity data-not local wireless network identification. For the stated goal of identifying available Wi-Fi networks for mobile-device exposure assessment, WiGLE.net most directly fits the objective.