CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 261:

  A penetration tester writes a Bash script to automate the execution of a ping command on a Class C network:

  for var in --MISSING TEXT-- do

  ping -c 1 192.168.10.$var

  done

  Which of the following pieces of code should the penetration tester use in place of the --MISSING TEXT-- placeholder?

  A. crunch 1 254 loop
  B. seq 1 254
  C. echo 1-254
  D. {1.-254}
  B. seq 1 254

  ---

  Explanation

  Correct Syntax for a Range Loop in Bash:

  The seq command generates a sequence of numbers in a specified range, which is ideal for iterating over IP addresses in a Class C subnet (1?54).

  Example: seq 1 254 will output numbers 1, 2, ..., 254 sequentially.

  Explanation of Other Options:

  A (crunch): The crunch command is used for wordlist generation and is unrelated to looping in Bash.

  C (echo 1-254): This would output "1-254" as a string instead of generating a numeric range.

  D ({1.-254}): This is incorrect Bash syntax and would result in a script error.

  Final Script:

  bash

  for var in $(seq 1 254)

  do

  ping -c 1 192.168.10.$var

  done References:

  Domain 4.0 (Penetration Testing Tools)

  Bash Scripting and Automation

• Question 262:

  A tester scans a subnet and receives the following results for a Linux host:

  22/tcp open ssh

  111/tcp open rpcbind

  2049/tcp open nfs

  Which is the BEST next action to check for exposed data?

  A. Attempt to enumerate NFS shares
  B. Attempt SSH brute force
  C. Perform banner grabbing on rpcbind
  D. Launch a kernel exploit against the host
  A. Attempt to enumerate NFS shares

  ---

  Explanation

  With port 2049 (NFS) open, the tester should enumerate accessible shares. Misconfigured NFS exports can expose sensitive data or allow file writes.

  Why not others:

  Option B - Brute force is noisy and not prioritizing exposed data.

  Option C - Rpcbind enumeration is useful but not as immediate as NFS data access.

  Option D - Exploitation comes after enumeration.

  PT0-003 Mapping: Domain 3 - Enumerating network file shares.

• Question 263:

  During a penetration tester found a web component with no authentication requirements.

  The web component also allows file uploads and is hosted on one of the target public web the following actions should the penetration tester perform next?

  A. Continue the assessment and mark the finding as critical.
  B. Attempting to remediate the issue temporally.
  C. Notify the primary contact immediately.
  D. Shutting down the web server until the assessment is finished
  A. Continue the assessment and mark the finding as critical.

• Question 264:

  A penetration tester needs to help create a threat model of a custom application.

  Which of the following is the most likely framework the tester will use?

  A. MITRE ATT&CK
  B. OSSTMM
  C. CI/CD
  D. DREAD
  D. DREAD

  ---

  Explanation

  The DREAD model is a risk assessment framework used to evaluate and prioritize the security risks of an application. It stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.

  Understanding DREAD:

  Purpose: Provides a structured way to assess and prioritize risks based on their potential impact and likelihood.

  Components:

  Damage Potential: The extent of harm that an exploit could cause.

  Reproducibility: How easily the exploit can be reproduced.

  Exploitability: The ease with which the vulnerability can be exploited.

  Affected Users: The number of users affected by the exploit.

  Discoverability: The likelihood that the vulnerability will be discovered.

  Usage in Threat Modeling:

  Evaluation: Assign scores to each DREAD component to assess the overall risk.

  Prioritization: Higher scores indicate higher risks, helping prioritize remediation efforts.

  Process:

  Identify Threats: Enumerate potential threats to the application.

  Assess Risks: Use the DREAD model to evaluate each threat.

  Prioritize: Focus on addressing the highest-scoring threats first.

  References from Pentesting Literature:

  The DREAD model is widely discussed in threat modeling and risk assessment sections of penetration testing guides.

  HTB write-ups often include references to DREAD when explaining how to assess and prioritize vulnerabilities in applications.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 265:

  A penetration tester currently conducts phishing reconnaissance using various tools and accounts for multiple intelligence-gathering platforms. The tester wants to consolidate some of the tools and accounts into one solution to analyze the output from the intelligence-gathering tools.

  Which of the following is the best tool for the penetration tester to use?

  A. Caldera
  B. SpiderFoot
  C. Maltego
  D. WIGLE.net
  C. Maltego

  ---

  Explanation

  Penetration testers use OSINT (Open-Source Intelligence) tools to collect and analyze reconnaissance data.

  Maltego (Option C): Maltego is a powerful graph-based OSINT tool that integrates data from multiple sources (e.g., social media, DNS records, leaked credentials).

  It automates data correlation and helps visualize connections.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "OSINT and Intelligence Gathering"

  Incorrect options:

  Option A (Caldera): Used for adversary emulation, not OSINT.

  Option B (SpiderFoot): A reconnaissance tool but lacks data correlation capabilities.

  Option D (WIGLE.net): A wireless network database, not an OSINT analysis tool.

• Question 266:

  A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:

  

  Based on the output, which of the following services provides the best target for launching an attack?

  A. Database
  B. Remote access
  C. Email
  D. File sharing
  D. File sharing

  ---

  Explanation

  Based on the Nmap scan results, the services identified on the target server are as follows:

  22/tcp open ssh:

  Service: SSH (Secure Shell)

  Function: Provides encrypted remote access.

  Attack Surface: Brute force attacks or exploiting vulnerabilities in outdated SSH implementations. However, it is generally considered secure if properly configured.

  25/tcp filtered smtp:

  Service: SMTP (Simple Mail Transfer Protocol)

  Function: Email transmission.

  Attack Surface: Potential for email-related attacks such as spoofing, but the port is filtered, indicating that access may be restricted or protected by a firewall.

  111/tcp open rpcbind:

  Service: RPCBind (Remote Procedure Call Bind)

  Function: Helps in mapping RPC program numbers to network addresses.

  Attack Surface: Can be exploited in specific configurations, but generally not a primary target compared to others.

  2049/tcp open nfs:

  Service: NFS (Network File System)

  Function: Allows for file sharing over a network.

  Attack Surface: NFS can be a significant target for attacks due to potential misconfigurations that can allow unauthorized access to file shares or exploitation of vulnerabilities in NFS services.

  Conclusion: The NFS service (2049/tcp) provides the best target for launching an attack. File sharing services like NFS often contain sensitive data and can be vulnerable to misconfigurations that allow unauthorized access or privilege escalation.

• Question 267:

  A penetration tester needs to upload the results of a port scan to a centralized security tool.

  Which of the following commands would allow the tester to save the results in an interchangeable format?

  A. nmap -iL results 192.168.0.10-100
  B. nmap 192.168.0.10-100 -O > results
  C. nmap -A 192.168.0.10-100 -oX results
  D. nmap 192.168.0.10-100 | grep "results"
  C. nmap -A 192.168.0.10-100 -oX results

• Question 268:

  During a vulnerability assessment, a penetration tester configures the scanner sensor and performs the initial vulnerability scanning under the client's internal network. The tester later discusses the results with the client, but the client does not accept the results. The client indicates the host and assets that were within scope are not included in the vulnerability scan results.

  Which of the following should the tester have done?

  A. Rechecked the scanner configuration.
  B. Performed a discovery scan.
  C. Used a different scan engine.
  D. Configured all the TCP ports on the scan.
  B. Performed a discovery scan.

  ---

  Explanation

  When the client indicates that the scope's hosts and assets are not included in the vulnerability scan results, it suggests that the tester may have missed discovering all the devices in the scope. Here's the best course of action: Performing a Discovery Scan:

  Purpose: A discovery scan identifies all active devices on the network before running a detailed vulnerability scan. It ensures that all in-scope devices are included in the assessment.

  Process: The discovery scan uses techniques like ping sweeps, ARP scans, and port scans to identify active hosts and services.

  Comparison with Other Actions:

  Rechecking the Scanner Configuration (A): Useful but not as comprehensive as ensuring all hosts are discovered.

  Using a Different Scan Engine (C): Not necessary if the issue is with host discovery rather than the scanner's capability.

  Configuring All TCP Ports on the Scan (D): Helps in detailed scanning but does not address missing hosts.

  Performing a discovery scan ensures that all in-scope devices are identified and included in the vulnerability assessment, making it the best course of action.

• Question 269:

  A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes.

  Which of the following steps should the tester take next?

  A. Enable monitoring mode using Aircrack-ng.
  B. Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.
  C. Run KARMA to break the password.
  D. Research WiGLE.net for potential nearby client access points.
  A. Enable monitoring mode using Aircrack-ng.

  ---

  Explanation

  Enabling monitoring mode on the wireless adapter is the essential step before capturing WPA2 handshakes. Monitoring mode allows the adapter to capture all wireless traffic in its vicinity, which is necessary for capturing handshakes.

  Preparation:

  Enable Monitoring Mode:

  Step-by-Step Explanationairmon-ng start wlan0 uk.co.certification.simulator.questionpool.PList@6a986d34 iwconfig

  Capture WPA2 Handshakes:

  airodump-ng wlan0mon

  References from Pentesting Literature:

  References:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 270:

  A penetration tester is conducting an authorized, physical penetration test to attempt to enter a client's building during non-business hours.

  Which of the following are MOST important for the penetration tester to have during the test? (Choose two.)

  A. A handheld RF spectrum analyzer
  B. A mask and personal protective equipment
  C. Caution tape for marking off insecure areas
  D. A dedicated point of contact at the client
  E. The paperwork documenting the engagement
  F. Knowledge of the building's normal business hours
  D. A dedicated point of contact at the client
  E. The paperwork documenting the engagement

  ---

  Explanation

  Always carry the contact information and any documents stating that you are approved to do this.