CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 271:

  Which of the following tools would BEST allow a penetration tester to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine?

  A. Wireshark
  B. EAPHammer
  C. Kismet
  D. Aircrack-ng
  D. Aircrack-ng

  ---

  Explanation

  The BEST tool to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine is Aircrack-ng. Aircrack-ng is a suite of tools used to assess the security of wireless networks. It starts by capturing wireless network packets, then attempts to crack the network password by analyzing them.

  Aircrack-ng supports FMS, PTW, and other attack types, and can also be used to generate keystreams for WEP and WPA-PSK encryption. It is capable of running on Windows, Linux, and Mac OS X. The BEST tool to capture wireless handshakes to reveal a Wi-Fi password from a Windows machine is Aircrack-ng.

  Aircrack-ng is a suite of tools used to assess the security of wireless networks. It starts by capturing wireless network packets, then attempts to crack the network password by analyzing them. Aircrack-ng supports FMS, PTW, and other attack types, and can also be used to generate keystreams for WEP and WPA-PSK encryption.

  It is capable of running on Windows, Linux, and Mac OS X.

• Question 272:

  Which of the following methods should a physical penetration tester employ to access a rarely used door that has electronic locking mechanisms?

  A. Lock picking
  B. Impersonating
  C. Jamming
  D. Tailgating
  E. Bypassing
  E. Bypassing

  ---

  Explanation

  For electronic locking mechanisms, traditional lock picking is ineffective. Instead, bypassing techniques are often used, such as:

  Triggering the emergency release.

  Using a shim or bypass tool.

  Exploiting wiring faults or RFID vulnerabilities.

  This method doesn't involve human deception (impersonation), social engineering (tailgating), or causing interference (jamming). It focuses on exploiting the electronic door system without needing to "unlock" it traditionally.

  References:

  PT0-003 Objective 1.3: Given a scenario, perform a physical assessment. CompTIA emphasizes the distinction between bypassing and other physical intrusion methods.

• Question 273:

  Which of the following scenarios would most likely lead a client to reprioritize goals after a penetration test begins?

  A. An end-of-life web server is decommissioned.
  B. A new zero-day vulnerability is publicly disclosed.
  C. The penetration tester is not capturing artifacts for an exploited vulnerability.
  D. A new lead penetration tester is assigned to the project.
  B. A new zero-day vulnerability is publicly disclosed.

  ---

  Explanation

  During an active PenTest+ engagement, goal changes are most commonly driven by new, material risk that affects the client's threat landscape or business exposure. A publicly disclosed zero-day vulnerability can immediately change what the organization considers most critical because it may be actively exploited in the wild, may impact internet-facing systems, and may require urgent validation of compensating controls, patch readiness, or exposure level. In PenTest+ planning and scoping practices, the tester and client may revisit priorities mid-engagement when emerging threats create a higher likelihood of compromise or when leadership requires rapid answers (for example, "Are we vulnerable?" and "Can you prove impact?").

  Decommissioning an end-of-life server (A) typically reduces scope rather than reprioritizing goals, and it is a routine operational change. Not capturing artifacts (C) is a tester process/quality issue addressed through engagement management, not a client-driven reprioritization trigger. Assigning a new lead tester (D) is a staffing change and should not alter the client's goals unless scope and requirements change. The zero-day disclosure is the clearest driver for reprioritization.

• Question 274:

  Which of the following tools can a penetration tester use to brute force a user password over SSH using multiple threads?

  A. CeWL
  B. John the Ripper
  C. Hashcat
  D. Hydra
  D. Hydra

  ---

  Explanation

  Hydra is a powerful tool for conducting brute-force attacks against various protocols, including SSH. It is capable of using multiple threads to perform concurrent attempts, significantly increasing the efficiency of the attack. This capability makes Hydra particularly suited for brute-forcing user passwords over SSH, as it can quickly try numerous combinations of usernames and passwords. The tool's ability to support a wide range of protocols, its flexibility in handling different authentication mechanisms, and its efficiency in managing multiple simultaneous connections make it a go-to choice for penetration testers looking to test the strength of passwords in a target system's SSH service.

• Question 275:

  A penetration tester creates the following Python script that can be used to enumerate information about email accounts on a target mail server:

  mail = imaplib.IMAP4(target_server, target_port) mail.login(target_login, target_passwd) status, messages = mail.select("inbox") print(f"Total Emails: {int(messages[0])}") mail.logout()

  Which of the following logic constructs would permit the script to continue despite failure?

  A. Add a do/while loop.
  B. Add an iterator.
  C. Add a t.ry/except. block.
  D. Add an if/else conditional.
  C. Add a t.ry/except. block.

  ---

  Explanation

  The correct construct for handling runtime failures (for example, login failures, network timeouts, or server errors) in Python is a try/except block (option C). Wrapping potentially failing operations in a try block and handling exceptions in except allows the script to catch the exception and continue execution (log the error, skip the target, retry, etc.) rather than crashing.

  Why Option C is correct:

  try/except is the Python mechanism to handle exceptions raised during execution. For network/email operations (IMAP login/select), IMAP libraries raise exceptions on failure -- try/except catches these and enables recovery logic.

  Example corrected snippet:

  import imaplib, sys def enumerate_inbox(server, port, user, passwd):

  try:

  mail = imaplib.IMAP4(server, port)

  mail.login(user, passwd)

  status, messages = mail.select("inbox")

  print(f"Total Emails: {int(messages[0])}") except imaplib.IMAP4.error as e:

  print(f"IMAP error for {user}: {e}")

  # continue to next account or retry except Exception as e:

  print(f"Unexpected error for {user}: {e}")

  finally:

  try:

  mail.logout()

  except:

  pass

  Why the other options are not the best fit:

  Option A: do/while loop: Python has no native do/while; loops alone won't catch exceptions -- they may repeat the crash.

  Option B: iterator: Iterators control iteration over collections, not exception handling.

  Option D: if/else conditional: Conditionals can test return values but cannot handle exceptions thrown by library calls; they are not sufficient to prevent the script from aborting when an exception is raised.

  CompTIA PT0-003 Mapping:

  Domain 4.0 Tools and Code Analysis -- basic defensive programming and error handling when writing or reviewing scripts used in engagements (use exception handling to make enumeration tools robust and predictable).

• Question 276:

  A penetration tester downloads a JAR file that is used in an organization's production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit.

  Which of the following describes the tester's activities?

  A. SAST
  B. SBOM
  C. ICS
  D. SCA
  D. SCA

  ---

  Explanation

  The tester's activity involves analyzing the contents of a JAR file to identify potentially vulnerable components. This process is known as Software Composition Analysis (SCA). Here's why:

  Understanding SCA:

  Definition: SCA involves analyzing software to identify third-party and open-source components, checking for known vulnerabilities, and ensuring license compliance.

  Purpose: To detect and manage risks associated with third-party software components.

  Comparison with Other Terms:

  SAST (A): Static Application Security Testing involves analyzing source code for security vulnerabilities without executing the code.

  SBOM (B): Software Bill of Materials is a detailed list of all components in a software product, often used in SCA but not the analysis itself.

  ICS (C): Industrial Control Systems, not relevant to the context of software analysis.

  The tester's activity of examining a JAR file for vulnerable components aligns with SCA, making it the correct answer.

• Question 277:

  A penetration tester switches their wireless adapter to monitor mode but cannot detect the client's wireless network at all, even though the client confirms the network is active. The tester can see 2.4GHz and 5GHz networks nearby, but the target network never appears in the capture tool.

  Which of the following is the MOST likely reason the tester cannot see the client's network?

  A. The client's network uses 6GHz and not 5GHz/2.4GHz.
  B. The tester misconfigured the capture device.
  C. The client provided the wrong SSID for the network.
  D. The tester is not using Aircrack-ng.
  A. The client's network uses 6GHz and not 5GHz/2.4GHz.

  ---

  Explanation

  The scenario indicates that the tester's capture device, when in monitor mode, cannot detect the target wireless network.

  The most likely cause is frequency band incompatibility -- if the client's wireless infrastructure uses Wi-Fi 6E (6GHz band), and the tester's adapter only supports 2.4GHz/5GHz, then the tester won't see any packets or SSIDs from that band.

  Why not the others:

  Option B:

  Misconfiguration: While possible, the question specifies the network cannot be seen at all, pointing to hardware capability rather than misconfiguration.

  Option C:

  Wrong SSID: Even with a wrong SSID, the tester would still see the beacon frames if on the same frequency band.

  Option D: Not using

  Aircrack-ng: The tool used doesn't affect whether the capture device can see the network -- the adapter's frequency support does.

  CompTIA PT0-003 Mapping:

  Domain 3.0: Attacks and Exploits Wireless network attacks and troubleshooting (frequency bands, hardware compatibility, Wi-Fi 6E considerations).

• Question 278:

  SIMULATION

  You are a penetration tester running port scans on a server.

  INSTRUCTIONS

  Part 1: Given the output, construct the command that was used to generate this output from the available options.

  Part 2: Once the command is appropriately constructed, use the given output to identify the potential attack vectors that should be investigated further.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  Part 1 - 192.168.2.2 -O -sV --top-ports=100 and SMB vulns Part 2 - Weak SMB file permissions

  https://subscription.packtpub.com/book/networking-and-servers/9781786467454/1/ch01lvl1sec13/fingerprinting-os-and-services-running-on-a-target-host

• Question 279:

  A penetration tester is testing a power plant's network and needs to avoid disruption to the grid.

  Which of the following methods is most appropriate to identify vulnerabilities in the network?

  A. Configure a network scanner engine and execute the scan.
  B. Execute a testing framework to validate vulnerabilities on the devices.
  C. Configure a port mirror and review the network traffic.
  D. Run a network mapper tool to get an understanding of the devices.
  C. Configure a port mirror and review the network traffic.

  ---

  Explanation

  When testing a power plant's network and needing to avoid disruption to the grid, configuring a port mirror and reviewing the network traffic is the most appropriate method to identify vulnerabilities without causing disruptions.

  Port Mirroring:

  Definition: Port mirroring (SPAN - Switched Port Analyzer) is a method of monitoring network traffic by duplicating packets from one or more switch ports to another port where a monitoring device is connected.

  Purpose: Allows passive monitoring of network traffic without impacting network operations or device performance.

  Avoiding Disruption:

  Non-Intrusive: Port mirroring is non-intrusive and does not generate additional traffic or load on the network devices, making it suitable for sensitive environments like power plants where disruption is not acceptable.

  Other Options:

  Network Scanner Engine: Active scanning might disrupt network operations or devices, which is not suitable for critical infrastructure.

  Testing Framework: Validating vulnerabilities on devices might involve active testing, which can be disruptive.

  Network Mapper Tool: Running a network mapper tool (like Nmap) actively scans the network and might disrupt services.

  References:

  Passive Monitoring: Passive techniques such as port mirroring are essential in environments where maintaining operational integrity is critical.

  Critical Infrastructure Security: Understanding the need for non-disruptive methods in critical infrastructure penetration testing to ensure continuous operations.

  By configuring a port mirror and reviewing network traffic, the penetration tester can identify vulnerabilities in the power plant's network without risking disruption to the grid.

• Question 280:

  A penetration tester must gain entry to a client's office building without raising attention.

  Which of the following should be the tester's first step?

  A. Interacting with security employees to clone a badge
  B. Trying to enter the back door after hours on a weekend
  C. Collecting building blueprints to run a site survey
  D. Conducting surveillance of the office to understand foot traffic
  D. Conducting surveillance of the office to understand foot traffic

  ---

  Explanation

  The appropriate first step for a low-profile physical access attempt is conducting surveillance to gather information such as entry points, peak/low occupancy times, security guard patterns, camera placement, and typical foot traffic. Surveillance (visual observation, external photography, publicly available schedules) informs a safe, low-risk entry plan and helps the tester choose tactics that minimize attention.

  Why not the others first:

  Option A: Interacting with security employees to clone a badge -- directly engaging security staff to manipulate them is an escalation and could alert personnel; it's also ethically/contractually risky if done without prior scoped approval and planning.

  Option B: Trying to enter the back door after hours on a weekend -- acting without reconnaissance increases likelihood of detection or legal exposure.

  Option C: Collecting building blueprints to run a site survey -- blueprints are useful but often hard to obtain and not the initial low-effort step; surveillance provides immediate, actionable behavioral intelligence.

  CompTIA PT0-003 Mapping: Physical security assessments -- perform reconnaissance and site survey activities first to develop low-visibility access strategies that adhere to the engagement rules of engagement and legal constraints.