CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 291:

  A company has hired a penetration tester to deploy and set up a rogue access point on the network.

  Which of the following is the BEST tool to use to accomplish this goal?

  A. Wireshark
  B. Aircrack-ng
  C. Kismet
  D. Wifite
  B. Aircrack-ng

  ---

  Explanation

  References:

  https://null-byte.wonderhowto.com/how-to/hack-wi-fi-stealing-wi-fi-passwords-with-evil-twin-attack-0183880/https://thecybersecurityman.com/2018/08/11/creating-an-evil-twin-or-fake-access-point-using-aircrack-ng-and-dnsmasq-part-2-the-attack/

• Question 292:

  Which of the following protocols would a penetration tester most likely utilize to exfiltrate data covertly and evade detection?

  A. FTP
  B. HTTPS
  C. SMTP
  D. DNS
  D. DNS

  ---

  Explanation

  Covert data exfiltration is a crucial aspect of advanced penetration testing. Penetration testers often need to move data out of a network without being detected by the organization's security monitoring tools.

  Here's a breakdown of the potential methods and why DNS is the preferred choice for covert data exfiltration:

  FTP (File Transfer Protocol) (Option A):

  Characteristics: FTP is a clear-text protocol used to transfer files.

  Drawbacks: It is easily detected by network security tools due to its lack of encryption and distinctive traffic patterns. Most modern networks block or heavily monitor FTP traffic to prevent unauthorized file transfers.

  References:

  The use of FTP in penetration testing is often limited to environments where encryption is not a concern or for internal transfers where monitoring is lax. It's rarely used for covert exfiltration due to its high detectability.

  HTTPS (Hypertext Transfer Protocol Secure) (Option B):

  Characteristics: HTTPS encrypts data in transit, making it harder to inspect by network monitoring tools.

  Drawbacks: While HTTPS is more secure, large amounts of unusual or unexpected HTTPS traffic can still trigger alerts on sophisticated security systems. Its usage for exfiltration depends on the network's normal traffic patterns and the ability to blend in.

  References: HTTPS is used when there is a need to encrypt data during exfiltration. However, it can still be flagged by traffic analysis tools if the data patterns or destinations are unusual.

  SMTP (Simple Mail Transfer Protocol) (Option C):

  Characteristics: SMTP is used for sending emails.

  Drawbacks: Like FTP, SMTP is not inherently secure and can be monitored. Additionally, large or frequent email attachments can trigger alerts.

  References: SMTP might be used in some exfiltration scenarios but is generally considered risky due to the ease of monitoring email traffic.

  DNS (Domain Name System) (Option D):

  Characteristics: DNS is used to resolve domain names to IP addresses and vice versa.

  Advantages: DNS traffic is ubiquitous and often less scrutinized than other types of traffic. Data can be encoded into DNS queries and responses, making it an effective covert channel for exfiltration.

  References:

  Many penetration tests and red team engagements leverage DNS tunneling for covert data exfiltration due to its ability to bypass firewalls and intrusion detection systems. This technique involves encoding data within DNS queries to an attacker-controlled domain, effectively evading detection.

  Conclusion: DNS tunneling stands out as the most effective method for covert data exfiltration due to its ability to blend in with normal network traffic and avoid detection by conventional security mechanisms.

  Penetration testers utilize this method to evade scrutiny while exfiltrating data.

• Question 293:

  The following file was obtained during reconnaissance:

  

  Which of the following is most likely to be successful if a penetration tester achieves non-privileged user access?

  A. Exposure of other users' sensitive data
  B. Unauthorized access to execute binaries via sudo
  C. Hijacking the default user login shells
  D. Corrupting the skeleton configuration file
  A. Exposure of other users' sensitive data

  ---

  Explanation

  DIR_MODE=0777 configures new home directories to be created world-readable, world-writable, and world-executable (rwxrwxrwx). With such permissive permissions, any unprivileged local user can traverse into other users' home directories, list files, read them, and even modify or replace them. That makes exposure of other users' sensitive data the most likely and immediate outcome once the tester has any local user account.

  Why the other options are less likely:

  Option B: Unauthorized sudo execution: Requires membership in sudo/wheel or explicit entries in /etc/ sudoers. Nothing in the snippet indicates that, and file mode on home dirs doesn't grant sudo.

  Option C: Hijacking default login shells: DSHELL=/bin/zsh only sets the default shell for new users.

  Replacing /bin/zsh or altering /etc/passwd would require root.

  Option D: Corrupting the skeleton configuration: SKEL=/etc/systemd-conf/temp-skeleton is under /etc/..., which is root-owned on standard systems. A normal user cannot write there, so "corrupting the skeleton" is unlikely without privilege escalation.

  Practical exploitation as a non-privileged user (illustrative):

  # Find world-writable homes

  find /home -maxdepth 1 -type d -perm -0002 -ls

  # Read another user's files

  cd /home/targetuser && ls -la && cat Documents/tax_return.pdf (Depending on per-file permissions.)

  CompTIA PenTest+ PT0-003 Objective Mapping (for study):

  Domain 3.0 Attacks and Exploits 3.1 Exploit system vulnerabilities and misconfigurations (e.g., insecure file permissions leading to data exposure/privilege abuse).

• Question 294:

  A penetration tester finds an internal MySQL server with no firewall restrictions. The tester runs:

  mysql -u root -p

  No password is required, and the tester gains full access.

  Which vulnerability BEST describes this condition?

  A. Improper session management
  B. Default credentials
  C. Null authentication configuration
  D. SQL injection
  C. Null authentication configuration

  ---

  Explanation

  The MySQL instance allows root login without a password, indicating null authentication - a severe misconfiguration.

  Why not others:

  A - Session management refers to tokens, not database logins.

  B - Default credentials imply preset vendor values (e.g., root/root) - this is empty auth.

  D - SQL injection does not relate to authentication configuration.

  PT0-003 Mapping: Domain 3 - Database misconfigurations and privilege abuses.

• Question 295:

  A penetration tester finished a security scan and uncovered numerous vulnerabilities on several hosts.

  Based on the targets' EPSS and CVSS scores, which of the following targets is the most likely to get attacked?

  A. Target 1: EPSS Score = 0.6 and CVSS Score = 4
  B. Target 2: EPSS Score = 0.3 and CVSS Score = 2
  C. Target 3: EPSS Score = 0.6 and CVSS Score = 1
  D. Target 4: EPSS Score = 0.4 and CVSS Score = 4.5
  A. Target 1: EPSS Score = 0.6 and CVSS Score = 4

  ---

  Explanation

  EPSS and CVSS Analysis:

  References:

  Domain 2.0 (Information Gathering and Vulnerability Identification)

• Question 296:

  Which of the following technologies is most likely used with badge cloning? (Select two).

  A. NFC
  B. RFID
  C. Bluetooth
  D. Modbus
  E. Zigbee
  F. CAN bus
  A. NFC
  B. RFID

  ---

  Explanation

  Badge cloning typically involves copying the data from access control badges, which frequently utilize the following technologies:

  NFC (Near-Field Communication):

  NFC is a subset of RFID technology that operates at short ranges (up to 10 cm). It is commonly used in modern access control systems, payment systems, and badge technologies. NFC cloning tools can intercept and copy badge data.

  RFID (Radio-Frequency Identification):

  RFID operates over a broader range of frequencies and distances than NFC. Many legacy access systems use RFID badges, which are susceptible to cloning attacks using RFID readers and cloning devices.

  Exclusions:

  Bluetooth, Modbus, Zigbee, CAN bus are not typically used in badge-based access control systems and are unrelated to badge cloning.

  References:

  Domain 3.0 (Attacks and Exploits) Domain 4.0 (Penetration Testing Tools)

• Question 297:

  A penetration tester needs to evaluate the order in which the next systems will be selected for testing.

  Given the following output:

  

  Which of the following targets should the tester select next?

  A. fileserver
  B. hrdatabase
  C. legaldatabase
  D. financesite
  A. fileserver

  ---

  Explanation

  CVSS (Common Vulnerability Scoring System): Indicates the severity of vulnerabilities, with higher scores representing more critical vulnerabilities.

  EPSS (Exploit Prediction Scoring System): Estimates the likelihood of a vulnerability being exploited in the wild.

  Analysis:

  hrdatabase: CVSS = 9.9, EPSS = 0.50

  financesite: CVSS = 8.0, EPSS = 0.01

  legaldatabase: CVSS = 8.2, EPSS = 0.60

  fileserver: CVSS = 7.6, EPSS = 0.90

  Selection Justification:

  fileserver has the highest EPSS score of 0.90, indicating a high likelihood of exploitation despite having a slightly lower CVSS score compared to other targets.

  This makes it a critical target for immediate testing to mitigate potential exploitation risks.

  References:

  Risk Prioritization: Balancing between severity (CVSS) and exploitability (EPSS) is crucial for effective vulnerability management.

  Risk Assessment: Evaluating both the impact and the likelihood of exploitation helps in making informed decisions about testing priorities.

  By selecting the fileserver, the penetration tester focuses on a target that is highly likely to be exploited, addressing the most immediate risk based on the given scores.

• Question 298:

  A company becomes concerned when the security alarms are triggered during a penetration test.

  Which of the following should the company do NEXT?

  A. Halt the penetration test.
  B. Contact law enforcement.
  C. Deconflict with the penetration tester.
  D. Assume the alert is from the penetration test.
  C. Deconflict with the penetration tester.

  ---

  Explanation

  Deconflicting with the penetration tester is the best thing to do next after the security alarms are triggered during a penetration test, as it will help determine whether the alarm was caused by the tester's activity or by an actual threat. Deconflicting is the process of communicating and coordinating with other parties involved in a penetration testing engagement, such as security teams, network administrators, or emergency contacts, to avoid confusion or interference.

• Question 299:

  An external legal firm is conducting a penetration test of a large corporation.

  Which of the following would be most appropriate for the legal firm to use in the subject line of a weekly email update?

  A. Privileged & Confidential Status Update
  B. Action Required Status Update
  C. Important Weekly Status Update
  D. Urgent Status Update
  A. Privileged & Confidential Status Update

  ---

  Explanation

  Penetration test results are sensitive information and must be handled confidentially.

  Privileged &

  Confidential Status Update (Option A):

  Helps ensure compliance with legal and regulatory standards by labeling the report as confidential.

  Encourages secure handling by recipients.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Secure Communication and Reporting"

  Incorrect options:

  Option B (Action Required): Suggests an immediate response is needed, which may not always be the case.

  Option C (Important Weekly Status Update): Does not emphasize confidentiality.

  Option D (Urgent Status Update): Could cause unnecessary alarm unless truly urgent.

• Question 300:

  During a penetration test, the tester identifies several unused services that are listening on all targeted internal laptops.

  Which of the following technical controls should the tester recommend to reduce the risk of compromise?

  

  A. Multifactor authentication
  B. Patch management
  C. System hardening
  D. Network segmentation
  C. System hardening

  ---

  Explanation

  When a penetration tester identifies several unused services listening on targeted internal laptops, the most appropriate recommendation to reduce the risk of compromise is system hardening. Here's why:

  System Hardening:

  Purpose: System hardening involves securing systems by reducing their surface of vulnerability. This includes disabling unnecessary services, applying security patches, and configuring systems securely.

  Impact: By disabling unused services, the attack surface is minimized, reducing the risk of these services being exploited by attackers.

  Comparison with Other Controls:

  Multifactor Authentication (A): While useful for securing authentication, it does not address the issue of unused services running on the system.

  Patch Management (B): Important for addressing known vulnerabilities but not specifically related to disabling unused services.

  Network Segmentation (D): Helps in containing breaches but does not directly address the issue of unnecessary services.

  System hardening is the most direct control for reducing the risk posed by unused services, making it the best recommendation.