CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 301:

  A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant.

  Which of the following is the MINIMUM frequency to complete the scan of the system?

  A. Weekly
  B. Monthly
  C. Quarterly
  D. Annually
  C. Quarterly

  ---

  Explanation

  Quarterly is the minimum frequency to complete the scan of the system that is PCI DSS v3.2.1 compliant, according to Requirement 11.2.2 of the standard 1. PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards that applies to any organization that processes, stores, or transmits credit card information. Requirement 11.2.2 states that organizations must perform internal vulnerability scans at least quarterly and after any significant change in the network.

  https://www.pcicomplianceguide.org/faq/#25PCIDSSrequiresquarterlyvulnerability/penetrationtests,notweekly.

• Question 302:

  A penetration tester identifies the following open ports during a network enumeration scan:

  

  Which of the following commands did the tester use to get this output?

  A. nmap -Pn -A 10.10.10.10
  B. nmap -sV 10.10.10.10
  C. nmap -Pn -w 10.10.10.10
  D. nmap -sV -Pn -p- 10.10.10.10
  D. nmap -sV -Pn -p- 10.10.10.10

  ---

  Explanation

  To detect all open ports and enumerate services, the tester needs to:

  Use -sV (Service Version Detection)

  Use -Pn (Disables ICMP ping to bypass firewalls)

  Use -p- (Scans all 65,535 TCP ports) nmap -sV -Pn -p- 10.10.10.10 (Option D):

  This command performs full-port scanning, including high-numbered ports like 50123/tcp (ms-rpc).

  Without -p-, high ports would be missed.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Nmap Scanning Techniques"

  Incorrect options:

  Option A (-A): Includes OS detection but does not guarantee scanning all ports.

  Option B (-sV without -p-): Scans default ports only, missing 50123/tcp.

  Option C (-w): Invalid Nmap flag.

• Question 303:

  A client warns the assessment team that an ICS application is maintained by the manufacturer. Any tampering of the host could void the enterprise support terms of use.

  Which of the following techniques would be most effective to validate whether the application encrypts communications in transit?

  A. Utilizing port mirroring on a firewall appliance
  B. Installing packet capture software on the server
  C. Reconfiguring the application to use a proxy
  D. Requesting that certificate pinning be disabled
  A. Utilizing port mirroring on a firewall appliance

  ---

  Explanation

  Since direct interaction with the ICS application is restricted, the best way to analyze network traffic without modifying the system is to use port mirroring on a firewall or network switch.

  Option A (Port mirroring) : Correct. Port mirroring (SPAN) copies network traffic without modifying the host system.

  Allows passive analysis of whether encryption is used.

  Option B (Packet capture on the server) : Requires modifying the host, which is prohibited by the client.

  Option C (Reconfiguring the app to use a proxy) : Modifies application settings, which violates the client's terms.

  Option D (Disabling certificate pinning) : Requires changes to security settings, which is not allowed in this scenario.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Passive Traffic Analysis for ICS Systems

• Question 304:

  DRAG DROP

  A technician is reviewing the following report. Given this information, identify which vulnerability can be definitively confirmed to be a false positive by dragging the “false positive” token to the “Confirmed” column for each vulnerability that is a false positive.

  Select and Place:

  

  

• Question 305:

  Which of the following is a term used to describe a situation in which a penetration tester bypasses physical access controls and gains access to a facility by entering at the same time as an employee?

  A. Badge cloning
  B. Shoulder surfing
  C. Tailgating
  D. Site survey
  C. Tailgating

  ---

  Explanation

  Understanding Tailgating:

  Methods to Prevent Tailgating:

  Examples in Penetration Testing: References from Pentesting Literature:

  References:

  Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 306:

  A penetration tester needs to collect information over the network for further steps in an internal assessment.

  Which of the following would most likely accomplish this goal?

  A. ntlmrelayx.py -t 192.168.1.0/24 -1 1234
  B. nc -tulpn 1234 192.168.1.2
  C. responder.py -I eth0 -wP
  D. crackmapexec smb 192.168.1.0/24
  C. responder.py -I eth0 -wP

  ---

  Explanation

  To collect information over the network, especially during an internal assessment, tools that can capture and analyze network traffic are essential. Responder is specifically designed for this purpose, and it can capture NTLM hashes and other credentials by poisoning various network protocols. Here's a breakdown of the options:

  Option A: ntlmrelayx.py -t 192.168.1.0/24 -1 1234 ntlmrelayx.py is used for relaying NTLM authentication but not for broad network information collection.

  Option B: nc -tulpn 1234 192.168.1.2

  Netcat (nc) is a network utility for reading from and writing to network connections using TCP or UDP but is not specifically designed for comprehensive information collection over a network.

  Option C: responder.py -I eth0 -wP

  Responder is a tool for LLMNR, NBT-NS, and MDNS poisoning. The -I eth0 option specifies the network interface, and -wP enables WPAD rogue server which is effective for capturing network credentials and

  other information.

  Option D: crackmapexec smb 192.168.1.0/24

  CrackMapExec is useful for SMB-related enumeration and attacks but not specifically for broad network information collection.

  References from Pentest:

  Anubis HTB: Highlights the use of Responder to capture network credentials and hashes during internal assessments.

  Horizontall HTB: Demonstrates the effectiveness of Responder in capturing and analyzing network traffic for further exploitation.

• Question 307:

  During an assessment, a penetration tester obtains an NTLM hash from a legacy Windows machine.

  Which of the following tools should the penetration tester use to continue the attack?

  A. Responder
  B. Hydra
  C. BloodHound
  D. CrackMapExec
  D. CrackMapExec

  ---

  Explanation

  When a penetration tester obtains an NTLM hash from a legacy Windows machine, they need to use a tool that can leverage this hash for further attacks, such as pass-the-hash attacks, or for cracking the hash.

  Here's a breakdown of the options:

  Option A: Responder

  Responder is primarily used for poisoning LLMNR, NBT-NS, and MDNS to capture hashes, but not for leveraging NTLM hashes obtained post-exploitation.

  Option B: Hydra

  Hydra is a password-cracking tool but not specifically designed for NTLM hashes or pass-the-hash attacks.

  Option C: BloodHound

  BloodHound is used for mapping out Active Directory relationships and identifying potential attack paths but not for using NTLM hashes directly.

  Option D: CrackMapExec

  CrackMapExec is a versatile tool that can perform pass-the-hash attacks, execute commands, and more using NTLM hashes. It is designed for post-exploitation scenarios involving NTLM hashes.

  References from Pentest:

  Forge HTB: Demonstrates the use of CrackMapExec for leveraging NTLM hashes to gain further access within a network.

  Horizontall HTB: Shows how CrackMapExec can be used for various post-exploitation activities, including using NTLM hashes to authenticate and execute commands.

  Conclusion:

  Option D, CrackMapExec, is the most suitable tool for continuing the attack using an NTLM hash. It supports pass-the-hash techniques and other operations that can leverage NTLM hashes effectively.

• Question 308:

  A Chief Information Security Officer wants a penetration tester to evaluate the security awareness level of the company's employees.

  Which of the following tools can help the tester achieve this goal?

  A. Metasploit
  B. Hydra
  C. SET
  D. WPScan
  A. Metasploit

• Question 309:

  A security analyst is conducting an unknown environment test from 192.168 3.3. The analyst wants to limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems.

  Which of the following Nmap commands should the analyst use to achieve.

  This objective?

  A. Nmap 192.168.5.5
  B. Map atalength 2.192.168.5.5
  C. Nmap 10.5.2.2.168.5.5
  D. Map canflags SYNFIN 192.168.5.5
  D. Map canflags SYNFIN 192.168.5.5

  ---

  Explanation

  To limit observation of the penetration tester's activities and lower the probability of detection by intrusion protection and detection systems, the security analyst should use the Nmap -D 10.5.2.2 192.168.3.3

  command 1. The -D option is used to conceal the identity of the attacker by using decoy IP addresses.

  This option can be used to confuse the IDS/IPS and lower the probability of detection

  References: CompTIA. (2021). CompTIA PenTest+ Certification Exam Objectives.

  https://www.comptia.org/content/dam/comptia/documents/certifications/Exam%20Objectives/CompTIA-PenTest%2B%20Exam%20Objectives%20PT0-002.pdf

• Question 310:

  In a file stored in an unprotected source code repository, a penetration tester discovers the following line of code:

  sshpass -p donotchange ssh [email protected]

  Which of the following should the tester attempt to do next to take advantage of this information?

  (Select two).

  A. Use Nmap to identify all the SSH systems active on the network.
  B. Take a screen capture of the source code repository for documentation purposes.
  C. Investigate to find whether other files containing embedded passwords are in the code repository.
  D. Confirm whether the server 192.168.6.14 is up by sending ICMP probes.
  E. Run a password-spraying attack with Hydra against all the SSH servers.
  F. Use an external exploit through Metasploit to compromise host 192.168.6.14.
  B. Take a screen capture of the source code repository for documentation purposes.
  C. Investigate to find whether other files containing embedded passwords are in the code repository.

  ---

  Explanation

  When a penetration tester discovers hard-coded credentials in a file within an unprotected source code repository, the next steps should focus on documentation and further investigation to identify additional security issues.

  Taking a Screen Capture (Option B):

  Documentation: It is essential to document the finding for the final report. A screen capture provides concrete evidence of the discovered hard-coded credentials.

  Audit Trail: This ensures that there is a record of the vulnerability and can be used to communicate the issue to stakeholders, such as the development team or the client.

  Investigating for Other Embedded Passwords (Option C):

  Thorough Search: Finding one hard-coded password suggests there might be others. A thorough investigation can reveal additional credentials, which could further compromise the security of the system.

  Automation Tools: Tools like truffleHog, git-secrets, and grep can be used to scan the repository for other instances of hard-coded secrets.

  References:

  Initial Discovery: Discovering hard-coded credentials often occurs during source code review or automated scanning of repositories.

  Documentation: Keeping detailed records of all findings is a critical part of the penetration testing process.

  This ensures that all discovered vulnerabilities are reported accurately and comprehensively.

  Further Investigation: After finding a hard-coded credential, it is best practice to look for other security issues within the same repository. This might include other credentials, API keys, or sensitive information.

  Steps to Perform:

  Take a Screen Capture:

  Use a screenshot tool to capture the evidence of the hard-coded credentials. Ensure the capture includes the context, such as the file path and relevant code lines.

  Investigate Further:

  Use tools and manual inspection to search for other embedded passwords.

  Commands such as grep can be helpful:

  grep -r 'password' /path/to/repository

  Tools like truffleHog can search for high entropy strings indicative of secrets: trufflehog --regex --entropy=True /path/to/repository

  By documenting the finding and investigating further, the penetration tester ensures a comprehensive assessment of the repository, identifying and mitigating potential security risks effectively.