CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 331:

  auth=yYKGORbrpabgr842ajbvrpbptaui42342

  When the tester logs in, the server sends only one Set-Cookie header, and the value is exactly the same as shown above.

  Which of the following vulnerabilities has the tester discovered?

  A. JWT manipulation
  B. Cookie poisoning
  C. Session fixation
  D. Collision attack
  C. Session fixation

  ---

  Explanation

  Session fixation occurs when an application accepts a session identifier provided by the client (or set before authentication) and continues to use that same identifier after the user authenticates. In this scenario the server issues the same cookie value both before and after login, indicating the session ID is set pre-authentication and not rotated/renewed on successful authentication -- a classic session fixation vulnerability. An attacker could force or coerce a victim to use a known session ID, then log in and hijack the authenticated session.

  Why not the others: Option A: JWT manipulation: Would involve JSON Web Tokens (signed tokens with predictable structure);

  the cookie shown has no JWT structure.

  Option B: Cookie poisoning: Usually refers to unauthorized modification of cookie contents to change application behavior -- not the primary issue here.

  Option D: Collision attack: Cryptographic collision attacks are not relevant to identical session cookies before /after login.

  CompTIA PT0-003 Mapping:

  Domain 3.0 Attacks and Exploits -- web application session management vulnerabilities (session fixation,

  improper session handling).

• Question 332:

  A penetration tester was able to gather MD5 hashes from a server and crack the hashes easily with rainbow tables.

  Which of the following should be included as a recommendation in the remediation report?

  A. Stronger algorithmic requirements
  B. Access controls on the server
  C. Encryption on the user passwords
  D. A patch management program
  A. Stronger algorithmic requirements

• Question 333:

  During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:

  findstr /SIM /C:"pass" *.txt *.cfg *.

  xml Which of the following is the penetration tester trying to enumerate?

  A. Configuration files
  B. Permissions
  C. Virtual hosts
  D. Secrets
  D. Secrets

  ---

  Explanation

  By running the command findstr /SIM /C:"pass" *.txt *.cfg *.xml, the penetration tester is trying to enumerate secrets.

  Command Analysis:

  findstr: A command-line utility in Windows used to search for specific strings in files.

  /SIM: Combination of options; /S searches for matching files in the current directory and all subdirectories, / I specifies a case-insensitive search, and /M prints only the filenames with matching content.

  /C:"pass": Searches for the literal string "pass".

  ***.txt .cfg .xml: Specifies the file types to search within.

  Objective:

  The command is searching for the string "pass" within .txt, .cfg, and .xml files, which is indicative of searching for passwords or other sensitive information (secrets).

  These file types commonly contain configuration details, credentials, and other sensitive data that might include passwords or secrets.

  Other Options:

  Configuration files: While .cfg and .xml files can be configuration files, the specific search for "pass" indicates looking for secrets like passwords.

  Permissions: This command does not check or enumerate file permissions.

  Virtual hosts: This command is not related to enumerating virtual hosts.

  References:

  Post-Exploitation: Enumerating sensitive information like passwords is a common post-exploitation activity after gaining initial access.

  Credential Discovery: Searching for stored credentials within configuration files and documents to escalate privileges or move laterally within the network.

  By running this command, the penetration tester aims to find stored passwords or other secrets that could help in further exploitation of the target system.

• Question 334:

  A penetration tester enumerates a legacy Windows host on the same subnet. The tester needs to select exploit methods that will have the least impact on the host's operating stability.

  Which of the following commands should the tester try first?

  A. responder -I eth0 john responder_output.txt <rdp to target>
  B. hydra -L administrator -P /path/to/pwlist.txt -t 100 rdp://<target_host>
  C. msf > use <module_name> msf > set <options> msf > set PAYLOAD windows/meterpreter/reverse_tcp msf > run
  D. python3 ./buffer_overflow_with_shellcode.py <target> 445
  A. responder -I eth0 john responder_output.txt <rdp to target>

  ---

  Explanation

  Responder is a tool used for capturing and analyzing NetBIOS, LLMNR, and MDNS queries to perform various man-in-the-middle (MITM) attacks. It can be used to capture hashed credentials, which can then be cracked offline. Using Responder has the least impact on the host's operating stability compared to more aggressive methods like buffer overflow attacks or payload injections.

  Understanding Responder:

  Purpose: Responder is used to capture NTLMv2 hashes from a Windows network.

  Operation: It listens on the network for LLMNR, NBT-NS, and MDNS requests and responds to them, tricking the client into authenticating with the attacker's machine.

  Command Breakdown:

  responder -I eth0: Starts Responder on the network interface eth 0. john responder_output.txt: Uses John the Ripper to crack the hashes captured by Responder.

  <rdp to target>: Suggests the next step after capturing credentials might involve using RDP with the cracked password, but the initial capture is passive and low impact.

  Why This is the Best Choice:

  Least Impact: Responder passively captures network traffic without interacting directly with the target host's system processes.

  Stealth: It operates quietly on the network, making it less likely to cause stability issues or be detected by host-based security mechanisms.

  References from Pentesting Literature:

  Tools like Responder are discussed in penetration testing guides for initial reconnaissance and credential gathering without causing significant disruptions.

  HTB write-ups frequently mention the use of Responder in network-based attacks to capture credentials safely.

  Step-by-Step ExplanationReferences:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 335:

  During an engagement, a penetration tester runs the following command against the host system:

  host -t axfr domain.com dnsl.domain.com

  Which of the following techniques best describes what the tester is doing?

  A. Zone transfer
  B. Host enumeration
  C. DNS poisoning
  D. DNS query
  A. Zone transfer

  ---

  Explanation

  A DNS zone transfer attack occurs when a misconfigured DNS server allows attackers to retrieve the entire DNS record set.

  Zone transfer (Option A):

  The command host -t axfr domain.com dnsl.domain.com requests an AXFR (authoritative transfer) of the

  DNS records.

  This provides subdomains, email servers, and internal DNS records, which attackers can use for reconnaissance.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "DNS Enumeration Techniques"

  Incorrect options:

  Option B (Host enumeration): Host enumeration gathers information about a specific host, not the entire

  DNS zone.

  Option C (DNS poisoning): DNS poisoning modifies cache entries to redirect users. This is a different attack.

  Option D (DNS query): A standard DNS query retrieves a single record, not a full zone transfer.

• Question 336:

  A penetration tester observes the following output from an Nmap command while attempting to troubleshoot connectivity to a Linux server:

  

  Which of the following is the most likely reason for the connectivity issue?

  A. The SSH service is running on a different port.
  B. The SSH service is blocked by a firewall.
  C. The SSH service requires certificate authentication.
  D. The SSH service is not active.
  A. The SSH service is running on a different port.

  ---

  Explanation

  The key detail in the Nmap scan output is that port 2222/tcp is open and running the SSH service. The standard SSH port is 22, so if the tester was attempting to connect on port 22, they would not succeed because SSH is instead listening on port 2222.

  This is a common security hardening tactic--moving services to non-standard ports to reduce automated attacks.

  There is no indication that the service is blocked (B), or requires certificates (C), or is inactive (D), because Nmap clearly shows the service is open and identified.

  References:

  PT0-003 Objective 3.3: Analyze tool output or data related to engagement activities.

  Nmap usage and interpreting scan results is emphasized in multiple sections.

• Question 337:

  A penetration tester compromises a Windows OS endpoint that is joined to an Active Directory local environment.

  Which of the following tools should the tester use to manipulate authentication mechanisms to move laterally in the network?

  A. Rubeus
  B. WinPEAS
  C. NTLMRelayX
  D. Impacket
  A. Rubeus

  ---

  Explanation

  Rubeus is a post-exploitation tool used for Kerberos abuse, including ticket extraction, pass-the-ticket, ticket renewal, and Kerberoasting. It's ideal for lateral movement within Active Directory environments.

  WinPEAS is mainly used for local privilege escalation and enumeration.

  NTLMRelayX (from Impacket) is useful for relaying NTLM authentication but is not focused on Kerberos.

  Impacket is a collection of tools; Rubeus is more targeted for Kerberos attacks.

  References:

  PT0-003 Objective 4.2 ?Tools and techniques for lateral movement and manipulating authentication in Windows AD environments.

• Question 338:

  A penetration tester attempts to obtain the preshared key for a client's wireless network.

  Which of the following actions will most likely aid the tester?

  A. Deploying an evil twin with a WiFi Pineapple
  B. Performing a password spraying attack with Hydra
  C. Setting up a captive portal using SET
  D. Deauthenticating clients using aireplay-ng
  D. Deauthenticating clients using aireplay-ng

  ---

  Explanation

  Obtaining a wireless preshared key (PSK) in a WPA/WPA2-Personal environment typically relies on capturing the 4-way handshake (or equivalent key exchange) between a client and the access point.

  PenTest+ emphasizes that the handshake is captured when a client authenticates or reauthenticates to the network; once the handshake is collected, the tester can attempt an offline password attack to determine the PSK (subject to rules of engagement and authorization).

  Using aireplay-ng to perform a deauthentication attack forces connected clients to disconnect and then automatically reconnect, which triggers a new handshake that can be captured by the tester's monitoring interface. This directly supports the goal of acquiring material needed to recover the PSK.

  An evil twin (A) and captive portal (C) are social-engineering approaches more aligned with credential harvesting for enterprise or portal-based access, not reliably extracting a WPA2-PSK. Password spraying with Hydra (B) targets online login services and is not applicable to cracking a WPA/WPA2 PSK, which is derived from the handshake and performed offline.

• Question 339:

  A penetration tester needs to scan a remote infrastructure with Nmap.

  The tester issues the following command: nmap 10.10.1.0/24 Which of the following is the number of TCP ports that will be scanned?

  A. 256
  B. 1,000
  C. 1,024
  D. 65,535
  B. 1,000

  ---

  Explanation

  Default Behavior of Nmap Scans:

  Why Not Other Options?

  References:

  Domain 2.0 (Information Gathering and Vulnerability Identification)

• Question 340:

  A penetration tester is conducting a penetration test and discovers a vulnerability on a web server that is owned by the client. Exploiting the vulnerability allows the tester to open a reverse shell. Enumerating the server for privilege escalation, the tester discovers the following:

  

  Which of the following should the penetration tester do NEXT?

  A. Close the reverse shell the tester is using.
  B. Note this finding for inclusion in the final report.
  C. Investigate the high numbered port connections.
  D. Contact the client immediately.
  C. Investigate the high numbered port connections.

  ---

  Explanation

  49155. These ports are in the range of ephemeral ports, which are dynamically assigned by the operating system for temporary use by applications or processes. The foreign addresses of these connections are also high numbered ports, such as 4433, 4434, 4435, and 4436. These ports are not well-known or registered ports for any common service or protocol. The combination of high numbered ports for both local and foreign addresses suggests that these connections are suspicious and may indicate a backdoor or a covert channel on the host.

  Therefore, the penetration tester should investigate these connections next to determine their nature and purpose. The other options are not appropriate actions for the penetration tester at this stage.