CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 31:

  A penetration tester intercepts HTTP traffic and sees:

  Set-Cookie: sessionid=12345abcd; SameSite=None; Secure

  The tester later observes that session cookies remain unchanged after authentication.

  What vulnerability is MOST likely present?

  A. Cookie poisoning
  B. Session fixation
  C. Cross-site scripting
  D. Header injection
  B. Session fixation

  ---

  Explanation

  Reusing the same cookie before and after login is classic session fixation, enabling attackers to predetermine a victim's session ID.

  Why not others:

  Option A - Cookie poisoning modifies values but doesn't explain pre-login reuse.

  Option C - No script injection is shown.

  Option D - No header manipulation is implied.

  PT0-003 Mapping: Domain 3 - Web application session management weaknesses.

• Question 32:

  A penetration tester found several critical SQL injection vulnerabilities during an assessment of a client's system. The tester would like to suggest mitigation to the client as soon as possible.

  Which of the following remediation techniques would be the BEST to recommend? (Choose two.)

  A. Closing open services
  B. Encryption users' passwords
  C. Randomizing users' credentials
  D. Users' input validation
  E. Parameterized queries
  F. Output encoding
  D. Users' input validation
  E. Parameterized queries

  ---

  Explanation

  SQL injection is a type of attack that exploits a vulnerability in a web application that allows an attacker to execute malicious SQL statements on a database server. SQL injection can result in data theft, data corruption, authentication bypass, or command execution. To mitigate SQL injection vulnerabilities, the following remediation techniques are recommended: Users' input validation: This involves checking and sanitizing the user input before passing it to the database server. Input validation can prevent malicious or unexpected input from reaching the database server and causing harm. Input validation can be done by using whitelists, blacklists, regular expressions, or escaping mechanisms.

  Parameterized queries: This involves using placeholders or parameters for user input instead of concatenating it with the SQL statement. Parameterized queries can separate the user input from the SQL logic and prevent it from being interpreted as part of the SQL statement. Parameterized queries can be implemented by using prepared statements, stored procedures, or frameworks that support them. The other options are not relevant or effective remediation techniques for SQL injection vulnerabilities.

• Question 33:

  A penetration tester finds that an application responds with the contents of the /etc/passwd file when the following payload is sent:

  xml

  Copy code

  <?xml version="1.0"?>

  <!DOCTYPE data [ <!ENTITY foo SYSTEM "file:///etc/passwd" >

  ]>

  <test>&foo;</test>

  Which of the following should the tester recommend in the report to best prevent this type of vulnerability?

  A. Drop all excessive file permissions with chmod o-rwx.
  B. Ensure the requests application access logs are reviewed frequently.
  C. Disable the use of external entities.
  D. Implement a WAF to filter all incoming requests.
  C. Disable the use of external entities.

  ---

  Explanation

  The vulnerability in question is XML External Entity (XXE) injection, which occurs when an application processes XML input containing external entities that access files on the server or external resources.

  Disabling External Entities:

  The root cause of the issue is the application's ability to process external entities (<!ENTITY foo SYSTEM ... >). Disabling external entities entirely prevents XXE attacks.

  This can be achieved by properly configuring the XML parser (e.g., in Java, disable DocumentBuilderFactory. setFeature("

  http://apache.org/xml/features/disallow-doctype-decl

  ", true)).WhyNotOtherOptions?OptionA(chmodo-rwx):FilepermissionhardeningmayreducetheimpactofasuccessfulattackbutdoesnotmitigateXXEattheparserlevel.OptionB(Reviewlogs):Reviewinglogsisareactivemeasure,notapreventionmechanism.OptionD(WAF):AWAFmayblocksomemaliciousrequestsbutisnotareliablemitigationforXXEvulnerabilitiesembeddedinlegitimateXMLinput.

  References:

  Domain 3.0 (Attacks and Exploits) OWASP XXE Prevention Cheat Sheet

• Question 34:

  A penetration testing firm performs an assessment every six months for the same customer. While performing network scanning for the latest assessment, the penetration tester observes that several of the target hosts appear to be residential connections associated with a major television and ISP in the area.

  Which of the following is the most likely reason for the observation?

  A. The penetration tester misconfigured the network scanner.
  B. The network scanning tooling is not functioning properly.
  C. The IP ranges changed ownership.
  D. The network scanning activity is being blocked by a firewall.
  C. The IP ranges changed ownership.

  ---

  Explanation

  When a penetration tester notices several target hosts appearing to be residential connections associated with a major television and ISP, it's likely that the IP ranges initially assigned to the target organization have changed ownership and are now allocated to the ISP for residential use. This can happen due to reallocation of IP addresses by regional internet registries. Misconfiguration of the scanner (option A), malfunctioning of scanning tools (option B), or firewall blocking (option D) would not typically result in the discovery of residential connections in place of expected organizational targets.

• Question 35:

  During an engagement, a penetration tester needs to break the key for the Wi-Fi network that uses WPA2 encryption.

  Which of the following attacks would accomplish this objective?

  A. ChopChop
  B. Replay
  C. Initialization vector
  D. KRACK
  D. KRACK

  ---

  Explanation

  KRACK (Key Reinstallation Attack) exploits a vulnerability in the WPA2 protocol to decrypt and inject packets, potentially allowing an attacker to break the encryption key and gain access to the Wi-Fi network.

  Understanding KRACK:

  Attack Steps:

  Impact:

  Mitigation:

  References from Pentesting Literature:

  Step-by-Step ExplanationReferences: Penetration Testing - A Hands-on Introduction to Hacking HTB Official Writeups

• Question 36:

  A penetration tester is developing the rules of engagement for a potential client.

  Which of the following would most likely be a function of the rules of engagement?

  A. Testing window
  B. Terms of service
  C. Authorization letter
  D. Shared responsibilities
  A. Testing window

  ---

  Explanation

  The rules of engagement define the scope, limitations, and conditions under which a penetration test is conducted. Here's why option A is correct:

  Testing Window: This specifies the time frame during which the penetration testing activities are authorized to occur. It is a crucial part of the rules of engagement to ensure the testing does not disrupt business operations and is conducted within agreed-upon hours.

  Terms of Service: This generally refers to the legal agreement between a service provider and user, not specific to penetration testing engagements.

  Authorization Letter: This provides formal permission for the penetration tester to perform the assessment but is not a component of the rules of engagement.

  Shared Responsibilities: This refers to the division of security responsibilities between parties, often seen in cloud service agreements, but not specifically a function of the rules of engagement.

  References from Pentest:

  Luke HTB: Highlights the importance of clearly defining the testing window in the rules of engagement to ensure all parties are aligned.

  Forge HTB: Demonstrates the significance of having a well-defined testing window to avoid disruptions and ensure compliance during the assessment.

• Question 37:

  A penetration tester aims to exploit a vulnerability in a wireless network that lacks proper encryption. The lack of proper encryption allows malicious content to infiltrate the network.

  Which of the following techniques would most likely achieve the goal?

  A. Packet injection
  B. Bluejacking
  C. Beacon flooding
  D. Signal jamming
  A. Packet injection

  ---

  Explanation

  If a wireless network lacks proper encryption, attackers can inject malicious packets into the traffic stream.

  Packet injection (Option A):

  Attackers forge and transmit fake packets to manipulate network behavior. Common in WEP/WPA attacks to force IV collisions or spoof DHCP responses.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Wireless Injection and Exploitation Techniques"

  Incorrect options:

  Option B (Bluejacking): Sends spam messages via Bluetooth, not for network exploitation.

  Option C (Beacon flooding): Overloads wireless access points, not an attack on encryption.

  Option D (Signal jamming): Disrupts connectivity but does not inject packets.

• Question 38:

  A penetration tester recently performed a social-engineering attack in which the tester found an employee of the target company at a local coffee shop and over time built a relationship with the employee. On the employee's birthday, the tester gave the employee an external hard drive as a gift.

  Which of the following social-engineering attacks was the tester utilizing?

  A. Phishing
  B. Tailgating
  C. Baiting
  D. Shoulder surfing
  C. Baiting

  ---

  Explanation

  References:

  https://phoenixnap.com/blog/what-is-social-engineering-types-of-threats

• Question 39:

  Which of the following elements of a penetration test report can be used to most effectively prioritize the remediation efforts for all the findings?

  A. Methodology
  B. Detailed findings list
  C. Risk score
  D. Executive summary
  C. Risk score

  ---

  Explanation

  Risk scores quantify the severity and likelihood of exploitation for each finding. This helps organizations prioritize which vulnerabilities to remediate first based on potential impact and exploitability.

  Methodology outlines how the test was performed.

  Findings list shows issues, but without prioritization.

  Executive summary provides a high-level overview for decision-makers, not technical prioritization.

  References:

  PT0-003 Objective 5.2 ?Reporting components including risk ratings and prioritization.

• Question 40:

  A penetration tester is conducting an Nmap scan and wants to scan for ports without establishing a connection. The tester also wants to find version data information for services running on Projects.

  Which of the following Nmap commands should the tester use?

  A. ..nmap -sU -sV -T4 -F target.company.com
  B. ..nmap -sS -sV -F target.company.com
  C. ..nmap -sT -v -T5 target.company.com
  D. ..nmap -sX -sC target.company.com
  B. ..nmap -sS -sV -F target.company.com

  ---

  Explanation

  The Nmap command that the tester should use to scan for ports without establishing a connection and to find version data information for services running on open ports is nmap -sS -sV -F target.company.com.

  This command has the following options:

  -sS performs a TCP SYN scan, which is a scan technique that sends TCP packets with the SYN flag set to the target ports and analyzes the responses. A TCP SYN scan does not establish a full TCP connection, as it only completes the first step of the three-way handshake. A TCP SYN scan can stealthily scan for open ports without alerting the target system or application. -sV performs version detection, which is a feature that probes open ports to determine the service and version information of the applications running on them. Version detection can provide useful information for identifying vulnerabilities or exploits that affect specific versions of services or applications. -F performs a fast scan, which is a scan option that only scans the 100 most common ports according to the nmap-services file. A fast scan can speed up the scan process by avoiding scanning less likely or less interesting ports. target.company.com specifies the domain name of the target system or network to be scanned.

  The other options are not valid Nmap commands that meet the requirements of the question.

  Option A performs a UDP scan (-sU), which is a scan technique that sends UDP packets to the target ports and analyzes the responses. A UDP scan can scan for open ports that use UDP protocol, such as DNS, SNMP, or DHCP. However, a UDP scan does establish a connection with the target system or application, unlike a TCP SYN scan.

  Option C performs a TCP connect scan (- sT), which is a scan technique that sends TCP packets with the SYN flag set to the target ports and completes the three-way handshake with an ACK packet if a SYN/ACK packet is received. A TCP connect scan can scan for open ports that use TCP protocol, such as HTTP, FTP, or SSH. However, a TCP connect scan does establish a full TCP connection with the target system or application, unlike a TCP SYN scan.

  Option D performs an Xmas scan (-sX), which is a scan technique that sends TCP packets with the FIN, PSH, and URG flags set to the target ports and analyzes the responses. An Xmas scan can stealthily scan for open ports without alerting the target system or application, similar to a TCP SYN scan. However, option D does not perform version detection (-sV), which is one of the requirements of the question.