CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 391:

  A penetration tester initiated the transfer of a large data set to verify a proof-of-concept attack as permitted by the ROE. The tester noticed the client's data included PII, which is out of scope, and immediately stopped the transfer.

  Which of the following MOST likely explains the penetration tester's decision?

  A. The tester had the situational awareness to stop the transfer.
  B. The tester found evidence of prior compromise within the data set.
  C. The tester completed the assigned part of the assessment workflow.
  D. The tester reached the end of the assessment time frame.
  A. The tester had the situational awareness to stop the transfer.

  ---

  Explanation

  Situational awareness is the ability to perceive and understand the environment and events around oneself, and to act accordingly. The penetration tester demonstrated situational awareness by stopping the transfer of PII, which was out of scope and could have violated the ROE or legal and ethical principles. The other options are not relevant to the situation or the decision of the penetration tester.

• Question 392:

  A penetration tester attempts to run an automated web application scanner against a target URL. The tester validates that the web page is accessible from a different device. The tester analyzes the following HTTP request header logging output:

  

  Which of the following actions should the tester take to get the scans to work properly?

  A. Modify the scanner to slow down the scan.
  B. Change the source IP with a VPN.
  C. Modify the scanner to only use HTTP GET requests.
  D. Modify the scanner user agent.
  D. Modify the scanner user agent.

• Question 393:

  A tester is working on an engagement that has evasion and stealth requirements.

  Which of the following enumeration methods is the least likely to be detected by the IDS?

  A. curl https://api.shodan.io/shodan/host/search?key=<API_KEY>&query=hostname:<target>
  B. proxychains nmap -sV -T2 <target>
  C. for i in <target>; do curl -k $i; done
  D. nmap -sV -T2 <target>
  A. curl https://api.shodan.io/shodan/host/search?key=<API_KEY>&query=hostname:<target>

  ---

  Explanation

  Option A uses Shodan's API to gather information about a target without directly touching the target system. This makes it the stealthiest option as there's no traffic generated from the tester's IP to the target.

  Options B & D use Nmap which is active scanning, and while -T2 reduces intensity, it still generates packets.

  Option C is a custom curl script that also interacts directly with the target and can trigger IDS alerts.

  References:

  PT0-003 Objective 2.1 & 2.3: Passive vs Active reconnaissance techniques.

  Using OSINT sources like Shodan is a key stealth recon method.

• Question 394:

  A penetration tester is evaluating a company's cybersecurity preparedness. The tester wants to acquire valid credentials using a social engineering campaign.

  Which of the following tools and techniques are most applicable in this scenario? (Select two).

  A. TruffleHog for collecting credentials
  B. Shodan for identifying potential targets
  C. Gophish for sending phishing emails
  D. Maltego for organizing targets
  E. theHarvester for discovering additional targets
  F. Evilginx for handling legitimate authentication requests through a proxy
  C. Gophish for sending phishing emails
  F. Evilginx for handling legitimate authentication requests through a proxy

  ---

  Explanation

  To acquire valid credentials through a social engineering campaign, the tester needs both a mechanism to deliver phishing content to targets and a technique to capture authentication data when users attempt to log in. Gophish is a phishing campaign framework designed for security testing. It allows testers to create and send phishing emails, manage landing pages, and track campaign metrics such as email opens, link clicks, and submitted credentials. This makes it well suited for conducting controlled phishing simulations as part of a social engineering assessment.

  Evilginx is commonly used in credential-harvesting scenarios because it operates as a reverse-proxy phishing platform. It relays authentication traffic between the victim and the legitimate website while capturing credentials and session tokens during the login process. This technique allows testers to evaluate whether authentication protections such as multi-factor authentication and conditional access controls can be bypassed during a phishing attack.

  The other options are not primarily used to obtain credentials through social engineering campaigns.

  TruffleHog is used to search for exposed secrets in repositories. Shodan identifies internet-exposed systems. Maltego and theHarvester assist with reconnaissance and target discovery rather than credential capture. Therefore, Gophish and Evilginx are the tools most applicable to this scenario.

• Question 395:

  A penetration tester is performing an assessment against a customer's web application that is hosted in a major cloud provider's environment. The penetration tester observes that the majority of the attacks attempted are being blocked by the organization's WAF.

  Which of the following attacks would be most likely to succeed?

  A. Reflected XSS
  B. Brute-force
  C. DDoS
  D. Direct-to-origin
  D. Direct-to-origin

• Question 396:

  Which of the following are valid reasons for including base, temporal, and environmental CVSS metrics in the findings section of a penetration testing report? (Select two).

  A. Providing details on how to remediate vulnerabilities
  B. Helping to prioritize remediation based on threat context
  C. Including links to the proof-of-concept exploit itself
  D. Providing information on attack complexity and vector
  E. Prioritizing compliance information needed for an audit
  F. Adding risk levels to each asset
  B. Helping to prioritize remediation based on threat context
  D. Providing information on attack complexity and vector

  ---

  Explanation

  The Common Vulnerability Scoring System (CVSS) provides a standardized way to evaluate the severity of security vulnerabilities. It includes:

  Base Metrics: Inherent characteristics of a vulnerability (e.g., attack vector, complexity).

  Temporal Metrics: Factors that change over time (e.g., exploit availability).

  Environmental Metrics: Customization based on an organization's environment.

  Correct answers:

  Helping to prioritize remediation based on threat context (Option B):

  CVSS scores help organizations prioritize vulnerabilities based on real-world impact.

  The Environmental metric allows customization based on business risk.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Risk Prioritization in Reporting"

  Providing information on attack complexity and vector (Option D):

  CVSS Base scores define attack complexity (e.g., low vs. high) and attack vector (e.g., network vs. physical).

  This helps security teams understand how a vulnerability can be exploited.

  CompTIA PenTest+ PT0-003 Official Study Guide - "CVSS Metrics in Vulnerability Assessment"

  Incorrect options:

  Option A (Providing remediation details): CVSS does not include remediation steps

  it only scores severity.

  Option C (Proof-of-concept exploit links): CVSS scores are not based on specific exploits.

  Option E (Compliance information): CVSS focuses on technical risk, not regulatory compliance.

  Option F (Adding risk levels to assets): CVSS evaluates individual vulnerabilities, not asset risk classification.

• Question 397:

  While conducting an assessment, a penetration tester identifies the details for several unreleased products announced at a company-wide meeting.

  Which of the following attacks did the tester most likely use to discover this information?

  A. Eavesdropping
  B. Bluesnarfing
  C. Credential harvesting
  D. SQL injection attack
  A. Eavesdropping

  ---

  Explanation

  Eavesdropping involves intercepting communications between parties without their consent. If the details were obtained from a meeting, it likely involved intercepting audio or network communications, such as unsecured VoIP calls, radio signals, or in-room microphones.

  Why Not Other Options?

  Option B (Bluesnarfing): Targets Bluetooth-enabled devices, which is unlikely to apply to general meeting communications.

  Option C (Credential harvesting): Focuses on collecting user credentials and does not explain the discovery of product details from a meeting.

  Option D (SQL injection): Exploits databases and is unrelated to capturing meeting communication.

  References:

  Domain 3.0 (Attacks and Exploits)

  Techniques for Intercepting Communication

• Question 398:

  A penetration tester is enumerating a Linux system. The goal is to modify the following script to provide more comprehensive system information:

  #!/bin/bash

  ps aux >> linux_enum.txt

  Which of the following lines would provide the most comprehensive enumeration of the system?

  A. cat /etc/passwd >> linux_enum.txt; netstat -tuln >> linux_enum.txt; cat /etc/bash.bashrc >> linux_enum.txt
  B. whoami >> linux_enum.txt; uname -a >> linux_enum.txt; ifconfig >> linux_enum.txt
  C. hostname >> linux_enum.txt; echo $USER >> linux_enum.txt; curl ifconfig.me >> linux_enum.txt
  D. lsof -i >> linux_enum.txt; uname -a >> linux_enum.txt; ls /home/ >> linux_enum.txt
  A. cat /etc/passwd >> linux_enum.txt; netstat -tuln >> linux_enum.txt; cat /etc/bash.bashrc >> linux_enum.txt

  ---

  Explanation

  This command gathers:

  /etc/passwd lists all local user accounts.

  netstat -tuln lists listening ports and associated services.

  /etc/bash.bashrc contains environment variables and configurations that could reveal system behaviors or hidden persistence mechanisms.

  This provides a much broader and deeper enumeration compared to other options.

  References:

  PT0-003 Objective 4.1 Post-exploitation techniques including enumeration of system users, services, and configurations.

• Question 399:

  A penetration tester discovers a deprecated directory in which files are accessible to anyone.

  Which of the following would most likely assist the penetration tester in finding sensitive information without raising suspicion?

  A. Enumerating cached pages available on web pages
  B. Looking for externally available services
  C. Scanning for exposed ports associated with the domain
  D. Searching for vulnerabilities and potential exploits
  A. Enumerating cached pages available on web pages

  ---

  Explanation

  When a penetration tester finds a deprecated web directory that's publicly accessible, the goal is to gather as much information as possible without triggering alerts.

  Enumerating cached pages (such as those stored by Google Cache, the Wayback Machine, or local proxy caches) allows the tester to:

  View historical or deleted content that might contain sensitive data, credentials, or configuration info.

  Gather evidence without directly interacting with the target system, thus minimizing detection risk.

  Why not the others:

  Option B: Looking for externally available services: Useful for attack surface mapping, but not for extracting data from the discovered directory.

  Option C: Scanning for exposed ports: Active probing that increases detection risk; unrelated to exploring a directory.

  Option D: Searching for vulnerabilities/exploits: Premature; reconnaissance and content discovery come first.

  CompTIA PT0-003 Mapping:

  Domain 2.0: Information Gathering and Vulnerability Scanning OSINT and passive reconnaissance to identify exposed data and files.

• Question 400:

  A penetration tester is conducting an engagement against an internet-facing web application and planning a phishing campaign.

  Which of the following is the BEST passive method of obtaining the technical contacts for the website?

  A. WHOIS domain lookup
  B. Job listing and recruitment ads
  C. SSL certificate information
  D. Public data breach dumps
  A. WHOIS domain lookup

  ---

  Explanation

  The BEST passive method of obtaining the technical contacts for the website would be a WHOIS domain lookup. WHOIS is a protocol that provides information about registered domain names, such as the registration date, registrant's name and contact information, and the name servers assigned to the domain.

  By performing a WHOIS lookup, the penetration tester can obtain the contact information of the website's technical staff, which can be used to craft a convincing phishing email.