CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 51:

  SIMULATION A penetration tester has been provided with only the public domain name and must enumerate additional information for the public-facing assets. INSTRUCTIONS Select the appropriate answer(s), given the output from each section. Output 1

  

  

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  

• Question 52:

  During a web application assessment, a penetration tester identifies an input field that allows JavaScript injection. The tester inserts a line of JavaScript that results in a prompt, presenting a text box when browsing to the page going forward.

  Which of the following types of attacks is this an example of?

  A. SQL injection
  B. SSRF
  C. XSS
  D. Server-side template injection
  C. XSS

  ---

  Explanation

  Cross-Site Scripting (XSS) is an attack that involves injecting malicious scripts into web pages viewed by other users. Here's why option C is correct:

  XSS (Cross-Site Scripting): This attack involves injecting JavaScript into a web application, which is then executed by the user's browser. The scenario describes injecting a JavaScript prompt, which is a typical

  XSS payload.

  SQL Injection: This involves injecting SQL commands to manipulate the database and does not relate to JavaScript injection.

  SSRF (Server-Side Request Forgery): This attack tricks the server into making requests to unintended locations, which is not related to client-side JavaScript execution.

  Server-Side Template Injection: This involves injecting code into server-side templates, not JavaScript that executes in the user's browser.

  References from Pentest:

  Horizontall HTB: Demonstrates identifying and exploiting XSS vulnerabilities in web applications.

  Luke HTB: Highlights the process of testing for XSS by injecting scripts and observing their execution in the browser.

• Question 53:

  A penetration tester finishes an initial discovery scan for hosts on a /24 customer subnet. The customer states that the production network is composed of Windows servers but no container clusters. The following are the last several lines from the scan log:

  Line 1: 112 hosts found... trying ports

  Line 2: FOUND 22 with OpenSSH 1.2p2 open on 99 hosts Line 3: FOUND 161 with UNKNOWN banner open on 110 hosts Line 4: TCP RST received on ports 21, 3389, 80 Line 5: Scan complete.

  Which of the following is the most likely reason for the results?

  A. Multiple honeypots were encountered
  B. The wrong subnet was scanned
  C. Windows is using WSL
  D. IPS is blocking the ports
  A. Multiple honeypots were encountered

  ---

  Explanation

  Seeing services like OpenSSH 1.2p2 open on 99 hosts, and port 161 (SNMP) with unknown banners on 110 hosts suggests a high level of uniformity, which is uncommon in real-world Windows environments.

  This strongly points to honeypots being present, possibly for detection or deception.

  The official CompTIA guide discusses this under scan anomalies: "Identical responses from a large number of hosts, especially deprecated versions or unchanging banners, could indicate the presence of honeypots or decoy systems."

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 5

• Question 54:

  A tester gains initial access to a server and needs to enumerate all corporate domain DNS records.

  Which of the following commands should the tester use?

  A. dig +short A AAAA local.domain
  B. nslookup local.domain
  C. dig axfr @local.dns.server
  D. nslookup -server local.dns.server local.domain *
  C. dig axfr @local.dns.server

• Question 55:

  During a penetration test, a junior tester uses Hunter.io for an assessment and plans to review the information that will be collected.

  Which of the following describes the information the junior tester will receive from the Hunter.io tool?

  A. A collection of email addresses for the target domain that is available on multiple sources on the internet
  B. DNS records for the target domain and subdomains that could be used to increase the external attack surface
  C. Data breach information about the organization that could be used for additional enumeration
  D. Information from the target's main web page that collects usernames, metadata, and possible data exposures
  A. A collection of email addresses for the target domain that is available on multiple sources on the internet

  ---

  Explanation

  Hunter.io is a tool used for finding professional email addresses associated with a domain. Here's what it provides:

  Functionality of Hunter.io:

  Email Address Collection: Gathers email addresses associated with a target domain from various sources across the internet.

  Verification: Validates the email addresses to ensure they are deliverable.

  Sources: Aggregates data from public sources, company websites, and other internet databases.

  Comparison with Other Options:

  DNS Records (B): Hunter.io does not focus on DNS records; tools like dig or nslookup are used for DNS information.

  Data Breach Information (C): Services like Have I Been Pwned are used for data breach information.

  Web Page Information (D): Tools like wget, curl, or specific web scraping tools are used for collecting detailed web page information.

  Hunter.io is specifically designed to collect and validate email addresses for a given domain, making it the correct answer.

• Question 56:

  Before starting an assessment, a penetration tester needs to scan a Class B IPv4 network for open ports in a short amount of time.

  Which of the following is the best tool for this task?

  A. Burp Suite
  B. masscan
  C. Nmap
  D. hping
  B. masscan

  ---

  Explanation

  When needing to scan a large network for open ports quickly, the choice of tool is critical. Here's why option B is correct:

  masscan: This tool is designed for high-speed port scanning and can scan entire networks much faster than traditional tools like Nmap. It can handle large ranges of IP addresses and ports with high efficiency.

  Nmap: While powerful and versatile, Nmap is generally slower than masscan for scanning very large networks, especially when speed is crucial.

  Burp Suite: This tool is primarily for web application security testing and not optimized for network-wide port scanning. hping: This is a network tool used for packet crafting and network testing, but it is not designed for high-speed network port scanning.

  References from Pentest:

  Luke HTB: Highlights the use of efficient tools for large-scale network scanning to identify open ports quickly.

  Anubis HTB: Demonstrates scenarios where high-speed scanning tools like masscan are essential for large network assessments.

• Question 57:

  A company hires a penetration tester to test the security of its wireless networks. The main goal is to intercept and access sensitive data.

  Which of the following tools should the security professional use to best accomplish this task?

  A. Metasploit
  B. WiFi-Pumpkin
  C. SET
  D. theHarvester
  E. WiGLE.net
  B. WiFi-Pumpkin

  ---

  Explanation

  WiFi-Pumpkin is used for man-in-the-middle (MitM) attacks on Wi-Fi networks, making it ideal for intercepting and accessing data.

  Option A (Metasploit): Good for exploitation, but not specialized for Wi-Fi attacks.

  Option B (WiFi-Pumpkin) : Correct.

  Creates fake Wi-Fi access points.

  Intercepts network traffic (SSL stripping, DNS spoofing).

  Option C (SET - Social Engineering Toolkit): Focuses on phishing, not Wi-Fi attacks.

  Option D (theHarvester): Used for OSINT, not Wi-Fi exploitation.

  Option E (WiGLE.net): Maps Wi-Fi networks, but does not capture sensitive data.

  References:

  CompTIA PenTest+ PT0-003 Official Guide - Wireless Attacks&

  Fake APs

• Question 58:

  Which of the following types of information would MOST likely be included in an application security assessment report addressed to developers? (Choose two.)

  A. Use of non-optimized sort functions
  B. Poor input sanitization
  C. Null pointer dereferences
  D. Non-compliance with code style guide
  E. Use of deprecated Javadoc tags
  F. A cydomatic complexity score of 3
  B. Poor input sanitization
  C. Null pointer dereferences

• Question 59:

  Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?

  A. Preserving artifacts
  B. Reverting configuration changes
  C. Keeping chain of custody
  D. Exporting credential data
  A. Preserving artifacts

  ---

  Explanation

  Preserving Artifacts:

  Other Tasks:

  References:

  Reporting: Comprehensive documentation and reporting of findings are crucial parts of penetration testing.

  Evidence Handling: Properly preserving and handling artifacts ensure that the integrity of the test results is maintained and can be used for future reference. By preserving artifacts, the penetration tester ensures that all key outputs from the test are retained for analysis, reporting, and future reference.

• Question 60:

  A penetration tester is conducting an unknown environment test and gathering additional information that can be used for later stages of an assessment.

  Which of the following would most likely produce useful information for additional testing?

  A. Searching for code repositories associated with a developer who previously worked for the target company code repositories associated with the
  B. Searching for code repositories target company's organization
  C. Searching for code repositories associated with the target company's organization
  D. Searching for code repositories associated with a developer who previously worked for the target company
  B. Searching for code repositories target company's organization

  ---

  Explanation

  Code repositories are online platforms that store and manage source code and other files related to software development projects. Code repositories can contain useful information for additional testing, such as application names, versions, features, functions, vulnerabilities, dependencies, credentials, comments, or documentation. Searching for code repositories associated with the target company's organization would most likely produce useful information for additional testing, as it would reveal the software projects that the target company is working on or using, and potentially expose some weaknesses or flaws that can be exploited. Code repositories can be searched by using tools such as GitHub, GitLab, Bitbucket, or SourceForge. The other options are not as likely to produce useful information for additional testing, as they are not directly related to the target company's software development activities. Searching for code repositories associated with a developer who previously worked for the target company may not yield any relevant or current information, as the developer may have deleted, moved, or updated their code repositories after leaving the company. Searching for code repositories associated with the target company's competitors or customers may not yield any useful or accessible information, as they may have different or unrelated software projects, or they may have restricted or protected their code repositories from public view.