CompTIA PT0-003 Online Practice Questions and Exam Preparation

CompTIA PT0-003 Online Questions & Answers

• Question 81:

  A penetration tester wants to use PowerView in an AD environment.

  Which of the following is the most likely reason?

  A. To collect local hashes
  B. To decrypt stored passwords
  C. To enumerate user groups
  D. To escalate privileges
  C. To enumerate user groups

  ---

  Explanation

  PowerView is a PowerShell tool used for Active Directory enumeration. It is part of the PowerSploit framework and allows penetration testers to gather detailed information about the AD environment, including user accounts, groups, computers, shares, and trust relationships.

  PowerView is most commonly used to: Enumerate domain users, groups, and memberships

  Identify privileged users and group memberships

  Discover domain trusts and permissions

  According to the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 8 ?Post-Exploitation and Lateral Movement):

  "PowerView is a post-exploitation tool used primarily for Active Directory reconnaissance, including user and group enumeration, identifying domain trusts, and mapping out the AD structure."

  References:

  CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 8

• Question 82:

  A penetration tester gains access to a domain server and wants to enumerate the systems within the domain.

  Which of the following tools would provide the best oversight of domains?

  A. Netcat
  B. Wireshark
  C. Nmap
  D. Responder
  C. Nmap

  ---

  Explanation

  Installation:

  Nmap can be installed on various operating systems. For example, on a Debian-based system:

  sudo apt-get install nmap

  Basic Network Scanning:

  To scan a range of IP addresses in the network:

  nmap -sP 192.168.1.0/24 Service and Version Detection: To scan for open ports and detect the service versions running on a specific host:

  nmap -sV 192.168.1.10 Enumerating Domain Systems:

  Use Nmap with additional scripts to enumerate domain systems. For example, using the --script option:

  nmap -p 445 --script=smb-enum-domains 192.168.1.10

  Advanced Scanning Options:

  Stealth Scan: Use the -sS option to perform a stealth scan:

  nmap -sS 192.168.1.10 Aggressive Scan: Use the -A option to enable OS detection, version detection, script scanning, and

  traceroute:

  nmap -A 192.168.1.10 Real-World Example:

  A penetration tester uses Nmap to enumerate the systems within a domain by scanning the network for live hosts and identifying the services running on each host. This information helps in identifying potential vulnerabilities and entry points for further exploitation.

  References from Pentesting Literature:

  In "Penetration Testing - A Hands-on Introduction to Hacking," Nmap is extensively discussed for various stages of the penetration testing process, from reconnaissance to vulnerability assessment.

  HTB write-ups often illustrate the use of Nmap for network enumeration and discovering potential attack vectors.

  References:

  Penetration Testing - A Hands-on Introduction to Hacking

  HTB Official Writeups

• Question 83:

  A penetration tester gains initial access to a system and gets ready to perform additional reconnaissance.

  The tester cannot use Nmap on the system they used to gain initial access. The tester develops the following script to scan a network range:

  $port = 80

  $network = 192.168.1

  $range = 1..254

  $ErrorActionPreference = 'silentlycontinue'

  $(Foreach ($r in $range)

  {

  $ip = "{0}.{1}" -F $network,$r

  Write-Progress "Scanning" $ip -PercentComplete (($r/$range.Count)*100)

  If(Test-Connection -BufferSize 32 -Count 1 -quiet -ComputerName $ip)

  {

  $socket = new-object System.Net.Sockets.TcpClient($ip, $port)

  If($socket.Connected)

  {

  "$ip port $port is open"

  $socket.Close()

  }

  else { "$ip port $port is closed" }

  }

  }) | Out-File C:\nefarious_location\portscan.csv

  The tester wants to modify the current script so multiple ports can be scanned. The tester enters a comma-separated list of ports in the port variable.

  Which of the following should the tester do next to provide the intended outcome?

  A. Duplicate the $socket code block and modify $port for each new port variable.
  B. Add a new Foreach loop directly beneath the other Foreach loop and enclose it with { ... }.
  C. Add $p in $port to the initial Foreach loop directly following the $range variable.
  B. Add a new Foreach loop directly beneath the other Foreach loop and enclose it with { ... }.

  ---

  Explanation

  When Nmap is unavailable on a compromised host, PenTest+ expects testers to adapt by using native scripting (for example, PowerShell) to perform reconnaissance and port checks with built-in .NET classes such as System.Net.Sockets.TcpClient. To scan multiple ports, the script must iterate over two dimensions: the host range and the port list. In PowerShell, supplying a comma-separated list to a variable (for example, $port = 80,443,445) creates an array-like collection. The correct way to use that collection is to add a nested Foreach loop inside the existing loop that iterates through IPs, so each reachable host is tested against every port in the list.

  Duplicating the socket block (A) is inefficient, error-prone, and does not scale as the number of ports grows. Option C is not the correct syntax for combining two enumerations in a single Foreach header;

  PowerShell requires a separate loop (or pipeline) to iterate ports. Therefore, adding a second Foreach directly beneath the current one and enclosing the socket logic within it best achieves the intended multi-port scanning behavior.

• Question 84:

  A penetration tester gains access to a Windows machine and executes:

  reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  The tester discovers an application launched at startup that is writable by all users.

  What type of attack is MOST likely possible?

  A. DLL sideloading
  B. Startup hijacking
  C. Token impersonation
  D. Kerberoasting
  B. Startup hijacking

  ---

  Explanation

  Writable startup executables allow attackers to replace or modify the binary. When Windows boots, the malicious executable runs with the user's privileges, often SYSTEM, leading to startup hijacking.

  Why not others:

  Option A - DLL hijacking requires DLL loading misconfigurations, not writable startup items.

  Option C - Token impersonation requires a privileged session.

  Option D - Kerberoasting involves SPN accounts in Active Directory.

  PT0-003 Mapping: Domain 3 - Persistence and privilege escalation via startup mechanisms.

• Question 85:

  A penetration tester is working in an environment with no Windows hosts and needs to obtain credentials from non-Windows servers, such as SSH systems. The SOC only monitors endpoints, not servers, so aggressive credential-guessing attempts are unlikely to be noticed.

  Which tool and command would BEST allow the tester to perform credential discovery across multiple SSH targets?

  A. pwinspector -i <file_of_targets> -o <found_credentials> -m 8 -M 16 -1 -u -n -p
  B. responder -I eth0
  C. nmap -sV -n -T3 -p 22 <targets> --reason
  D. hydra -L root -P /path/to/wordlist -t 3 -M <file of targets>
  D. hydra -L root -P /path/to/wordlist -t 3 -M <file of targets>

  ---

  Explanation

  The environment contains no Windows hosts (so Windows-specific credential-capture tools like Responder are ineffective). The tester needs credentials on non-Windows servers (likely SSH). The SOC only monitors endpoints (not servers), meaning aggressive credential guessing against servers may go unnoticed. hydra is a parallelized remote-auth brute-force tool that targets services such as SSH and can iterate a username list (-L) and password list (-P) across multiple targets (-M). This makes option D the most direct tool to attempt credential discovery on non-Windows hosts (SSH brute-force).

  Why not the others:

  Option A: pwinspector is Windows-focused/unknown in this context.

  Option B: responder targets LLMNR/NetBIOS broadcasts on Windows networks -- not applicable.

  Option C: nmap will enumerate services (helpful), but it does not obtain credentials.

  PT0-003 mapping: Domain 3 -- post-compromise credential discovery and use of appropriate tools given

  OS /service mix.

• Question 86:

  While performing reconnaissance, a penetration tester attempts to identify publicly accessible ICS (Industrial Control Systems) and IoT (Internet of Things) systems.

  Which of the following tools is most effective for this task?

  A. theHarvester
  B. Shodan
  C. Amass
  D. Nmap
  B. Shodan

  ---

  Explanation

  Shodan is a search engine that specializes in finding internet-connected devices, including ICS, IoT, webcams, routers, and servers. Attackers and security professionals use Shodan to scan for publicly accessible systems that may be vulnerable.

  Option A (theHarvester): theHarvester is primarily used for OSINT (Open-Source Intelligence) gathering, such as email addresses, subdomains, and hostnames, but it does not specialize in ICS/IoT discovery.

  Option B (Shodan): Correct. Shodan scans the internet for connected devices and services, allowing penetration testers to find ICS/IoT systems that are exposed.

  Option C (Amass): Amass is used for subdomain enumeration and DNS reconnaissance, not for ICS or

  IoT discovery.

  Option D (Nmap): Nmap is a port scanner that can identify live hosts and open ports, but it does not search for publicly available systems on a large scale like Shodan.

  References:

  CompTIA PenTest+ PT0-003 Official Guide ?OSINT and Reconnaissance

• Question 87:

  A penetration tester obtains local administrator access on a Windows system and wants to attempt lateral movement. The system exists within a Windows Workgroup environment.

  Which of the following actions should the tester take?

  A. Create a malicious certificate.
  B. Dump credentials from memory.
  C. Craft Kerberos tickets.
  D. List potential privilege escalation paths.
  B. Dump credentials from memory.

  ---

  Explanation

  In a Windows Workgroup environment, systems are not centrally managed by Active Directory, and common domain-based lateral movement techniques (such as Kerberos ticket forging) generally do not apply because there is no domain controller or Kerberos trust relationship to leverage. Since the tester already has local administrator rights on the compromised host, the next logical step for lateral movement is to obtain credentials that can authenticate to other hosts-such as local account passwords, NTLM hashes, or cached credentials-so the tester can attempt SMB/WMI/WinRM/RDP access elsewhere.

  Dumping credentials from memory (often by targeting the authentication subsystem where credentials and hashes may be present during active sessions) supports exactly this goal: it enables "reuse" opportunities like pass-the-hash or testing whether the same local admin password exists across multiple workgroup machines. Creating a malicious certificate is not the most direct path to lateral movement here. Listing privilege escalation paths is unnecessary because the tester already has admin. Crafting Kerberos tickets is domain-centric and least applicable in a workgroup.

• Question 88:

  A penetration tester presents the following findings to stakeholders:

  Control | Number of findings | Risk | Notes

  Encryption | 1 | Low | Weak algorithm noted

  Patching | 8 | Medium | Unsupported systems System hardening | 2 | Low | Baseline drift observed Secure SDLC | 10 | High | Libraries have vulnerabilities

  Password policy | 0 | Low | No exceptions noted Based on the findings, which of the following recommendations should the tester make? (Select two).

  A. Develop a secure encryption algorithm.
  B. Deploy an asset management system.
  C. Write an SDLC policy.
  D. Implement an SCA tool.
  E. Obtain the latest library version.
  F. Patch the libraries.
  D. Implement an SCA tool.
  E. Obtain the latest library version.

  ---

  Explanation

  Based on the findings, the focus should be on addressing vulnerabilities in libraries and ensuring their security. Here's why options D and E are correct:

  Implement an SCA Tool: SCA (Software Composition Analysis) tools are designed to analyze and manage open-source components in an application. Implementing an SCA tool would help in identifying and managing vulnerabilities in libraries, aligning with the finding of vulnerable libraries in the secure SDLC process.

  This recommendation addresses the high-risk finding related to the Secure SDLC by providing a systematic approach to manage and mitigate vulnerabilities in software dependencies.

  Obtain the Latest Library Version:

  Keeping libraries up to date is a fundamental practice in maintaining the security of an application.

  Ensuring that the latest, most secure versions of libraries are used directly addresses the high-risk finding related to vulnerable libraries.

  This recommendation is a direct and immediate action to mitigate the identified vulnerabilities.

  Other Options Analysis:

  Develop a Secure Encryption Algorithm: This is not practical or necessary given that the issue is with the use of a weak algorithm, not the need to develop a new one.

  Deploy an Asset Management System: While useful, this is not directly related to the identified high-risk issue of vulnerable libraries.

  Write an SDLC Policy: While helpful, the more immediate and effective actions involve implementing tools and processes to manage and update libraries.

  References from Pentest:

  Horizontall HTB: Demonstrates the importance of managing software dependencies and using tools to identify and mitigate vulnerabilities in libraries.

  Writeup HTB: Highlights the need for keeping libraries updated to ensure application security and mitigate risks.

  Conclusion:

  Options D and E, implementing an SCA tool and obtaining the latest library version, are the most appropriate recommendations to address the high-risk finding related to vulnerable libraries in the Secure SDLC process.

• Question 89:

  A penetration tester has been given eight business hours to gain access to a client's financial system.

  Which of the following techniques will have the highest likelihood of success?

  A. Attempting to tailgate an employee going into the client's workplace
  B. Dropping a malicious USB key with the company's logo in the parking lot
  C. Using a brute-force attack against the external perimeter to gain a foothold
  D. Performing spear phishing against employees by posing as senior management
  D. Performing spear phishing against employees by posing as senior management

• Question 90:

  A penetration tester has prepared the following phishing email for an upcoming penetration test:

  

  Which of the following is the penetration tester using MOST to influence phishing targets to click on the link?

  A. Familiarity and likeness
  B. Authority and urgency
  C. Scarcity and fear
  D. Social proof and greed
  B. Authority and urgency