PT0-003 Exam Practice Questions prepared by CompTIA Professionals
CompTIA PT0-003 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
| Topic 5 | |
NEW QUESTION # 54
During a security assessment, a penetration tester captures plaintext login credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access.
Which of the following tools is the tester using?
- A. Metasploit
- B. Burp Suite
- C. Zed Attack Proxy (ZAP)
- D. Wireshark
Answer: D
Explanation:
Capturing plaintext credentials in network traffic is done using packet sniffing. Wireshark is the best tool for this task.
* Option A (Metasploit): used for exploitation rather than capturing traffic.
* Option B (Burp Suite): used for web application testing and intercepting HTTPS traffic, but not general network sniffing.
* Option C (ZAP, Zed Attack Proxy): similar to Burp Suite, but focused on web application security, not network packet capture.
* Option D (Wireshark): correct. Wireshark is a packet analysis tool that captures unencrypted network traffic, including plaintext credentials.
Reference: CompTIA PenTest+ PT0-003 Official Guide - Packet Sniffing & Network Traffic Analysis
NEW QUESTION # 55
During an assessment, a penetration tester found an application with the default credentials enabled. Which of the following best describes the technical control required to fix this issue?
- A. Multifactor authentication
- B. System hardening
- C. Patch management
- D. Password encryption
Answer: B
Explanation:
System hardening involves securing a system by reducing its surface of vulnerability, which includes changing default credentials, disabling unnecessary services, and applying security patches.
NEW QUESTION # 56
A penetration tester is performing an assessment for an application that is used by large organizations operating in the heavily regulated financial services industry. The penetration tester observes that the default Admin User account is enabled and appears to be used several times a day by unfamiliar IP addresses. Which of the following is the most appropriate way to remediate this issue?
- A. Restrict simultaneous user log-ins.
- B. Require local network access.
- C. Implement system hardening.
- D. Increase password complexity.
Answer: B
Explanation:
Requiring local network access for the default Admin User account is a targeted measure to prevent unauthorized access from unfamiliar IP addresses, particularly those originating from outside the organization's network. This approach ensures that only devices physically connected to or authenticated within the local network can attempt to use the Admin User account, significantly reducing the risk of external attacks. Increasing password complexity and restricting simultaneous log-ins are good practices but do not directly address the issue of access from unfamiliar IPs. System hardening is broader and not specifically focused on the Admin User account issue.
NEW QUESTION # 57
A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?
- A. Prohibiting exploitation in the production environment
- B. Prohibiting testers from joining the team during the assessment
- C. Never assessing the production networks
- D. Requiring all testers to review the scoping document carefully
Answer: D
Explanation:
The scoping document is a document that defines the objectives, scope, limitations, deliverables, and expectations of a penetration testing engagement. It is an essential document that guides the penetration testing process and ensures that both the tester and the client agree on the terms and conditions of the test.
Requiring all testers to review the scoping document carefully would have most effectively prevented this misunderstanding, as it would have informed the new tester about the client's request not to test the production networks. The other options are not effective or realistic ways to prevent this misunderstanding.
NEW QUESTION # 58
A penetration tester runs a scan against a server and obtains the following output:
```text
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-12-20 09:23AM 331 index.aspx
| ftp-syst:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2012 Std
3389/tcp open ssl/ms-wbt-server
| rdp-ntlm-info:
| Target Name: WEB3
| NetBIOS_Computer_Name: WEB3
| Product_Version: 6.3.9600
|_ System_Time: 2021-01-15T11:32:06+00:00
8443/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
```
Which of the following command sequences should the penetration tester try NEXT?
- A. nmap --script vuln -sV 192.168.53.23
- B. ftp 192.168.53.23
- C. ncrack -u Administrator -P 15worst_passwords.txt -p rdp 192.168.53.23
- D. curl -X TRACE https://192.168.53.23:8443/index.aspx
- E. smbclient \\\\WEB3\\IPC$ -I 192.168.53.23 -U guest
Answer: B
NEW QUESTION # 59
A penetration tester assesses a complex web application and wants to explore potential security weaknesses by searching for subdomains that might have existed in the past. Which of the following tools should the penetration tester use?
- A. Wayback Machine
- B. Shodan
- C. Censys.io
- D. SpiderFoot
Answer: A
Explanation:
The Wayback Machine is an online tool that archives web pages over time, allowing users to see how a website looked at various points in its history. This can be extremely useful for penetration testers looking to explore potential security weaknesses by searching for subdomains that might have existed in the past.
Step-by-Step Explanation
Accessing the Wayback Machine:
Go to the Wayback Machine website: archive.org/web.
Enter the URL of the target website you want to explore.
Navigating Archived Pages:
The Wayback Machine provides a timeline and calendar interface to browse through different snapshots taken over time.
Select a snapshot to view the archived version of the site. Look for links, subdomains, and resources that may no longer be available in the current version of the website.
Identifying Subdomains:
Examine the archived pages for references to subdomains, which might be visible in links, scripts, or embedded content.
Use the information gathered to identify potential entry points or older versions of web applications that might still be exploitable.
Tool Integration:
Tools like Burp Suite or SpiderFoot can integrate with the Wayback Machine to automate the discovery process of archived subdomains and resources.
Real-World Example:
During a penetration test, a tester might find references to oldadmin.targetsite.com in an archived page from several years ago. This subdomain might no longer be listed in DNS but could still be accessible, leading to potential security vulnerabilities.
Reference from Pentesting Literature:
In various penetration testing guides and HTB write-ups, using the Wayback Machine is a common technique for passive reconnaissance, providing historical context and revealing past configurations that might still be exploitable.
Reference:
HTB Official Writeups
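The subdomain-discovery step described above can be automated against the archive's CDX index instead of browsing snapshots by hand. The script below is an added example, not code from the question bank or from the Wayback Machine project: it builds the CDX query for a domain, extracts the distinct hostnames from the response, and lists those missing from the organisation's current asset inventory so stale DNS records and forgotten hosts can be reviewed. It assumes the public CDX endpoint and its output=json row layout; the domain example.com, the captured URLs and the inventory are constructed so the script runs offline.

```python
"""Listing historical hostnames from Wayback Machine CDX output.

Added example, not part of the question bank above. It assumes the public CDX
endpoint (http://web.archive.org/cdx/search/cdx) and its output=json row
format; the domain example.com, the captured URLs and the DNS inventory below
are constructed so the script runs offline.
"""
from __future__ import annotations

import json
from urllib.parse import urlencode, urlparse

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"


def build_cdx_query(domain: str) -> str:
    """Build the CDX URL that lists every archived capture under *domain*.

    url=*.domain covers the apex and all subdomains, collapse=urlkey drops
    repeated captures of the same URL, and fl= limits the returned fields.
    """
    params = {
        "url": f"*.{domain}",
        "output": "json",
        "fl": "original,timestamp",
        "collapse": "urlkey",
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


# Constructed stand-in for a CDX output=json response: a header row, then one
# row per capture. A real response would come from an HTTP GET of the URL above.
SAMPLE_CDX_RESPONSE = json.dumps([
    ["original", "timestamp"],
    ["http://www.example.com/", "20150301120000"],
    ["https://www.example.com/login", "20210115083000"],
    ["http://oldadmin.example.com/admin.php", "20140712101500"],
    ["http://dev.example.com:8080/api/v1/", "20160905000000"],
    ["https://Staging.Example.com/", "20180220144400"],
    ["http://example.com.evil.invalid/phish", "20190101000000"],  # look-alike, not ours
])


def extract_hostnames(cdx_json: str, domain: str) -> dict[str, str]:
    """Map each hostname within *domain* to its earliest capture timestamp."""
    domain = domain.lower()
    suffix = "." + domain
    hosts: dict[str, str] = {}
    for original, timestamp in json.loads(cdx_json)[1:]:  # skip the header row
        host = urlparse(original).hostname  # lower-cased, port and path removed
        if host is None or (host != domain and not host.endswith(suffix)):
            continue  # ignore unrelated and look-alike hosts
        if host not in hosts or timestamp < hosts[host]:
            hosts[host] = timestamp
    return hosts


def not_in_inventory(archived: dict[str, str], inventory: set[str]) -> list[str]:
    """Archived hostnames absent from the current asset inventory: candidates to
    check for stale DNS records or forgotten services."""
    return sorted(h for h in archived if h not in inventory)


if __name__ == "__main__":
    archived = extract_hostnames(SAMPLE_CDX_RESPONSE, "example.com")
    current = {"www.example.com", "dev.example.com"}  # constructed inventory
    print("query:", build_cdx_query("example.com"))
    for host in not_in_inventory(archived, current):
        print(f"{host}: first archived {archived[host][:8]}, not in inventory")
```

Hostnames are taken from the parsed URL rather than from the raw string so that case, ports and paths collapse into one entry, and look-alike domains that merely contain the target name are dropped by the suffix check.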
NEW QUESTION # 60
A penetration tester discovered a code repository and noticed passwords were hashed before they were stored in the database with the following code:
```python
import hashlib
salt = b'123'  # fixed salt shared by every password
hash = hashlib.pbkdf2_hmac('sha256', plaintext, salt, 10000)
```
The tester recommended the code be updated to the following:
```python
import hashlib
import os
salt = os.urandom(32)  # fresh random salt per password
hash = hashlib.pbkdf2_hmac('sha256', plaintext, salt, 10000)
```
Which of the following steps should the penetration tester recommend?
- A. Replacing the SHA-256 algorithm to something more secure
- B. Rehashing all old passwords with the new code
- C. Changing passwords that were created before this code update
- D. Keeping hashes created by both methods for compatibility
Answer: C
Explanation:
The penetration tester recommended the code be updated to use a random salt instead of a fixed salt for hashing passwords. A salt is a random value that is added to the plaintext password before hashing it, to prevent attacks such as rainbow tables or dictionary attacks that rely on precomputed hashes of common or weak passwords. A random salt ensures that each password hash is unique and unpredictable, even if two users have the same password. However, changing the salt does not affect the existing hashes that were created with the old salt, which may still be vulnerable to attacks. Therefore, the penetration tester should recommend changing passwords that were created before this code update, so that they can be hashed with the new salt and be more secure. The other options are not valid steps that the penetration tester should recommend. Keeping hashes created by both methods for compatibility would defeat the purpose of updating the code, as it would leave some hashes vulnerable to attacks. Rehashing all old passwords with the new code would not work, as it would require knowing the plaintext passwords, which are not stored in the database.
Replacing the SHA-256 algorithm to something more secure is not necessary, as SHA-256 is a secure and widely used hashing algorithm that has no known vulnerabilities or collisions.
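To make the explanation concrete, the added example below (not code from the question or its source) hashes the same password under the fixed salt and under a random salt, verifies a stored record, shows that one precomputed table matches every fixed-salt hash at once, and flags rows that still carry the fixed salt so the affected users can be required to change their passwords. The record layout salt_hex$digest_hex, the sample passwords and the small wordlist are assumptions; the iteration count is the 10,000 from the question.

```python
"""Fixed salt versus per-password random salt with PBKDF2-HMAC-SHA256.

Added example, not code from the question or its source. The stored record
layout (salt_hex$digest_hex), the sample passwords and the wordlist are
assumptions; the 10,000 iterations are carried over from the question.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 10_000
LEGACY_SALT = b"123"  # the hard-coded salt the original code shipped with


def legacy_record(password: str) -> str:
    """Old scheme: every password is hashed with the same fixed salt."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), LEGACY_SALT, ITERATIONS)
    return f"{LEGACY_SALT.hex()}${digest.hex()}"


def new_record(password: str) -> str:
    """New scheme: a fresh 32-byte random salt per password, stored with the digest."""
    salt = os.urandom(32)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Recompute PBKDF2 with the record's own salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_legacy_record(record: str) -> bool:
    """True for rows still hashed under the fixed salt: those users must set a new password."""
    salt_hex, _ = record.split("$", 1)
    return bytes.fromhex(salt_hex) == LEGACY_SALT


def precomputed_table(candidates: list[str], salt: bytes) -> dict[bytes, str]:
    """PBKDF2 digests of a wordlist for one salt. With a fixed salt this single table
    is reusable against every stored hash; with random salts each row needs its own."""
    return {hashlib.pbkdf2_hmac("sha256", c.encode(), salt, ITERATIONS): c
            for c in candidates}


def legacy_matches(records: list[str], wordlist: list[str]) -> int:
    """How many legacy records a single fixed-salt table accounts for."""
    table = precomputed_table(wordlist, LEGACY_SALT)
    hits = 0
    for rec in records:
        _, digest_hex = rec.split("$", 1)
        if bytes.fromhex(digest_hex) in table:
            hits += 1
    return hits


if __name__ == "__main__":
    # Constructed users; the first two chose the same password.
    old_rows = [legacy_record("Summer2024!"), legacy_record("Summer2024!"),
                legacy_record("unique-phrase-42")]
    print("identical legacy hashes for identical passwords:", old_rows[0] == old_rows[1])
    print("legacy rows covered by one precomputed table:",
          legacy_matches(old_rows, ["Summer2024!", "password"]))
    new_rows = [new_record("Summer2024!"), new_record("Summer2024!")]
    print("identical new hashes for identical passwords:", new_rows[0] == new_rows[1])
    print("rows still needing a password change:", sum(map(is_legacy_record, old_rows + new_rows)))
```

Because the salt is stored beside the digest, verification never needs the fixed value again once a user has set a new password, and is_legacy_record gives operators a direct list of which accounts the recommended password change applies to.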
NEW QUESTION # 61
You are a security analyst tasked with hardening a web server.
You have been given a list of HTTP payloads that were flagged as malicious.
INSTRUCTIONS
Given the following attack signatures, determine the attack type, and then identify the associated remediation to prevent the attack in the future.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Answer:
Explanation:
1. Reflected XSS - Input sanitization (<> ...)
2. SQL injection (stacked) - Parameterized queries
3. DOM XSS - Input sanitization (<> ...)
4. Local file inclusion - Sandbox requests
5. Command injection - Sandbox requests
6. SQLi (UNION-based) - Parameterized queries
7. SQLi (error-based) - Parameterized queries
8. Remote file inclusion - Sandbox requests
9. Command injection - Input sanitization
10. URL redirect - Prevent external calls
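Three of the remediations on the list shown next to the code they replace, as an added example that is not part of the original simulation: string-built SQL beside a parameterized query, raw reflection beside sanitization of <, >, & and quotes, and an open redirect beside a check that prevents external targets. The in-memory SQLite table, the function names and the payloads are constructed.

```python
"""Vulnerable and remediated forms for three signature classes from the list:
SQL injection (parameterized queries), XSS (input sanitization of < > & quotes)
and URL redirect (preventing external calls).

Added example, not part of the original item. It uses an in-memory SQLite table
with constructed rows; the function names and payloads are illustrative only.
"""
from __future__ import annotations

import html
import sqlite3
from urllib.parse import urlparse


def make_db() -> sqlite3.Connection:
    """Constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Input is spliced into the SQL text, so quotes in it change the query's meaning."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Input is bound as a value: it is compared literally and cannot alter the query."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def greeting_vulnerable(name: str) -> str:
    """Reflects input into HTML unchanged, so markup in the input is rendered."""
    return f"<p>Hello, {name}</p>"


def greeting_sanitized(name: str) -> str:
    """Encodes < > & and quotes so the input is displayed as text, never as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Allow only site-relative paths; anything carrying a scheme or host falls back."""
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        return default          # absolute URL: http://..., javascript:..., //host/...
    if not next_url.startswith("/") or next_url.startswith("/\\"):
        return default          # not a clean relative path
    return next_url


if __name__ == "__main__":
    db = make_db()
    probe = "alice' OR '1'='1"
    print("string-built query rows:", len(find_user_vulnerable(db, probe)))
    print("parameterized query rows:", len(find_user_parameterized(db, probe)))
    print(greeting_vulnerable("<b>x</b>"), "|", greeting_sanitized("<b>x</b>"))
    print(safe_redirect_target("https://evil.invalid/"), safe_redirect_target("/account"))
```

The parameterized version returns no rows for the probe because the whole string is compared as a name; the same input against the string-built query returns every row, which is the behaviour a UNION-based or tautology signature is detecting.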
NEW QUESTION # 62
A tester is working on an engagement that has evasion and stealth requirements. Which of the following enumeration methods is the least likely to be detected by the IDS?
- A. nmap -sV -T2 <target>
- B. proxychains nmap -sV -T2 <target>
- C. curl https://api.shodan.io/shodan/host/search?key=<API_KEY>&query=hostname:<target>
- D. for i in <target>; do curl -k $i; done
Answer: C
Explanation:
* Option C uses Shodan's API to gather information about a target without directly touching the target system. This makes it the stealthiest option, as no traffic is generated from the tester's IP to the target.
* Options A & B use Nmap, which is active scanning; while -T2 reduces intensity, it still generates packets against the target.
* Option D is a custom curl loop that also interacts directly with the target and can trigger IDS alerts.
CompTIA PenTest+ Reference:
* PT0-003 Objective 2.1 & 2.3: Passive vs Active reconnaissance techniques.
* Using OSINT sources like Shodan is a key stealth recon method.
NEW QUESTION # 63
Which of the following should a penetration tester consider FIRST when engaging in a penetration test in a cloud environment?
- A. The geographical location where the cloud services are running
- B. Whether the specific cloud services are being used by the application
- C. Whether the cloud service provider allows the penetration tester to test the environment
- D. Whether the country where the cloud service is based has any impeding laws
Answer: C
Explanation:
The first thing that a penetration tester should consider when engaging in a penetration test in a cloud environment is whether the cloud service provider allows the tester to test the environment, as this will determine whether the tester has permission or authorization to perform the test. Some cloud service providers have policies or terms of service that prohibit or restrict penetration testing on their platforms or require prior approval or notification before testing. The tester should review these policies and obtain written consent from the provider before conducting any testing activities.
NEW QUESTION # 64
```text
dnscmd.exe /config /serverlevelplugindll C:\users\necad-TA\Documents\adduser.dll
```
Which of the following is the penetration tester trying to achieve?
- A. Command injection
- B. DNS enumeration
- C. Privilege escalation
- D. A list of available users
Answer: C
Explanation:
The tester is attempting to register a malicious DLL as a server-level plugin to escalate privileges.
* Privilege escalation (Option C):
* The command uses dnscmd.exe, a legitimate Windows tool for managing DNS servers.
* By setting a malicious DLL (adduser.dll) as a server-level plugin, attackers can gain SYSTEM-level privileges.
* This technique is a DLL hijacking attack.
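From the defender's side, a dnscmd.exe command line that touches /serverlevelplugindll is rare enough in normal administration to alert on outright. The added example below (not part of the original item) scans constructed process-creation records for that pattern, distinguishes registering a DLL from clearing the setting (clearing can be post-exploitation cleanup and is worth a lower-severity alert), and marks DLL paths in user-writable or UNC locations. The pipe-separated log format, every sample line and the path heuristics are assumptions; in production the command lines would come from Windows 4688 or Sysmon process-creation events.

```python
"""Flag dnscmd.exe invocations that set the DNS server-level plugin DLL.

Added detection example, not part of the original item. The log format
(timestamp|host|user|command_line) and every line in SAMPLE_LOG are constructed;
the "suspicious path" heuristic is an assumption, not a vendor rule.
"""
from __future__ import annotations

import re

# dnscmd [server] /config /serverlevelplugindll [path]; an omitted path clears the plugin.
PLUGIN_RE = re.compile(
    r"(?i)\bdnscmd(?:\.exe)?\b.*?/config\b.*?/serverlevelplugindll\b(?:\s+(\S+))?"
)

# Locations a legitimate DNS plugin DLL is unlikely to be loaded from (assumption):
# UNC shares, user profiles, temp and ProgramData folders.
UNTRUSTED_PATH_RE = re.compile(r"(?i)^\\\\|\\users\\|\\temp\\|\\programdata\\|\\downloads\\")

SAMPLE_LOG = r"""
2024-05-02T10:14:03Z|DC01|CORP\svc-dns|dnscmd.exe /config /serverlevelplugindll
2024-05-02T10:15:11Z|DC01|CORP\jdoe|dnscmd.exe /config /serverlevelplugindll C:\Users\jdoe\Documents\adduser.dll
2024-05-02T10:16:40Z|DC01|CORP\jdoe|dnscmd.exe /zoneprint corp.local
2024-05-02T10:17:02Z|WS07|CORP\asmith|ipconfig /displaydns
2024-05-02T10:18:55Z|DC02|CORP\admin1|DNSCMD dc02 /Config /ServerLevelPluginDll \\fileshare\tools\plugin.dll
""".strip()


def detect_plugin_changes(lines: list[str]) -> list[dict]:
    """Return one alert per line that registers or clears the server-level plugin DLL."""
    alerts = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed record
        timestamp, host, user, cmdline = parts
        match = PLUGIN_RE.search(cmdline)
        if not match:
            continue
        dll = match.group(1)  # None when the command clears the setting
        alerts.append({
            "timestamp": timestamp,
            "host": host,
            "user": user,
            "action": "register" if dll else "clear",
            "dll": dll,
            "suspicious_path": bool(dll and UNTRUSTED_PATH_RE.search(dll)),
            "severity": "high" if dll else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_plugin_changes(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['timestamp']} {alert['host']} {alert['user']}: "
              f"{alert['action']} plugin {alert['dll'] or '(cleared)'}"
              f"{' from untrusted path' if alert['suspicious_path'] else ''}")
```

Matching on the switch rather than on the DLL name means a renamed payload is still caught; the path heuristic only raises confidence, it is not what the alert depends on.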
NEW QUESTION # 65
A penetration tester performs an assessment on the target company's Kubernetes cluster using kube-hunter.
Which of the following types of vulnerabilities could be detected with the tool?
- A. Weaknesses and misconfigurations in the Kubernetes cluster
- B. Network configuration errors in Kubernetes services
- C. Security vulnerabilities specific to Docker containers
- D. Application deployment issues in Kubernetes
Answer: A
Explanation:
kube-hunter is a tool designed to perform security assessments on Kubernetes clusters. It identifies various vulnerabilities, focusing on weaknesses and misconfigurations. Here's why option A is correct:
* Kube-hunter: It scans Kubernetes clusters to identify security issues, such as misconfigurations, insecure settings, and potential attack vectors.
* Network Configuration Errors: While kube-hunter might identify some network-related issues, its primary focus is on Kubernetes-specific vulnerabilities and misconfigurations.
* Application Deployment Issues: These are more related to the applications running within the cluster, not the cluster configuration itself.
* Security Vulnerabilities in Docker Containers: Kube-hunter focuses on the Kubernetes environment rather than Docker container-specific vulnerabilities.
References from Pentest:
* Forge HTB: Highlights the use of specialized tools to identify misconfigurations in environments, similar to how kube-hunter operates within Kubernetes clusters.
* Anubis HTB: Demonstrates the importance of identifying and fixing misconfigurations within complex environments like Kubernetes clusters.
Conclusion:
Option A, weaknesses and misconfigurations in the Kubernetes cluster, accurately describes the type of vulnerabilities that kube-hunter is designed to detect.
NEW QUESTION # 66
A penetration tester gains access to a host but does not have access to any type of shell. Which of the following is the best way for the tester to further enumerate the host and the environment in which it resides?
- A. PowerShell ISE
- B. Process IDs
- C. Netcat
- D. ProxyChains
Answer: C
Explanation:
If a penetration tester gains access to a host but does not have a shell, the best tool for further enumeration is Netcat. Here's why:
Netcat:
Versatility: Netcat is known as the "Swiss Army knife" of networking tools. It can be used for port scanning, banner grabbing, and setting up reverse shells.
Enumeration: Without a shell, Netcat can help enumerate open ports and services running on the host, providing insight into the host's environment.
Comparison with Other Tools:
ProxyChains: Used to chain proxies together, not directly useful for enumeration without an initial shell.
PowerShell ISE: Requires a shell to execute commands and scripts.
Process IDs: Without a shell, enumerating process IDs directly isn't possible.
Netcat's ability to perform multiple network-related tasks without needing a shell makes it the best choice for further enumeration.
NEW QUESTION # 67
During a red-team exercise, a penetration tester obtains an employee's access badge. The tester uses the badge's information to create a duplicate for unauthorized entry. Which of the following best describes this action?
- A. Smurfing
- B. RFID cloning
- C. Card skimming
- D. Credential stuffing
Answer: B
Explanation:
* RFID Cloning:
* RFID (Radio-Frequency Identification) cloning involves copying the data from an access badge and creating a duplicate that can be used for unauthorized entry.
* Tools like Proxmark or RFID duplicators are commonly used for this purpose.
* Why Not Other Options?
* A (Smurfing): a network-based denial-of-service attack, unrelated to physical access.
* C (Card skimming): relates to stealing credit card information, not access badges.
* D (Credential stuffing): involves using stolen credentials in bulk for authentication attempts, unrelated to badge cloning.
CompTIA Pentest+ References:
* Domain 3.0 (Attacks and Exploits)
NEW QUESTION # 68
During an assessment, a penetration tester manages to get RDP access via a low-privilege user. The tester attempts to escalate privileges by running the following commands:
```powershell
Import-Module .\PrintNightmare.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print"
```
The tester attempts to further enumerate the host with the new administrative privileges by using the runas command. However, the access level is still low. Which of the following actions should the penetration tester take next?
- A. Bypass the execution policy.
- B. Attempt to add another user.
- C. Add a malicious printer driver.
- D. Log off and log on with "hacker".
Answer: D
Explanation:
In the scenario where a penetration tester uses the PrintNightmare exploit to create a new user with administrative privileges but still experiences low-privilege access, the tester should log off and log on with the new "hacker" account to escalate privileges correctly.
* PrintNightmare Exploit:
* PrintNightmare (CVE-2021-34527) is a vulnerability in the Windows Print Spooler service that allows remote code execution and local privilege escalation.
* The provided commands are intended to exploit this vulnerability to create a new user with administrative privileges.
* Commands Breakdown:
* Import-Module .\PrintNightmare.ps1: Loads the PrintNightmare exploit script.
* Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "Print":
Executes the exploit, creating a new user "hacker" with administrative privileges.
* Issue:
* The tester still experiences low privileges despite running the exploit successfully.
* This could be due to the current session not reflecting the new privileges.
* Solution:
* Logging off and logging back on with the new "hacker" account will start a new session with the updated administrative privileges.
* This ensures that the new privileges are applied correctly.
Pentest References:
* Privilege Escalation: After gaining initial access, escalating privileges is crucial to gain full control over the target system.
* Session Management: Understanding how user sessions work and ensuring that new privileges are recognized by starting a new session.
* The use of the PrintNightmare exploit highlights a specific technique for privilege escalation within Windows environments.
By logging off and logging on with the new "hacker" account, the penetration tester can ensure the new administrative privileges are fully applied, allowing for further enumeration and exploitation of the target system.
NEW QUESTION # 69
During host discovery, a security analyst wants to obtain GeoIP information and a comprehensive summary of exposed services. Which of the following tools is best for this task?
- A. WiGLE.net
- B. theHarvester
- C. Censys.io
- D. WHOIS
Answer: C
Explanation:
Censys.io:
Censys.io is a search engine for Internet-connected devices. It provides information about IP addresses, domains, GeoIP data, and exposed services.
Why Not Other Options?
A (WiGLE.net): focuses on mapping Wi-Fi networks, not providing detailed information about IP addresses or services.
B (theHarvester): primarily gathers OSINT such as email addresses, subdomains, and names, but not service information or GeoIP data.
D (WHOIS): provides domain registration and ownership details but lacks GeoIP and service summaries.
CompTIA Pentest+ Reference:
Domain 2.0 (Information Gathering and Vulnerability Identification)