Practice Free PT0-003 Exam Online Questions
During an assessment, a penetration tester obtains access to an internal server and would like to perform further reconnaissance by capturing LLMNR traffic.
Which of the following tools should the tester use?
- A . Burp Suite
- B . Netcat
- C . Responder
- D . Nmap
C
Explanation:
Responder is a tool specialised in capturing LLMNR, NBNS and mDNS traffic and in performing spoofing attacks and hash capture. It is widely used in Windows environments to capture credentials when hosts try to resolve names that do not exist in DNS.
Netcat and Burp Suite are not designed for this purpose. Nmap is used for network scanning, but not for capturing or exploiting LLMNR.
Reference: PT0-003 Objective 4.2: Explain lateral movement techniques and privilege escalation tools (Responder is explicitly listed).
During an assessment, a penetration tester obtains a low-privilege shell and then runs the following command:
findstr /SIM /C:"pass" *.txt *.cfg *.xml
Which of the following is the penetration tester trying to enumerate?
- A . Configuration files
- B . Permissions
- C . Virtual hosts
- D . Secrets
D
Explanation:
By running the command findstr /SIM /C:"pass" *.txt *.cfg *.xml, the penetration tester is trying to enumerate secrets.
Command Analysis:
findstr: A command-line utility in Windows used to search for specific strings in files.
/SIM: Combination of options; /S searches for matching files in the current directory and all subdirectories, /I specifies a case-insensitive search, and /M prints only the filenames with matching content.
/C:"pass": Searches for the literal string "pass".
*.txt *.cfg *.xml: Specifies the file types to search within.
Objective:
The command is searching for the string "pass" within .txt, .cfg, and .xml files, which is indicative of searching for passwords or other sensitive information (secrets).
These file types commonly contain configuration details, credentials, and other sensitive data that might include passwords or secrets.
Other Options:
Configuration files: While .cfg and .xml files can be configuration files, the specific search for "pass" indicates looking for secrets like passwords.
Permissions: This command does not check or enumerate file permissions.
Virtual hosts: This command is not related to enumerating virtual hosts.
Pentest Reference:
Post-Exploitation: Enumerating sensitive information like passwords is a common post-exploitation activity after gaining initial access.
Credential Discovery: Searching for stored credentials within configuration files and documents to escalate privileges or move laterally within the network.
By running this command, the penetration tester aims to find stored passwords or other secrets that could help in further exploitation of the target system.
While performing reconnaissance, a penetration tester attempts to identify publicly accessible ICS (Industrial Control Systems) and IoT (Internet of Things) systems.
Which of the following tools is most effective for this task?
- A . theHarvester
- B . Shodan
- C . Amass
- D . Nmap
B
Explanation:
Shodan is a search engine that specializes in finding internet-connected devices, including ICS, IoT, webcams, routers, and servers. Attackers and security professionals use Shodan to scan for publicly accessible systems that may be vulnerable.
Option A (theHarvester) ❌: theHarvester is primarily used for OSINT (Open-Source Intelligence) gathering, such as email addresses, subdomains, and hostnames, but it does not specialize in ICS/IoT discovery.
Option B (Shodan) ✅: Correct. Shodan scans the internet for connected devices and services, allowing penetration testers to find ICS/IoT systems that are exposed.
Option C (Amass) ❌: Amass is used for subdomain enumeration and DNS reconnaissance, not for ICS or IoT discovery.
Option D (Nmap) ❌: Nmap is a port scanner that can identify live hosts and open ports, but it does not search for publicly available systems on a large scale like Shodan.
Reference: CompTIA PenTest+ PT0-003 Official Guide: OSINT and Reconnaissance
Which of the following is the most efficient way to infiltrate a file containing data that could be sensitive?
- A . Use steganography and send the file over FTP
- B . Compress the file and send it using TFTP
- C . Split the file in tiny pieces and send it over dnscat
- D . Encrypt and send the file over HTTPS
D
Explanation:
When considering efficiency and security for exfiltrating sensitive data, the chosen method must ensure data confidentiality and minimize the risk of detection.
Here's an analysis of each option:
Use steganography and send the file over FTP (Option A):
Steganography hides data within other files, such as images. FTP is a protocol for transferring files.
Drawbacks: FTP is not secure as it transmits data in clear text, making it susceptible to interception.
Steganography can add an extra layer of obfuscation, but the use of FTP makes this option insecure.
Compress the file and send it using TFTP (Option B):
TFTP is a simple file transfer protocol that lacks encryption.
Drawbacks: TFTP is inherently insecure because it does not support encryption, making it easy for attackers to intercept the data during transfer.
Split the file in tiny pieces and send it over dnscat (Option C):
dnscat is a tool for tunneling data over DNS.
Drawbacks: While effective at evading detection by using DNS, splitting the file and managing the reassembly adds complexity. Additionally, large data transfers over DNS can raise suspicion.
Encrypt and send the file over HTTPS (Option D, correct answer):
Encrypting the file ensures that its contents are protected during transfer. HTTPS provides a secure, encrypted channel for communication over the internet.
Advantages: HTTPS is widely used and trusted, making it less likely to raise suspicion. Encryption ensures the data remains confidential during transit.
Reference: The use of HTTPS for secure data transfer is a standard practice in cybersecurity, providing both encryption and integrity of the data being transmitted.
Conclusion: Encrypting the file and sending it over HTTPS is the most efficient and secure method for exfiltrating sensitive data, ensuring both confidentiality and reducing the risk of detection.
A penetration tester gains shell access to a Windows host. The tester needs to permanently turn off protections in order to install additional payload.
Which of the following commands is most appropriate?
- A . sc config <svc_name> start=disabled
- B . sc query state= all
- C . pskill <pid_svc_name>
- D . net config <svc_name>
A
Explanation:
Command analysis:
The sc config command is used to configure service startup settings in Windows. Using start=disabled will permanently disable a specific service, effectively turning off protections such as antivirus or other monitoring services.
Why Not Other Options?
B (sc query state= all): This command lists all services and their states but does not disable or modify any service.
C (pskill): This command is used to terminate a process temporarily, but it does not permanently disable the service.
D (net config): This command is used for configuring network settings, not for managing services.
Reference: CompTIA PenTest+ Domain 3.0 (Attacks and Exploits), Windows Service Exploitation Guidelines
A penetration tester enters an invalid user ID on the login page of a web application. The tester receives a message indicating the user is not found. Then, the tester tries a valid user ID but an incorrect password, but the web application indicates the password is invalid.
Which of the following should the tester attempt next?
- A . Error log analysis
- B . DoS attack
- C . Enumeration
- D . Password dictionary attack
C
Explanation:
The application is giving distinct error messages for valid vs. invalid usernames. This is a classic case of user enumeration, where an attacker can determine valid accounts before proceeding to brute-force or password attacks.
From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 6: Vulnerability Identification):
“Authentication systems that return different error messages based on the validity of the username can allow attackers to enumerate valid accounts.”
Reference: Chapter 6, CompTIA PenTest+ PT0-003 Official Study Guide
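As an added example (not from the exam guide or the study guide it cites), the distinct-message pattern described above beside a hardened login that returns one uniform message and does the same amount of work whether the username exists or the password is wrong; the user store, salt and passwords are constructed for the demo:

```python
import hmac
import hashlib

def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the demo runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed demo user store: username -> (salt, password hash). Not a real system.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}
# Dummy record so an unknown username still costs one PBKDF2 run (timing parity)
_DUMMY = (_SALT, _hash_pw("dummy-never-valid", _SALT))

def login_verbose(username: str, password: str) -> str:
    """Vulnerable: two different messages reveal whether the username exists."""
    if username not in USERS:
        return "User not found"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return "Password is invalid"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """Hardened: one generic message and equal work for both failure cases."""
    salt, stored = USERS.get(username, _DUMMY)
    # Always hash and compare; the membership check happens after the work is done
    matched = hmac.compare_digest(_hash_pw(password, salt), stored)
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password"

def leaks_account_validity(login) -> bool:
    """True if the login handler's messages distinguish unknown users from bad passwords."""
    return login("nobody", "wrong") != login("alice", "wrong")
```

The last function is the check a tester or reviewer can run against any login handler: if the two failure responses differ, the handler permits user enumeration.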
