Practice Free PT0-003 Exam Online Questions
A penetration tester completes a scan and sees the following output on a host:
bash
Copy code
Nmap scan report for victim (10.10.10.10)
Host is up (0.0001s latency)
PORT STATE SERVICE
161/udp open|filtered snmp
445/tcp open microsoft-ds
3389/tcp open microsoft-ds
Running Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7_sp0
The tester wants to obtain shell access.
Which of the following related exploits should the tester try first?
- A . exploit/windows/smb/psexec
- B . exploit/windows/smb/ms08_067_netapi
- C . exploit/windows/smb/ms17_010_eternalblue
- D . auxiliary/scanner/snmp/snmp_login
C
Explanation:
The ms17_010_eternalblue exploit is the most appropriate choice based on the scenario.
Why MS17-010 EternalBlue?
EternalBlue is a critical vulnerability in SMBv1 (port 445) affecting older versions of Windows, including Windows 7.
The exploit can be used to execute arbitrary code remotely, providing shell access to the target system.
Other Options:
A (psexec): This exploit is a post-exploitation tool that requires valid credentials to execute commands remotely.
B (ms08_067_netapi): A vulnerability targeting older Windows systems (e.g., Windows XP). It is unlikely to work on Windows 7.
D (snmp_login): This is an auxiliary module for enumerating SNMP, not gaining shell access. CompTIA Pentest+
Reference: Domain 2.0 (Information Gathering and Vulnerability Identification) Domain 3.0 (Attacks and Exploits)
A penetration tester completes a scan and sees the following output on a host:
bash
Copy code
Nmap scan report for victim (10.10.10.10)
Host is up (0.0001s latency)
PORT STATE SERVICE
161/udp open|filtered snmp
445/tcp open microsoft-ds
3389/tcp open microsoft-ds
Running Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7_sp0
The tester wants to obtain shell access.
Which of the following related exploits should the tester try first?
- A . exploit/windows/smb/psexec
- B . exploit/windows/smb/ms08_067_netapi
- C . exploit/windows/smb/ms17_010_eternalblue
- D . auxiliary/scanner/snmp/snmp_login
C
Explanation:
The ms17_010_eternalblue exploit is the most appropriate choice based on the scenario.
Why MS17-010 EternalBlue?
EternalBlue is a critical vulnerability in SMBv1 (port 445) affecting older versions of Windows, including Windows 7.
The exploit can be used to execute arbitrary code remotely, providing shell access to the target system.
Other Options:
A (psexec): This exploit is a post-exploitation tool that requires valid credentials to execute commands remotely.
B (ms08_067_netapi): A vulnerability targeting older Windows systems (e.g., Windows XP). It is unlikely to work on Windows 7.
D (snmp_login): This is an auxiliary module for enumerating SNMP, not gaining shell access. CompTIA Pentest+
Reference: Domain 2.0 (Information Gathering and Vulnerability Identification) Domain 3.0 (Attacks and Exploits)
A penetration tester downloads a JAR file that is used in an organization’s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit.
Which of the following describes the tester’s activities?
- A . SAST
- B . SBOM
- C . ICS
- D . SCA
D
Explanation:
The tester’s activity involves analyzing the contents of a JAR file to identify potentially vulnerable components. This process is known as Software Composition Analysis (SCA).
Here’s why: Understanding SCA:
Definition: SCA involves analyzing software to identify third-party and open-source components, checking for known vulnerabilities, and ensuring license compliance.
Purpose: To detect and manage risks associated with third-party software components.
Comparison with Other Terms:
SAST (A): Static Application Security Testing involves analyzing source code for security vulnerabilities without executing the code.
SBOM (B): Software Bill of Materials is a detailed list of all components in a software product, often used in SCA but not the analysis itself.
ICS (C): Industrial Control Systems, not relevant to the context of software analysis.
The tester’s activity of examining a JAR file for vulnerable components aligns with SCA, making it the correct answer.
A penetration tester creates the following Python script that can be used to enumerate information about email accounts on a target mail server:
Which of the following logic constructs would permit the script to continue despite failure?
- A . Add a do/while loop.
- B . Add an iterator.
- C . Add a t.ry/except. block.
- D . Add an if/else conditional.
C
Explanation:
The correct construct for handling runtime failures (for example, login failures, network timeouts, or server errors) in Python is a try/except block (option C). Wrapping potentially failing operations in a try block and handling exceptions in except allows the script to catch the exception and continue execution (log the error, skip the target, retry, etc.) rather than crashing.
Why C is correct:
try/except is the Python mechanism to handle exceptions raised during execution. For network/email operations (IMAP login/select), IMAP libraries raise exceptions on failure ― try/except catches these and enables recovery logic.
Example corrected snippet:
import imaplib, sys
def enumerate_inbox(server, port, user, passwd):
try:
mail = imaplib.IMAP4(server, port)
mail.login(user, passwd)
status, messages = mail.select("inbox")
print(f"Total Emails: {int(messages[0])}")
except imaplib.IMAP4.error as e:
print(f"IMAP error for {user}: {e}")
# continue to next account or retry except Exception as e:
print(f"Unexpected error for {user}: {e}") finally:
try:
mail.logout()
except: pass
Why the other options are not the best fit:
A penetration tester creates the following Python script that can be used to enumerate information about email accounts on a target mail server:
Which of the following logic constructs would permit the script to continue despite failure?
- A . Add a do/while loop.
- B . Add an iterator.
- C . Add a t.ry/except. block.
- D . Add an if/else conditional.
C
Explanation:
The correct construct for handling runtime failures (for example, login failures, network timeouts, or server errors) in Python is a try/except block (option C). Wrapping potentially failing operations in a try block and handling exceptions in except allows the script to catch the exception and continue execution (log the error, skip the target, retry, etc.) rather than crashing.
Why C is correct:
try/except is the Python mechanism to handle exceptions raised during execution. For network/email operations (IMAP login/select), IMAP libraries raise exceptions on failure ― try/except catches these and enables recovery logic.
Example corrected snippet:
import imaplib, sys
def enumerate_inbox(server, port, user, passwd):
try:
mail = imaplib.IMAP4(server, port)
mail.login(user, passwd)
status, messages = mail.select("inbox")
print(f"Total Emails: {int(messages[0])}")
except imaplib.IMAP4.error as e:
print(f"IMAP error for {user}: {e}")
# continue to next account or retry except Exception as e:
print(f"Unexpected error for {user}: {e}") finally:
try:
mail.logout()
except: pass
Why the other options are not the best fit:
A penetration tester finds it is possible to downgrade a web application’s HTTPS connections to HTTP while performing on-path attacks on the local network.
The tester reviews the output of the server response to:
curl -s -i https://internalapp/
HTTP/2 302
date: Thu, 11 Jan 2024 15:56:24 GMT
content-type: text/html; charset=iso-8659-1
location: /login
x-content-type-options: nosniff
server: Prod
Which of the following recommendations should the penetration tester include in the report?
- A . Add the HSTS header to the server.
- B . Attach the httponly flag to cookies.
- C . Front the web application with a firewall rule to block access to port 80.
- D . Remove the x-content-type-options header.
A
Explanation:
The tester identified an HTTPS downgrade attack (e.g., SSL stripping). The best mitigation is to enforce HSTS (HTTP Strict Transport Security).
HSTS (Option A):
HSTS (Strict-Transport-Security) ensures that the browser always uses HTTPS, preventing downgrade attacks.
Example header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Web Security Headers and HTTPS Enforcements"
Incorrect options:
Option B (httponly flag): Protects cookies from JavaScript access but does not enforce HTTPS.
Option C (Firewall rule on port 80): Helps, but does not force browsers to use HTTPS.
Option D (Removing x-content-type-options): Unrelated; nosniff prevents MIME-type sniffing.
A company hires a penetration tester to test the security implementation of its wireless networks. The main goal for this assessment is to intercept and get access to sensitive data from the company’s employees.
Which of the following tools should the security professional use to best accomplish this task?
- A . Metasploit
- B . WiFi-Pumpkin
- C . SET
- D . theHarvester
- E . WiGLE.net
B
Explanation:
The question specifies wireless network security assessment with the goal of intercepting sensitive employee data.
WiFi-Pumpkin is specifically designed for Wi-Fi penetration testing. It can act as a rogue access point (evil twin attack) to trick users into connecting, then perform man-in-the-middle (MITM) attacks, traffic interception, credential harvesting, and phishing over Wi-Fi. This matches the goal of capturing sensitive employee data.
Why not the others?
A penetration tester is enumerating a Linux system.
The goal is to modify the following script to provide more comprehensive system information:
#!/bin/bash
ps aux >> linux_enum.txt
Which of the following lines would provide the most comprehensive enumeration of the system?
- A . cat /etc/passwd >> linux_enum.txt; netstat -tuln >> linux_enum.txt; cat /etc/bash.bashrc >> linux_enum.txt
- B . whoami >> linux_enum.txt; uname -a >> linux_enum.txt; ifconfig >> linux_enum.txt
- C . hostname >> linux_enum.txt; echo $USER >> linux_enum.txt; curl ifconfig.me >> linux_enum.txt
- D . lsof -i >> linux_enum.txt; uname -a >> linux_enum.txt; ls /home/ >> linux_enum.txt
A
Explanation:
This command gathers:
/etc/passwd C lists all local user accounts.
netstat -tuln C lists listening ports and associated services.
/etc/bash.bashrc C contains environment variables and configurations that could reveal system behaviors or hidden persistence mechanisms.
This provides a much broader and deeper enumeration compared to other options.
Reference: PT0-003 Objective 4.1 C Post-exploitation techniques including enumeration of system users, services, and configurations.
A tester performs a vulnerability scan and identifies several outdated libraries used within the customer SaaS product offering.
Which of the following types of scans did the tester use to identify the libraries?
- A . IAST
- B . SBOM
- C . DAST
- D . SAST
D
Explanation:
kube-hunter is a tool designed to perform security assessments on Kubernetes clusters. It identifies various vulnerabilities, focusing on weaknesses and misconfigurations.
Here’s why option B is correct:
Kube-hunter: It scans Kubernetes clusters to identify security issues, such as misconfigurations, insecure settings, and potential attack vectors.
Network Configuration Errors: While kube-hunter might identify some network-related issues, its primary focus is on Kubernetes-specific vulnerabilities and misconfigurations.
Application Deployment Issues: These are more related to the applications running within the cluster, not the cluster configuration itself.
Security Vulnerabilities in Docker Containers: Kube-hunter focuses on the Kubernetes environment rather than Docker container-specific vulnerabilities.
Reference from Pentest:
Forge HTB: Highlights the use of specialized tools to identify misconfigurations in environments, similar to how kube-hunter operates within Kubernetes clusters.
Anubis HTB: Demonstrates the importance of identifying and fixing misconfigurations within complex environments like Kubernetes clusters.
Conclusion:
Option B, weaknesses and misconfigurations in the Kubernetes cluster, accurately describes the type of vulnerabilities that kube-hunter is designed to detect.
During an assessment, a penetration tester obtains access to a Microsoft SQL server using sqlmap and runs the following command:
sql> xp_cmdshell whoami /all
Which of the following is the tester trying to do?
- A . List database tables
- B . Show logged-in database users
- C . Enumerate privileges
- D . Display available SQL commands
C
Explanation:
The command xp_cmdshell executes system-level commands from SQL Server. The command whoami /all is used to enumerate user privileges, group memberships, and security contexts on Windows systems.
From the CompTIA PenTest+ PT0-003 Official Study Guide (Chapter 8 C Post-Exploitation Techniques): “Using xp_cmdshell and system commands like whoami /all allows testers to identify the privilege level of the database user and system access level.”
Reference: Chapter 8, CompTIA PenTest+ PT0-003 Official Study Guide