Practice Free PT0-003 Exam Online Questions
During a routine penetration test, the client’s security team observes logging alerts that indicate several ID badges were reprinted after working hours without authorization.
Which of the following is the penetration tester most likely trying to do?
- A . Obtain long-term, valid access to the facility
- B . Disrupt the availability of facility access systems
- C . Change access to the facility for valid users
- D . Revoke access to the facility for valid users
A
Explanation:
Reprinting ID badges after hours is the mark of a physical-security test: a badge that the access-control system accepts as genuine gives the tester repeatable entry for the rest of the engagement, rather than a one-off tailgate or a propped door.
Option A (Obtain long-term, valid access) ✅ : Correct. Cloning or reprinting badges allows persistent access past security checks.
Option B (Disrupt availability) ❌ : There is no indication of a denial-of-service attack.
Option C (Change access for valid users) ❌ : The goal is not modifying user access, but rather gaining unauthorized access.
Option D (Revoke access for valid users) ❌ : The logs show new badges being printed, not revocation.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Physical Security Testing
A penetration tester needs to help create a threat model of a custom application.
Which of the following is the most likely framework the tester will use?
- A . MITRE ATT&CK
- B . OSSTMM
- C . CI/CD
- D . DREAD
D
Explanation:
The DREAD model is a risk assessment framework used to evaluate and prioritize the security risks of an application. It stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.
Understanding DREAD:
Purpose: Provides a structured way to assess and prioritize risks based on their potential impact and likelihood.
Components:
Damage Potential: The extent of harm that an exploit could cause.
Reproducibility: How easily the exploit can be reproduced.
Exploitability: The ease with which the vulnerability can be exploited.
Affected Users: The number of users affected by the exploit.
Discoverability: The likelihood that the vulnerability will be discovered.
Usage in Threat Modeling:
Evaluation: Assign scores to each DREAD component to assess the overall risk.
Prioritization: Higher scores indicate higher risks, helping prioritize remediation efforts.
Process:
Identify Threats: Enumerate potential threats to the application.
Assess Risks: Use the DREAD model to evaluate each threat.
Prioritize: Focus on addressing the highest-scoring threats first.
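The scoring and prioritisation steps above, as an added example that is not code from the page, from CompTIA or from any of the guides it cites. DREAD does not fix a scale, so the 1 to 10 range per component, the simple average, the risk bands and the three threats for a hypothetical order-management application are all assumptions for this example:

```python
"""DREAD scoring and prioritisation for a custom application.

Added example; not code from the page or from any CompTIA material. DREAD
fixes no scale, so the 1-10 range per component, the averaging, the risk
bands and the three sample threats below are all assumptions.
"""
from dataclasses import dataclass

COMPONENTS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
LOW, HIGH = 1, 10


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int            # how bad the impact of a successful exploit is
    reproducibility: int   # how reliably the exploit works again
    exploitability: int    # how little skill, effort or access it needs
    affected_users: int    # how much of the user base is hit
    discoverability: int   # how easily an attacker finds the weakness

    def score(self):
        """Mean of the five components; rejects values outside the scale."""
        values = [getattr(self, c) for c in COMPONENTS]
        for c, v in zip(COMPONENTS, values):
            if not LOW <= v <= HIGH:
                raise ValueError(f"{self.name}: {c}={v} outside {LOW}..{HIGH}")
        return sum(values) / len(values)


def risk_band(score):
    """Assumed bands; align them with the engagement's severity scheme."""
    if score >= 8.0:
        return "Critical"
    if score >= 6.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(threats):
    """Highest DREAD score first; ties broken by damage, then by name so
    the ordering is stable across runs."""
    return sorted(threats, key=lambda t: (-t.score(), -t.damage, t.name))


# Constructed threats for a hypothetical order-management web application.
SAMPLE_THREATS = [
    Threat("SQL injection in order search", 9, 9, 8, 9, 7),
    Threat("Stack traces leaked on error page", 3, 10, 9, 5, 8),
    Threat("Admin session fixation", 7, 5, 4, 3, 3),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        s = t.score()
        print(f"{s:4.1f}  {risk_band(s):8}  {t.name}")
```

Many teams pin Discoverability at 10 for every threat (assume it will be found) so that a score cannot be talked down by hoping for obscurity; with this code that is simply passing 10 as the last field.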
Reference from Pentesting Literature:
The DREAD model is widely discussed in threat modeling and risk assessment sections of penetration testing guides.
HTB write-ups often include references to DREAD when explaining how to assess and prioritize vulnerabilities in applications.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
A penetration tester is configuring a vulnerability management solution to perform credentialed scans of an Active Directory server.
Which of the following account types should the tester provide to the scanner?
- A . Read-only
- B . Domain administrator
- C . Local user
- D . Root
B
Explanation:
To perform credentialed scans on an Active Directory (AD) domain controller, the scanner needs an account that can read the registry, installed software, patch state and local security policy over SMB/WMI. A domain controller has no ordinary local accounts, so that means a domain account with administrative rights; of the options listed, a Domain Administrator account is the one that guarantees full visibility into domain resources and permissions, which is why it is the expected answer. In practice, treat the scanner credential as a least-privilege problem: use a dedicated, monitored scanning account rather than a shared admin login, restrict where it may log on, and rotate it after the engagement, because the scanner stores that credential and replays it against every target it touches.
From the CompTIA PenTest+ PT0-003 Objectives – Domain 2.0: Information Gathering and Vulnerability Identification:
“Credentialed scans require administrative-level access on target systems to provide detailed insights into software versions, missing patches, and security settings.”
Reference: CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 6
Which of the following is within the scope of proper handling and most crucial when working on a penetration testing report?
- A . Keeping both video and audio of everything that is done
- B . Keeping the report to a maximum of 5 to 10 pages in length
- C . Basing the recommendation on the risk score in the report
- D . Making the report clear for all objectives with a precise executive summary
D
Explanation:
Importance of a Clear Executive Summary:
The executive summary is essential because it provides decision-makers with a concise overview of the findings, risks, and recommendations without requiring deep technical knowledge.
Clarity in objectives ensures that all stakeholders understand the purpose, scope, and outcomes of the test.
Why Not Other Options?
A: Video and audio recordings can be part of evidence collection during testing, but they are not a report-handling requirement and do not make the report usable to its readers.
B: Limiting the report to 5 to 10 pages may compromise its comprehensiveness and omit critical details.
C: Recommendations based solely on the risk score may not address the broader context or organizational priorities.
CompTIA PenTest+ Reference: Domain 5.0 (Reporting and Communication)
A penetration tester discovers evidence of an advanced persistent threat on the network that is being tested.
Which of the following should the tester do next?
- A . Report the finding.
- B . Analyze the finding.
- C . Remove the threat.
- D . Document the finding and continue testing.
A
Explanation:
Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.
Advanced Persistent Threat (APT):
Definition: APTs are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period.
Significance: APTs often involve sophisticated tactics, techniques, and procedures (TTPs) aimed at stealing data or causing disruption.
Immediate Reporting:
Criticality: Discovering an APT requires immediate attention from the organization’s security team due to the potential impact and persistence of the threat.
Chain of Command: Following the protocol for reporting such findings ensures that appropriate incident response measures are initiated promptly.
Other Actions:
Analyzing the Finding: While analysis is important, it should be conducted by the incident response team after reporting.
Removing the Threat: This action should be taken by the organization’s security team following established incident response procedures.
Documenting and Continuing Testing: Documentation is crucial, but the immediate priority should be reporting the APT to ensure prompt action.
PenTest+ Reference:
Incident Response: Understanding the importance of immediate reporting and collaboration with the organization’s security team upon discovering critical threats like APTs.
Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats.
By reporting the finding immediately, the penetration tester ensures that the organization’s security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.
A penetration tester is conducting a wireless security assessment for a client with 2.4GHz and 5GHz access points. The tester places a wireless USB dongle in the laptop to start capturing WPA2 handshakes.
Which of the following steps should the tester take next?
- A . Enable monitoring mode using Aircrack-ng.
- B . Use Kismet to automatically place the wireless dongle in monitor mode and collect handshakes.
- C . Run KARMA to break the password.
- D . Research WiGLE.net for potential nearby client access points.
A
Explanation:
Monitor mode is the prerequisite for capturing WPA2 handshakes: in managed mode the adapter only passes frames addressed to it, whereas in monitor mode it hands every 802.11 frame it hears, including the EAPOL frames of other clients' 4-way handshakes, to the capture tool.
Preparation:
Wireless USB Dongle: Make sure the dongle's chipset supports monitor mode and packet injection and, for the client's 5GHz access points, the 5GHz band; a 2.4GHz-only adapter never sees those handshakes.
Aircrack-ng Suite: Use the Aircrack-ng suite, a popular set of tools for wireless network auditing.
Enable Monitor Mode:
Command: Use airmon-ng to put the wireless interface into monitor mode. Run airmon-ng check kill first so that NetworkManager and wpa_supplicant do not pull the interface back into managed mode; current Aircrack-ng releases create a new interface named wlan0mon.
airmon-ng check kill
airmon-ng start wlan0
Verify: Confirm the interface reports Mode:Monitor.
iwconfig wlan0mon
Capture WPA2 Handshakes:
Airodump-ng: Scan once to find the target's BSSID and channel (add --band a to hop across the 5GHz channels), then lock onto that BSSID and channel and write the capture to disk; without -w the handshake is displayed but not saved.
airodump-ng wlan0mon
airodump-ng --bssid <BSSID> -c <channel> -w capture wlan0mon
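The monitor-mode check and capture command above, as an added Python example that is not code from the page, from Aircrack-ng or from the guides it cites. The iwconfig output is constructed to mirror the tool's layout, and the interface names, BSSID and channel are assumptions; the script only reads iwconfig and prints the airodump-ng command, it does not start the capture:

```python
"""Confirm monitor mode and build the handshake capture command.

Added example; not code from the page, from Aircrack-ng or from the
guides it cites. SAMPLE_IWCONFIG is constructed to mirror iwconfig's
layout; interface names, the BSSID and the channel are assumptions.
"""
import re
import shutil
import subprocess


def parse_iwconfig(text):
    """Map each wireless interface name to its reported Mode.

    iwconfig prints the interface name at column 0 and may put the
    Mode: field on a continuation line, so the current interface is
    tracked across indented lines. Interfaces with no wireless
    extensions never print a Mode: field and are omitted.
    """
    modes = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
        if current is None:
            continue
        m = re.search(r"Mode:(\w+)", line)
        if m:
            modes[current] = m.group(1)
    return modes


def monitor_interfaces(text):
    """Interfaces that are actually in monitor mode (sorted for stable output)."""
    return sorted(name for name, mode in parse_iwconfig(text).items()
                  if mode == "Monitor")


def airodump_command(iface, outfile, bssid=None, channel=None, band=None):
    """airodump-ng invocation that saves the capture to disk.

    -w writes the .cap file; without it a captured handshake is shown
    but lost. Locking --bssid and -c to the target AP stops channel
    hopping during the 4-way handshake. When the channel is not yet
    known, --band a limits hopping to 5 GHz (needs a 5 GHz adapter);
    a fixed channel takes precedence over the band.
    """
    cmd = ["airodump-ng", "-w", outfile]
    if bssid:
        cmd += ["--bssid", bssid]
    if channel is not None:
        cmd += ["-c", str(channel)]
    elif band:
        cmd += ["--band", band]
    cmd.append(iface)
    return cmd


# Constructed iwconfig output: one interface already in monitor mode,
# one still managed, one non-wireless interface.
SAMPLE_IWCONFIG = """\
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

wlan1     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm

lo        no wireless extensions.
"""


if __name__ == "__main__":
    if shutil.which("iwconfig") is None:
        raise SystemExit("iwconfig not found; on Linux install wireless-tools")
    output = subprocess.run(["iwconfig"], capture_output=True, text=True).stdout
    mons = monitor_interfaces(output)
    if not mons:
        raise SystemExit("no interface in monitor mode; run: "
                         "airmon-ng check kill && airmon-ng start wlan0")
    # Assumed target: BSSID and channel taken from an initial airodump-ng scan.
    print(" ".join(airodump_command(mons[0], "capture",
                                    bssid="AA:BB:CC:DD:EE:FF", channel=6)))
```

Running it before the capture catches the two common mistakes at once: an interface that silently fell back to managed mode because a network manager was still running, and a capture started without -w so the handshake never reaches disk.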
Reference from Pentesting Literature:
Enabling monitoring mode is a fundamental step in wireless penetration testing, discussed in guides like "Penetration Testing – A Hands-on Introduction to Hacking".
HTB write-ups often start with enabling monitoring mode before proceeding with capturing WPA2 handshakes.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network’s authentication mechanism to gain unauthorized access to the network.
Which of the following attacks would the tester most likely perform to gain access?
- A . KARMA attack
- B . Beacon flooding
- C . MAC address spoofing
- D . Eavesdropping
C
Explanation:
MAC address spoofing involves changing the MAC address of a network interface to mimic another device on the network. This technique is often used to bypass network access controls and gain unauthorized access to a network.
Understanding MAC Address Spoofing:
MAC Address: A unique identifier assigned to network interfaces for communication on the physical network segment.
Spoofing: Changing the MAC address to a different one, typically that of an authorized device, to gain access to restricted networks. On Wi-Fi this is practical because client MAC addresses travel unencrypted in 802.11 frame headers even on WPA2 networks, so an allow-listed address can be read from a monitor-mode capture (airodump-ng lists the stations associated with each BSSID) and cloned.
Purpose:
Bypassing Access Controls: Gain access to networks that use MAC address filtering as a security measure.
Impersonation: Assume the identity of another device on the network to intercept traffic or access network resources.
Tools and Techniques:
Linux Command: Use ip (or the older ifconfig) to change the MAC address. Both need root, and on most drivers the interface must be down while the address is written:
ip link set dev eth0 down
ip link set dev eth0 address 00:11:22:33:44:55
ip link set dev eth0 up
ifconfig eth0 hw ether 00:11:22:33:44:55
Tools: macchanger automates the same change, for example macchanger -m 00:11:22:33:44:55 eth0 to clone a specific address or macchanger -r eth0 for a random one; only the cloned address passes a MAC allow list.
Impact:
Network Access: Gain unauthorized access to networks and network resources.
Interception: Capture traffic intended for another device, potentially leading to data theft or further exploitation.
Detection and Mitigation:
Monitoring: Alert on the same MAC address being learned on two switch ports or associated with two access points at once, on a MAC whose OUI does not match the device type documented for that port, and on locally administered addresses (U/L bit set) where only vendor hardware is expected.
Secure Configuration: Enable port security on switches so a port accepts only its expected addresses, and treat MAC filtering as inventory hygiene rather than authentication; 802.1X (EAP on wireless, dot1x on wired ports) is what ties access to a credential a spoofed MAC cannot supply.
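Cloning versus randomising a MAC, and what the clone looks like from the defender's side, as an added example that is not code from the page, from macchanger or from the guides it cites. The authorized address, the OUI and the switch MAC-learning log lines (whose format is invented) are constructed; spoof_commands() returns the ip link sequence without executing it, since applying it needs root and takes the interface down:

```python
"""MAC cloning versus random MACs, and how a clone shows up in switch logs.

Added example; not code from the page, from macchanger or from the guides
it cites. The authorized MAC, the OUI and the switch log lines are
constructed; the log format is invented for this example.
"""
import re
import secrets

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Lower-case colon form; rejects anything that is not six hex octets."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set: the address was
    assigned by software rather than burned in. macchanger -r and most
    random-MAC features set it; an exact clone of a real device does not."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


def clone_mac(authorized_mac):
    """The address that bypasses a MAC allow list: an exact copy of one that
    is already permitted (on Wi-Fi it is readable in clear-text frame headers)."""
    return normalize_mac(authorized_mac)


def random_mac_with_oui(oui):
    """Random host part under a real vendor OUI so the address blends in with
    inventory. This does not pass an allow list; it only avoids standing out."""
    prefix = normalize_mac(oui + ":00:00:00")[:8]
    host = secrets.token_bytes(3)
    return prefix + ":" + ":".join(f"{b:02x}" for b in host)


def spoof_commands(iface, new_mac):
    """Linux sequence to apply the address (ifconfig's hw ether is equivalent)."""
    new_mac = normalize_mac(new_mac)
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", new_mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


LOG_RE = re.compile(r"mac=(?P<mac>[0-9a-f:]{17}) port=(?P<port>\S+)")


def detect_duplicate_macs(log_lines):
    """Defender's view: a MAC learned on more than one switch port is the
    classic symptom of an allow-listed address being cloned elsewhere.
    Returns {mac: sorted ports} for every address seen on two or more ports."""
    ports_by_mac = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            ports_by_mac.setdefault(m["mac"], set()).add(m["port"])
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items()
            if len(ports) > 1}


# Constructed switch MAC-learning log: the authorized printer's address
# appears on its own port and, fifteen minutes later, on a second port.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 sw1 mac=00:11:22:33:44:55 port=Gi1/0/7 vlan=10",
    "2024-05-01T09:00:02 sw1 mac=00:11:22:aa:bb:cc port=Gi1/0/8 vlan=10",
    "2024-05-01T09:15:40 sw1 mac=00:11:22:33:44:55 port=Gi1/0/23 vlan=10",
]

if __name__ == "__main__":
    authorized = "00:11:22:33:44:55"
    for cmd in spoof_commands("eth0", clone_mac(authorized)):
        print(" ".join(cmd))
    blended = random_mac_with_oui("00:11:22")
    print("random under vendor OUI:", blended,
          "locally administered:", is_locally_administered(blended))
    print("duplicates:", detect_duplicate_macs(SAMPLE_LOG))
```

The split between clone_mac() and random_mac_with_oui() is the point to take away: a randomised address hides the tester's hardware but never satisfies a MAC allow list, and the clone that does satisfy it is exactly what a duplicate-MAC alert on the switch catches.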
Reference from Pentesting Literature:
MAC address spoofing is a common technique discussed in wireless and network security chapters of penetration testing guides.
HTB write-ups often include examples of using MAC address spoofing to bypass network access controls and gain unauthorized access.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
A penetration tester assesses an application allow list and has limited command-line access on the Windows system.
Which of the following would give the penetration tester information that could aid in continuing the test?
- A . mmc.exe
- B . icacls.exe
- C . nltest.exe
- D . rundll.exe
C
Explanation:
When a penetration tester has limited command-line access on a Windows system, the choice of tool is critical for gathering information to aid in furthering the test.
Here's an explanation for each option:
mmc.exe (Microsoft Management Console):
Primarily used for managing Windows and its services. It’s not typically useful for gathering information about the system from the command line in a limited access scenario.
icacls.exe:
This tool is used for modifying file and folder permissions. While useful for modifying security settings, it does not directly aid in gathering system information or enumeration.
nltest.exe:
This is a powerful command-line utility for network testing and gathering information about domain controllers, trusts, and replication status. Key functionalities include:
Listing domain controllers: nltest /dclist:<DomainName>
Querying domain trusts: nltest /domain_trusts
Checking the secure channel: nltest /sc_query:<DomainName>
These capabilities make nltest very useful for understanding the network environment, especially in a domain context, which is essential for penetration testing.
rundll.exe (the actual binary on current Windows is rundll32.exe):
This utility loads a DLL and calls an exported function, so it is an execution primitive rather than an information source; it may matter later when working around an application allow list, but on its own it reveals nothing about the system or the domain.
Conclusion: nltest.exe is the best choice among the given options as it provides valuable information about the network, domain controllers, and trust relationships. This information is crucial for a penetration tester to plan further actions and understand the domain environment.
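Triage of nltest /domain_trusts output, as an added example that is not code from the page or from Microsoft. SAMPLE_NLTEST is constructed to mirror nltest's layout with invented domain names and attribute values; run_nltest() executes the real command on a domain-joined Windows host, and the rest works offline on saved output. It reads Direct Inbound as "the listed domain trusts the current one", which is how Microsoft defines the /Direct_In filter, and decodes the Attr bits with the trustAttributes values from MS-ADTS:

```python
"""Parse nltest /domain_trusts output and pick out the trusts worth a look.

Added example; not code from the page or from Microsoft. SAMPLE_NLTEST is
constructed to mirror nltest's layout; the domain names and attribute
values are invented. run_nltest() runs the real command on a
domain-joined Windows host; everything else works offline on saved output.
"""
import re
import subprocess

TRUST_RE = re.compile(
    r"^\s*(?P<index>\d+):\s+(?P<netbios>\S+)\s+(?P<dns>\S+)\s*(?P<rest>.*)$")

# trustAttributes bits as documented in MS-ADTS.
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",   # SID filtering enforced on this trust
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",
}


def parse_domain_trusts(text):
    """One dict per trust line: index, netbios, dns, flags (the parenthesised
    tokens) and attr (the numeric Attr value, or None when nltest omits it)."""
    trusts = []
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if not m:
            continue
        flags = [f.strip() for f in re.findall(r"\(([^)]*)\)", m["rest"])]
        attr = None
        for f in flags:
            a = re.match(r"Attr:\s*0x([0-9a-fA-F]+)$", f)
            if a:
                attr = int(a.group(1), 16)
        trusts.append({"index": int(m["index"]), "netbios": m["netbios"],
                       "dns": m["dns"], "flags": flags, "attr": attr})
    return trusts


def decode_attr(attr):
    """Names of the set trustAttributes bits, lowest bit first."""
    if attr is None:
        return []
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if attr & bit]


def sid_filtered(trust):
    """True when QUARANTINED_DOMAIN is set: SID history from the other side
    is stripped, which blocks the usual cross-trust SID-history abuse."""
    return trust["attr"] is not None and bool(trust["attr"] & 0x04)


def pivot_candidates(trusts):
    """Domains that trust the current one (Direct Inbound): accounts from
    here can authenticate there, so they are the first hops to check."""
    return [{"dns": t["dns"],
             "within_forest": "WITHIN_FOREST" in decode_attr(t["attr"]),
             "sid_filtered": sid_filtered(t)}
            for t in trusts if "Direct Inbound" in t["flags"]]


def run_nltest():
    """Run the real command (Windows, domain-joined host)."""
    return subprocess.run(["nltest", "/domain_trusts"], capture_output=True,
                          text=True, check=True).stdout


# Constructed output in nltest's layout: the primary domain, a child domain
# in the same forest, an external two-way trust, and a one-way outbound
# trust with SID filtering.
SAMPLE_NLTEST = """\
List of domain trusts:
    0: CORP corp.example (NT 5) (Forest Tree Root) (Primary Domain) (Native)
    1: DEV dev.corp.example (NT 5) (Forest: 0) (Direct Outbound) (Direct Inbound) ( Attr: 0x20 )
    2: PARTNER partner.example (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x8 )
    3: LEGACY legacy.example (NT 5) (Direct Outbound) ( Attr: 0x4 )
The command completed successfully
"""

if __name__ == "__main__":
    for hop in pivot_candidates(parse_domain_trusts(SAMPLE_NLTEST)):
        print(hop)
```

On a real host replace SAMPLE_NLTEST with run_nltest(); nltest needs no special privileges for /domain_trusts, which is why it is useful from a limited shell.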
A company hires a penetration tester to test the security implementation of its wireless networks. The main goal for this assessment is to intercept and get access to sensitive data from the company’s employees.
Which of the following tools should the security professional use to best accomplish this task?
- A . Metasploit
- B . WiFi-Pumpkin
- C . SET
- D . theHarvester
- E . WiGLE.net
B
Explanation:
The question specifies wireless network security assessment with the goal of intercepting sensitive employee data.
WiFi-Pumpkin is specifically designed for Wi-Fi penetration testing. It can act as a rogue access point (evil twin attack) to trick users into connecting, then perform man-in-the-middle (MITM) attacks, traffic interception, credential harvesting, and phishing over Wi-Fi. This matches the goal of capturing sensitive employee data.
Why not the others?
A: Metasploit is a general exploitation framework; it has a few wireless-related modules but is not built for running a rogue access point and intercepting client traffic.
C: SET (Social-Engineer Toolkit) builds phishing sites and payloads for social-engineering attacks; it does not capture wireless traffic.
D: theHarvester gathers OSINT (e-mail addresses, hostnames, subdomains) from public sources and never touches the wireless network.
E: WiGLE.net is a public database of wardriving results used to locate access points by SSID or BSSID; it supplies reconnaissance data, not interception.