Practice Free PT0-003 Exam Online Questions
A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client. The client authorized spear phishing in the rules of engagement.
Which of the following should the tester do first when developing the phishing campaign?
- A . Shoulder surfing
- B . Recon-ng
- C . Social media
- D . Password dumps
C
Explanation:
When developing a phishing campaign, the tester should first use social media to gather information about the targets.
Social Media:
Purpose: Social media platforms like LinkedIn, Facebook, and Twitter provide valuable information about individuals, including their job roles, contact details, interests, and connections.
Reconnaissance: This information helps craft convincing and targeted phishing emails, increasing the likelihood of success.
Process:
Gathering Information: Collect details about the target employees, such as their names, job titles, email addresses, and any personal information that can make the phishing email more credible.
Crafting Phishing Emails: Use the gathered information to personalize phishing emails, making them appear legitimate and relevant to the recipients.
Other Options:
Shoulder Surfing: Observing someone’s screen or keyboard input to gain information, not suitable for gathering broad information for a phishing campaign.
Recon-ng: A tool for automated reconnaissance, useful but more general. Social media is specifically targeted for gathering personal information.
Password Dumps: Using previously leaked passwords to find potential targets is more invasive and less relevant to the initial stage of developing a phishing campaign.
Pentest Reference:
Spear Phishing: A targeted phishing attack aimed at specific individuals, using personal information to increase the credibility of the email.
OSINT (Open Source Intelligence): Leveraging publicly available information to gather intelligence on targets, including through social media.
By starting with social media, the penetration tester can collect detailed and personalized information about the targets, which is essential for creating an effective spear phishing campaign.
During a penetration test, the tester gains full access to the application’s source code. The application repository includes thousands of code files.
Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?
- A . Run TruffleHog against a local clone of the application
- B . Scan the live web application using Nikto
- C . Perform a manual code review of the Git repository
- D . Use SCA software to scan the application source code
A
Explanation:
Given a short assessment timeline and the need to identify hard-coded credentials in a large codebase, using an automated tool designed for this specific purpose is the most effective approach.
Here’s an explanation of each option:
Run TruffleHog against a local clone of the application (Answer A):
TruffleHog is a specialized tool that scans for hard-coded secrets such as passwords, API keys, and other sensitive data within the code repositories.
Effectiveness: It quickly and automatically identifies potential credentials and other sensitive information across thousands of files, making it the most efficient choice under time constraints.
Reference: TruffleHog is widely recognized for its ability to uncover hidden secrets in code repositories, making it a valuable tool for penetration testers.
Scan the live web application using Nikto (Option B):
Nikto is a web server scanner that identifies vulnerabilities in web applications.
Drawbacks: It is not designed to scan source code for hard-coded credentials. Instead, it focuses on web application vulnerabilities such as outdated software and misconfigurations.
Perform a manual code review of the Git repository (Option C):
Manually reviewing code can be thorough but is extremely time-consuming, especially with thousands of files.
Drawbacks: Given the short timeline, this approach is impractical and inefficient for identifying hard-coded credentials quickly.
Use SCA software to scan the application source code (Option D):
Software Composition Analysis (SCA) tools are used to analyze open source and third-party components within the code for vulnerabilities and license compliance.
Drawbacks: While SCA tools are useful for dependency analysis, they are not specifically tailored for finding hard-coded credentials.
Conclusion: Running TruffleHog against a local clone of the application is the most effective approach for quickly identifying hard-coded credentials in a large codebase within a limited timeframe.
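To show what a secret scanner like TruffleHog actually does, here is a small added example (not the page's content and not TruffleHog's code): regex matches for known key formats plus a Shannon-entropy check on long tokens, run over a constructed three-file "repository". The file names, patterns, and the 4.0-bit threshold are assumptions; the AWS key values are the placeholder credentials from AWS's own documentation, not real keys.

```python
import math
import re

# Constructed sample "repository": path -> file contents (not a real code base).
SAMPLE_REPO = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "Winter2024!"\n'
        'DEBUG = False\n'
    ),
    "deploy/aws.sh": (
        '#!/bin/sh\n'
        'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n'  # AWS doc placeholder key
        'export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n'
    ),
    "src/app.py": 'API_TIMEOUT = 30\nGREETING = "hello world"\n',
}

# Pattern detectors: (finding name, regex applied to each source line).
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password-assignment", re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]")),
]
# Entropy detector: long base64-like tokens above this many bits/char look machine-generated.
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}")
ENTROPY_THRESHOLD = 4.0  # assumed cut-off; identifiers and prose score well below it

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def scan_line(path, lineno, line):
    """Return (path, lineno, finding) tuples for one source line."""
    findings = []
    for name, rx in PATTERNS:
        if rx.search(line):
            findings.append((path, lineno, name))
    for tok in ENTROPY_TOKEN.findall(line):
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high-entropy-string"))
    return findings

def scan_repo(repo):
    """Scan every line of every file; findings keep repository order."""
    findings = []
    for path, text in repo.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            findings.extend(scan_line(path, lineno, line))
    return findings
```

The access key ID is caught by its fixed prefix, the secret key only by entropy, and the password by its assignment pattern; each detector alone would miss something.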
DRAG DROP
You are a penetration tester reviewing a client’s website through a web browser.
INSTRUCTIONS
Review all components of the website through the browser to determine if vulnerabilities are present.
Remediate ONLY the highest vulnerability from either the certificate, source, or cookies.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
During an internal penetration test, a tester compromises a Windows OS-based endpoint and bypasses the defensive mechanisms. The tester also discovers that the endpoint is part of an Active Directory (AD) local domain.
The tester’s main goal is to leverage credentials to authenticate into other systems within the Active Directory environment.
Which of the following steps should the tester take to complete the goal?
- A . Use Mimikatz to collect information about the accounts and try to authenticate in other systems
- B . Use Hashcat to crack a password for the local user on the compromised endpoint
- C . Use Evil-WinRM to access other systems in the network within the endpoint credentials
- D . Use Metasploit to create and execute a payload and try to upload the payload into other systems
A
Explanation:
Since the tester has compromised a Windows machine and bypassed security, the best next step is to extract credentials from memory to move laterally within Active Directory.
Option A (Mimikatz) ✅ : Correct.
Mimikatz extracts hashed credentials, plaintext passwords, and Kerberos tickets from memory. Attackers use Pass-the-Hash (PtH) or Pass-the-Ticket (PtT) to authenticate on other systems without cracking passwords.
Option B (Hashcat) ❌ : Cracking passwords takes time and is not necessary if Mimikatz provides reusable credentials.
Option C (Evil-WinRM) ❌ : Evil-WinRM is useful for remotely executing commands, but without valid credentials, it won’t work.
Option D (Metasploit) ❌ : Metasploit payloads may be useful for initial exploitation, but credential dumping is a better next step.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Credential Dumping & Lateral Movement
During an assessment, a penetration tester gains access to one of the internal hosts.
Given the following command:
schtasks /create /sc onlogon /tn "Windows Update" /tr "cmd.exe /c reverse_shell.exe"
Which of the following is the penetration tester trying to do with this code?
- A . Enumerate the scheduled tasks
- B . Establish persistence
- C . Deactivate the Windows Update functionality
- D . Create a binary application for Windows System Updates
B
Explanation:
The command creates a scheduled task that executes a reverse shell payload at logon, ensuring persistence.
Option A (Enumerate tasks) ❌ : This command creates a task rather than listing tasks (schtasks /query is used for enumeration).
Option B (Establish persistence) ✅ : Correct.
The attacker ensures a reverse shell opens every time a user logs in.
Option C (Deactivate Windows Update) ❌ : The task is named "Windows Update" but does not disable updates.
Option D (Create a Windows Update binary) ❌ : This executes a reverse shell, not a system update.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Windows Persistence Techniques
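The persistence technique above is what a defender looks for in the scheduled-task inventory. This added example (not from the page or any product) parses constructed rows in the style of `schtasks /query /fo csv /v`, cut down to four columns, and flags tasks that wrap their program in `cmd.exe /c`, launch a program outside trusted directories, or carry a name mimicking a Windows component; the column names, trusted-directory list, and lookalike names are assumptions.

```python
import csv
import io
import re

# Constructed sample in the style of `schtasks /query /fo csv /v`, reduced to four
# columns; the "Windows Update" row reuses the command from the question above.
SAMPLE_CSV = "\n".join([
    r'"TaskName","Schedule Type","Run As User","Task To Run"',
    r'"\Microsoft\Windows\WindowsUpdate\Scheduled Start","On an event","SYSTEM","%systemroot%\system32\usoclient.exe StartScan"',
    r'"\Windows Update","At logon time","DESKTOP-01\jsmith","cmd.exe /c reverse_shell.exe"',
    r'"\Backup Sync","Daily","SYSTEM","""C:\Program Files\Backup\sync.exe"" --nightly"',
    r'"\Updater","At logon time","DESKTOP-01\jsmith","C:\Users\jsmith\AppData\Local\Temp\update.exe"',
])

TRUSTED_DIRS = ("%systemroot%", "c:\\windows", "c:\\program files")  # assumed allow-list
LOOKALIKE = re.compile(r"(?i)windows\s*update|defender|onedrive")   # names worth a second look

def program_of(action):
    """Return the lower-cased program a task launches, unwrapping a `cmd.exe /c` wrapper."""
    m = re.match(r'(?i)^\s*"?[^"\s]*cmd(?:\.exe)?"?\s+/c\s+(.*)$', action)
    if m:
        action = m.group(1)
    m = re.match(r'^\s*"([^"]+)"|^\s*(\S+)', action)
    return (m.group(1) or m.group(2)).lower() if m else ""

def suspicious_reasons(row):
    """Collect the traits that make one task row look like a persistence mechanism."""
    reasons = []
    name, action = row["TaskName"], row["Task To Run"]
    if row["Schedule Type"].lower().startswith("at logon"):
        reasons.append("runs at logon")
    if re.match(r"(?i)^\s*cmd(\.exe)?\s+/c", action):
        reasons.append("cmd.exe /c wrapper")
    prog = program_of(action)
    if not prog.startswith(TRUSTED_DIRS):
        reasons.append("program outside trusted directories: " + prog)
    if LOOKALIKE.search(name) and not name.lower().startswith("\\microsoft\\"):
        reasons.append("name imitates a Windows component")
    return reasons

def find_suspicious_tasks(csv_text):
    """Tasks with at least one trait stronger than merely running at logon."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = suspicious_reasons(row)
        if any(r != "runs at logon" for r in reasons):
            flagged.append((row["TaskName"], reasons))
    return flagged
```

Running at logon alone is not flagged, since many legitimate tasks do that; it is reported as context when another trait is present.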
A tester runs an Nmap scan against a Windows server and receives the following results:
Nmap scan report for win_dns.local (10.0.0.5)
Host is up (0.014s latency)
Port State Service
53/tcp open domain
161/tcp open snmp
445/tcp open smb-ds
3389/tcp open rdp
Which of the following TCP ports should be prioritized for using hash-based relays?
- A . 53
- B . 161
- C . 445
- D . 3389
C
Explanation:
Port 445 is used for SMB (Server Message Block) services, which are commonly targeted for hash-based relay attacks like NTLM relay attacks.
Step-by-Step Explanation
Understanding Hash-Based Relays:
NTLM Relay Attack: An attacker intercepts and relays NTLM authentication requests to another service, effectively performing authentication on behalf of the victim.
SMB Protocol: Port 445 is used for SMB/CIFS traffic, which supports NTLM authentication.
Prioritizing Port 445:
Vulnerability: SMB is often targeted because it frequently supports NTLM authentication, making it susceptible to relay attacks.
Tools: Tools like Responder and NTLMRelayX are commonly used to capture and relay NTLM hashes over SMB.
Execution:
Capture Hash: Use a tool like Responder to capture NTLM hashes.
Relay Hash: Use a tool like NTLMRelayX to relay the captured hash to another service on port 445.
Reference from Pentesting Literature:
Penetration testing guides frequently discuss targeting SMB (port 445) for hash-based relay attacks.
HTB write-ups often include examples of NTLM relay attacks using port 445.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
A penetration tester assesses an application allow list and has limited command-line access on the Windows system.
Which of the following would give the penetration tester information that could aid in continuing the test?
- A . mmc.exe
- B . icacls.exe
- C . nltest.exe
- D . rundll.exe
C
Explanation:
When a penetration tester has limited command-line access on a Windows system, the choice of tool is critical for gathering information to aid in furthering the test.
Here’s an explanation for each option:
mmc.exe (Microsoft Management Console):
Primarily used for managing Windows and its services. It’s not typically useful for gathering information about the system from the command line in a limited-access scenario.
icacls.exe:
This tool is used for modifying file and folder permissions. While useful for modifying security settings, it does not directly aid in gathering system information or enumeration.
nltest.exe:
This is a powerful command-line utility for network testing and gathering information about domain controllers, trusts, and replication status. Key functionalities include:
Listing domain controllers: nltest /dclist:<DomainName>
Querying domain trusts: nltest /domain_trusts
Checking the secure channel: nltest /sc_query:<DomainName>
These capabilities make nltest very useful for understanding the network environment, especially in a domain context, which is essential for penetration testing.
rundll.exe:
This utility is used to run DLLs as programs. While it can be used for executing code, it does not provide direct information about the system or network environment.
Conclusion: nltest.exe is the best choice among the given options as it provides valuable information about the network, domain controllers, and trust relationships. This information is crucial for a penetration tester to plan further actions and understand the domain environment.
During a penetration test, a tester compromises a Windows computer.
The tester executes the following command and receives the following output:
mimikatz # privilege::debug
mimikatz # lsadump::cache
—Output—
lapsUser
27dh9128361tsg2459210138754ij
—OutputEnd—
Which of the following best describes what the tester plans to do by executing the command?
- A . The tester plans to perform the first step to execute a Golden Ticket attack to compromise the Active Directory domain.
- B . The tester plans to collect application passwords or hashes to compromise confidential information within the local computer.
- C . The tester plans to use the hash collected to perform lateral movement to other computers using a local administrator hash.
- D . The tester plans to collect the ticket information from the user to perform a Kerberoasting attack on the domain controller.
C
Explanation:
The tester is using Mimikatz to dump cached credentials from Local Security Authority (LSA) memory.
Pass-the-Hash (Option C):
The tester extracts cached credentials to authenticate without cracking passwords.
Pass-the-Hash (PtH) allows lateral movement by reusing the NTLM hash on other systems.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Post-Exploitation Techniques in Windows"
Incorrect options:
Option A (Golden Ticket attack): Requires KRBTGT ticket creation, not cached credentials.
Option B (Collect application passwords): Cached hashes are not application-specific.
Option D (Kerberoasting): Kerberoasting targets Service Principal Names (SPNs), not cached credentials.
A penetration tester needs to exploit a vulnerability in a wireless network that has weak encryption to perform traffic analysis and decrypt sensitive information.
Which of the following techniques would best allow the penetration tester to have access to the sensitive information?
- A . Bluejacking
- B . SSID spoofing
- C . Packet sniffing
- D . ARP poisoning
C
Explanation:
If a wireless network uses weak encryption (e.g., WEP), attackers can capture and analyze packets to extract sensitive data.
Packet sniffing (Option C):
Tools like Wireshark, Aircrack-ng, and Kismet capture network packets.
Attackers analyze captured traffic to decrypt WEP-protected frames or extract plaintext credentials.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Wireless Network Attacks and Sniffing"
Incorrect options:
Option A (Bluejacking): Sends unsolicited Bluetooth messages, not for network sniffing.
Option B (SSID spoofing): Involves creating a fake access point, but does not analyze traffic.
Option D (ARP poisoning): Used for MITM attacks, but not specific to wireless traffic analysis.
A penetration tester is searching for vulnerabilities or misconfigurations on a container environment.
Which of the following tools will the tester most likely use to achieve this objective?
- A . Nikto
- B . Trivy
- C . Nessus
- D . Nmap
B
Explanation:
Containers (e.g., Docker, Kubernetes) require specialized scanning tools to detect vulnerabilities.
Trivy (Option B):
Trivy is an open-source vulnerability scanner designed specifically for containers and Kubernetes environments.
It scans container images, repositories, and running containers for known vulnerabilities (CVEs).
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Container Security and Vulnerability Scanning"
Incorrect options:
Option A (Nikto): Web server scanner, not container-focused.
Option C (Nessus): General network vulnerability scanner, but lacks container-specific scanning.
Option D (Nmap): Network mapper, not a vulnerability scanner.