Practice Free PT0-003 Exam Online Questions
Question #30
A penetration tester is preparing a password-spraying attack against a known list of users for the company "example".
The tester is using the following list of commands:
pw-inspector -i sailwords -t 8 -S pass
spray365.py spray -ep plan
users="~/user.txt"; allwords="~/words.txt"; pass="~/passwords.txt"; plan="~/spray.plan"
spray365.py generate –password-file $pass –userfile $user –domain "example.com" –execution-plan $plan
cew -m 5 "http://www.example.com" -w sailwords
Which of the following is the correct order for the list of the commands?
- A . 3,4,1,2,5
- B . 3,1,2,5,4
- C . 2,3,1,4,5
- D . 3,5,1,4,2
Correct Answer: A
A
Explanation:
Let’s break it down in order:
Step 3: Sets environment variables (paths to user list, password list, etc.).
Step 4: Generates the execution plan using spray365.py generate with the variables set in step 3.
Step 1: Filters the password list using pw-inspector to enforce a minimum password policy.
Step 2: Executes the password spraying using the generated plan.
Step 5: Optionally verifies availability or reachability using cew (custom enumeration wrapper).
The correct logical order of operations matches option A.
CompTIA PenTest+
Reference: PT0-003 Objective 2.3: Perform password attacks.
Kali tools & scripts usage and scripting logic are core elements in PenTest+ methodology.
A
Explanation:
Let’s break it down in order:
Step 3: Sets environment variables (paths to user list, password list, etc.).
Step 4: Generates the execution plan using spray365.py generate with the variables set in step 3.
Step 1: Filters the password list using pw-inspector to enforce a minimum password policy.
Step 2: Executes the password spraying using the generated plan.
Step 5: Optionally verifies availability or reachability using cew (custom enumeration wrapper).
The correct logical order of operations matches option A.
CompTIA PenTest+
Reference: PT0-003 Objective 2.3: Perform password attacks.
Kali tools & scripts usage and scripting logic are core elements in PenTest+ methodology.
Question #32
While conducting an assessment, a penetration tester identifies the details for several unreleased products announced at a company-wide meeting.
Which of the following attacks did the tester most likely use to discover this information?
- A . Eavesdropping
- B . Bluesnarfing
- C . Credential harvesting
- D . SQL injection attack
Correct Answer: A
A
Explanation:
Eavesdropping:
Eavesdropping involves intercepting communications between parties without their consent. If the details were obtained from a meeting, it likely involved intercepting audio or network communications, such as unsecured VoIP calls, radio signals, or in-room microphones.
Why Not Other Options?
B (Bluesnarfing): Targets Bluetooth-enabled devices, which is unlikely to apply to general meeting communications.
C (Credential harvesting): Focuses on collecting user credentials and does not explain the discovery of product details from a meeting.
D (SQL injection): Exploits databases and is unrelated to capturing meeting communication.
CompTIA Pentest+
Reference: Domain 3.0 (Attacks and Exploits)
Techniques for Intercepting Communication
A
Explanation:
Eavesdropping:
Eavesdropping involves intercepting communications between parties without their consent. If the details were obtained from a meeting, it likely involved intercepting audio or network communications, such as unsecured VoIP calls, radio signals, or in-room microphones.
Why Not Other Options?
B (Bluesnarfing): Targets Bluetooth-enabled devices, which is unlikely to apply to general meeting communications.
C (Credential harvesting): Focuses on collecting user credentials and does not explain the discovery of product details from a meeting.
D (SQL injection): Exploits databases and is unrelated to capturing meeting communication.
CompTIA Pentest+
Reference: Domain 3.0 (Attacks and Exploits)
Techniques for Intercepting Communication
Question #33
A company hires a penetration tester to test the security implementation of its wireless networks. The main goal for this assessment is to intercept and get access to sensitive data from the company’s employees.
Which of the following tools should the security professional use to best accomplish this task?
- A . Metasploit
- B . WiFi-Pumpkin
- C . SET
- D . theHarvester
- E . WiGLE.net
Correct Answer: B
B
Explanation:
The question specifies wireless network security assessment with the goal of intercepting sensitive employee data.
WiFi-Pumpkin is specifically designed for Wi-Fi penetration testing. It can act as a rogue access point (evil twin attack) to trick users into connecting, then perform man-in-the-middle (MITM) attacks, traffic interception, credential harvesting, and phishing over Wi-Fi. This matches the goal of capturing sensitive employee data.
Why not the others?
B
Explanation:
The question specifies wireless network security assessment with the goal of intercepting sensitive employee data.
WiFi-Pumpkin is specifically designed for Wi-Fi penetration testing. It can act as a rogue access point (evil twin attack) to trick users into connecting, then perform man-in-the-middle (MITM) attacks, traffic interception, credential harvesting, and phishing over Wi-Fi. This matches the goal of capturing sensitive employee data.
Why not the others?
Question #34
A penetration tester cannot use Nmap and must perform port discovery and banner grabbing for potential vulnerable SSH services.
Given the following script:
#!/usr/bin/bash
ip_address = "192.168.5."
…
for i in {1..254}
do
–missing command–
done
…
Which of the following commands will best help the tester achieve this objective?
- A . ping -c 22 "$ip_address$i"
- B . nc "$ip_address$i" ":22"
- C . arp "$ip_address$i" ":22"
- D . curl scp://"$ip_address$i" ":22"
Correct Answer: B
B
Explanation:
The correct answer is B. nc "$ip_address$i" ":22"
Netcat, commonly invoked as nc, can be used to connect to a specific TCP port and read service banners. SSH servers commonly listen on TCP port 22 and usually return a banner such as:
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
This banner can help identify the SSH implementation and version, which may then be checked for known vulnerabilities.
A is incorrect because ping uses ICMP and does not connect to TCP port 22. The -c 22 option sends 22 ICMP echo requests; it does not perform SSH banner grabbing.
C is incorrect because arp is used to view or manipulate Address Resolution Protocol entries. It does not perform TCP port discovery or banner grabbing.
D is incorrect because curl scp://… attempts to use the SCP protocol and is not the best method for simple SSH port discovery and banner grabbing.
In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically service discovery and banner grabbing using tools other than Nmap.
B
Explanation:
The correct answer is B. nc "$ip_address$i" ":22"
Netcat, commonly invoked as nc, can be used to connect to a specific TCP port and read service banners. SSH servers commonly listen on TCP port 22 and usually return a banner such as:
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
This banner can help identify the SSH implementation and version, which may then be checked for known vulnerabilities.
A is incorrect because ping uses ICMP and does not connect to TCP port 22. The -c 22 option sends 22 ICMP echo requests; it does not perform SSH banner grabbing.
C is incorrect because arp is used to view or manipulate Address Resolution Protocol entries. It does not perform TCP port discovery or banner grabbing.
D is incorrect because curl scp://… attempts to use the SCP protocol and is not the best method for simple SSH port discovery and banner grabbing.
In PenTest+ terms, this falls under Information Gathering and Vulnerability Scanning, specifically service discovery and banner grabbing using tools other than Nmap.
Question #35
A penetration tester performs a service enumeration process and receives the following result after scanning a server using the Nmap tool:
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
111/tcp open rpcbind
2049/tcp open nfs
Based on the output, which of the following services provides the best target for launching an attack?
- A . Database
- B . Remote access
- C . Email
- D . File sharing
Correct Answer: D
D
Explanation:
Based on the Nmap scan results, the services identified on the target server are as follows:
22/tcp open ssh:
Service: SSH (Secure Shell)
Function: Provides encrypted remote access.
Attack Surface: Brute force attacks or exploiting vulnerabilities in outdated SSH implementations.
However, it is generally considered secure if properly configured.
25/tcp filtered smtp:
Service: SMTP (Simple Mail Transfer Protocol)
Function: Email transmission.
Attack Surface: Potential for email-related attacks such as spoofing, but the port is filtered, indicating that access may be restricted or protected by a firewall.
111/tcp open rpcbind:
Service: RPCBind (Remote Procedure Call Bind)
Function: Helps in mapping RPC program numbers to network addresses.
Attack Surface: Can be exploited in specific configurations, but generally not a primary target compared to others.
2049/tcp open nfs:
Service: NFS (Network File System)
Function: Allows for file sharing over a network.
Attack Surface: NFS can be a significant target for attacks due to potential misconfigurations that can allow unauthorized access to file shares or exploitation of vulnerabilities in NFS services.
Conclusion: The NFS service (2049/tcp) provides the best target for launching an attack. File sharing services like NFS often contain sensitive data and can be vulnerable to misconfigurations that allow unauthorized access or privilege escalation.
D
Explanation:
Based on the Nmap scan results, the services identified on the target server are as follows:
22/tcp open ssh:
Service: SSH (Secure Shell)
Function: Provides encrypted remote access.
Attack Surface: Brute force attacks or exploiting vulnerabilities in outdated SSH implementations.
However, it is generally considered secure if properly configured.
25/tcp filtered smtp:
Service: SMTP (Simple Mail Transfer Protocol)
Function: Email transmission.
Attack Surface: Potential for email-related attacks such as spoofing, but the port is filtered, indicating that access may be restricted or protected by a firewall.
111/tcp open rpcbind:
Service: RPCBind (Remote Procedure Call Bind)
Function: Helps in mapping RPC program numbers to network addresses.
Attack Surface: Can be exploited in specific configurations, but generally not a primary target compared to others.
2049/tcp open nfs:
Service: NFS (Network File System)
Function: Allows for file sharing over a network.
Attack Surface: NFS can be a significant target for attacks due to potential misconfigurations that can allow unauthorized access to file shares or exploitation of vulnerabilities in NFS services.
Conclusion: The NFS service (2049/tcp) provides the best target for launching an attack. File sharing services like NFS often contain sensitive data and can be vulnerable to misconfigurations that allow unauthorized access or privilege escalation.
Question #36
A penetration tester established an initial compromise on a host. The tester wants to pivot to other targets and set up an appropriate relay. The tester needs to enumerate through the compromised host as a relay from the tester’s machine.
Which of the following commands should the tester use to do this task from the tester’s host?
- A . attacker_host$ nmap -sT <target_cidr> | nc -n <compromised_host> 22
- B . attacker_host$ mknod backpipe p attacker_host$ nc -l -p 8000 | 0<backpipe | nc <target_cidr> 80 | tee backpipe
- C . attacker_host$ nc -nlp 8000 | nc -n <target_cidr> attacker_host$ nmap -sT 127.0.0.1 8000
- D . attacker_host$ proxychains nmap -sT <target_cidr>
Correct Answer: D
D
Explanation:
ProxyChains is a tool that allows you to route your traffic through a chain of proxy servers, which can be used to anonymize your network activity. In this context, it is being used to route Nmap scan traffic through the compromised host, allowing the penetration tester to pivot and enumerate other targets within the network.
Understanding ProxyChains:
Purpose: ProxyChains allows you to force any TCP connection made by any given application to follow through proxies like TOR, SOCKS4, SOCKS5, and HTTP(S).
Usage: It’s commonly used to anonymize network traffic and perform actions through an intermediate proxy.
Command Breakdown:
proxychains nmap -sT <target_cidr>: This command uses ProxyChains to route the Nmap scan traffic through the configured proxies.
Nmap Scan (-sT): This option specifies a TCP connect scan.
Setting Up ProxyChains:
Configuration File: ProxyChains configuration is typically found at /etc/proxychains.conf.
Adding Proxy: Add the compromised host as a SOCKS proxy.
Step-by-Step Explanationplaintext
Copy code
socks4 127.0.0.1 1080
Execution:
Start Proxy Server: On the compromised host, run a SOCKS proxy (e.g., using ssh -D 1080 user@compromised_host).
Run ProxyChains with Nmap: Execute the command on the attacker’s host.
proxychains nmap -sT <target_cidr>
Reference from Pentesting Literature:
ProxyChains is commonly discussed in penetration testing guides for scenarios involving pivoting through a compromised host.
HTB write-ups frequently illustrate the use of ProxyChains for routing traffic through intermediate
systems.
Reference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups
D
Explanation:
ProxyChains is a tool that allows you to route your traffic through a chain of proxy servers, which can be used to anonymize your network activity. In this context, it is being used to route Nmap scan traffic through the compromised host, allowing the penetration tester to pivot and enumerate other targets within the network.
Understanding ProxyChains:
Purpose: ProxyChains allows you to force any TCP connection made by any given application to follow through proxies like TOR, SOCKS4, SOCKS5, and HTTP(S).
Usage: It’s commonly used to anonymize network traffic and perform actions through an intermediate proxy.
Command Breakdown:
proxychains nmap -sT <target_cidr>: This command uses ProxyChains to route the Nmap scan traffic through the configured proxies.
Nmap Scan (-sT): This option specifies a TCP connect scan.
Setting Up ProxyChains:
Configuration File: ProxyChains configuration is typically found at /etc/proxychains.conf.
Adding Proxy: Add the compromised host as a SOCKS proxy.
Step-by-Step Explanationplaintext
Copy code
socks4 127.0.0.1 1080
Execution:
Start Proxy Server: On the compromised host, run a SOCKS proxy (e.g., using ssh -D 1080 user@compromised_host).
Run ProxyChains with Nmap: Execute the command on the attacker’s host.
proxychains nmap -sT <target_cidr>
Reference from Pentesting Literature:
ProxyChains is commonly discussed in penetration testing guides for scenarios involving pivoting through a compromised host.
HTB write-ups frequently illustrate the use of ProxyChains for routing traffic through intermediate
systems.
Reference: Penetration Testing – A Hands-on Introduction to Hacking HTB Official Writeups
Question #37
During wireless testing, a penetration tester observes the following customer APs and configurations:
SSID / Configuration
AP1 C WPA3
AP2 C WPA3
AP3 C WPA2
AP4 C WPA3
Which of the following attacks can the tester use only against AP3?
- A . Brute force
- B . Signal jamming
- C . Evil twin
- D . Deauthentication
Correct Answer: D
D
Explanation:
Deauthentication is the correct answer because it is classically effective against WPA2 wireless networks, while WPA3 includes protections against unauthenticated deauthentication management-frame abuse when properly implemented with Protected Management Frames. Since AP3 is the only access point using WPA2, it is the only one that clearly remains the specific target for this attack in the scenario. A deauthentication attack forces connected clients off the network, often to capture handshakes or to push users toward reconnect behavior during wireless assessments. Brute force is not exclusive to AP3 in the way this question asks, signal jamming can affect any wireless network regardless of security standard, and evil twin attacks are not limited only to WPA2 networks. Therefore, the attack that applies only to AP3, based on its WPA2 configuration, is deauthentication.
D
Explanation:
Deauthentication is the correct answer because it is classically effective against WPA2 wireless networks, while WPA3 includes protections against unauthenticated deauthentication management-frame abuse when properly implemented with Protected Management Frames. Since AP3 is the only access point using WPA2, it is the only one that clearly remains the specific target for this attack in the scenario. A deauthentication attack forces connected clients off the network, often to capture handshakes or to push users toward reconnect behavior during wireless assessments. Brute force is not exclusive to AP3 in the way this question asks, signal jamming can affect any wireless network regardless of security standard, and evil twin attacks are not limited only to WPA2 networks. Therefore, the attack that applies only to AP3, based on its WPA2 configuration, is deauthentication.
Question #38
A penetration tester would like to leverage a CSRF vulnerability to gather sensitive details from an application’s end users.
Which of the following tools should the tester use for this task?
- A . Browser Exploitation Framework
- B . Maltego
- C . Metasploit
- D . theHarvester
Correct Answer: A
A
Explanation:
Cross-Site Request Forgery (CSRF) vulnerabilities can be leveraged to trick authenticated users into performing unwanted actions on a web application. The right tool for this task would help in exploiting web-based vulnerabilities, particularly those related to web browsers and interactions.
Browser Exploitation Framework (BeEF) ( Answer A):
BeEF is a powerful tool specifically designed for exploiting web browser vulnerabilities. It can hook web browsers and perform a wide range of attacks, including CSRF.
Capabilities: BeEF is equipped with modules to create CSRF attacks, capture session tokens, and gather sensitive information from the target user’s browser session.
Reference: BeEF is widely used in penetration testing for its extensive capabilities in exploiting web application vulnerabilities and manipulating browser sessions.
Maltego (Option B):
Maltego is an open-source intelligence (OSINT) tool used for information gathering and visualizing relationships between data.
Drawbacks: While useful for reconnaissance, Maltego is not designed for exploiting web vulnerabilities like CSRF.
Metasploit (Option C):
Metasploit is a versatile exploitation framework that can be used for various types of penetration testing tasks, including web application exploitation.
Capabilities: While Metasploit can exploit some web vulnerabilities, it is not specifically tailored for CSRF attacks as effectively as BeEF.
Reference: Metasploit’s strength lies in its comprehensive exploitation modules, but for specific
browser-based attacks, BeEF is more focused and effective.
theHarvester (Option D):
theHarvester is a tool for gathering open-source intelligence (OSINT) about a target, primarily used for reconnaissance.
Drawbacks: It does not provide capabilities for exploiting CSRF vulnerabilities.
Conclusion: The Browser Exploitation Framework (BeEF) is the most suitable tool for leveraging a CSRF vulnerability to gather sensitive details from an application’s end users. It is specifically designed for browser-based exploitation, making it the best choice for this task.
A
Explanation:
Cross-Site Request Forgery (CSRF) vulnerabilities can be leveraged to trick authenticated users into performing unwanted actions on a web application. The right tool for this task would help in exploiting web-based vulnerabilities, particularly those related to web browsers and interactions.
Browser Exploitation Framework (BeEF) ( Answer A):
BeEF is a powerful tool specifically designed for exploiting web browser vulnerabilities. It can hook web browsers and perform a wide range of attacks, including CSRF.
Capabilities: BeEF is equipped with modules to create CSRF attacks, capture session tokens, and gather sensitive information from the target user’s browser session.
Reference: BeEF is widely used in penetration testing for its extensive capabilities in exploiting web application vulnerabilities and manipulating browser sessions.
Maltego (Option B):
Maltego is an open-source intelligence (OSINT) tool used for information gathering and visualizing relationships between data.
Drawbacks: While useful for reconnaissance, Maltego is not designed for exploiting web vulnerabilities like CSRF.
Metasploit (Option C):
Metasploit is a versatile exploitation framework that can be used for various types of penetration testing tasks, including web application exploitation.
Capabilities: While Metasploit can exploit some web vulnerabilities, it is not specifically tailored for CSRF attacks as effectively as BeEF.
Reference: Metasploit’s strength lies in its comprehensive exploitation modules, but for specific
browser-based attacks, BeEF is more focused and effective.
theHarvester (Option D):
theHarvester is a tool for gathering open-source intelligence (OSINT) about a target, primarily used for reconnaissance.
Drawbacks: It does not provide capabilities for exploiting CSRF vulnerabilities.
Conclusion: The Browser Exploitation Framework (BeEF) is the most suitable tool for leveraging a CSRF vulnerability to gather sensitive details from an application’s end users. It is specifically designed for browser-based exploitation, making it the best choice for this task.
Question #39
A penetration tester is researching a path to escalate privileges.
While enumerating current user privileges, the tester observes the following:
SeAssignPrimaryTokenPrivilege Disabled
SeIncreaseQuotaPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeManageVolumePrivilege Enabled
SeImpersonatePrivilege Enabled
SeCreateGlobalPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
Which of the following privileges should the tester use to achieve the goal?
- A . SeImpersonatePrivilege
- B . SeCreateGlobalPrivilege
- C . SeChangeNotifyPrivilege
- D . SeManageVolumePrivilege
Correct Answer: A
A
Explanation:
The SeImpersonatePrivilege allows a process to impersonate another user’s security context, which is commonly used in token manipulation attacks for privilege escalation.
Option A (SeImpersonatePrivilege) ✅ : Correct.
Used in Juicy Potato or Rogue Potato attacks to escalate privileges.
Option B (SeCreateGlobalPrivilege) ❌ : Allows creating global objects, but not privilege escalation.
Option C (SeChangeNotifyPrivilege) ❌ : Enables traverse directory access, not privilege escalation.
Option D (SeManageVolumePrivilege) ❌ : Used for disk management, not privilege escalation.
Reference: CompTIA PenTest+ PT0-003 Official Guide C Windows Privilege Escalation via Token Impersonation
A
Explanation:
The SeImpersonatePrivilege allows a process to impersonate another user’s security context, which is commonly used in token manipulation attacks for privilege escalation.
Option A (SeImpersonatePrivilege) ✅ : Correct.
Used in Juicy Potato or Rogue Potato attacks to escalate privileges.
Option B (SeCreateGlobalPrivilege) ❌ : Allows creating global objects, but not privilege escalation.
Option C (SeChangeNotifyPrivilege) ❌ : Enables traverse directory access, not privilege escalation.
Option D (SeManageVolumePrivilege) ❌ : Used for disk management, not privilege escalation.
Reference: CompTIA PenTest+ PT0-003 Official Guide C Windows Privilege Escalation via Token Impersonation
Question #40
A penetration tester discovers evidence of an advanced persistent threat on the network that is being tested.
Which of the following should the tester do next?
- A . Report the finding.
- B . Analyze the finding.
- C . Remove the threat.
- D . Document the finding and continue testing.
Correct Answer: A
A
Explanation:
Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.
Advanced Persistent Threat (APT):
Definition: APTs are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period.
Significance: APTs often involve sophisticated tactics, techniques, and procedures (TTPs) aimed at stealing data or causing disruption.
Immediate Reporting:
Criticality: Discovering an APT requires immediate attention from the organization’s security team due to the potential impact and persistence of the threat.
Chain of Command: Following the protocol for reporting such findings ensures that appropriate incident response measures are initiated promptly.
Other Actions:
Analyzing the Finding: While analysis is important, it should be conducted by the incident response team after reporting.
Removing the Threat: This action should be taken by the organization’s security team following established incident response procedures.
Documenting and Continuing Testing: Documentation is crucial, but the immediate priority should be reporting the APT to ensure prompt action.
Pentest
Reference: Incident Response: Understanding the importance of immediate reporting and collaboration with the organization’s security team upon discovering critical threats like APTs.
Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats.
By reporting the finding immediately, the penetration tester ensures that the organization’s security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.
A
Explanation:
Upon discovering evidence of an advanced persistent threat (APT) on the network, the penetration tester should report the finding immediately.
Advanced Persistent Threat (APT):
Definition: APTs are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period.
Significance: APTs often involve sophisticated tactics, techniques, and procedures (TTPs) aimed at stealing data or causing disruption.
Immediate Reporting:
Criticality: Discovering an APT requires immediate attention from the organization’s security team due to the potential impact and persistence of the threat.
Chain of Command: Following the protocol for reporting such findings ensures that appropriate incident response measures are initiated promptly.
Other Actions:
Analyzing the Finding: While analysis is important, it should be conducted by the incident response team after reporting.
Removing the Threat: This action should be taken by the organization’s security team following established incident response procedures.
Documenting and Continuing Testing: Documentation is crucial, but the immediate priority should be reporting the APT to ensure prompt action.
Pentest
Reference: Incident Response: Understanding the importance of immediate reporting and collaboration with the organization’s security team upon discovering critical threats like APTs.
Ethical Responsibility: Following ethical guidelines and protocols to ensure the organization can respond effectively to significant threats.
By reporting the finding immediately, the penetration tester ensures that the organization’s security team is alerted to the presence of an APT, allowing them to initiate an appropriate incident response.