Practice Free PT0-003 Exam Online Questions
While conducting a reconnaissance activity, a penetration tester extracts the following information:
Emails: – [email protected] – [email protected] – [email protected]
Which of the following risks should the tester use to leverage an attack as the next step in the security assessment?
- A . Unauthorized access to the network
- B . Exposure of sensitive servers to the internet
- C . Likelihood of SQL injection attacks
- D . Indication of a data breach in the company
A
Explanation:
When a penetration tester identifies email addresses during reconnaissance, the most immediate risk to leverage for an attack is unauthorized access to the network.
Here’s why:
Phishing Attacks:
Email addresses are often used to conduct phishing attacks. By crafting a convincing email, an attacker can trick the recipient into revealing their login credentials or downloading malicious software, thereby gaining unauthorized access to the network.
Spear Phishing:
With specific email addresses (like [email protected]), attackers can perform spear phishing, targeting key individuals within the organization to gain access to more sensitive parts of the network.
Comparison with Other Risks:
Exposure of sensitive servers to the internet (B): This is unrelated to the email addresses and more about network configuration.
Likelihood of SQL injection attacks (C): SQL injection targets web applications and databases, not email addresses.
Indication of a data breach in the company (D): The presence of email addresses alone does not indicate a data breach.
Email addresses are a starting point for phishing attacks, making unauthorized access to the network the most relevant risk.
During an engagement, a penetration tester wants to enumerate users from Linux systems by using finger and rwho commands. However, the tester realizes these commands alone will not achieve the desired result.
Which of the following is the best tool to use for this task?
- A . Nikto
- B . Burp Suite
- C . smbclient
- D . theHarvester
C
Explanation:
The smbclient tool is used to access SMB/CIFS resources on a network. It allows penetration testers to connect to shared resources and enumerate users on a network, particularly in Windows environments. While finger and rwho are more common on Unix/Linux systems, smbclient provides better functionality for enumerating users across a network.
Understanding smbclient:
Purpose: smbclient is used to access and manage files and directories on SMB/CIFS servers.
Capabilities: It allows for browsing shared resources, listing directories, downloading and uploading files, and enumerating users.
User Enumeration:
Command: Use smbclient with the -L option to list available shares and users.
Step-by-Step Explanation:
smbclient -L //target_ip -U username
Example: Enumerating users on a target system.
smbclient -L //192.168.50.2 -U anonymous
Advantages:
Comprehensive: Provides detailed information about shared resources and users.
Cross-Platform: Can be used on both Linux and Windows systems.
Reference from Pentesting Literature:
SMB enumeration is a common practice discussed in penetration testing guides for identifying shared resources and users in a network environment.
HTB write-ups frequently mention the use of smbclient for enumerating network shares and users.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
A penetration tester performs several Nmap scans against the web application for a client.
INSTRUCTIONS
Click on the WAF and servers to review the results of the Nmap scans. Then click on each tab to select the appropriate vulnerability and remediation options.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Most likely vulnerability: Perform a SSRF attack against App01.example.com from CDN.example.com.
Explanation:
The scenario suggests that the CDN network (with a WAF) can be used to perform a Server-Side Request Forgery (SSRF) attack. Since the penetration tester has the pentester workstation interacting through the CDN/WAF and the production network is behind it, the most plausible attack vector is to exploit SSRF to interact with the internal services like App01.example.com.
Two best remediation options:
Restrict direct communications to App01.example.com to only approved components.
Require an additional authentication header value between CDN.example.com and App01.example.com.
Restrict direct communications to App01.example.com to only approved components: This limits the exposure of the application server by ensuring that only specified, trusted entities can communicate with it.
Require an additional authentication header value between CDN.example.com and App01.example.com: Adding an authentication layer between the CDN and the app server helps ensure that requests are legitimate and originate from trusted sources, mitigating SSRF and other indirect attack vectors.
Nmap Scan Observations:
CDN/WAF shows open ports for HTTP and HTTPS but filtered for MySQL, indicating it acts as a filtering layer.
App Server has open ports for HTTP, HTTPS, and filtered for MySQL.
DB Server has all ports filtered, typical for a database server that should not be directly accessible.
These findings align with the SSRF vulnerability and the appropriate remediation steps to enhance the security of internal communications.
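The two remediations above can be expressed as a small admission check on App01's side. The following is an added example, not part of the exam question or any vendor material: it assumes a hypothetical header name (x-cdn-auth), a constructed shared secret, and a constructed CDN egress range (10.10.0.0/24) standing in for the "approved components". A request is admitted only if it arrives from an approved source and carries the correct header value, compared in constant time.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Hypothetical values constructed for this example: the shared secret the CDN
# attaches to every request it forwards, the header carrying it, and the only
# source network (the CDN's egress range) permitted to reach App01 directly.
AUTH_HEADER = "x-cdn-auth"
CDN_SHARED_SECRET = b"constructed-example-secret-rotate-in-real-deployments"
APPROVED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request as seen by App01."""
    source_ip: str
    headers: dict = field(default_factory=dict)


def source_approved(source_ip: str) -> bool:
    """Remediation 1: only approved components may talk to App01 at all."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in APPROVED_SOURCES)


def header_valid(headers: dict) -> bool:
    """Remediation 2: the CDN must prove itself with a shared-secret header.

    Header names are case-insensitive, so normalise before lookup; the value is
    compared in constant time so timing does not leak how much of it matched.
    """
    normalised = {k.lower(): v for k, v in headers.items()}
    presented = normalised.get(AUTH_HEADER, "").encode()
    return hmac.compare_digest(presented, CDN_SHARED_SECRET)


def admit(req: Request) -> tuple[bool, str]:
    """Both checks must pass; the reason string is what App01 would log."""
    if not source_approved(req.source_ip):
        return False, "rejected: source is not an approved component"
    if not header_valid(req.headers):
        return False, "rejected: missing or invalid CDN authentication header"
    return True, "accepted"


if __name__ == "__main__":
    secret = CDN_SHARED_SECRET.decode()
    for r in (
        Request("10.10.0.7", {"X-CDN-Auth": secret}),      # genuine CDN hop
        Request("203.0.113.9", {"X-CDN-Auth": secret}),    # right header, wrong origin
        Request("10.10.0.7", {"X-CDN-Auth": "guess"}),     # right origin, wrong header
        Request("10.10.0.7"),                              # header absent
    ):
        print(r.source_ip, admit(r))
```

The source check is evaluated first so that a leaked header value alone is not enough; the header check then stops an approved-but-compromised neighbour from impersonating the CDN. In a real deployment the secret would come from a secrets store and be rotated, and the same checks would sit in the web framework's middleware rather than a standalone function.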
A tester obtains access to an endpoint subnet and wants to move laterally in the network.
Given the following Nmap scan output:
Nmap scan report for some_host
Host is up (0.01s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
smb2-security-mode: Message signing disabled
Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?
- A . responder -I eth0 -dwv ntlmrelayx.py -smb2support -tf <target>
- B . msf > use exploit/windows/smb/ms17_010_psexec
- C . hydra -L administrator -P /path/to/passwdlist smb://<target>
- D . nmap --script smb-brute.nse -p 445 <target>
A
Explanation:
The Nmap scan output indicates SMB (port 445) is open, and message signing is disabled. This makes the system vulnerable to NTLM relay attacks.
Option A (responder -I eth0 -dwv ntlmrelayx.py -smb2support -tf <target>) ✅: Correct.
Responder poisons LLMNR and NBT-NS requests, capturing NTLM hashes.
NTLMRelayX then relays captured hashes to an SMB service without message signing, allowing unauthorized access.
This attack is stealthier than brute-force methods.
Option B (ms17_010_psexec) ❌: This exploits EternalBlue, but we don’t have confirmation that this system is vulnerable to MS17-010.
Option C (hydra brute-force) ❌: SMB brute-force is noisy and will likely trigger alerts.
Option D (smb-brute.nse) ❌: This brute-force attack is also loud and detectable.
Reference: CompTIA PenTest+ PT0-003 Official Guide – NTLM Relay & SMB Exploitation
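From the defender's side, the condition this question turns on ("Message signing disabled" in the smb2-security-mode host script output) is something an internal scan can surface across a whole subnet. The following is an added example, not from the exam or from Nmap itself: it parses Nmap's normal text output for the host script result and reports which hosts would accept relayed authentication. The sample output is constructed, modelled on the scan in the question, with two extra hosts added to exercise the other signing states Nmap reports.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nmap's normal text format: the host from the question plus
# two more showing the other values smb2-security-mode reports.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for some_host (10.0.0.5)
Host is up (0.01s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing disabled

Nmap scan report for file_server (10.0.0.9)
Host is up (0.02s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for legacy_nas (10.0.0.12)
Host is up (0.03s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.0.2:
|_    Message signing enabled but not required
"""


@dataclass
class SmbHost:
    name: str
    smb_open: bool = False
    signing: str = "unknown"  # disabled | enabled but not required | required | unknown

    @property
    def relay_exposed(self) -> bool:
        # A server that does not *require* signing will accept a relayed session;
        # "enabled but not required" is as exposed as "disabled".
        return self.smb_open and self.signing in ("disabled", "enabled but not required")


def parse_nmap(text: str) -> list[SmbHost]:
    """Walk the report line by line, starting a new record at each 'scan report' header."""
    hosts: list[SmbHost] = []
    current = None
    for line in text.splitlines():
        header = re.match(r"Nmap scan report for (\S+)", line)
        if header:
            current = SmbHost(name=header.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        if re.match(r"445/tcp\s+open", line):
            current.smb_open = True
        low = line.lower()
        if "message signing" in low:
            if "disabled" in low:
                current.signing = "disabled"
            elif "required" in low and "not required" not in low:
                current.signing = "required"
            elif "enabled" in low:
                current.signing = "enabled but not required"
    return hosts


def relay_exposed_hosts(text: str) -> list[str]:
    """Names of hosts that should have 'Digitally sign communications (always)' enforced."""
    return [h.name for h in parse_nmap(text) if h.relay_exposed]


if __name__ == "__main__":
    for host in parse_nmap(SAMPLE_NMAP_OUTPUT):
        status = "RELAY-EXPOSED" if host.relay_exposed else "ok"
        print(f"{host.name:<12} signing={host.signing:<26} {status}")
```

The fix the parser points at is the Windows policy "Microsoft network server: Digitally sign communications (always)" (or the equivalent `server signing = mandatory` on Samba), which makes a relayed session fail the signing check even if the LLMNR/NBT-NS poisoning in option A succeeds.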
Which of the following components should a penetration tester include in the final assessment report?
- A . User activities
- B . Customer remediation plan
- C . Key management
- D . Attack narrative
D
Explanation:
The attack narrative is a critical part of the report that tells the story of how the tester exploited vulnerabilities, gained access, and moved laterally. It helps stakeholders understand the real-world impact in a readable and logical sequence.
User activities are more operational logs than part of a pentest report.
Customer remediation plan is the client’s responsibility.
Key management might be discussed but is not a required component of the report.
Reference: PT0-003 Objective 5.2 – Components of a penetration test report, including attack narrative.
A penetration tester needs to launch an Nmap scan to find the state of the port for both TCP and UDP services.
Which of the following commands should the tester use?
- A . nmap -sU -sW -p 1-65535 example.com
- B . nmap -sU -sY -p 1-65535 example.com
- C . nmap -sU -sT -p 1-65535 example.com
- D . nmap -sU -sN -p 1-65535 example.com
C
Explanation:
To find the state of both TCP and UDP ports using Nmap, the appropriate command should combine both TCP and UDP scan options:
Understanding the Options:
-sU: Performs a UDP scan.
-sT: Performs a TCP connect scan.
Command
Command: nmap -sU -sT -p 1-65535 example.com
This command will scan both TCP and UDP ports from 1 to 65535 on the target example.com.
Combining -sU and -sT ensures that both types of services are scanned.
Comparison with Other Options:
-sW: Initiates a TCP Window scan, not relevant for identifying the state of TCP and UDP services.
-sY: Initiates a SCTP INIT scan, not relevant for this context.
-sN: Initiates a TCP Null scan, which is not used for discovering UDP services.
Which of the following is the most efficient way to exfiltrate a file containing data that could be sensitive?
- A . Use steganography and send the file over FTP
- B . Compress the file and send it using TFTP
- C . Split the file in tiny pieces and send it over dnscat
- D . Encrypt and send the file over HTTPS
D
Explanation:
When considering efficiency and security for exfiltrating sensitive data, the chosen method must ensure data confidentiality and minimize the risk of detection.
Here’s an analysis of each option:
Use steganography and send the file over FTP (Option A):
Steganography hides data within other files, such as images. FTP is a protocol for transferring files.
Drawbacks: FTP is not secure as it transmits data in clear text, making it susceptible to interception. Steganography can add an extra layer of obfuscation, but the use of FTP makes this option insecure.
Compress the file and send it using TFTP (Option B):
TFTP is a simple file transfer protocol that lacks encryption.
Drawbacks: TFTP is inherently insecure because it does not support encryption, making it easy for attackers to intercept the data during transfer.
Split the file in tiny pieces and send it over dnscat (Option C):
dnscat is a tool for tunneling data over DNS.
Drawbacks: While effective at evading detection by using DNS, splitting the file and managing the reassembly adds complexity. Additionally, large data transfers over DNS can raise suspicion.
Encrypt and send the file over HTTPS (Option D):
Encrypting the file ensures that its contents are protected during transfer. HTTPS provides a secure, encrypted channel for communication over the internet.
Advantages: HTTPS is widely used and trusted, making it less likely to raise suspicion. Encryption ensures the data remains confidential during transit.
Reference: The use of HTTPS for secure data transfer is a standard practice in cybersecurity, providing both encryption and integrity of the data being transmitted.
Conclusion: Encrypting the file and sending it over HTTPS is the most efficient and secure method for exfiltrating sensitive data, ensuring both confidentiality and reducing the risk of detection.
While conducting a peer review for a recent assessment, a penetration tester finds the debugging mode is still enabled for the production system.
Which of the following is most likely responsible for this observation?
- A . Configuration changes were not reverted.
- B . A full backup restoration is required for the server.
- C . The penetration test was not completed on time.
- D . The penetration tester was locked out of the system.
A
Explanation:
Debugging Mode:
Purpose: Debugging mode provides detailed error messages and debugging information, useful during development.
Risk: In a production environment, it exposes sensitive information and vulnerabilities, making the system more susceptible to attacks.
Common Causes:
Configuration Changes: During testing or penetration testing, configurations might be altered to facilitate debugging. If not reverted, these changes can leave the system in a vulnerable state.
Oversight: Configuration changes might be overlooked during deployment.
Best Practices:
Deployment Checklist: Ensure a checklist is followed that includes reverting any debug configurations before moving to production.
Configuration Management: Use configuration management tools to track and manage changes.
Reference from Pentesting Literature:
The importance of reverting configuration changes is highlighted in penetration testing guides to prevent leaving systems in a vulnerable state post-testing.
HTB write-ups often mention checking and ensuring debugging modes are disabled in production environments.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
During a penetration testing engagement, a tester targets the internet-facing services used by the client.
Which of the following describes the type of assessment that should be considered in this scope of work?
- A . Segmentation
- B . Mobile
- C . External
- D . Web
C
Explanation:
An external assessment focuses on testing the security of internet-facing services.
Here’s why option C is correct:
External Assessment: It involves evaluating the security posture of services exposed to the internet, such as web servers, mail servers, and other public-facing infrastructure. The goal is to identify vulnerabilities that could be exploited by attackers from outside the organization’s network.
Segmentation: This type of assessment focuses on ensuring that different parts of a network are appropriately segmented to limit the spread of attacks. It’s more relevant to internal network architecture.
Mobile: This assessment targets mobile applications and devices, not general internet-facing services.
Web: While web assessments focus on web applications, the scope of an external assessment is broader and includes all types of internet-facing services.
Reference from Pentesting Literature:
Horizontall HTB: Highlights the importance of assessing external services to identify vulnerabilities that could be exploited from outside the network.
Luke HTB: Demonstrates the process of evaluating public-facing services to ensure their security.
Conclusion:
Option C, External, is the most appropriate type of assessment for targeting internet-facing services used by the client.
During a discussion of a penetration test final report, the consultant shows the following payload used to attack a system:
7/<sCRitP>aLeRt(‘pwned’)</ScriPt>
Based on the code, which of the following options represents the attack executed by the tester and the associated countermeasure?
- A . Arbitrary code execution: the affected computer should be placed on a perimeter network
- B . SQL injection attack: should be detected and prevented by a web application firewall
- C . Cross-site request forgery: should be detected and prevented by a firewall
- D . XSS obfuscated: should be prevented by input sanitization
D
Explanation:
XSS Attack
The payload exploits Cross-Site Scripting (XSS) by injecting obfuscated JavaScript into the application.
When rendered, the browser executes the malicious code (e.g., alert(‘pwned’)).
Obfuscation (<sCRitP> instead of <script>) attempts to bypass naive input filters.
Countermeasure:
Implement input sanitization to ensure all user inputs are properly validated and escaped before being processed or rendered.
Other measures include using Content Security Policies (CSP) and output encoding.
Why Not Other Options?
A: This is not arbitrary code execution; it is a browser-based attack.
B: XSS is unrelated to SQL injection.
C: Cross-Site Request Forgery (CSRF) is a different vulnerability targeting session handling, not script injection.
Reference: CompTIA PenTest+ Domain 3.0 (Attacks and Exploits); OWASP XSS Prevention Cheat Sheet
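The point of option D is that a blocklist filter looking for the literal string `<script>` is defeated by the mixed-case, transposed tag in the payload, whereas encoding at the point of output neutralises it no matter how it is spelled. The following is an added example, not from the exam or from OWASP: it places a deliberately naive filter beside proper HTML output encoding (Python's standard `html.escape`) and runs both over the question's payload, reproduced with straight quotes so it is a valid Python string.

```python
import html

# The payload quoted in the question (straight quotes substituted for the curly
# ones on the page). The tag name is cased and transposed to slip past filters
# that only know the lowercase spelling.
PAYLOAD = "7/<sCRitP>aLeRt('pwned')</ScriPt>"


def naive_filter(value: str) -> str:
    """Blocklist approach: strip only the exact lowercase tag.

    Kept here to show the weakness the question describes; anything the
    blocklist did not anticipate (case changes, misspellings) passes straight through.
    """
    return value.replace("<script>", "").replace("</script>", "")


def encode_for_html_body(value: str) -> str:
    """Output encoding for an HTML text context.

    Every character HTML treats as markup (& < > " ') becomes an entity, so the
    browser displays the payload as text instead of parsing it as a tag. This
    holds regardless of how the attacker spells or cases the tag.
    """
    return html.escape(value, quote=True)


def render_greeting(display_name: str) -> str:
    """The one place untrusted data meets HTML: encode at the point of output."""
    return "<p>Hello, " + encode_for_html_body(display_name) + "</p>"


def user_data_is_inert(encoded_user_data: str) -> bool:
    """No raw tag delimiter may survive in the user-controlled portion of the page."""
    return "<" not in encoded_user_data and ">" not in encoded_user_data


if __name__ == "__main__":
    print("naive filter :", naive_filter(PAYLOAD), "inert:", user_data_is_inert(naive_filter(PAYLOAD)))
    print("encoded      :", encode_for_html_body(PAYLOAD), "inert:", user_data_is_inert(encode_for_html_body(PAYLOAD)))
    print("rendered     :", render_greeting(PAYLOAD))
```

Encoding has to match the context the data lands in: `html.escape` is right for element text and quoted attribute values, while JavaScript, URL and CSS contexts need their own encoders. A Content Security Policy that disallows inline scripts is the second layer the explanation mentions; it limits the damage if an encoding step is ever missed, but it does not replace one.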