Practice Free PT0-003 Exam Online Questions
A penetration tester has been asked to conduct a blind web application test against a customer’s corporate website.
Which of the following tools would be best suited to perform this assessment?
- A . ZAP
- B . Nmap
- C . Wfuzz
- D . Trufflehog
A
Explanation:
A blind web application test means that the tester has no prior knowledge of the application’s internal workings. The best tool for automated scanning and vulnerability detection is a web application proxy such as OWASP ZAP.
ZAP (Option A):
OWASP Zed Attack Proxy (ZAP) is a widely used web application scanner for finding common vulnerabilities (e.g., SQL injection, XSS, authentication flaws).
It provides passive and active scanning features to test web applications for security weaknesses.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Web Application Testing Tools"
Incorrect options:
Option B (Nmap): Nmap is a network scanning tool, not specialized for web application testing.
Option C (Wfuzz): Wfuzz is a fuzzer for brute-force attacks, but it is not a full web vulnerability scanner.
Option D (Trufflehog): Trufflehog is used for secrets detection in repositories, not web testing.
A penetration tester uses the Intruder tool from the Burp Suite Community Edition while assessing a web application. The tester notices the test is taking too long to complete.
Which of the following tools can the tester use to accelerate the test and achieve similar results?
- A . TruffleHog
- B . Postman
- C . Wfuzz
- D . WPScan
C
Explanation:
Burp Suite Community Edition imposes limitations that can slow high-volume Intruder activities, particularly when performing repetitive request mutation such as parameter fuzzing, directory/file discovery, or input testing with wordlists. In PenTest+ tooling guidance, testers are expected to select alternative tools when a platform constraint reduces efficiency while still keeping the testing objective the same. Wfuzz is designed specifically for fast web fuzzing: it can rapidly send large volumes of HTTP requests while varying parameters, headers, paths, or payload positions using wordlists, and it supports filtering/matching responses (status codes, response size, strings) to identify interesting results, which is functionally similar to many Intruder use cases.
TruffleHog focuses on discovering exposed secrets in repositories and artifacts, not accelerating web request fuzzing. Postman is primarily an API client for building and replaying requests, but it is not optimized as a high-speed fuzzing engine. WPScan targets WordPress-specific enumeration and vulnerability checks and won’t provide general-purpose Intruder-like fuzzing across arbitrary web applications. Therefore, Wfuzz is the best option to speed up and achieve comparable fuzzing outcomes.
A penetration tester finds it is possible to downgrade a web application’s HTTPS connections to HTTP while performing on-path attacks on the local network.
The tester reviews the output of the server response to:
curl -s -i https://internalapp/
HTTP/2 302
date: Thu, 11 Jan 2024 15:56:24 GMT
content-type: text/html; charset=iso-8659-1
location: /login
x-content-type-options: nosniff
server: Prod
Which of the following recommendations should the penetration tester include in the report?
- A . Add the HSTS header to the server.
- B . Attach the httponly flag to cookies.
- C . Front the web application with a firewall rule to block access to port 80.
- D . Remove the x-content-type-options header.
A
Explanation:
The tester identified an HTTPS downgrade attack (e.g., SSL stripping). The best mitigation is to enforce HSTS (HTTP Strict Transport Security).
HSTS (Option A):
HSTS (Strict-Transport-Security) ensures that the browser always uses HTTPS, preventing downgrade attacks.
Example header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Web Security Headers and HTTPS Enforcements"
Incorrect options:
Option B (httponly flag): Protects cookies from JavaScript access but does not enforce HTTPS.
Option C (Firewall rule on port 80): Helps, but does not force browsers to use HTTPS.
Option D (Removing x-content-type-options): Unrelated; nosniff prevents MIME-type sniffing.
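To turn the recommendation above into a repeatable report check, the following added example (not code from the page or from any vendor tool) parses a raw response like the one the tester captured and reports whether an effective Strict-Transport-Security policy is present. The sample responses are constructed here; the one-year max-age threshold follows the page's example header.

```python
# Added example (not from the page or any vendor tool): check a raw HTTP
# response, as printed by `curl -s -i`, for an effective HSTS policy.
MIN_MAX_AGE = 31536000  # one year, matching the page's example header

# Constructed sample modelled on the response in the question: no HSTS header.
RESPONSE_BEFORE = """HTTP/2 302
date: Thu, 11 Jan 2024 15:56:24 GMT
content-type: text/html; charset=iso-8859-1
location: /login
x-content-type-options: nosniff
server: Prod
"""
# Constructed sample: the same response with the recommended header added.
RESPONSE_AFTER = RESPONSE_BEFORE + "strict-transport-security: max-age=31536000; includeSubDomains\n"


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values; the first line is the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(raw: str) -> dict:
    """Evaluate Strict-Transport-Security; 'findings' lists what a report should flag."""
    value = parse_headers(raw).get("strict-transport-security")
    result = {"max_age": None, "include_subdomains": False, "findings": []}
    if value is None:
        result["findings"].append("HSTS header missing: browsers will accept a downgrade to HTTP")
        return result
    for directive in (d.strip().lower() for d in value.split(";")):
        if directive.startswith("max-age=") and directive[8:].isdigit():
            result["max_age"] = int(directive[8:])
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
    if result["max_age"] is None:
        result["findings"].append("max-age missing or invalid: browsers ignore the header")
    elif result["max_age"] < MIN_MAX_AGE:
        result["findings"].append("max-age below one year: policy expires too soon")
    if not result["include_subdomains"]:
        result["findings"].append("includeSubDomains absent: subdomains stay downgradeable")
    return result  # an empty 'findings' list means the policy is effective
```

Browsers only honour HSTS when it arrives over HTTPS, so the check should be run against the TLS endpoint, as the tester did with curl.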
A tester obtains access to an endpoint subnet and wants to move laterally in the network.
Given the following Nmap scan output:
Nmap scan report for some_host
Host is up (0.01s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
smb2-security-mode: Message signing disabled
Which of the following command and attack methods is the most appropriate for reducing the chances of being detected?
- A . responder -I eth0 -dwv ntlmrelayx.py -smb2support -tf <target>
- B . msf > use exploit/windows/smb/ms17_010_psexec
- C . hydra -L administrator -P /path/to/passwdlist smb://<target>
- D . nmap --script smb-brute.nse -p 445 <target>
A
Explanation:
The Nmap scan output indicates SMB (port 445) is open, and message signing is disabled. This makes the system vulnerable to NTLM relay attacks.
Option A (responder -I eth0 -dwv ntlmrelayx.py -smb2support -tf <target>) ✅: Correct.
Responder poisons LLMNR and NBT-NS requests, capturing NTLM hashes.
NTLMRelayX then relays captured hashes to an SMB service without message signing, allowing unauthorized access.
This attack is stealthier than brute-force methods.
Option B (ms17_010_psexec) ❌: This exploits EternalBlue, but we don’t have confirmation that this system is vulnerable to MS17-010.
Option C (hydra brute-force) ❌: SMB brute-force is noisy and will likely trigger alerts.
Option D (smb-brute.nse) ❌: This brute-force attack is also loud and detectable.
Reference: CompTIA PenTest+ PT0-003 Official Guide – NTLM Relay & SMB Exploitation
Which of the following components should a penetration tester include in the final assessment report?
- A . User activities
- B . Customer remediation plan
- C . Key management
- D . Attack narrative
D
Explanation:
The attack narrative is a critical part of the report that tells the story of how the tester exploited vulnerabilities, gained access, and moved laterally. It helps stakeholders understand the real-world impact in a readable and logical sequence.
User activities are more operational logs than part of a pentest report.
Customer remediation plan is the client’s responsibility.
Key management might be discussed but is not a required component of the report.
Reference: PT0-003 Objective 5.2 – Components of a penetration test report, including attack narrative.
A penetration tester identifies the URL for an internal administration application while following DevOps team members on their commutes.
Which of the following attacks did the penetration tester most likely use?
- A . Shoulder surfing
- B . Dumpster diving
- C . Spear phishing
- D . Tailgating
A
Explanation:
The technique used in this scenario is shoulder surfing, which consists of directly observing a person while they work in order to gather sensitive information such as credentials, internal URLs, or other confidential data.
In this case, the pentester followed the DevOps team members on their commutes and managed to identify an internal URL. No direct social engineering was used (as in spear phishing), no unauthorized physical access (as in tailgating), and no searching through discarded material (dumpster diving).
Reference: PT0-003 Objective 2.1 – Explain the importance of physical security assessments.
Shoulder surfing is listed as a key social engineering technique.
During a red-team exercise, a penetration tester obtains an employee’s access badge. The tester uses the badge’s information to create a duplicate for unauthorized entry.
Which of the following best describes this action?
- A . Smurfing
- B . Credential stuffing
- C . RFID cloning
- D . Card skimming
C
Explanation:
RFID cloning involves copying data from an existing access card to create a duplicate badge. Attackers use tools like Proxmark3 or Flipper Zero to capture and replicate RFID signals.
Option A (Smurfing) ❌: A DDoS attack technique, unrelated to physical security.
Option B (Credential stuffing) ❌: Uses compromised usernames/passwords, not RFID badges.
Option C (RFID cloning) ✅: Correct. Creates a duplicate access badge using RFID technology.
Option D (Card skimming) ❌: Steals credit card data, but does not duplicate RFID badges.
Reference: CompTIA PenTest+ PT0-003 Official Guide – Physical Security Testing & RFID Cloning
During a security assessment, a penetration tester wants to compromise user accounts without triggering IDS/IPS detection rules.
Which of the following is the most effective way for the tester to accomplish this task?
- A . Crack user accounts using compromised hashes.
- B . Brute force accounts using a dictionary attack.
- C . Bypass authentication using SQL injection.
- D . Compromise user accounts using an XSS attack.
A
Explanation:
To avoid triggering IDS/IPS alerts, the attacker should use offline cracking on compromised hashes rather than direct brute-force attempts.
Crack user accounts using compromised hashes (Option A):
Hashes can be cracked offline using tools like Hashcat or John the Ripper.
Because no login attempts are made against the live system, there is nothing for IDS/IPS rules to detect.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Password Cracking Techniques and Evasion"
Incorrect options:
Option B (Brute force): Generates excessive failed logins, triggering IDS/IPS alerts.
Option C (SQL injection): Exploits database vulnerabilities, not direct account compromise.
Option D (XSS attack): Can steal cookies but does not directly compromise accounts.
A penetration tester observes the following output from an Nmap command while attempting to troubleshoot connectivity to a Linux server:
Starting Nmap 7.91 ( https://nmap.org ) at 2024-01-10 12:00 UTC
Nmap scan report for example.com (192.168.1.10)
Host is up (0.001s latency).
Not shown: 9999 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
2222/tcp open ssh
444/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Which of the following is the most likely reason for the connectivity issue?
- A . The SSH service is running on a different port.
- B . The SSH service is blocked by a firewall.
- C . The SSH service requires certificate authentication.
- D . The SSH service is not active.
A
Explanation:
The key detail in the Nmap scan output is that port 2222/tcp is open and running the SSH service. The standard SSH port is 22, so if the tester was attempting to connect on port 22, they would not succeed because SSH is instead listening on port 2222.
This is a common security hardening tactic: moving services to non-standard ports to reduce automated attacks.
There is no indication that the service is blocked (B), or requires certificates (C), or is inactive (D), because Nmap clearly shows the service is open and identified.
Reference: CompTIA PenTest+ PT0-003 Objective 3.3: Analyze tool output or data related to engagement activities.
Nmap usage and interpreting scan results are emphasized in multiple sections.