Practice Free PT0-003 Exam Online Questions
A tester completed a report for a new client.
Prior to sharing the report with the client, which of the following should the tester request to complete a review?
- A . A generative AI assistant
- B . The customer’s designated contact
- C . A cybersecurity industry peer
- D . A team member
B
Explanation:
Before sharing a report with a client, it is crucial to have it reviewed to ensure accuracy, clarity, and completeness. The best choice for this review is a team member.
Here's why:
Internal Peer Review:
Familiarity with the Project: A team member who worked on the project or is familiar with the methodologies used can provide a detailed and context-aware review.
Quality Assurance: This review helps catch any errors, omissions, or inconsistencies in the report before it reaches the client.
Alternative Review Options:
A Generative AI Assistant: While useful for drafting and checking for language issues, it may not fully understand the context and technical details of the penetration test.
The Customer’s Designated Contact: Typically, the client reviews the report after the internal review to provide their perspective and request clarifications or additional details.
A Cybersecurity Industry Peer: Although valuable, this option might not be practical due to confidentiality concerns and the peer’s lack of specific context regarding the engagement.
In summary, an internal team member is the most suitable choice for a thorough and contextually accurate review before sharing the report with the client.
A penetration tester downloads a JAR file that is used in an organization’s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit.
Which of the following describes the tester’s activities?
- A . SAST
- B . SBOM
- C . ICS
- D . SCA
D
Explanation:
The tester’s activity involves analyzing the contents of a JAR file to identify potentially vulnerable components. This process is known as Software Composition Analysis (SCA).
Here's why:
Understanding SCA:
Definition: SCA involves analyzing software to identify third-party and open-source components, checking for known vulnerabilities, and ensuring license compliance.
Purpose: To detect and manage risks associated with third-party software components.
Comparison with Other Terms:
SAST (A): Static Application Security Testing involves analyzing source code for security vulnerabilities without executing the code.
SBOM (B): Software Bill of Materials is a detailed list of all components in a software product, often used in SCA but not the analysis itself.
ICS (C): Industrial Control Systems, not relevant to the context of software analysis.
The tester’s activity of examining a JAR file for vulnerable components aligns with SCA, making it the correct answer.
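The kind of inventory step that SCA tooling performs on a JAR, as an added example that is not part of the original page or of any CompTIA material: it builds a small JAR in memory, reads the Maven pom.properties entries that identify bundled components, and checks them against an advisory table. The JAR contents, the component coordinates and the advisory table are constructed placeholders, not real projects or real advisories.

```python
import io
import zipfile

# Constructed sample: a minimal JAR assembled in memory with Maven metadata for
# two bundled libraries. The coordinates, versions and the advisory table below
# are placeholders invented for this example, not real projects or advisories.
def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/maven/com.example/parser-lib/pom.properties",
            "#generated\ngroupId=com.example\nartifactId=parser-lib\nversion=1.4.2\n",
        )
        jar.writestr(
            "META-INF/maven/org.example/http-util/pom.properties",
            "groupId=org.example\nartifactId=http-util\nversion=3.0.0\n",
        )
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def list_components(jar_bytes):
    """Inventory bundled components by reading every Maven pom.properties entry.

    A Maven-built artifact records its own coordinates under
    META-INF/maven/<groupId>/<artifactId>/pom.properties, and a shaded (uber)
    JAR usually carries one such entry per bundled dependency. That metadata
    is what SCA tools read first; a JAR with it stripped needs hash or
    class-name matching instead.
    """
    components = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            components.append(props)
    return components


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


# Placeholder advisory table: (groupId, artifactId) -> (first fixed version, advisory id).
KNOWN_ISSUES = {
    ("com.example", "parser-lib"): ("1.5.0", "PLACEHOLDER-ADV-001"),
}


def find_vulnerable(components, known_issues=KNOWN_ISSUES):
    """Match each inventoried component against the advisory table."""
    hits = []
    for comp in components:
        key = (comp.get("groupId"), comp.get("artifactId"))
        if key not in known_issues:
            continue
        fixed_in, advisory = known_issues[key]
        if parse_version(comp.get("version", "0")) < parse_version(fixed_in):
            hits.append({
                "component": "%s:%s" % key,
                "version": comp["version"],
                "fixed_in": fixed_in,
                "advisory": advisory,
            })
    return hits


if __name__ == "__main__":
    inventory = list_components(build_sample_jar())
    for comp in inventory:
        print("found", comp["groupId"], comp["artifactId"], comp["version"])
    for hit in find_vulnerable(inventory):
        print("VULNERABLE", hit)
```

The output of this step (the component list) is effectively an SBOM for the JAR; the comparison against the advisory table is the analysis part that makes it SCA, which is the distinction the question is testing.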
A penetration tester conducts OSINT for a client and discovers the robots.txt file explicitly blocks a major search engine.
Which of the following would most likely help the penetration tester achieve the objective?
- A . Modifying the WAF
- B . Utilizing a CSRF attack
- C . Changing the robots.txt file
- D . Leveraging a competing provider
D
Explanation:
In OSINT, the tester’s objective is to gather information using publicly available, non-intrusive sources without altering the target environment. A robots.txt file is a crawler directive that can discourage or block specific search engine bots from indexing certain paths. If one “major” engine is explicitly blocked, the most practical OSINT adjustment is to use other search engines and data providers that may not be restricted in the same way or may already have historical indexing and cached results. This aligns with PenTest+ reconnaissance techniques that emphasize using multiple sources and pivoting between providers to maximize coverage and reduce blind spots.
Modifying the WAF or changing robots.txt would be active alteration of the client’s systems and is not an OSINT method; it also typically falls outside the intent of passive recon and may violate rules of engagement. A CSRF attack is an exploitation technique unrelated to discovering publicly indexed information. Therefore, leveraging a competing provider is the best way to continue OSINT collection when one crawler is blocked.
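How a crawler directive like the one described is actually read, as an added example that is not part of the original page or of any CompTIA material: the standard-library robots.txt parser is run over a constructed file that blocks one named crawler outright while allowing everyone else. The bot names, paths and site are placeholders, not taken from any real site.

```python
import urllib.robotparser

# Constructed robots.txt for a fictitious site; the bot names and paths are
# placeholders, not taken from any real site.
ROBOTS_TXT = """\
User-agent: MajorBot
Disallow: /

User-agent: *
Disallow: /private/
Allow: /
"""


def crawler_access(robots_text, agents, url):
    """Return, per crawler name, whether robots.txt permits fetching `url`.

    Uses the standard-library parser. This only reports what the site asks
    crawlers to do: robots.txt is a directive, not access control, so a
    provider that ignores it, or that indexed the paths before the directive
    was added, may still hold the content.
    """
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_text.splitlines())
    return {agent: parser.can_fetch(agent, url) for agent in agents}


def blocked_everywhere(robots_text, agent):
    """True when the named crawler is denied the site root, i.e. blocked outright."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_text.splitlines())
    return not parser.can_fetch(agent, "https://example.invalid/")


if __name__ == "__main__":
    access = crawler_access(ROBOTS_TXT, ["MajorBot", "OtherBot"], "https://example.invalid/docs/")
    for agent, allowed in access.items():
        print(agent, "allowed" if allowed else "blocked")
```

The point for a defender is the same one the explanation makes from the tester's side: blocking one engine in robots.txt does not remove anything from public view, because other providers may not honour the directive or may already have a cached copy.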
A penetration tester finishes an initial discovery scan for hosts on a /24 customer subnet. The customer states that the production network is composed of Windows servers but no container clusters.
The following are the last several lines from the scan log:
Line 1: 112 hosts found… trying ports
Line 2: FOUND 22 with OpenSSH 1.2p2 open on 99 hosts
Line 3: FOUND 161 with UNKNOWN banner open on 110 hosts
Line 4: TCP RST received on ports 21, 3389, 80
Line 5: Scan complete.
Which of the following is the most likely reason for the results?
- A . Multiple honeypots were encountered
- B . The wrong subnet was scanned
- C . Windows is using WSL
- D . IPS is blocking the ports
A
Explanation:
Seeing services like OpenSSH 1.2p2 open on 99 hosts, and port 161 (SNMP) with unknown banners on 110 hosts suggests a high level of uniformity, which is uncommon in real-world Windows environments. This strongly points to honeypots being present, possibly for detection or deception.
The official CompTIA guide discusses this under scan anomalies:
“Identical responses from a large number of hosts, especially deprecated versions or unchanging banners, could indicate the presence of honeypots or decoy systems.”
Reference: CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 5
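The anomaly the explanation describes, turned into a check a tester or analyst can run over the scan log, as an added example that is not part of the original page or of any CompTIA material: the five log lines are re-created as a constructed string, parsed, and scored against two heuristics, an identical banner on most of the subnet and services that contradict the stated platform. The uniformity threshold and the set of ports expected on a Windows server subnet are assumptions chosen for the example.

```python
import re

# Constructed copy of the five log lines from the question; this is not real
# scanner output, and the thresholds below are assumptions chosen for the example.
SCAN_LOG = """\
Line 1: 112 hosts found... trying ports
Line 2: FOUND 22 with OpenSSH 1.2p2 open on 99 hosts
Line 3: FOUND 161 with UNKNOWN banner open on 110 hosts
Line 4: TCP RST received on ports 21, 3389, 80
Line 5: Scan complete.
"""

HOSTS_RE = re.compile(r"(\d+) hosts found")
FOUND_RE = re.compile(r"FOUND (\d+) with (.+?) open on (\d+) hosts")

# Assumption for the example: the customer said the subnet is Windows servers,
# so these are the ports one would normally expect to see answering.
EXPECTED_WINDOWS_PORTS = {135, 139, 445, 3389}


def parse_scan_log(text):
    """Pull the host count and each 'FOUND <port> with <banner> open on N hosts' line."""
    total_hosts = None
    services = []
    for line in text.splitlines():
        m = HOSTS_RE.search(line)
        if m:
            total_hosts = int(m.group(1))
            continue
        m = FOUND_RE.search(line)
        if m:
            services.append({"port": int(m.group(1)), "banner": m.group(2), "hosts": int(m.group(3))})
    return total_hosts, services


def anomaly_findings(total_hosts, services, uniform_threshold=0.8, expected_ports=EXPECTED_WINDOWS_PORTS):
    """Flag results that look like decoys rather than a real production network.

    Two heuristics: (1) one identical banner on most of the subnet, which real
    fleets rarely show; (2) a service that contradicts the platform the
    customer described. Either alone is worth a question to the customer;
    both together on the same port is the honeypot pattern from the question.
    """
    findings = []
    for svc in services:
        share = svc["hosts"] / total_hosts
        reasons = []
        if share >= uniform_threshold:
            reasons.append("identical banner on %.0f%% of hosts" % (share * 100))
        if svc["port"] not in expected_ports:
            reasons.append("port %d not expected on the stated platform" % svc["port"])
        if reasons:
            findings.append({
                "port": svc["port"],
                "banner": svc["banner"],
                "share": round(share, 3),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    total, found = parse_scan_log(SCAN_LOG)
    for finding in anomaly_findings(total, found):
        print(finding["port"], finding["banner"], "->", "; ".join(finding["reasons"]))
```

On the question's log both flagged services trip both heuristics, which is why the explanation lands on honeypots rather than on a wrong subnet (that would not explain the uniform decade-old banner) or an IPS (which would reduce, not inflate, the number of responsive hosts).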
A penetration tester is configuring a vulnerability management solution to perform credentialed scans of an Active Directory server.
Which of the following account types should the tester provide to the scanner?
- A . Read-only
- B . Domain administrator
- C . Local user
- D . Root
B
Explanation:
To perform credentialed scans on an Active Directory (AD) server, the scanner requires high-level access to retrieve system configuration, patch levels, and user rights. A Domain Administrator account ensures full visibility into domain resources and permissions, which is essential for a complete vulnerability assessment.
From the CompTIA PenTest+ PT0-003 Objectives, Domain 2.0: Information Gathering and Vulnerability Identification:
“Credentialed scans require administrative-level access on target systems to provide detailed insights into software versions, missing patches, and security settings.”
Reference: CompTIA PenTest+ PT0-003 Official Study Guide, Chapter 6
Which of the following elements of a penetration test report can be used to most effectively prioritize the remediation efforts for all the findings?
- A . Methodology
- B . Detailed findings list
- C . Risk score
- D . Executive summary
C
Explanation:
Risk scores quantify the severity and likelihood of exploitation for each finding. This helps organizations prioritize which vulnerabilities to remediate first based on potential impact and exploitability.
Methodology outlines how the test was performed.
Findings list shows issues, but without prioritization.
Executive summary provides a high-level overview for decision-makers, not technical prioritization.
Reference: PT0-003 Objective 5.2: Reporting components including risk ratings and prioritization.
A penetration tester is getting ready to conduct a vulnerability scan as part of the testing process. The tester will evaluate an environment that consists of a container orchestration cluster.
Which of the following tools should the tester use to evaluate the cluster?
- A . Trivy
- B . Nessus
- C . Grype
- D . Kube-hunter
D
Explanation:
Evaluating a container orchestration cluster, such as Kubernetes, requires specialized tools designed to assess the security and configuration of container environments.
Here's an analysis of each tool and why Kube-hunter is the best choice:
Trivy (Option A):
Trivy is a vulnerability scanner for container images and filesystems.
Capabilities: While effective at scanning container images for vulnerabilities, it is not specifically designed to assess the security of a container orchestration cluster itself.
Nessus (Option B):
Nessus is a general-purpose vulnerability scanner that can assess network devices, operating systems, and applications.
Capabilities: It is not tailored for container orchestration environments and may miss specific issues related to Kubernetes or other orchestration systems.
Grype (Option C):
Grype is a vulnerability scanner for container images.
Capabilities: Similar to Trivy, it focuses on identifying vulnerabilities in container images rather than assessing the overall security posture of a container orchestration cluster.
Kube-hunter (Answer D):
Kube-hunter is a tool specifically designed to hunt for security vulnerabilities in Kubernetes clusters.
Capabilities: It scans the Kubernetes cluster for a wide range of security issues, including misconfigurations and vulnerabilities specific to Kubernetes environments.
Reference: Kube-hunter is recognized for its effectiveness in identifying Kubernetes-specific security issues and is widely used in security assessments of container orchestration clusters.
Conclusion: Kube-hunter is the most appropriate tool for evaluating a container orchestration cluster, such as Kubernetes, due to its specialized focus on identifying security vulnerabilities and misconfigurations specific to such environments.
A penetration tester enumerates a legacy Windows host on the same subnet. The tester needs to select exploit methods that will have the least impact on the host’s operating stability.
Which of the following commands should the tester try first?
- A . responder -I eth0 john responder_output.txt <rdp to target>
- B . hydra -L administrator -P /path/to/pwlist.txt -t 100 rdp://<target_host>
- C . msf > use <module_name> msf > set <options> msf > set PAYLOAD windows/meterpreter/reverse_tcp msf > run
- D . python3 ./buffer_overflow_with_shellcode.py <target> 445
A
Explanation:
Responder is a tool used for capturing and analyzing NetBIOS, LLMNR, and MDNS queries to perform various man-in-the-middle (MITM) attacks. It can be used to capture hashed credentials, which can then be cracked offline. Using Responder has the least impact on the host’s operating stability compared to more aggressive methods like buffer overflow attacks or payload injections.
Understanding Responder:
Purpose: Responder is used to capture NTLMv2 hashes from a Windows network.
Operation: It listens on the network for LLMNR, NBT-NS, and MDNS requests and responds to them, tricking the client into authenticating with the attacker’s machine.
Command Breakdown:
responder -I eth0: Starts Responder on the network interface eth0.
john responder_output.txt: Uses John the Ripper to crack the hashes captured by Responder.
<rdp to target>: Suggests the next step after capturing credentials might involve using RDP with the cracked password, but the initial capture is passive and low impact.
Why This is the Best Choice:
Least Impact: Responder passively captures network traffic without interacting directly with the target host’s system processes.
Stealth: It operates quietly on the network, making it less likely to cause stability issues or be detected by host-based security mechanisms.
Reference from Pentesting Literature:
Tools like Responder are discussed in penetration testing guides for initial reconnaissance and credential gathering without causing significant disruptions.
HTB write-ups frequently mention the use of Responder in network-based attacks to capture credentials safely.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
A penetration tester has adversely affected a critical system during an engagement, which could have a material impact on the organization.
Which of the following should the penetration tester do to address this issue?
- A . Restore the configuration.
- B . Perform a BIA.
- C . Follow the escalation process.
- D . Select the target.
C
Explanation:
If a penetration tester unintentionally disrupts a critical system, they must immediately follow the client’s escalation process to ensure proper handling.
Follow the escalation process (Option C):
The penetration testing engagement follows a predefined incident response and escalation plan.
The tester documents the issue, informs stakeholders, and works with IT teams to minimize impact.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Incident Handling and Escalation During Testing"
Incorrect options:
Option A (Restore the configuration): Unauthorized changes could violate the engagement scope.
Option B (Perform a BIA): Business Impact Analysis (BIA) is for risk management, not an immediate response.
Option D (Select the target): The target was already chosen; this option is irrelevant.
A consultant starts a network penetration test. The consultant uses a laptop that is hardwired to the network to try to assess the network with the appropriate tools.
Which of the following should the consultant engage first?
- A . Service discovery
- B . OS fingerprinting
- C . Host discovery
- D . DNS enumeration
C
Explanation:
In network penetration testing, the initial steps involve gathering information to build an understanding of the network’s structure, devices, and potential entry points. The process generally follows a structured approach, starting from broad discovery methods to more specific identification techniques.
Here’s a comprehensive breakdown of the steps:
Host Discovery (Answer C):
Explanation:
Objective: Identify live hosts on the network.
Tools & Techniques:
Ping Sweep: Using tools like nmap with the -sn option (ping scan) to check for live hosts by sending ICMP Echo requests.
ARP Scan: Useful in local networks, arp-scan can help identify all devices on the local subnet by broadcasting ARP requests.
nmap -sn 192.168.1.0/24
Reference: The GoBox HTB write-up emphasizes the importance of identifying hosts before moving to service enumeration.
The Forge HTB write-up also highlights using Nmap for initial host discovery in its enumeration phase.
Service Discovery (Option A):
Objective: After identifying live hosts, determine the services running on them.
Tools & Techniques:
Nmap: Often used with options like -sV for version detection to identify services.
nmap -sV 192.168.1.100
Reference: As seen in multiple write-ups (e.g., Anubis HTB and Bolt HTB), service discovery follows host identification to understand the services available for potential exploitation.
OS Fingerprinting (Option B):
Objective: Determine the operating system of the identified hosts.
Tools & Techniques:
Nmap: With the -O option for OS detection.
nmap -O 192.168.1.100
Reference: Accurate OS fingerprinting helps tailor subsequent attacks and is often performed after host and service discovery, as highlighted in the write-ups.
DNS Enumeration (Option D):
Objective: Identify DNS records and gather subdomains related to the target domain.
Tools & Techniques:
dnsenum, dnsrecon, and dig.
dnsenum example.com
Reference: DNS enumeration is crucial for identifying additional attack surfaces, such as subdomains and related services. This step is typically part of the reconnaissance phase but follows host discovery and sometimes service identification.
Conclusion: The initial engagement in a network penetration test is to identify the live hosts on the network (Host Discovery). This foundational step allows the penetration tester to map out active devices before delving into more specific enumeration tasks like service discovery, OS fingerprinting, and DNS enumeration. This structured approach ensures that the tester maximizes their understanding of the network environment efficiently and systematically.
