Practice Free PT0-003 Exam Online Questions
During a security assessment, a penetration tester needs to exploit a vulnerability in a wireless network’s authentication mechanism to gain unauthorized access to the network.
Which of the following attacks would the tester most likely perform to gain access?
- A . KARMA attack
- B . Beacon flooding
- C . MAC address spoofing
- D . Eavesdropping
C
Explanation:
MAC address spoofing involves changing the MAC address of a network interface to mimic another device on the network. This technique is often used to bypass network access controls and gain unauthorized access to a network.
Understanding MAC Address Spoofing:
MAC Address: A unique identifier assigned to network interfaces for communication on the physical network segment.
Spoofing: Changing the MAC address to a different one, typically that of an authorized device, to gain access to restricted networks.
Purpose:
Bypassing Access Controls: Gain access to networks that use MAC address filtering as a security measure.
Impersonation: Assume the identity of another device on the network to intercept traffic or access network resources.
Tools and Techniques:
Linux Command: Use the ifconfig or ip command to change the MAC address.
Example: ifconfig eth0 hw ether 00:11:22:33:44:55
Tools: Tools like macchanger can automate the process of changing MAC addresses.
Impact:
Network Access: Gain unauthorized access to networks and network resources.
Interception: Capture traffic intended for another device, potentially leading to data theft or further exploitation.
Detection and Mitigation:
Monitoring: Use network monitoring tools to detect changes in MAC addresses.
Secure Configuration: Implement port security on switches to restrict which MAC addresses can connect to specific ports.
Reference from Pentesting Literature:
MAC address spoofing is a common technique discussed in wireless and network security chapters of penetration testing guides.
HTB write-ups often include examples of using MAC address spoofing to bypass network access controls and gain unauthorized access.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups
A penetration tester assesses a complex web application and wants to explore potential security weaknesses by searching for subdomains that might have existed in the past.
Which of the following tools should the penetration tester use?
- A . Censys.io
- B . Shodan
- C . Wayback Machine
- D . SpiderFoot
C
Explanation:
The Wayback Machine is an online tool that archives web pages over time, allowing users to see how a website looked at various points in its history. This can be extremely useful for penetration testers looking to explore potential security weaknesses by searching for subdomains that might have existed in the past.
Accessing the Wayback Machine:
Go to the Wayback Machine website: archive.org/web.
Enter the URL of the target website you want to explore.
Navigating Archived Pages:
The Wayback Machine provides a timeline and calendar interface to browse through different snapshots taken over time.
Select a snapshot to view the archived version of the site. Look for links, subdomains, and resources that may no longer be available in the current version of the website.
Identifying Subdomains:
Examine the archived pages for references to subdomains, which might be visible in links, scripts, or embedded content.
Use the information gathered to identify potential entry points or older versions of web applications that might still be exploitable.
Tool Integration:
Tools like Burp Suite or SpiderFoot can integrate with the Wayback Machine to automate the discovery process of archived subdomains and resources.
Real-World Example:
During a penetration test, a tester might find references to oldadmin.targetsite.com in an archived page from several years ago. This subdomain might no longer be listed in DNS but could still be accessible, leading to potential security vulnerabilities.
Reference from Pentesting Literature:
In various penetration testing guides and HTB write-ups, using the Wayback Machine is a common technique for passive reconnaissance, providing historical context and revealing past configurations that might still be exploitable.
Reference: HTB Official Writeups
A penetration tester gains shell access to a Windows host. The tester needs to permanently turn off protections in order to install additional payload.
Which of the following commands is most appropriate?
- A . sc config <svc_name> start=disabled
- B . sc query state= all
- C . pskill <pid_svc_name>
- D . net config <svc_name>
A
Explanation:
Command:
The sc config command is used to configure service startup settings in Windows. Using start=disabled will permanently disable a specific service, effectively turning off protections such as antivirus or other monitoring services.
Why Not Other Options?
B (sc query state= all): This command lists all services and their states but does not disable or modify any service.
C (pskill): This command is used to terminate a process temporarily, but it does not permanently disable the service.
D (net config): This command is used for configuring network settings, not for managing services.
Reference: CompTIA PenTest+ Domain 3.0 (Attacks and Exploits); Windows Service Exploitation Guidelines
During a testing engagement, a penetration tester compromises a host and locates data for exfiltration.
Which of the following are the best options to move the data without triggering a data loss prevention tool? (Select two).
- A . Move the data using a USB flash drive.
- B . Compress and encrypt the data.
- C . Rename the file name extensions.
- D . Use FTP for exfiltration.
- E . Encode the data as Base64.
- F . Send the data to a commonly trusted service.
B,E
Explanation:
Data Loss Prevention (DLP) tools monitor sensitive data and prevent unauthorized exfiltration. The two best options to bypass DLP are:
Compress and encrypt the data (Option B):
Compression reduces file size, making detection harder. Encryption further protects the data by making it unreadable without a key.
DLP tools often inspect content based on known patterns (e.g., credit card numbers, sensitive keywords). Encrypted files bypass content inspection since DLP cannot analyze encrypted data.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Data Exfiltration Techniques"
Encode the data as Base64 (Option E):
Base64 encoding disguises data by converting it into ASCII text, making it less likely to trigger DLP signature-based detection.
Many DLP systems do not analyze encoded text deeply, assuming it is non-sensitive.
Reference: CompTIA PenTest+ PT0-003 Official Study Guide – "Encoding and Obfuscation in Exfiltration"
Incorrect options:
Option A (USB flash drive): Physical exfiltration is risky and easily detectable in enterprise environments.
Option C (Rename file extensions): DLP systems analyze content, not just filenames.
Option D (FTP for exfiltration): FTP is monitored by security tools and is a high-risk method.
Option F (Trusted service): Many organizations monitor outbound traffic to cloud storage or email services.
A penetration tester completes a scan and sees the following output on a host:
Nmap scan report for victim (10.10.10.10)
Host is up (0.0001s latency)
PORT STATE SERVICE
161/udp open|filtered snmp
445/tcp open microsoft-ds
3389/tcp open microsoft-ds
Running Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7_sp0
The tester wants to obtain shell access.
Which of the following related exploits should the tester try first?
- A . exploit/windows/smb/psexec
- B . exploit/windows/smb/ms08_067_netapi
- C . exploit/windows/smb/ms17_010_eternalblue
- D . auxiliary/scanner/snmp/snmp_login
C
Explanation:
The ms17_010_eternalblue exploit is the most appropriate choice based on the scenario.
Why MS17-010 EternalBlue?
EternalBlue is a critical vulnerability in SMBv1 (port 445) affecting older versions of Windows, including Windows 7.
The exploit can be used to execute arbitrary code remotely, providing shell access to the target system.
Other Options:
A (psexec): This exploit is a post-exploitation tool that requires valid credentials to execute commands remotely.
B (ms08_067_netapi): A vulnerability targeting older Windows systems (e.g., Windows XP). It is unlikely to work on Windows 7.
D (snmp_login): This is an auxiliary module for enumerating SNMP, not gaining shell access.
Reference: CompTIA PenTest+ Domain 2.0 (Information Gathering and Vulnerability Identification); Domain 3.0 (Attacks and Exploits)
During an assessment, a penetration tester wants to extend the vulnerability search to include the use of dynamic testing.
Which of the following tools should the tester use?
- A . Mimikatz
- B . ZAP
- C . OllyDbg
- D . SonarQube
B
Explanation:
Dynamic Application Security Testing (DAST):
Definition: DAST involves testing the application in its running state to identify vulnerabilities that could be exploited by an attacker.
Purpose: Simulates attacks on a live application, examining how it behaves and identifying security weaknesses.
ZAP (Zed Attack Proxy):
Description: An open-source DAST tool developed by OWASP.
Features: Capable of scanning web applications for vulnerabilities, including SQL injection, XSS, CSRF, and other common web application vulnerabilities.
Usage: Ideal for dynamic testing as it interacts with the live application and identifies vulnerabilities that may not be visible in static code analysis.
Other Tools:
Mimikatz: Used for post-exploitation activities, specifically credential dumping on Windows systems.
OllyDbg: A debugger used for reverse engineering and static analysis of binary files, not suitable for dynamic testing.
SonarQube: A static code analysis tool used for SAST (Static Application Security Testing), not for dynamic testing.
Pentest Reference: Web Application Security Testing: Utilizing DAST tools like ZAP to dynamically test and find vulnerabilities in running web applications.
OWASP Tools: Leveraging open-source tools recommended by OWASP for comprehensive security testing.
By using ZAP, the penetration tester can perform dynamic testing to identify runtime vulnerabilities in web applications, extending the scope of the vulnerability search.
A penetration tester gains access to a domain server and wants to enumerate the systems within the domain.
Which of the following tools would provide the best oversight of domains?
- A . Netcat
- B . Wireshark
- C . Nmap
- D . Responder
C
Explanation:
Installation:
Nmap can be installed on various operating systems.
For example, on a Debian-based system:
sudo apt-get install nmap
Basic Network Scanning:
To scan a range of IP addresses in the network:
nmap -sP 192.168.1.0/24
Service and Version Detection:
To scan for open ports and detect the service versions running on a specific host:
nmap -sV 192.168.1.10
Enumerating Domain Systems:
Use Nmap with additional scripts to enumerate domain systems.
For example, using the --script option:
nmap -p 445 --script=smb-enum-domains 192.168.1.10
Advanced Scanning Options:
Stealth Scan: Use the -sS option to perform a stealth scan:
nmap -sS 192.168.1.10
Aggressive Scan: Use the -A option to enable OS detection, version detection, script scanning, and traceroute:
nmap -A 192.168.1.10
Real-World Example:
A penetration tester uses Nmap to enumerate the systems within a domain by scanning the network for live hosts and identifying the services running on each host. This information helps in identifying potential vulnerabilities and entry points for further exploitation.
Reference from Pentesting Literature:
In "Penetration Testing – A Hands-on Introduction to Hacking," Nmap is extensively discussed for various stages of the penetration testing process, from reconnaissance to vulnerability assessment.
HTB write-ups often illustrate the use of Nmap for network enumeration and discovering potential attack vectors.
Reference: Penetration Testing – A Hands-on Introduction to Hacking; HTB Official Writeups